Pages

Tuesday, October 22, 2013

More on Electronic Record Retention

In the last two postings, we have discussed the FAR requirements for scanning your original source documents and saving them electronically and the Government's (namely DCAA's) procedures for ensuring that contractors meet those requirements. The Government's concern is primarily three-fold. Are the images accurate representations of the original, are they conveniently and readily retrievable, and are they secure.

Concerning the first point, accurate representations of the original document, the Government is worried about potential alterations somewhere along the line. In its latest audit guidance on the subject, DCAA makes the following point:
Without testing internal controls (access and storage controls) related to the contractor's imaging process, there is going to be a risk that the records to be reviewed could have been altered since the time the testing was performed. This risk is similar to the risk that the contractor has altered their hardcopy documents from the time of creation to the time of audit. Therefore, if no IT system audit has been performed to test the contractor's internal controls, the auditor must consider fraud risk indicators and other know risk factors in determining whether there is a material chance that the scanned images have been altered since the time of testing (similar to the thought process that would take place in considering the risk that hardcopy documents have been altered). Based on this determination, the auditor will need to make a decision as to whether a qualification relevant to the lack of testing access and storage controls will be necessary.
So, what will happen if the auditor finds fault in the scanning/archiving/retrieval process? In theory, the auditor won't be able to rely on the integrity of the scanned records. The auditor will then ask to review the original documents. If those are no longer available (i.e. its past one year after the scanning process), the auditor will complete the audit but "qualify" the report.

Funny thing about qualified reports. The contracting officer that receive qualified reports, absolutely don't care about qualifications. They just want to award their contract or settle some incurred costs. Qualifications might make the auditor more comfortable but qualifications have no impact on the ultimate resolution of the audit report.


No comments:

Post a Comment