The National Defense Authorization Act (NDAA) of 2013, signed into law on January 3, 2013 included a provision related to DCAA's access to contractor internal audits. The Senate version of the NDAA, which did not survive, included a provision that would have required contractors to grant access to their internal audits or face potential billing withholds. The version that was signed into law was much more benign. It does not require contractors to grant the Government access to internal audits. It requires DCAA to document requests for access to defense contractor internal audit reports. The documentation must include
- Written determination that access to such reports is necessary to complete required evaluations of contractor business systems
- A copy of any request from DCAA to a contractor for access to such reports
- A record of response received from the contractor, including the contractor's rationale or justification if access to requested reports was not granted.
The NDAA also provides that DCAA shall set up procedures to ensure that contractor internal audit reports, when and if granted, cannot be used by DCAA for any purpose other than evaluating and testing the efficacy of contractor internal controls and the reliability of associated contractor business systems.
Finally, the NDAA requires the GAO to review DCAA's documentation after a year and submit to congressional defense committees a report on the results of the review, with findings and recommendations for improving the audit process of the DCAA.
We don't see anything in this law that requires contractors to provide DCAA access to its internal audits. Its still voluntary on the contractor's part. If it were not voluntary, the original wording would have been retained and there would be no need for DCAA to document contractor rationale or justification when access was not granted.
DCAA recently issued guidance to its audit staff on access to contractor internal audit reports and made corresponding changes to its Contract Audit Manual (CAM). Most of the guidance mirrors the NDAA provisions but there is one troubling aspect to both the guidance and the revised CAM. DCAA guidance now implies that contractors must turn over their internal audits. DCAA states that "... the Law not only allows us to use the internal audits to assess the contractor's business systems; it allows us to use the internal audits to understand the efficiency of the contractor's internal controls..". What DCAA should have stated in their guidance is that there is no requirement that contractors provide copies of their audit reports but if they voluntarily decide to do so, DCAA can only use those reports in limited circumstances.