APPENDIX - CC Army Procurement Management Review Program

This Appendix CC describes the Army Contracting Enterprise (ACE) risk management strategy and provides procedures to be used within the Army to establish and manage Army internal control assessments conducted via the Procurement Management Review (PMR) Program. The content in this appendix is consistent with the processes described in Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management (ERM) and Internal Control, and Army Regulation (AR) 11-2, Managers Internal Control Program (MICP). The functions covered in this appendix are applicable to all FAR-based and non-FAR-based Army acquisition functions. Specific guidance relating to the method and frequency of assessment for the Government-wide Purchase Card (GPC), Army Small Business Program, Other Transactions (OTs), and financial assistance (i.e., Assistance Awards) functions are located in the applicable policy documents for those functions. For additional information on the PMR Program, please reference the Office of the Deputy Assistant Secretary of the Army (Procurement) (ODASA(P)) PMR Guidebook, located on the PMR SharePoint.

As used in this appendix—

“Answer” means a reply to a specific review question. Any “No” answer shall also include a “Deficiency” that helps to categorize why the response was “No”.

“Best Practice” means an innovative, novel, or otherwise noteworthy approach or practice used to comply with one or more internal controls.

“Checkpoint” means a moment during the corrective action process where Organizations shallprovide ODASA(P) with status updates at 90-day increments (i.e. calendar days).

“Contingency Contracting” means a military operation that is designated by the Secretary of Defense as an operation in which members of the armed forces are or may become involved in military actions, operations, or hostilities against an enemy of the United States or against an opposing military force in accordance with 10 USC 101(a)(13)(A) (see also FAR subpart 2.1). The support may be provided in a mature or immature operational environment and may be long term or short term.

“Contract Execution Review (CER)” means a contract review that can be conducted automated or manually. CER generally refers to an automated contract review (i.e. contract/order/modification) within a Review Event in the VCE-PMR Assistant application.

“Corrective Action” means the actions taken by an organization to improve the findings associated with Non-compliance. Corrective action is the activity of reacting to a process problem, improving it, and ensuring internal controls are in place to reduce the likelihood of reoccurrence.

“Corrective Action Plan (CAP)” means a report or document that provides an organization with systemic deficiencies to complete corrective action to strengthen an organization’s internal control environment for contract operations.

“Deficiency” means a categorization of why the question was answered with a “No”.

“Finding” means the explanation why a particular question was deficient to warrant taking corrective action.

“Internal Controls” or also known as “internal management controls” means the rules, procedures, techniques, and devices employed by managers to ensure that what should

occur in their daily operations does occur on a continuing basis. For the purposes of this appendix, internal controls include the policies in the FAR, DFARS, and AFARS, and the associated processes and procedures of the contracting activity’s acquisition instruction (see AFARS 5101.304-90).

“Key Internal Controls” means the internal controls that must be implemented and sustained in daily operations to ensure organizational effectiveness and compliance with legal requirements. The effectiveness of key internal controls is assessed through the PMR Program and other management review processes.

“Lesson Learned” means a noteworthy flaw in the design, implementation, or operational effectivenessof one or more internal controls.

“Toolkit” means a collection of questions that is managed for a PMR Program ManagementReview or Non-Contract Review.

“Question” means a specific review question included in a question set. For CERs, a questionwill be included in a Review based on specific question categorizations/filters (e.g. Competitive/Non-competitive, MOD type, SME Review). For SME Reviews, all questions associated with the Subject will be included. A question can have a Yes/No or Yes/No/N/A answer.

“Question Set” means a collection of questions that is managed by a PMR Administrator or Subject Matter Expert (SME) and selected for use in Review Events. The Internal Control (IC) Question Set will be the default Question Set for all Contract Execution Reviews (CERs). The IC Question Set and any supplemental Question Sets are managed by PMR System.

“Root Cause Analysis” means an administrator or Subject Matter Expert (SME) and selected for use in Review Events. The Internal Control (IC) Question Set will be the default Question Set for all Contract Execution Reviews (CERs). The IC Question Set and any supplemental Question Sets are managed by PMR System.

“Strategic Controls” means those controls that are directly linked to ACE contracting strategic objectives. The primary focus of strategic controls is on operations (i.e., cost, schedule, and performance) objectives.

