Concerning the first point, accurate representations of the original document, the Government is worried about potential alterations somewhere along the line. In its latest audit guidance on the subject, DCAA makes the following point:
Without testing internal controls (access and storage controls) related to the contractor's imaging process, there is going to be a risk that the records to be reviewed could have been altered since the time the testing was performed. This risk is similar to the risk that the contractor has altered their hardcopy documents from the time of creation to the time of audit. Therefore, if no IT system audit has been performed to test the contractor's internal controls, the auditor must consider fraud risk indicators and other know risk factors in determining whether there is a material chance that the scanned images have been altered since the time of testing (similar to the thought process that would take place in considering the risk that hardcopy documents have been altered). Based on this determination, the auditor will need to make a decision as to whether a qualification relevant to the lack of testing access and storage controls will be necessary.So, what will happen if the auditor finds fault in the scanning/archiving/retrieval process? In theory, the auditor won't be able to rely on the integrity of the scanned records. The auditor will then ask to review the original documents. If those are no longer available (i.e. its past one year after the scanning process), the auditor will complete the audit but "qualify" the report.
Funny thing about qualified reports. The contracting officer that receive qualified reports, absolutely don't care about qualifications. They just want to award their contract or settle some incurred costs. Qualifications might make the auditor more comfortable but qualifications have no impact on the ultimate resolution of the audit report.
No comments:
Post a Comment