As an illustration of DCAA's new approach, consider how the audit program steps have changed. In a typical audit, the preliminary audit steps relating to the auditor's consideration of fraud read as follows:
In planning and performing the examination, review the fraud risk indicators specific to the audit. The principal sources for the applicable fraud risk indicators are ... . Document in the working papers any identified fraud risk indicators and your response/actions to the identified risks (either individually or in combination). This should be done at the planning stage of the audit, as well as during the audit, if risk indicators are disclosed. If no risk indicators are identified, document this in the working papers.Back in our audit days, this step didn't take any time at all. We were somewhat familiar with the fraud indicators (they have been around in their current form since 1993 and in other forms before that. So, we simply initialed the workpaper indicating that we "considered" them, and moved on.
Now, DCAA's standard audit programs have been revised to include significantly more requirements pertaining to the detection of fraud. The former requirement has been replaced with the following:
Hold a planning meeting with the audit team (e.g., RAM, Manager, Supervisor, Auditors) to discuss the risk of fraud and other noncompliances with applicable laws and regulations that could have a material effect on the assertion. The discussion should include relevant prior audit experience (e.g. questioned cost, relevant reported estimating or accounting system deficiencies), relevant aspects of the contractor's environment (e.g., the extent of incentives, pressures and opportunities to commit fraud and the propensity to rationalize misstatements), other know risk factors, and the audit team's understanding of relevant internal controls. The team should also review and discuss the general and other relevant sections of the IG Handbook on Fraud Indicators for Contractors as well as the relevant fraud indicators in CAM (the DCAA Contract Audit Manual).
Based on the team discussion and other risk assessment procedures the team should document in the working papers the risk factors/indicators identified and design audit procedures to meet the audit objectives and provide reasonable assurance of detecting fraud and other noncompliances with applicable laws and regulations that could have a material effect on the proposal (GAGAS 6.13(a)).Its pretty obvious that the auditor cannot simply gloss over the step any longer. There has to be a meeting and a discussion and written documentation. This is why contractors are now seeing increased emphasis on the detection and prevention of fraud. Contractors should ask the DCAA auditor to share the results of its planning meetings.
By the way, this is not unique to Government auditing. Generally Accepted Auditing Standards (GAAS) requires the same level of consideration when it comes to financial statement auditing.