The Foundational Misconception

DCAA does not audit accounting software. It audits your entire operational control system.

Most GovCon firms treat compliance as a reporting function — something assembled before each audit. DCAA treats compliance as a system function. This canon defines the operational mechanics of every compliance domain DCAA evaluates, and how a contract-native operating system satisfies each one continuously.

Ten operational papers covering the full DCAA adequacy lifecycle — timekeeping, job costing, indirect rates, billing, ICS, FICS, procurement, internal controls, and the Compliance Command Center. The regulatory mechanics Canon I and Canon II do not go into.

"Compliance is not a reporting function. It is a system function. The GovCon Compliance Canon defines the architecture that satisfies it — continuously, operationally, and by design."

10 Compliance domain papers
From DCAA operating model to Compliance Command Center

0h Audit preparation in a CI system
Compliance is permanent operational state — not a project

40–120h Audit prep cost in legacy ERP firms
Per engagement — the cost of periodic compliance architecture

6 DCAA adequacy pillars evaluated
Every paper maps to at least one adequacy requirement

Why Legacy Architecture Fails

Why Legacy Stack Fails GovCon

These outcomes are structural, not accidental. Fragmented systems force leaders to manage reconciliation, lag, and compliance risk instead of execution.

Failure 01

Timekeeping Assembled After the Fact

Labor charges reconstructed or corrected outside the contemporaneous submission window. DCAA defines timekeeping adequacy by when entries are made — not when they are correct.

Failure 02

Rates Calculated at Period End

Indirect rates derived at month-end from pool and base snapshots. Billing rates applied before final calculations. Variance accumulates invisibly until reconciliation forces corrections.

Failure 03

ICS/FICS Assembled from Disparate Systems

40–120 hours per engagement reconciling timekeeping, payroll, G/L, and billing across systems that were never designed to produce Schedules A–O automatically. DCAA sees the seams.

Failure 04

Unallowable Costs Discovered at Audit

FAR Part 31 allowability determinations made at review time, not at entry time. Unallowable costs accumulate in pools, distort rates, and create findings that require costly retroactive corrections.

Failure 05

Audit Trail Reconstructed, Not Generated

Evidence assembled in response to DCAA requests — not captured at the point of every operational event. Reconstructed trails have gaps DCAA can find. Generated trails do not.

The Result

Legacy ERPs were built to process transactions and produce reports. DCAA examines whether the system enforced compliance at the point of every transaction — before costs posted, before hours approved, before invoices submitted. Periodic compliance architecture cannot satisfy a continuous compliance standard.

The Architecture of Choice

Compliance as Reporting vs. Compliance as OS

A side-by-side comparison of structural assumptions and operational outcomes.

Compliance as Reporting (Legacy ERP)

Timekeeping validated at approval

Labor charges entered, corrected, and approved on any schedule. Contemporaneous requirement met on paper — not in system architecture.

Rates reconciled at period end

Pool and base calculations run monthly. Billing rates applied before actuals are known. Variance correction required after every close.

ICS/FICS assembled for submission

Schedules A–O compiled from multiple systems. 40–120 hours per engagement. Seams visible to DCAA examiners.

Audit trail reconstructed on request

Evidence assembled in response to DCAA requests. Reconstruction gaps create findings. Cannot prove what happened at point of transaction.

VS

Compliance as OS (xpdOffice)

Timekeeping enforced at entry

Every timesheet entry validated against LCAT qualification, contract period, and charge code eligibility at the point of submission — before it posts.

Rates calculated on every write event

Live indirect rate engine updates pool and base on every cost entry. Billing rates current to today's cost data. No variance accumulation, no period-end surprise.

ICS/FICS readiness maintained daily

Schedules A–O generated continuously from the live contract model. xpdOffice eliminates the concept of "preparing" an ICS — it is always ready.

Audit trail generated, never assembled

Every operational event generates an immutable, append-only audit record at the point of occurrence. Structured for DCAA examination. Cannot have gaps.

