If DCAA called your office tomorrow, would you know why?
Most government contractors treat audits like weather events: unpredictable, unavoidable, and beyond their control. The reality is different. DCAA does not audit contractors at random. The agency uses a risk-based selection process, spelled out in the Contract Audit Manual (CAM), to decide which contractors get scrutiny and which ones wait. Certain contractor behaviors, contract conditions, and filing patterns move you to the front of the line.
The eight red flags below are the specific DCAA audit triggers that put contractors on the radar. Some you control. Others come with the territory. All of them deserve your attention before the audit notice arrives.
The Basics: How DCAA Picks Who Gets Audited
DCAA performs audits for one reason: the federal government needs independent verification before making a contract decision. Award decisions, billing approvals, rate negotiations, and contract closeouts all require audit support. The agency does not have the staff to audit every contractor every year, so it prioritizes based on risk.
The CAM Chapter 3 (Audit Planning) directs DCAA field offices to assess contractor risk using factors including dollar volume, contract type, prior audit history, and the quality of a contractor’s internal controls. Incurred cost proposals with an auditable dollar volume above $250 million receive automatic selection. Below that threshold, DCAA classifies each submission as high or low risk, and every high-risk submission goes into the audit queue.
For small and mid-size contractors, risk classification is where these eight red flags come into play. Each one raises your risk profile in the eyes of DCAA auditors.
Red Flags in Your Billing and Submissions
Red Flag #1: Late or Inadequate Incurred Cost Submissions
FAR 52.216-7 requires contractors with flexibly-priced contracts (cost-reimbursement, T&M, cost-plus) to file an adequate Incurred Cost Submission (ICS) within six months of their fiscal year end. For calendar-year contractors, the deadline is June 30. Filing late, or filing a submission that DCAA rejects as inadequate, triggers immediate consequences.
Late filers face unilateral rate determinations by the contracting officer, potential disallowance of all claimed costs, and a flag in DCAA’s system for future scrutiny. DCAA published an ICS Adequacy Checklist with specific criteria your submission must meet. Failing the adequacy review is functionally the same as filing late: it signals a contractor whose financial controls need a closer look. Our ICS preparation checklist walks through the month-by-month steps to avoid this trigger entirely.
Red Flag #2: Sharp Indirect Rate Fluctuations
Your overhead, fringe, and G&A rates should move gradually from year to year. A fringe rate that jumps from 32% to 51% in one year, or a G&A rate that drops by 40% without an obvious business change, will draw an auditor’s attention. DCAA tracks your historical rates and flags material year-over-year swings for investigation.
Rate fluctuations often point to deeper problems: costs shifting between direct and indirect pools, inconsistent allocation bases, or new cost categories appearing without documentation. Even when the fluctuation has a legitimate explanation (a large new contract changing your cost base, for example), the burden falls on you to prove it. Contractors who document the reason for rate changes in their ICS cover letter give auditors less reason to dig.
Red Flags in Your Labor and Timekeeping
Red Flag #3: Timekeeping Deficiencies
Labor is the largest direct cost on most government contracts, and DCAA knows it. The agency conducts Mandatory Annual Audit Requirements (MAARs) at contractor sites, including unannounced floor checks to verify timekeeping practices. Auditors walk the floor, compare who is physically present against timesheet entries, and test whether employees record time correctly.
Specific timekeeping failures that trigger deeper audits: employees not recording time daily, supervisors editing timesheets without employee knowledge, missing total-time accounting (all hours worked, including uncompensated overtime, must appear on the timesheet per DCAA guidance), and correction procedures that lack an audit trail. A single floor check finding does not end your world. But repeated timekeeping deficiencies signal systemic control weakness, and DCAA responds by expanding audit scope.
Red Flag #4: Compensation That Exceeds Market Benchmarks
FAR 31.205-6 requires contractor compensation to be “reasonable” based on comparable market data. DCAA tests executive and employee compensation against Bureau of Labor Statistics data, salary surveys, and industry benchmarks for your geographic area and company size. Compensation packages that exceed market norms without documented justification get questioned.
