xpdOffice Logo
xpdOffice.AI-Native Business Operating System™
Paper 02 of 13

A GovCon compliance architecture is not a collection of modules.It is ten connected subsystems producing one unbroken data lineage.

12 min reading time
Compliance Mechanics

The Compliance Architecture of a GovCon OS

"DCAA examines the lineage from time entry to final invoice. A gap anywhere in the chain is a potential finding everywhere it touches. Paper 2 maps all ten subsystems, defines what each must enforce, and shows how they connect."

A system-by-system blueprint of the compliance architecture DCAA expects to find — with the binary adequacy test for each subsystem and a data lineage map from time entry through invoice to ICS/FICS.

Paper 2 closes with a binary adequacy test for each of the ten subsystems — a single question that distinguishes a compliant implementation from a present-but-inadequate one. These are the same tests DCAA examiners apply, framed as self-assessment questions for controllers and compliance officers evaluating their own systems.

What This Paper Defines

  • Timekeeping accepts entries on any schedule
  • Rate engine runs at month-end from snapshots
  • Audit trail assembled from multiple systems
  • SoD enforced by organizational hierarchy
Doctrine Access

Download the Executive Paper

Complete the form to receive the full research, frameworks, and architectural blueprints.

You will receive a direct download link by email.
xpdOffice does not share your information with third parties.

The Argument

The Binary Adequacy Test for Each Subsystem

Paper 2 closes with a binary adequacy test for each of the ten subsystems — a single question that distinguishes a compliant implementation from a present-but-inadequate one. These are the same tests DCAA examiners apply, framed as self-assessment questions for controllers and compliance officers evaluating their own systems. ""The question every GovCon compliance architecture must answer is not 'can we produce the Schedule A?' The question is: 'can every number on Schedule A be traced, without manual reconciliation, to the operational events that produced it?'""

Why Legacy ERP Has All Ten and Satisfies None

Legacy GovCon ERP systems have modules that correspond to each of the ten subsystems. But having a module is not the same as enforcing compliance. The timekeeping module accepts entries on any schedule. The rate module runs at period-end. The audit trail is assembled from exports. The SoD rules are documented in policy manuals. Each subsystem is present. None enforces compliance at the point of every transaction. All ten binary tests produce the same answer: policy, not architecture.

The Compliance Architecture Standard

A GovCon compliance architecture is adequate when it comprises all ten subsystems, each enforcing compliance at the point of every transaction, connected by a single unbroken data lineage from time entry to final invoice, with an immutable audit trail generated at every event. xpdOffice is the reference implementation of this standard.

10
Compliance subsystems DCAA evaluates
Each maps to a specific adequacy pillar
7
Links in the data lineage
From time entry to ICS/FICS — unbroken
10
Binary adequacy tests
One per subsystem — pass or fail, no partial credit
0
Shortcuts in the architecture
Every subsystem must be present and connected

The Architecture of Choice

Side-by-side comparison of structural assumptions and operational outcomes.

Subsystem Present but Not Enforcing

Timekeeping accepts entries on any schedule

Policy says "enter daily." System accepts entries regardless of when submitted. DCAA tests entry timestamps. Policy is not evidence.

Rate engine runs at month-end from snapshots

Rates 30+ days stale by design. Unallowable costs accumulate in pools between periods. Rate problems discovered at ICS submission.

Audit trail assembled from multiple systems

Transaction logs exist in each system. Reconciliation required before DCAA examination. Gaps between systems are where findings live.

SoD enforced by organizational hierarchy

Approval authority assigned by role and documented in policy. System does not prevent a single user from initiating and approving a transaction.

Subsystem Present and Enforcing

Timekeeping enforces contemporaneous entry by architecture

Every entry validated at submission. Non-contemporaneous entries rejected. Enforcement is structural — cannot be overridden by policy exception.

Rate engine updates on every cost entry

Pool and base current to last write event. Unallowable costs flagged at entry, never accumulate. Rate instability surfaced daily.

Audit trail generated at every event across all subsystems

Immutable, append-only record generated when events occur. No reconciliation required. DCAA examination is a query, not an assembly exercise.

SoD enforced by the system access model

No single user identity can initiate and approve within defined scope boundaries. Enforcement is architectural — organizational instructions cannot override it.

Strategic Prediction

Strategic Insight

""The question every GovCon compliance architecture must answer is not 'can we produce the Schedule A?' The question is: 'can every number on Schedule A be traced, without manual reconciliation, to the operational events that produced it?'""

Frequently Asked Questions

Why does DCAA examine the data lineage specifically?

DCAA's incurred cost audit is fundamentally a lineage audit. Examiners trace a specific billed cost from the invoice back through billing records, rate application records, cost accumulation records, and finally to the original time entry or cost document. If the trace breaks at any point — if any system in the chain produces data the next system cannot consume without manual reconciliation — the gap is a potential finding. The lineage examination is how DCAA tests whether the compliance architecture is genuinely connected or merely superficially complete.

What does "enforcing at the point of every transaction" actually mean?

It means the system rejects non-compliant inputs before they post — not after. A timekeeping system that enforces contemporaneous entry at the point of submission rejects late entries before they become part of the labor charge record. A job costing engine that enforces FAR Part 31 allowability at the point of cost entry flags unallowable costs before they enter a pool. A billing engine that validates against contract provisions before generating an invoice catches billing errors before they are sent. Enforcement at the point of transaction means the compliance error never exists in the record — it is prevented, not corrected.

How is Paper 2 different from Paper 1?

Paper 1 defined the system DCAA actually audits — the eight operational domains and six adequacy pillars at a conceptual level. Paper 2 maps that system to a concrete compliance architecture — the ten specific subsystems, what each must do, how they connect, and what the data lineage looks like in a compliant system. Paper 1 establishes the standard. Paper 2 blueprints the implementation. Papers 3 through 9 then develop each subsystem domain in operational detail.
Previous Paper DCAA does not audit accounting software. It audits your entire operational control system. Next Paper Timekeeping deficiencies are themost common DCAA finding.They are also entirelypreventable — by architecture.

Want to model your own ROI?

Use our interactive calculator to see how a contract-native architecture can transform your margin.

Run ROI Calculator