The Regulatory Mission

Why This Compliance Canon Exists

Compliance knowledge is scattered across manuals, regulations, audits, and consultant advice. This canon organizes it into a coherent operational framework. It maps each DCAA evaluation area to the specific operating system behavior that satisfies it continuously.

Compliance is a system property, not a checklist. This canon defines the architecture that enforces timekeeping, rate management, billing, and controls continuously, by design.

"Compliance is not a periodic report. It is a continuous operational state. The Compliance Canon defines the systems architecture that engineers it."

Audience

Who This Canon Is For

Controllers & Finance Leadership

The Operational Mechanics of Every Compliance Domain

Indirect rate engineering, job costing architecture, ICS/FICS mechanics, billing adequacy requirements, and the internal control environment DCAA evaluates — at the depth required to design and defend the system.

Compliance Officers & Program Managers

What DCAA Actually Examines on Every Audit

The full audit lifecycle mapped to specific operational requirements — what examiners look for in timekeeping, labor distribution, procurement files, audit trails, and segregation of duties. The compliance standard stated operationally, not bureaucratically.

CEOs & CFOs Evaluating GovCon Platforms

The Compliance Architecture Standard for Platform Evaluation

The ten compliance domains and the specific operational behaviors required to satisfy each. A framework for evaluating any GovCon platform claim about DCAA compliance — not on marketing language but on architectural behavior.

Common Inquiries

Frequently Asked Questions

What does DCAA actually audit?

DCAA does not audit accounting software. DCAA audits operational control systems — the full lifecycle of timekeeping, labor distribution, job costing, indirect rates, billing, procurement, contract management, and internal controls. Paper 1 (The DCAA Operating Model) defines this system and the six adequacy pillars DCAA evaluates across pre-award, forward pricing, incurred cost, and final settlement audits.

What is DCAA system adequacy and how is it determined?

System adequacy means the firm's operational control systems satisfy DCAA's six adequacy pillars: timekeeping integrity, labor distribution accuracy, indirect rate calculation and application, billing accuracy, procurement controls, and internal control environment. Adequacy is determined through examination of system behaviors — not through certification. DCAA examiners test whether the system enforces compliance at the point of every operational event, not whether the firm can produce compliant reports on request.

What is the Compliance Command Center?

The Compliance Command Center is xpdOffice's real-time compliance dashboard — a unified operational view of every compliance domain simultaneously: timekeeping status, indirect rate health, CLIN ceiling utilization, billing adequacy, ICS readiness, FICS progress, and audit trail completeness. It converts compliance from a periodic preparation exercise into a daily operational function. Paper 10 (The Compliance Command Center) develops this in full.

How is Canon III different from Canon I and Canon II?

Canon I makes the operational and strategic case for contract-native architecture — written for CEO, COO, and CFO audiences. Canon II makes the computational and systems architecture case — written for CIO, CTO, and enterprise architects. Canon III defines the regulatory mechanics of every compliance domain DCAA evaluates — written for controllers, compliance officers, and program managers who face audits directly. Three canons, three audiences, three abstraction levels, one underlying architecture.

Why does ICS/FICS preparation take 40–120 hours in legacy ERP firms?

Because Schedules A–O must be assembled from systems that were never designed to produce them automatically: timekeeping data from one system, payroll from another, general ledger from a third, billing from a fourth. The reconciliation between these systems — which maintain different versions of the same facts — is what consumes the hours. xpdOffice maintains ICS/FICS readiness continuously because all of these domains share the same contract-governed data layer. There is no reconciliation because there is no inconsistency. Paper 6 (ICS) and Paper 7 (FICS) cover this in operational detail.

Does "continuous compliance" require more work from operational staff?

No — the opposite. Continuous compliance transfers the compliance enforcement burden from operational staff (who must remember and apply rules manually) to the system architecture (which enforces rules at the point of every transaction automatically). Staff spend less time on compliance corrections, less time on audit preparation, and less time reconciling between systems. The compliance overhead moves from human review cycles to architectural enforcement — and architectural enforcement is always on.

"The firms that reach $100M+ are those that solve architecture before they reach it."