DCAA - Access to Internal and External Audit Reports

From Knowledge base
Revision as of 11:01, 12 February 2015 by Marshall (Talk | contribs)

Jump to: navigation, search

Contents

History of Providing Audit Reports to DCAA

1988

Internal Audit Reports up until December 2011 were not generally provided to DCAA. The rationale behind not providing the reports to DCAA, was that DCAA did not have the right to those documents. This rationale was based on the court decision of United States v. Newport News Shipbuilding & Dry Dock, Co., 837 F.2d 162 (4th Cir. 1988) and Newport News Shipbuilding & Dry Dock, Co., 862 F.2d 464 (4th Cir. 1988).

December 2011

On December 2011, this changed with the issuance by the Government Accountability Office (GAO) of a report, where GAO stated “that the number of DCAA requests for internal audit reports was relatively small when compared to the number of internal audits GAO identified as relevant to defense contract oversight.” As a result of this report DCAA began asking contractors for their internal audit reports.

August 2012

An August 14, 2012 DCAA issued a Policy Memorandum, and along with an updated DCAA Contract Audit Manual (DCAM), addressing DCAA's intent to get access to contractor internal audit reports. The DCAA Memorandum requires that DCAA Contract Audit Coordinator (CAC) offices and Field Audit Offices (FAO) at major contractor locations establish a process and central point of contact (POC) to obtain and monitor DCAA’s access to and use of internal audits. Additionally, adjustments have been made to the DCAM 4-202 to address the specific duties of the central POC. Of particular note, the central POC must:

  • Obtain a semi-annual summary listing of all internal audit reports issued with a sufficient description in the listing to ascertain whether the internal audit may affect Government contracts.
  • That listing will be provided to the CAC Network or the FAO’s audit teams responsible for audits of the contractor.
  • Copies of reports and/or working papers considered pertinent by the auditors will be requested and the contractor’s response to these requests will be tracked.
  • DCAA Headquarters will receive a semi-annual summary of all requests for internal audit reports, the contractor’s response to each request and the audit assignment for which access to the internal audit report was requested.

While the foregoing formal tracking requirements are mandatory only for major contractors, the Memorandum notes that internal audits for non-major contractors remain useful. DCAM notes that requests for internal audit reports for non-major contractors will be issued “when warranted.”DCAA will not only extend beyond internal audit reports but will demand work papers as well.

Contractors that refuse to provide internal audit information will be subject to DCAA’s standard procedures relating to record access issues, set forth at DCAM 1-504. DCAA may seek the records by means of a subpoena.

2013

Section 843 in the Senate version of the 2013 National Defense Authorization Act, which is still pending Senate vote, a contractor’s failure to provide access to internal audit reports can serve as a basis to determine related contractor business systems inadequate.Italic text

DCAA Guidance

  • MRD 12-PPS-019(R) - Audit Guidance on Access to Contractor Internal Audit Reports, dated August 14, 2012
  • CAM 4 - 202 Access to Contractor Internal and External Audits.

Conclusion

Whether or not Section 843 survives in the final bill, the reality for contractors is that government auditors will be routinely seeking access to internal audit reports. If Section 843 does not pass, contractors will continue to have a reasonable legal basis under the U.S. v. Newport News Shipbuilding & Dry Dock Co. case to resist DCAA demands that exceed its audit access.

Contractors should implement and/or update their practices and procedures relating to internal audits to ensure that, when auditors, or investigators request that information, that contractors have appropriatedly protected their rights, especially if the information was collected in support of a legal analysis, or under attorney-client privilege.

The report states that “by not routinely obtaining access to relevant company internal audits, DCAA auditors are hindered in their ability to effectively plan work and meet audit standards for evaluating internal controls.” This is a very broad statement, and the information needs to have relevance to a particular audit, or audits anticipated for the upcoming year.

Contractor Response Options

Contractors have four general avenues of response to this access issue. They can either:

  • 1. Provide DCAA full access to internal audit reports;
  • 2. Allow them to view selected reports but not copy or take possession of them;
  • 3. Allow them to view selected reports and copy or take possession of them or,
  • 4. Deny any and all access to internal audit reports.

, while limiting or denying access may lead to adversarial conditions and potential system disallowances and withholds. Moreover, a disclosure of internal audit reports may be required if a contractor makes a disclosure of wrongdoing under FAR 52.203-13. Before GAO issued its report, the FAR Councils had taken action that opens the door to potential demands for access to internal audit reports. In June 2011, new guidance on what constitutes an adequate incurred cost submission was added to FAR 52.216-7, Allowable Cost and Payment. The new guidance identifies a list of internal audit reports and the contractor’s internal audit plan for the current year as elements that may be required.

Therefore, it is suggested that contractors maintain a listing of internal audits performed by title and date that can be provided to DCAA. From that listing, DCAA can choose what internal audit reports it would like access. Once they have chosen specific internal audit reports, they need to document, in writing, their choice of report and what it is that they expect to obtain from reviewing the chosen report.

Only after this is done and the reasoning for access to the given report accepted, should “view only” access be provided unless the report is one that should be disclosed under FAR 52.203-13. Supporting working papers should not be provided. The contractor should guide them through the report and what it indicates, if anything, and they should not be allowed to copy or retain any part of the provided report.

From DCAA’s point of view, it should be noted that many internal audit reports are targeted at financial controls and not the internal controls for government contracting. While they intersect to some extent, they are implemented to satisfy different goals. There is also the potential that internal audit staff will not have the organizational freedom necessary to express candid opinions in their reports or to audit areas that could actually benefit from oversight.

It is anticipated that the referenced GAO report along with DoD’s acceptance of GAO recommendations will lead to increased requests of internal audit report access. Contractors should have a plan established and be ready to provide a prompt response to these requests.


Pros and Cons of Providing Internal Audit Reports

Pros

Cons

  • Full access can potentially lead to a DCAA fishing expedition related to what is seen or perceived to be seen in the internal report
  • Can provide information that is not related to their program plan, and change the audit oversight and direction of DCAA audits

while limiting or denying access may lead to adversarial conditions and potential system disallowances and withholds

Retrieved from "http://www.govcwiki.org/index.php?title=DCAA_-_Access_to_Internal_and_External_Audit_Reports&oldid=9498"