“Virtual Contracting Enterprise (VCE)” means a suite of web-based contracting tools used by its employees and their customers in the performance of their daily duties acquiring supplies and services for the US Army.

“Self-Assessment” means any review other than an official PMR that internally assesses either organizational or individual compliance.

“Procurement Management Review (PMR)” means an official review that assesses the effectiveness of internal controls, key internal controls, and strategic controls to mitigate risks to the ACE strategic objectives.

“Risk” means the probable or potential adverse effects from inadequate internal controls that may result in the loss of government resources through fraud, error, or mismanagement Risk Management A series of coordinated activities to direct and control challenges or threats toachieving an organization’s goals and objectives.

“Risk Tolerance” means the acceptable level of variance in performance relative to the achievement of objectives.

In accordance with FAR 1.102(b), the ACE defines its operations, reporting, and compliance strategic objectives for contracting as follows:

(1) Operations objectives.

a. Satisfy the customer in terms of cost;

b. Satisfy the customer in terms of quality; and

c. Satisfy the customer in terms of timeliness.

(2) Reporting objective. Conduct business with openness.

(3) Compliance objectives.

a. Minimize administrative operating costs;

b. Conduct business with integrity and fairness; and

c. Fulfill public policy objectives

The ACE views internal control as a critical element for managing risk. The ACE manages risk to its strategic objectives and assesses the effectiveness of its internal controls, using Procurement Management Reviews, Peer Reviews, Independent Management Reviews, audits, training, self-assessments, and other management control activities. The use and periodic evaluation of key internal controls is an integral component of an organization’s management that provides reasonable assurance of the effectiveness and efficiency of the organization. Risk is defined as the effect of uncertainty on objectives. Risk management is a series of coordinated activities to direct and control challenges or threats to achieving an organization’s goals and objectives. Risk management on an enterprise-wide basis is an effective agency-wide approach to addressing the full spectrum of the organization’s external and internal risks by understanding the combined impact of risks across the organization, rather than addressing risks only within a single component of the organization. While agencies cannot respond to all risks related to achieving strategic objectives and performance goals, they must identify, measure, and assess risks related to mission execution. ACE risk management reflects forward-looking management decisions and balancing risks and returns so the ACE enhances its value to the taxpayer and increases its ability to achieve its strategic objectives.

Risk tolerance is the acceptable level of variance in performance relative to the achievement of objectives. The ACE will tolerate a greater level of variance in performance in achieving reporting and compliance strategic objectives relative to the achievement of operations strategic objectives. However, variation in achievement of the non-operations strategic objectives is not tolerated when it negatively impacts the achievement of operations strategic objectives. This strategic guidance is intended to promote initiative and sound business judgment by the Acquisition Team in providing the best value product or service to meet the customer’s needs.

The PMR Program is a crucial element of ACE contracting governance. Specifically, the PMR Program assesses the effectiveness of strategic controls, internal controls, and key internal controls to mitigate risks to the ACE contracting strategic objectives.

(a) The Army PMR Program will assess the effectiveness of internal controls at both the contracting activity level and on a strategic, enterprise-wide basis.

(b) The Office of the Deputy Assistant Secretary of the Army (Procurement) (ODASA(P)) is responsible for evaluating the effectiveness of strategic controls. Questions for strategic controls are designed to be qualitative in nature and to facilitate the identification of best practices and lessons learned. The ODASA(P) will conduct such assessments via ODASA(P)-led PMRs or will leverage other strategic management review processes. The effectiveness of strategic controls will be assessed via ODASA(P)-led strategic management reviews (Type 4 assessment) and the effectiveness of internal/key controls will be assessed, as required, by the ODASA(P), using Special Assistance Reviews or Assessments (Type 3 assessment. The Strategic Control Toolkit is an Excel-based document located on the PMR SharePoint and can be found within the Question Sets and Toolkits section under Manual Toolkits. The ODASA(P) may also leverage other question sets, as required, for strategic management reviews.