Owner-operators of small GovCon firms face particular risk here. A sole proprietor paying themselves $350,000 on a $2 million contract portfolio will attract scrutiny. DCAA expects a compensation philosophy document that explains how you set salaries and demonstrates the analysis behind each pay level. Without one, the auditor writes the finding.
Red Flags in Your Accounting Controls
Red Flag #5: Unallowable Costs in Your Billing
FAR 31.205 lists dozens of cost categories that contractors cannot charge to the government: entertainment, alcohol, lobbying, bad debts, fines, penalties, and more. Your accounting system must identify and exclude these costs at the point of entry, not during year-end cleanup. When unallowable costs show up in your indirect pools or direct charges, DCAA questions whether your system works at all.
The bigger risk is not the individual finding. Billing unallowable costs, even unintentionally, triggers a “system adequacy” concern. If your chart of accounts does not segregate unallowable costs into specifically labeled accounts, DCAA will likely recommend an accounting system audit under DFARS 252.242-7006. One bad expense line item opens the door to a full system review.
Red Flag #6: Inconsistent Cost Accounting Practices
CAS 401 requires consistency in estimating, accumulating, and reporting costs. CAS 402 requires consistency in allocating costs incurred for the same purpose. When DCAA finds costs classified as direct on one contract and indirect on another, or allocation bases changing without a disclosed practice change, the inconsistency itself becomes the audit issue.
Common examples: travel charged direct to Contract A but pooled into overhead on Contract B. Subcontractor costs included in the G&A base for one fiscal year but excluded the next. Software licenses treated as direct costs on a proposal but booked as indirect in execution. Each inconsistency raises the question of whether the contractor is shifting costs to maximize reimbursement. Even if the answer is no, proving consistency after the fact is expensive and time-consuming. A written cost accounting practice disclosure, updated annually, prevents this trigger from activating.
Red Flags from External Signals
Red Flag #7: Prior Audit Findings and Repeat Deficiencies
A contractor with a clean audit history gets the benefit of the doubt. A contractor with prior findings does not. DCAA maintains a record of all audit results, and prior deficiencies directly influence future risk classification. If a previous audit identified timekeeping problems and your corrective action plan was weak or incomplete, the follow-up audit will dig deeper.
Repeat deficiencies carry the most weight. A first-time finding is a warning. The same finding in the next audit period signals a contractor who either ignored the problem or failed to fix it. DCAA’s risk model treats repeat findings as evidence of weak internal controls, which pushes the contractor into the high-risk category for future audit selection. The lesson: treat every audit finding as a system to fix, not a line item to dispute. Document your corrective actions, implement them fully, and test them before the next audit cycle.
Red Flag #8: Hotline Complaints and Referrals
DCAA operates a fraud, waste, and abuse hotline managed by its Office of Inspector General. Current and former employees, subcontractors, and contracting officers all use it. A single credible complaint about timesheet falsification, cost mischarging, or billing fraud triggers an investigation outside the normal audit cycle.
Hotline-triggered audits differ from routine audits in scope and intensity. The auditor arrives with a specific allegation to investigate, and the examination focuses on proving or disproving that allegation. Contractors under hotline investigation face additional referral risk: if DCAA finds indicators of fraud, the case goes to the Department of Justice or the relevant Inspector General for potential criminal or civil action under the False Claims Act. The best defense against hotline complaints is operational: pay employees fairly, maintain clear policies, document everything, and create an internal reporting channel so problems surface before they reach DCAA.
How These Red Flags Stack
No single red flag guarantees an audit. But red flags stack. A contractor with sharp rate fluctuations, a late ICS, and a prior finding from two years ago looks very different to DCAA than a contractor with clean submissions and stable rates. The risk model is cumulative.
The good news: most of these triggers are preventable. Five of the eight (late ICS, rate documentation, timekeeping controls, unallowable cost segregation, and consistent cost accounting) come down to the quality of your accounting system and the discipline of your monthly processes. Fix those, and you reduce your audit risk profile substantially.
