Access to Internal Audits - What's the Big Deal?

DCAA (Defense Contract Audit Agency) has, for some time, been seeking unfettered access to internal audits conducted by contractors' internal audit organizations. The Agency found an ally in the GAO (General Accountability Office) who reported that access to these internal audits would make DCAA more effective. The Senate included a provision in the 2013 National Defense Authorization Act (NDAA) that would have required contractors to grant access to their internal audits or face potential billing withholds. That provision did not survive the final bill. Instead, the NDAA passed into law only directs DCAA to request internal audits it would like to review, document the request, and document the contractor's response to the request. If the contractor denies access, there are no ramifications.

If the contractor provides access, the internal audit reports can only be used by DCAA to help evaluate the efficacy of contractor internal controls and the reliability of associated contractor business systems. Those reports cannot be used as the sole basis for determining whether contractors have sound internal control systems.

Why is this important? What is the big deal with gaining access to internal audits? It all has to do with audit efficiency. At the end of the day, an audit report provides reasonable (not absolute) assurance that a contractor's representations, be they financial statements, incurred costs, TINA (Truth in Negotiations Act) representations, are fairly presented. Auditors, not just DCAA but any audit organization or audit firm, must test the propriety of transactions. How many transactions? It depends on the level, adequacy, and compliance with internal controls.

The adequacy of contractor internal control structure is an important factor in determining audit scope. Adequate controls, sound policies, and the effective implementation of prescribed policies and procedures contribute to the reliance that the auditor can place on contractor cost representations, and permit reduction of the extent of verification which might otherwise be required.

More formalized systems, such as the accounting, estimating, and purchasing , with strong self-controls built into those systems can reduce the audit effort required to satisfy the audit objective once the system has been evaluated and determined to be adequate. Poorly defined or nonexistent systems, or those which rely on external controls only, increase the risk for cost mischarging or misallocation and could correspondingly result in an increase to the audit scope.

Additionally, the internal control structure may affect the audit scope. If there is little separation of duties and responsibilities or if the separation is not conducive to adequate internal controls, there is greater risk for costs to be mischarged or misallocated. The control environment may be such that the same management has responsibility for and control over multiple contracts and can manipulate the allocation of costs to those contracts to the Government's detriment. Also, if the internal control structure changes frequently, the audit scope must be expanded to assure that the change(s) have not adversely affected contract costs.