(c) In addition to any command-authority internal control duties, each Head of Contracting Activity (HCA) is responsible for executing the procurement authority aspects of the contracting activity’s MICP (see AR 11-2). Specifically, HCAs and Senior Contracting Officials (SCOs) shall assess the effectiveness of key internal controls (Type 2 assessment) and shall provide the results annually as part of the Summary Health Report (SHR). The Internal Control Question Set is located in the Virtual Contracting Enterprise (VCE)- PMR Assistant Module. All other PMR Question Sets and Toolkits are located on the PMR SharePoint.

(d) The PMR Program will identify elevated risks to the achievement of contracting strategic objectives and compliance with acquisition policies and procurement regulations. The key internal controls, strategic control assessments, and other PMR Program outputs will be used to identify improvements to contracting operations.

1. Assistant Secretary of the Army (Acquisition, Logistics and Technology) (ASA(ALT)) Army Acquisition Executive (AAE) and SPE

a. The ASA(ALT), as the AAE and the SPE, is responsible for all procurement and contracting functions across the Army to include, but not limited to, providing oversight of contracting functions through an enterprise wide PMR program.

2. Deputy Assistant Secretary of the Army for Procurement (DASA(P))

a. The DASA(P) serves as the DA proponent for the oversight of the execution of an Army-wide PMR program on behalf of the SPE.

3. Procurement In/Oversight Directorate (PI) (SAAL-PI)

a. SAAL-PI is responsible for the effective administration and conduct of the AFARS Appendix CC and all PMR guidance.

b. The Director of SAAL-PI, on behalf of the DASA(P), shall:

(1) Oversee the Army-wide PMR program.

(2) Advocate coordination and resolution of issues at DA or higher levels for the field.

(3) Coordinate, manage, communicate best practices, trends, and lessons learned.

(4) Monitor and maintain a repository for the resulting Corrective Action Plans (CAPs) resulting from PMRs.

(5) Prepare the ACE Annual Summary Health Report (SHR).

(6) Assign a PMR Program Lead to coordinate, manage, and oversee the Army-wide PMR program.

4. PI PMR Program Lead

a. The PIO Directorate PMR Program Lead, under the direction of the Director of SAAL-PIO, is responsible for managing all aspects of the PMR program and leading ODASA(P)-led and special assistant PMRs.

b. The PMR Program Lead shall:

(1) Oversee Army-wide execution of the PMR program.

(2) Be an advocate of the field for coordination and resolution of issues at DA or higher levels.

(3) Lead the ACE PMR Advisory Board (AB).

(4) Lead the Configuration Management Board (CMB).

(5) Provide acquisition management advice to the ACE Senior Leaders.

(6) Provide PMR guidance to HCAs, including guidance for ODASA(P) special interest reviews.

(7) Analyze and assess the effectiveness and efficiency of Army contracting programs and operations.

(8) Direct ODASA(P)-led PMRs of strategic controls or internal controls of special interest to the ODASA(P).

(9) When not serving as the PMR Team Manager/Lead, designate a PMR Team Manager/Lead.

(10) When serving as the PMR Team Manager/Lead, establish the PMR Team and execute all PMR Team Manager/Lead responsibilities, as applicable (see paragraph I).

(11) Develop, maintain, and update, as needed, a PMR volunteer list.

NOTE: Volunteer PMR team member(s) shall not be a member of the contracting office under review.

(12) Communicate best practices and lessons learned identified to the ACE.

(13) Prepare and/or coordinate completion of the ACE Annual SHR.

5. HCAs

a. The HCA executes the Army PMR program, under the direction of the DASA(P), to ensure fulfillment of HCA responsibilities for assessing the effectiveness of procurement authority key internal controls, consistent with the policies and objectives of AFARS Appendix CC.

b. The HCA shall:

(1) Designate a senior representative from their staff to serve on the PMR AB to support the successful execution of the policies of AFARS Appendix CC.

(2) The AB representative and the CMB representative shall not be the same person.

(3) Designate a senior representative from their staff to serve on the CMB to support updates and revisions of the Army PMR Toolkits and Question Sets.

(4) Provide supplemental staff support, as required, to assist with ODASA(P)-led assessments of strategic controls and ODASA(P)-directed special interest reviews.

(5) Provide the schedule of reviews for the following Fiscal Year (FY) no later than 31 August of the current FY.

(6) Conduct PMRs on contracting activities, to include subordinate commands, at least once every three years (36 months).