Two triggers (prior findings and compensation) require targeted corrective action. One (hotline complaints) requires healthy workplace practices and internal controls. None require luck.
| Red Flag | What DCAA Sees | Your Fix |
|---|---|---|
| #1 Late/inadequate ICS | Contractor unable to account for costs | File by June 30, use DCAA adequacy checklist |
| #2 Rate fluctuations | Possible cost shifting between pools | Document rate changes in ICS cover letter |
| #3 Timekeeping deficiencies | Weak labor controls, potential mischarging | Daily recording, supervisor approval, audit trail |
| #4 Above-market compensation | Unreasonable costs billed to government | Compensation philosophy with market data |
| #5 Unallowable costs in billing | System does not segregate prohibited costs | Labeled accounts, point-of-entry identification |
| #6 Inconsistent cost practices | Potential cost manipulation or CAS violation | Written disclosure, annual review |
| #7 Prior/repeat findings | Contractor did not fix known problems | Corrective action plans, tested before next audit |
| #8 Hotline complaints | Credible allegation from insider | Internal reporting channel, fair workplace practices |
Frequently Asked Questions
Does every government contractor get a DCAA audit?
No. DCAA uses risk-based selection to decide which contractors to audit. Contractors with cost-type contracts, large dollar volumes, and prior audit findings receive higher priority. Fixed-price contractors with no cost-reimbursement work face lower audit probability, though pre-award surveys and floor checks still apply.
How long does a DCAA audit take?
Timelines vary by audit type. A floor check takes hours. An incurred cost audit for a small contractor takes 3 to 12 months from entrance conference to final report. Accounting system audits typically take 4 to 8 months. Contractors with organized records and responsive staff shorten these timelines. For a breakdown of each audit type, see our guide to DCAA audit types.
What is the penalty for a failed DCAA audit?
Consequences range from questioned costs (amounts DCAA recommends the contracting officer disallow) to a determination that your accounting system is inadequate. An inadequate system determination under DFARS 252.242-7006 triggers a payment withhold of up to 5% on all flexibly-priced contracts until you fix the deficiencies. In fraud cases, referral to the Department of Justice or Inspector General brings potential civil or criminal liability under the False Claims Act.
Do fixed-price contracts trigger DCAA audits?
Rarely for incurred cost audits, since the government pays a fixed price regardless of your actual costs. However, DCAA still audits fixed-price contractors in pre-award scenarios (evaluating your proposed pricing), during Truth in Negotiations Act (TINA) reviews, and through floor checks if you also hold cost-type work. A fixed-price-only contractor faces lower audit risk but is not exempt from all DCAA oversight.
What happens after a DCAA hotline complaint?
DCAA’s Office of Inspector General evaluates the complaint for credibility and jurisdiction. If the allegation falls within DCAA’s scope (cost mischarging, billing fraud, timekeeping falsification), the agency opens a targeted investigation. If fraud indicators surface during the investigation, DCAA refers the case to the Department of Justice or the contracting agency’s Inspector General. Complaints remain confidential, and the complainant receives whistleblower protections.
Key Takeaways
- DCAA audits are not random. The agency selects contractors based on risk factors spelled out in the Contract Audit Manual. Your behavior directly influences your risk classification.
- Late or inadequate ICS filings are the most avoidable trigger. File on time, pass the adequacy checklist, and you eliminate one of the highest-visibility red flags.
- Timekeeping and labor controls draw the most routine scrutiny. DCAA conducts MAARs and floor checks annually. Daily recording, supervisor approval, and correction audit trails are the baseline.
- Red flags stack. No single issue guarantees an audit, but multiple risk factors compound. A contractor with clean submissions, stable rates, and no prior findings sits in a fundamentally different risk category.
- Five of eight triggers are accounting system issues. The right system configuration and monthly discipline prevent most audit triggers from ever activating.
Reduce Your Audit Risk Profile
Every red flag on this list traces back to the same root cause: gaps in your accounting system, your documentation, or your monthly processes. Our Compliance Readiness Check identifies where those gaps sit in 30 seconds. No obligation, no sales pitch.
If you already know your system needs work before the next audit cycle, book a discovery call. We provide CPA-managed bookkeeping built specifically for government contractors who need their accounting to hold up under DCAA scrutiny.
