Audits performed by DCAA (Defense Contract Audit Agency) and other Government auditors (e.g. GAO, Office of Inspector General, etc) must comply with GAGAS (Generally Accepted Government Auditing Standards). Those standards require the auditor to apply audit procedures to provide reasonable assurance that material unallowable costs and other material noncompliances with applicable Government laws and regulations in the contractors assertion or subject matter of audit, are detected. This requirement applies whether the auditor is evaluating a forward pricing proposal, incurred cost, adequacy of internal control systems, billings, termination settlement proposals, claims, or defective pricing.
There are three broad categories of audit procedures under GAGAS that the auditor must consider in planning and performing the audit.
1. Risk Assessment Procedures. Risk assessment procedures are performed to obtain an understanding the the contractor and its environment, including its internal controls, to assess the risk of material unallowable costs and other material noncompliances (i.e. things that might affect the propriety of costs charged to Government contracts) and to design audit procedures in response to the assessed risk. Some audits are terminated after the risk assessment phase because there is no risk to the Government. For example, if an auditor is asked to audit a price proposal but finds that a contract has already been awarded, that audit will be terminated because there is no possibility that audit results would impact the contract price.
2. Tests of the Operating Effectiveness of Relevant Controls. Tests of controls are made to obtain evidence about their operating effectiveness when the auditor plans to rely on controls for a particular area. A good system of internal controls should reduce the amount of substantive testing needed to validate the propriety of costs. This answers the question of whether auditors can rely on the contractor's system (e.g. accounting system, billing system, estimating system, purchasing system, etc.) to provide good data. At very small companies, the audit effort required to test controls is not commensurate with the risk to the Government so the auditor will minimize effort in this area and compensate by doing more work in the Substantive Procedures phase of the audit.
3. Substantive Procedures. Substantive procedures are tests of specific cost elements or other areas within the contractor's assertion performed to detect material unallowable costs and other material noncompliances with the requirements relevant to that specific cost element or area being audited. Substantive procedures are always required but the amount required depends upon the results of the risk assessment and tests of controls (Items 1 and 2, above). Substantive procedures include analytical procedures (e.g. regression or trend analysis) and tests of details (e.g. inspecting supporting documentation that demonstrates that the claimed costs comply with applicable FAR requirements or verifying proposed costs to the basis of estimate or other supporting documentation such as vendor quotes).
Although it is absolutely imperative that auditors be independent with respect to the contractor being audited, contractors can have some influence in how the audit is planned and performed. First, contractors can ensure that internal controls are in place and operating effectively. This should reduce the amount of substantive procedures necessary during the audit. Secondly, contractors can make sure that auditors fully understand risks. For example, if final indirect expense rates are significantly higher than billing rates and there is no possibility that the contracting officer will increase funding under the contract, the auditor should be made aware in the risk assessment phase of the amount of potentially unallowable costs he/she would need to find before such costs would affect amounts charged to the Government.