(7) Request, manage, and oversee the CAP in response to PMR deficiencies.

(8) Identify and communicate best practices and lessons learned, gathered from management control activities, in the Contracting Activity’s (CAs) annual SHR.

(9) Provide a SHR to the ODASA(P) no later than 31 October of the current FY-with information for the prior FY.

(10) Issue supplemental Command-level PMR guidance, including procedures for establishing additional guidance at lower/local levels, as needed.

6. Senior Contracting Official (SCO)

a. The SCO executes the PMR program, under the direction of the HCA, to ensure fulfillment of the HCA responsibilities for assessing the effectiveness of procurement-authority key internal controls, consistent with the policies and objectives of AFARS Appendix CC.

b. The SCO, as directed by the HCA, shall:

(1) Assess the effectiveness of internal/key internal controls of contracting activities, to include subordinate commands, at least once every three years (36 months).

(2) Provide the schedule of reviews no later than 31 August of the current fiscal year.

(3) Request, manage, and oversee the CAP in response to PMR deficiencies.

(4) Provide a SHR to the ODASA(P) no later than 31 October of the current FY-with information for the prior FY.

7. PMR AB Members

a. PMR AB members serve as representatives for each respective organization. The PMR AB facilitates collaboration amongst the DA’s major buying commands and the ODASA(P) by providing support and guidance for the development, implementation, standardization, and execution of the ACE PMR program.

b. PMR AB Members shall:

(1) Provide guidance for development of a standard PMR program across the ACE.

(2) Participate in, at a minimum, quarterly meetings to discuss problems, request assistance, and gather recommendations from other members.

(3) Share best practices, lessons learned, and innovative ideas across the ACE for implementation.

Note: reference PMR AB Governance for additional information.

8. PMR CMB Members

a. PMR CMB members serve as representatives for each respective organization. The CMB is tasked with providing guidance for the maintenance and development of the Army PMR Toolkits and Question Sets.

b. CMB members shall:

(1) Participate in monthly meetings and special meetings, as required.

(2) Recommend and/or review proposed changes, updates, or revisions to the PMR Question Sets and Toolkits.

(3) Communicate changes, updates, and revisions to the field offices.

(4) Relay critical information to senior leaders.

Note: reference PMR CMB Governance for additional information.

9. PMR Team Manager/Lead

a. The PMR Team Manager/Lead executes the PMR review process and is responsible for the overall PMR team management, including planning, conducting the review, and preparing or overseeing preparation of the PMR report. The PMR Team Manager/Lead is typically the same person, however local guidance may distinguish a separation of responsibility. In this instance, local guidance shall take precedence.

b. The PMR Team Manager/Lead shall:

(1) Establish the PMR Team.

(2) Develop, maintain, and update the PMR volunteer list.

(3) Confirm availability of team members for the established time of each PMR.

(4) Immediately contact replacements for those PMR team members who have schedule conflicts.

(5) Issue a 90-day notice for the PMR to the site being reviewed.

(6) Meet with senior representatives from the organization for the site being reviewed to ensure the organization understands what is expected of them and answer any questions.

(7) Coordinate the organization’s support requirements for the PMR team.

(8) NOTE: Volunteer PMR team member(s) shall not be a member of the respective contracting office under review.

(9) Notify PMR team members of assigned area(s) of responsibility.

(10) Conduct pre-PMR processes and training as required:

Introduce team members.

Provide the purpose of the PMR.

Discuss Business Rules (i.e. Ground Rules, site specific rules, and PMR team’s daily working hours, if applicable).

Provide guidance on conducting and documenting the PMR.

Ensure that reviewers are cognizant of local contracting requirements and provided access to copies of all relevant local policies and procedures.

Identify team member Subject Matter Expert (SME) capabilities.

(11) Conduct an in-brief and an out-brief with PMR team members.

(12) Facilitate regular (daily or weekly) meetings or exchanges to discuss systematic issues or new findings as the review progresses.

(13) Coordinate logistics.

(14) Request local policies & procedures from the organization. Note: guidance usually reflects dollar thresholds for review, peer reviews, pre-award reviews, and other local procedures.

(15) Provide an in-brief and an out-brief to the SCO and Senior Leadership.

