Based on a GAO Prompt, DCAA solidifies process to gain access of Contractor Internal Audit Reports
In December 2011, the Government Accountability Office (GAO) issued a report, whereby GAO determined “that the number of DCAA requests for internal audit reports was relatively small when compared to the number of internal audits GAO identified as relevant to defense contract oversight.” As a result, the Defense Contract Audit Agency (DCAA) will be asking, one more time, for contractors internal audit reports, as a requirement of the DCAA audit process. The DCAA recently issued Audit Guidance [Memorandum For Regional Directors DCAA, Dated August 14, 2012] providing specific direction for requesting and monitoring the requests of Contractor Internal Audit Reports. This guidance states that DCAA’s Contract Audit Coordinators and Field Audit Offices (at major contractor locations) must establish a process and a central point of contact to obtain and monitor DCAA’s access to and use of internal audits.
In the GAO report, titled “Actions needed to improve DCAA’s access to and use of Defense Company Audit Reports,” the GAO found:
- The sampled Defense company audit departments reviewed “generally adhered to Institute of Internal Auditors (IIA) standards for organizing their internal audit departments”
- Many of the Reports were pertinent to areas reviewed by the DCAA
- DCAA’s access to and use of internal audit information from reports and working papers have been limited. This is, in part, because of differing company interpretations of court decisions concerning DCAA’s access to documents. Based on GAO’s interpretation of the court decisions, the courts held that DCAA does not have unlimited power to demand access to all internal company materials, but they also held that DCAA may demand access to materials relevant to its audit responsibilities.
What does this mean to Contractors?
For companies who provide open and complete access to internal audit reports, the new DCAA guidance should have little to no impact on the company. For companies who do not provide full and complete access to internal audit reports that could arguably pertain to a DCAA audit, make ready to have to defend the company’s position once again! Clearly, DCAA management intends to hold DCAA auditors accountable for requesting internal audit reports and using the internal audits to conduct DCAA’s own audits. Also, DCAA management is planning on holding the contractor responsible for furnishing reports to the auditor, and documenting any request rejections, subjecting the contractor to potential further action, including the issuance of a possible subpoena.
Contractors that do have functioning internal audit departments should be prepared, if not already, for DCAA to review and use the company’s internal audit report, audit program and audit tests to compare to the DCAA audit program steps to identify any possible overlap.
Government contractor who do not currently have an internal audit department, should quickly review the company’s options to mitigate this potential internal control deficiency. Conducting internal audits (or management reviews) are a requirement of several Department of Defense (DoD) Federal Acquisition Regulation Supplement (DFARS) contract requirements, including the recently issued Business Systems rule. Contractors should consider implementing a DCAA review ready internal audit program or run the risk of being cited for a significant Accounting System deficiency.
As an interim, immediate solution, some contractors have outsourced the company’s internal audit Government compliance program to a qualified audit firm. Other contractors elect to open their own internal audit program in-house. Finally, others elect to do a combination of the two methods, in order to obtain immediate, compliant results, but harness in-house expertise over time. In any case, a viable internal audit program should be developed with the expectation of DCAA evaluation.
By John Stunson CPA CMA