Paper 01 of 13

DCAA does not audit accounting software. It audits your entire operational control system.

12 min reading time
Compliance Mechanics

★ The DCAA Operating Model — Governing Paper

"The most costly misconception in GovCon compliance: that compliance is a function of what a system reports, not what it enforces. DCAA examines whether your operational system enforces compliance at the point of every transaction — before costs post, before hours are approved, before invoices are submitted."

Paper 1 defines the system DCAA actually audits — the six adequacy pillars, the full audit lifecycle from pre-award through FICS, and the foundational reframe that every other paper in this canon builds on. This is the governing paper of the GovCon Compliance Canon.

Paper 1 plays the same role in Canon III that Paper 8 played in Canon I and Paper 3 played in Canon II — it names the category, defines it precisely, and establishes the framework that every other paper in the series references. The DCAA operating model is that framework: the eight operational domains DCAA examines, the six adequacy pillars it evaluates, and the core insight that adequacy is an operational state, not an audit output.

What This Paper Defines

  • Timekeeping validated at approval — not at entry
  • Rates calculated at month-end — always stale
  • Audit trail assembled on request
  • Timekeeping validated at entry — structurally enforced

The Argument

The Governing Paper That All Other Canon III Papers Reference

"DCAA does not audit software. DCAA audits whether the software — and the operational system it supports — enforces the right behaviors at the right time, with the right evidence, automatically."

Why This Reframe Changes Everything

Once compliance is understood as a system enforcement function rather than a reporting function, every compliance investment decision changes. The question is no longer "can we produce compliant reports?" — the question is "does our operational system enforce compliance at the point of every transaction?" These questions have different answers, different costs, and different audit outcomes.

★ The DCAA Operating Model — Core Insight

A system is adequate when compliance is enforced at the point of every operational event, not when compliant outputs can be produced on request. Timekeeping adequacy means entries are validated when submitted. Rate adequacy means pools and bases are current when charges post. Audit trail adequacy means evidence is generated when events occur — not assembled when auditors arrive.

  • 6 DCAA adequacy pillars: Timekeeping, labor, rates, billing, procurement, controls
  • 4 Audit lifecycle phases: Pre-Award, Timekeeping, ICS, FICS
  • 0 DCAA audits: It audits the operational control system behind it
  • 40–120h Audit prep in legacy ERP firms: Per engagement — the cost of periodic compliance architecture

The Failure Modes

Four structural limitations identified in this research area.

Failure 01
Structural Failure

Non-Contemporaneous Timekeeping

The system accepts entries on any schedule. Employees comply by policy, not by architecture. DCAA tests entry timestamps — not policy statements. Finding: timekeeping system inadequacy.

Failure 02
Structural Failure

Period-End Rate Calculations

Indirect rates calculated at month-end. Unallowable costs accumulate in pools between periods. Rate instability discovered at ICS submission — not during the year when corrections are manageable.

Failure 03
Structural Failure

Assembled Audit Trails

Evidence requested by DCAA must be gathered from timekeeping, payroll, G/L, and billing — each with a different version of the same facts. Gaps between systems are where findings live.

Failure 04
Structural Failure

ICS/FICS Prepared at Submission

40–120 hours assembling Schedules A–O from systems not designed to produce them. DCAA sees the seams. Reconciliation errors appear. Retroactive corrections required.

The Architecture of Choice

Side-by-side comparison of structural assumptions and operational outcomes.

Periodic Compliance (Legacy ERP)

Timekeeping validated at approval — not at entry

Entries accepted on any schedule. Contemporaneous requirement enforced by policy. DCAA tests entry timestamps. Policy statements are not evidence.

Rates calculated at month-end — always stale

Unallowable costs accumulate invisibly. Rate variance discovered at ICS. Corrections required retroactively — after DCAA has seen the numbers.

Audit trail assembled on request

Evidence gathered from multiple systems with different versions of the same facts. Gaps are visible to DCAA examiners. 40–120 hours per engagement.

Continuous Operational State (xpdOffice)

Timekeeping validated at entry — structurally enforced

Every entry validated against LCAT, contract period, and charge code eligibility at submission. Non-contemporaneous entry rejected before it posts.

Rates updated on every write event — always current

Live indirect rate engine updates pool and base on every cost entry. Unallowable costs flagged at entry. Rate instability surfaced daily, not at submission.

Audit trail generated at every event — never assembled

Immutable, append-only record at every transaction. Structured for DCAA examination. No gaps — because evidence is generated when events occur, not assembled when auditors arrive.

Frequently Asked Questions

What does DCAA system adequacy actually mean?

System adequacy means the firm's operational control system satisfies DCAA's six adequacy pillars across all eight operational domains. DCAA does not evaluate whether the firm produced correct reports — it evaluates whether the system that produced those reports enforced compliance at the point of every transaction. Adequacy is not a one-time certification. It is a continuous operational state maintained across every transaction, every period, and every audit type.

Why does pre-award survey risk matter for growing GovCon firms?

A pre-award survey evaluates accounting system adequacy before contract award. An "inadequate" finding does not just affect the current procurement — it signals to the contracting community that the firm's financial control systems cannot be trusted to manage government contract funds. For growing firms pursuing larger cost-reimbursable contracts, a pre-award finding can stop growth momentum entirely. The best time to build continuous compliance architecture is before the first pre-award survey request — not in response to one.

How is Canon III different from Canon I and Canon II?

Canon I makes the operational and strategic case for contract-native architecture — written for CEO, COO, and CFO audiences. Canon II makes the computational and systems architecture case — written for CIO, CTO, and enterprise architects. Canon III defines the regulatory mechanics of every compliance domain DCAA evaluates — written for controllers, compliance officers, and program managers who face audits directly. Three canons, three audiences, three levels, one underlying architecture.

What is the Compliance Command Center?

The Compliance Command Center is xpdOffice's real-time compliance dashboard — a unified operational view of every adequacy domain simultaneously: timekeeping status, indirect rate health, CLIN ceiling utilization, billing adequacy, ICS readiness, FICS progress, and audit trail completeness. It converts compliance from a periodic preparation exercise into a daily operational function. Paper 10 of this canon develops the Compliance Command Center in full.