(16) Adjudicate all lessons learned and best practices recommended for implementation across the ACE.

10. PMR Team Members

a. PMR team members perform assessments of assigned review elements, including participating in the planning, conducting the review, and preparing their input to the PMR report.

b. The PMR team members shall:

(1) Be technically qualified and experienced to perform PMR reviews.

(2) Have the knowledge, skills, and abilities to review assigned area, and have at least five years of hands-on experience as a Contract Specialist or Procurement Analyst.

(3) Possess the experience in contracting relevant to the subject matter being reviewed.

(4) Shall be capable of independently completing the required Question Set and/or Toolkit for the review.

(5) Conduct all assigned cabinet reviews, document reviews, interviews (when required), or other required reviews in support of the PMR.

(6) Obtain system access for the location of the PMR, if required.

(7) Participate in all virtual or in-person meetings.

(8) Document, provide, and brief findings, lessons learned, and best practices.

(9) If serving as an SME for the review team, provide subject-matter-expertise in reviewing designated functional areas or special interest review elements during the PMR review process.

(10) Assist PMR Team Manager/Lead, if requested, in reviewing PMR findings for consistency, accuracy, and completeness.

11. Organizational CAP Representative

A representative from each Organization listed on the CAP Submission and Checkpoint Form. The Organizational CAP Representative receives the CAP from the CAP POC and is responsible for submission of the CAP to the PMR PAM SharePoint/Repository via the CAP Submission and Checkpoint Form.

12. CAP Point of Contact (POC)

a. A POC from the organization under review (typically the Subordinate Organization listed on the CAP Submission and Checkpoint Form). The CAP POC receives PMR results from the PMR Team Manager/Lead, creates the CAP, obtains CAP approval from the PMR Team Manager/Lead, and sends the approved CAP to the Organizational CAP Representative.

13. Deputy Assistant Secretary of the Army for Procurement (DASA(P)). The DASA(P) is the DA proponent for the PMR Program supporting the SPE to provide oversight and evaluation of Army contracting, consistent with the enterprise risk management and internal control practices of OMB Circular A-123 and AR 11-2.

14.CC-302 Heads of Contracting Activities.

HCAs shall –

(a) Assess the effectiveness of procurement-authority key internal controls, consistent with the policies and objectives of this appendix; review contracting compliance with FAR, DFARS, AFARS, DA Policy, and Command Supplements, consistent with DA PMR objectives and DASA(P) special interest areas.

(b) Designate representatives from their staff to interface with ODASA(P) to support the successful execution of the policies of this appendix

(1) Appoint, in writing, a primary and alternate representative to the PMR Advisory Board (AB).

(2) Delegable no lower than the designated PMR AB member, appoint, in writing, a primary and alternate representative to the PMR Configuration management Board (CMB).

(3) Designated representatives cannot simultaneously hold the position of PMR AB member and CMB member.

(c) Provide supplemental staff support, as required, to conduct ODASA(P)-led assessments of strategic controls and ODASA(P)-directed special interest reviews;

(d) Identify and communicate best practices and lessons learned, gathered from management control activities, in the contracting activity’s annual SHR.

(a) At a minimum, HCAs or their SCOs will -

(1) Conduct PMRs on contracting activities, to include subordinate contracting offices, regardless of the level, at least once every three years (36 months)

(2) Provide the schedule of reviews no later than 31 August of the preceding fiscal year to the ODASA(P) Procurement Insight/ Oversight (PI) Directorate.

(b) Waivers.

(1) The DASA(P) may grant, in writing, a 12-month extension, to the 36-month time frame, on a one-time basis, when circumstances are justified.

(2) Waiver requests shall be submitted with the annual PMR schedule of reviews.

(c) The DASA(P) may require, in writing, more frequent reviews of contracting activities as deemed necessary.

(a) The PMR is a tiered program that includes the following types of assessments:

(1) Type 1: Reviews of Internal Controls (other than key internal controls) conducted by the Contracting Activity (CA) Management, as needed, using assessment methods in accordance with Command, CA, local or other applicable guidance.

(2) Type 2: Reviews of Key Internal Controls conducted by the HCAs and SCOs to Offices of the Directors of Contracting and other subordinate contracting offices, at least once every three years (36 months), using the Internal Control Question Set, and any supplemental question sets or toolkits.

