DCMA-MAN 4301-11, Volume 2, September 30, 2019
Section 4: Contract Pay Service Provider 15
b. Site Visits. The Contract Pay Service Provider Office is notified by the external auditor
of all potential site visits so DCMA may coordinate with the responsible POCs regarding dates,
space, and technology needs. The Contract Pay Service Provider Office will notify Contract
Management Offices (CMOs) of the planned visits, as well as any other planning information or
requirements that are needed. This information will be forwarded to the CMO
Commander/Director in a written memorandum or by email. The external auditors will be
accompanied on all site visits by the Contract Pay Service Provider Office and/or other
designated representative(s).
c. PBC. The Contract Pay Service Provider Office will receive any PBC requests or
equivalents from the external auditor’s SharePoint site. The Contract Pay Service Provider
Office reviews PBC requests for clarity and completeness and notifies responsible directorates to
support completing the requests. PBC responses are uploaded to the applicable FY Evidentiary
Folder on the DCMA 360 Contract Pay Service Provider Office site. Once the PBC is accepted
by the Contract Pay Service Provider Office, the PBC is moved to the applicable FY Auditor
Folder and a notification is sent to the external auditor that the PBC response was uploaded. In
order to protect sensitive information, DCMA is responsible for indicating whether each PBC
item is “releasable” versus “non-releasable.”
d. NFR. Throughout the duration of the examination, deficiencies identified may result in
the issuance of NFRs by the external auditor. Once DCMA leadership and the Contract Pay
Service Provider Office receive the draft NFRs, internal meetings are held with responsible
parties to discuss the NFRs and validate that the condition, cause, effect, and criteria are
accurately stated. DCMA management will draft general comments on the findings and address
and develop planned corrective actions to remediate the deficiencies. Official responses are
consolidated and distributed to all customers and respective auditors, and all NFR responses must
be approved by the Contract Pay Service Provider Office. During the SOC-1 examination, the
external auditor may also identify deficiencies that require management’s attention, but do not
rise to the level of an NFR. These deficiencies are called Management Letter Comments
(MLCs) and they appear in the Management Letter, which must be completed by mid-August.
The Contract Pay Service Provider Office tracks and monitors MLCs and NFRs.
e. CAP. As indicated in paragraph 4.3.d., deficiencies in any of the control activities that
affect the Contract Pay Service Provider audit readiness are formally documented in an NFR. A
CAP is created to address each deficiency identified in an NFR. Once the CAP is drafted, it must
be approved by the Contract Pay Service Provider Office or the Executive Director, FB. The
Contract Pay Service Provider Office is responsible for completing the CAP template, executing
CAP remediation, and tracking and monitoring CAP completion. CAP status updates will be
discussed during weekly Contract Pay Service Provider Office status meetings, and follow-up
meetings with the Directorates will be conducted based on these discussions, as necessary. The
status of open CAPs will be briefed at monthly DCMA FIAR ESG meetings. When all the
corrective actions identified in the CAP have been completed, the Contract Pay Service Provider
Office must verify completion before recommending the CAP be closed. The Contract Pay
Service Provider Office will verify completion by obtaining all required supporting
documentation and performing sufficient testing to ensure remediation of the deficiency. Test