The purpose, means, and authority for making these queries is rooted in GAGAS (Generally Accepted Government Auditing Standards or the so-called "Yellow Book"), the DoD-IG's (Inspector General) implementing guidance on the Yellow Book, and DoD Instruction 7600.02, Audit Policies. The auditors are just trying to do their jobs in accordance with GAGAS. The DoD-IG is driving DCAA to improve documentation in this area and these new policies are simply the fallout from that oversight. From our perspective, observations, and interactions with contract auditors, there is not a higher level of mistrust or suspicions. It just seems that way because of these misguided policies.
Auditors who perform independent audits and attestation engagements of DoD organizations, programs, activities, and functions are required by DoD Instruction (DoDI 7600.02, Audit Policies, to comply with the GAGAS. This includes every audit that DCAA (Defense Contract Audit Agency) performs at Government contractors. GAGAS requires auditors when performing audits to
- identify risk factors (indicators)
- assess the risk associated with those factiors (indicators)
- design and perform appropriate steps and procedures to address the risk areas
- document the process, and
- include information on any potential fraud that might have a material impact on the audited subject matter in the report.
The auditor should design procedures to obtain reasonable assurance of detecting fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, and abuse that could materially affect the audit or examination.
The auditor must perform procedures when they find information or indicators that fraud may have occurred that could materially impact the subject matter under review. In those cases, the auditor should determine whether the fraud was likely to have occurred and, if so, determine the effect on the results of the engagement. GAGAS requires auditors to comply with any legal requirements to report known or likely fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse directly to parties outside the audited entity.
DoDI 7600.02, paragraph 6.3 establishes the requirement that auditors shall refer to the appropriate investigative organization any indications of potential fraud or other criminal acts discovered while performing auditor work.