“He who has nothing to hide, hides nothing.” – Dr. Phil
The recent National Defense Authorization Act for FY 2013 (NDAA) has me scratching my head. As a former DCAA auditor, I can many times remember getting a little pushback from contractors on what it was that I was “allowed” to ask for.
According to the CAM guidance I received (many times), “TINA provides the Government with the right to examine contractor records to
evaluate the accuracy, completeness, and currentness of the certified cost or pricing data required to be submitted.” Part of this evaluation and examination relates to “[p]erformance of the contract or subcontract.” This sentiment is carried out in FAR 15.4 also. 
Internal audit reports are one of the tools that DCAA, historically, can use to identify “red flags” in the system – cost, performance, internal control, or any other system being reviewed. As part of DCAA’s annual requirements, internal controls are looked at (well before Sarbanes-Oxley placed such a focus on them). NDAA 832 now gives DCAA broader authority to look at these reports, but also requires more justification as to their use. The internal audit report, under the NDAA can now only be used in “evaluating and testing the efficacy of contractor internal controls and the reliability of associated contractor business systems.”
So, my fundamental question on this is why, as a contractor, would you not want to provide as much information as possible to help DCAA streamline its review? I know part of the answer is “well they wouldn’t have found out about _____ if I didn’t provide the reports.” The rebuttal being that if they find out anyway, is it potentially worse that you weren’t up front about it? Then they take a stance that is more adversarial than some auditors are from the beginning.
The one thing I know, from experience, is you do not want DCAA coming in the door to turn over EVERY stone. From DCAA’s standpoint, it is all about risk assessment. Humans are fallible – there will be mistakes. DCAA’s job is to find the big stuff. (There was a time when a motto floated around DCAA – “tick and tie, let it fly”). Guiding DCAA on the path to the big stuff ensures they don’t have to spend 3 weeks onsite digging. If you are “hiding nothing” they will feel more at ease and potentially be able to justify a reduced scope because you have “nothing to hide.” The original estimate of that audit just went from 24 hours on site to 8 hours on site.