Last Friday, we wrote that the Government (namely DCAA) had formulated a new policy on requesting internal audits and associated working papers from Government contractors. We also noted, based on our experience, that contractor internal audits were not all that useful in reducing the amount of work necessary by Government auditors when evaluating the various business systems that are important for ensuring the propriety of costs charged to Government contracts.
Yesterday, we discussed the impetus behind the new policy, the GAO report that to some extent, disagreed with our experience, namely that there was a lot of useful information in internal audits that could be useful to a Government auditor. We remain unconvinced. If there was such good information in these reports, if DCAA could really use them to reduce the level of their own oversight, the Agency would have been much more aggressive over the years in obtaining them.
Today we will conclude this short series with a recap of the new policy. First of all, everyone acknowledges that DCAA cannot request unlimited access to all internal audits - there must be something there that is relevant to its audit responsibilities. The GAO found that, for the most part, DCAA didn't even know what was even out there, making it difficult to assess whether a report was or was not relevant to the audit mission. So, the first step is to set up focal points to monitor contractor internal audit activity, make requests for copies of the reports and working papers, and track these requests to ensure contractor responsiveness.
Auditors and supervisors are now required to review the listing of internal audits to determine whether any apply to their specific audit assignment. If so, the established point of contract will obtain and provide the auditor copies of the report and possibly the working papers. The auditor is to review the report and determine if sufficient information is contained in the report for use in identifying risk in audit assignments. In order to make such a determination, the auditor will need to understand the scope of the internal audit, the reported deficiencies and any recommended corrective actions. If that information is not in the report, the auditor will ask to review the working papers.
If contractors refuse to provide requested audits, the new guidance requires that the auditor elevate the denial as an "Access to Records" issue. At the conclusion of the audit, the auditor is required to provide feedback to the point of contact regarding the usefulness of the internal audit.