CAM 4 - 200 - Contractor Internal and External Audits

4-201 Introduction^[1]

This section provides direction for requesting, using, and monitoring access to contractor internal and external audits.

4-202 Access to Contractor Internal and External Audits

a. The auditor's evaluation of a contractor's internal controls, pursuant to 5-100, may disclose, particularly at a major defense contractor location, that a contractor maintains a highly professional internal audit staff. In addition, the majority of larger contractors also engage an external public accounting firm to conduct an audit of their financial statements. While these internal and external auditors' final audit objectives are not the same as DCAA's, the information contained in their reports may be useful to DCAA in the course of our audits. The audit team, as part of the risk assessment, should ask contractor management if any internal audits were performed and request a summary listing of the internal audits that would assist in understanding and evaluating the efficacy of the internal controls relevant to the subject matter of the audit. If relevant internal audits are identified the auditor should follow the guidance in section c through f below when requesting internal audit reports.

b. SEC registered public companies are subject to additional certification and reporting requirements as a result of the Sarbanes-Oxley Act of 2002. These companies are required to certify to the financial and other information contained in the quarterly and annual reports filed with the SEC, and are to include with their annual filing, a report of management on the company’s internal control over financial reporting. They are also required to include with the annual report the independent auditor’s attestation report on management’s assessment of the company’s internal control over financial reporting. As a result, public companies and their independent auditors may now perform additional audit effort to support the certification and reporting requirements. Auditors should be aware of the potential for increased opportunities in reviewing these audits as part of their audit risk assessment.

c. The 2013 National Defense Authorization Act (NDAA) states that DCAA can use the internal audit reports for evaluating and testing the efficacy of contractor internal controls and the reliability of associated contractor business systems. The law not only allows the use of internal audits to assess the contractor’s business systems; it also allows the use of internal audits to understand the efficiency of the contractor’s internal control which we do as part of our risk assessment in every audit. Internal audit reports should not be used for other purposes. Requests for internal audit reports will only occur when the auditor/supervisor can demonstrate how the report may support the risk assessment or audit procedures in a current, on-going audit (i.e., there must be a nexus to your current audit effort).

d. The NDAA requires DCAA maintain appropriate documentation of requests for access to defense contractor internal audit reports. At a minimum, it requires DCAA maintain the following:

(1) Written determination that access to such reports is necessary to complete required evaluations of contractor business systems.

(2) A copy of any request from the Defense Contract Audit Agency to a contractor for access to such reports.

(3) A record of response received from the contractor, including the contractor’s rationale or justification if access to requested reports was not granted.

e. The NDAA also requires DCAA include appropriate safeguards and protections to ensure that we do not use the contractor internal audit reports for any purpose other than understanding, evaluating, and testing the efficacy of contractor internal controls and the reliability of associated contractor business systems. DCAA should handle internal audits obtained from contractors in accordance with the procedures outlined in CAM 1-507, Security Requirements for Contractor Information, as well as the additional safeguarding requirements below.

f. In order to meet the requirements of the 2013 NDAA, the following reporting requirements and safeguards over contractor internal audits are established.

(1) Contract Audit Coordinator (CAC) and Major Contractor Offices

CAC offices and FAOs at major contractor locations will establish a central point of contact (POC) and a process to obtain and monitor access to and use of internal audit reports. If a segment of a CAC has its own internal audit department, the local FAO responsible for that segment should designate its own POC. The segment POC should coordinate with the overall CAC POC to ensure no duplication of effort. The segment POC must also support any segments reporting to their segment. The semi-annual report for each CAC location should include all documentation related to that CAC; therefore, POC’s at segment locations must be sure to provide the documentation necessary to the CAC POC prior to the end of the reporting period (see g below). The process to obtain and monitor access to and use of internal audit reports will include a method for tracking requests for internal audit reports and working papers, when needed, and the contractor’s disposition of these requests. The central point of contact will:

(a) Coordinate with the contractor and obtain a semi-annual summary level listing of all internal audit reports issued. The summary document should contain sufficient descriptions to ascertain whether the internal audit may affect Government contracts.

(b) Review the summary list of internal audits and use the list in discussions with the contractor to identify internal audits that are relevant to the subject matter of the DCAA audits. If the summary is not adequate to determine which internal audits may affect Government contracts, coordinate with the contractor to obtain the necessary information.

(c) Provide the summary list to the CAC Network or the FAO’s audit teams responsible for audits of the contractor for use when inquiring about relevant internal audits during the audit entrance conference as part of the risk assessment.

(d) Send a request to the contractor for access to the internal audit reports and/or working papers considered pertinent for performing the audit and coordinate with the contractor to obtain access to the internal audit report (i.e. some contractors provide copies of the reports; others provide access to the report for the purpose of taking notes.) The request should describe the scope of the DCAA audit. It should explain why the internal audit would assist in:

1) understanding and evaluating the efficacy of the internal controls; and

2) assessing risk for the controls relevant to the audit. Additionally if the contractor provided a copy of the report to DCAA for a prior audit, the request should seek the contractor’s agreement for the point of contact to provide access to the report for the current audit.

(e) Safeguard the internal audit report or notes taken on the content of the report (see CAM 1-507 for more information on handling contractor proprietary information).

(f) Implement a process to track auditor’s requests for internal audit reports and the contractor’s response to the requests.

(g) Provide the Region a semi-annual summary of all requests for internal audit reports. The summary should be grouped by contractor and include the contractor’s response to each request, the audit assignment that required access to the internal audit report, and the usefulness of the internal report. If a CAC segment is tracking and monitoring at a local FAO, their semi-annual summary must be provided to the overall CAC POC to allow sufficient time for consolidation and submission to Headquarters by the due date discussed in (g)(2) below.

(2) Regional Offices

The Region will consolidate the POCs submissions by contractor. The consolidated Regional semi-annual reports are due to Headquarters on June 1st and December 1st (email to DCAA-PPS@dcaa.mil). The June 1st report should include information on requests still open from prior periods and new requests through April 30th. The December 1st report should include information on requests still open from prior periods and new requests through October 31st.

(3) Field Offices

The FAO audit team will:

(a) Determine if access to the internal reports is necessary (a nexus is established) to complete the evaluation of the internal controls to support the risk assessment or audit procedures related to the subject matter of the audit.

reports. The request should include information on how the internal audit report is relevant

(b) Coordinate with CAC or FAO point of contact to request access to pertinent to the DCAA audit.

(c) Review the internal audit reports and determine if sufficient information is contained in the report for use in identifying risk in audit assignments. In order for the internal audit report to be useful in audit planning, the auditor needs to understand the scope of the review, the reported deficiencies and any recommended corrective actions. If sufficient information is not included in the report, coordinate with the CAC or FAO point of contact to request access to the contractor’s audit working papers for review.

(d) Summarize and reference the contractor internal audit reports in the working papers and discuss how the audit reports affected the audit plan. Do not include the contractor internal audit report in the working papers or the local perm files.

(e) Provide follow up information to the CAC or FAO point of contact regarding usefulness of internal audit reports for his or her use in updating the semi-annual summary of internal audits request report.

should comply with the requirements of the 2013 NDAA discussed in paragraph d and the guidance in paragraph g(3)(a) through (d) above.

(5) When the contractor denies access to internal audit reports, the CAC or FAO manager will implement Access to Records procedures (1-504.5).

Related Pages

DCAA - Access to Internal and External Audit Reports

DCAA - Conditions Representing Denial of Access to Contractor Records

References

1. ↑ Defense Contract Audit Manual, October 1, 2015, sections 4-200