(3) Type 3: Reviews of Internal/Key Internal Controls, conducted by the ODASA(P), as needed for special assistance reviews and assessments, on selected CAs and/or ACE-wide, using the applicable question set(s).

(4) Type 4: Reviews of Strategic Controls conducted by the ODASA(P), annually, using the Strategic Control Question Set for CAs across the ACE.

(b) Top-level information on review responsibility, method of assessment, frequency of assessment, and assessment instructions is provided in the table below.

*Contingency Contracting Toolkit

In conjunction with any PMR performed with continency contracting efforts/missions, the HCA shall utilize the Contingency Contracting Toolkit, located on the PMR SharePoint, to assess the key internal controls of their contingency contracting operations.

(a) For ODASA(P)-led PMRs, the ODASA(P) will notify contracting activity 90 days, or as soon as practicable, before a planned PMR. The contracting activity shall provide the following in advance: metrics, specified statistics, lists of contracts, orientation data (such as vision and mission statements and standard operating procedures), logistical support, and copies of previous review reports and previous corrective action plans. The activity may identify special areas of emphasis and assistance after being notified of a planned PMR.

(b) All other PMRs should comply with the ODASA(P) PMR Standard Operating Procedures (SOP). Commands should establish Command/local procedures to supplement the ODASA(P) PMR SOP.

(a) Reports of PMR results will contain a risk assessment, analysis of issues, commendations, observations, findings, and recommendations as appropriate. PMR report findings must be specific and include sufficient information to enable root cause analysis. PMR recommendations must be based on supported findings and be actionable.

(b) Timely PMR result reports shall be provided. At a minimum -

(1) Reviewers shall submit the initial PMR report to the reviewed activity within 30 business days of the Out-brief.

(2) The responsible official must review and approve the Corrective Action Plans (CAP) and prepare a Final PMR report within 30 business days of CAP receipt.

(c) CAPs shall be created and implemented by the contracting activity. At a minimum -

(1) The contracting activity reviewed shall submit a CAP within 30 business days of report receipt.

(2) The reviewed activity must complete corrective actions – if any – within the agreed timeframe, inform the PMR Team Lead of corrective actions taken, and request closure of the CAP.

(a) The purpose of the CAP is to strengthen internal controls by identifying and resolving organizational weaknesses and deficiencies. The CAP contains data such a s a CAP Summary, CAP with Deficiency Score, Findings, Root Cause, along with the ability to track CAP status updates.

(b) A CAP is required when the contracting activity receives an Overall PMR Risk of Non-Compliance Rating of Medium (Yellow) or High (Red). Depending on the frequency of occurrence, the contracting activity shall take corrective action for findings and deficiencies related to Severity 2 and 3 questions.

CAPs shall be created and implemented by the contracting activity. At a minimum -

The contracting activity reviewed shall submit a CAP within 30 business days of Final PMR Report receipt.

The reviewed activity must complete corrective actions – if any – within the agreed timeframe, inform the PMR Team Lead of corrective actions taken, and request closure of the CAP.

For additional information on the CAP process, please reference the ODASA(P) PMR Guidebook, section 5, and the CAP Informational Guide, located on the PMR SharePoint.

The ACE annual SHR is designed to strategically assess the ACE’s collective risk management and internal control-related activities identify systemic issues, and to effectively evaluate the extent to which risks to the ACE strategic objectives have been mitigated. The goal of the process is to develop systematic evidence in order to support decision-making, understand how well policies and programs are working, and identify or promote possible changes that improve performance.

The HCA’s annual SHR is a key input to the ACE Annual SHR. HCAs shall provide to the PI/O Directorate an annual SHR for their organization, to include copies of all PMR reports and associated analyses of subordinate contracting offices, no later than 31 October, annually.

The ODASA(P) PI/O is responsible for preparing the annual ACE SHR no later than 31 January, annually. The inputs to the ACE SHR include the respective HCA’s annual SHR; the results of ODASA(P)-led assessments of strategic controls, and feedback from other Headquarters DA-level and Office of the Secretary of Defense (OSD) stakeholders. The content will describe major management challenges faced by the ACE, assess progress against ACE strategic objectives, and identify ways to improve performance.