Tuesday, April 8, 2014

Auditor Access to Contractor Internal Audit Reporting

It's been some time since we've discussed the Government's access to contractor internal audit reports. It was a big deal about a year and a half ago during the legislative process leading up to the 2013 National Defense Authorization Act (NDAA). Ultimately, Congress did not give Government auditors unfettered access to internal audit reports. Not knowing whether this was an issue worthy of legislation, Congress asked for more information and directed DCAA to begin compiling data on requests for access to defense contractor internal audit reports. That data includes:

  • Written determination that access is necessary to complete a required evaluation of one or more contractor business systems
  • Copy of the request from DCAA to the contractor
  • A record of the response received from the contractor including its rationale if access is denied.

Once there are a couple of years of history here, Congress will look at the matter again to see if there is a reason for further legislation.

There is nothing in the law that compels a contractor to provide access to internal audit reports, though a contractor can certainly choose to do so voluntarily (and most do when there is a legitimate nexus between the audit being performed by the Government and the subject of the internal audit).

With this background, we were reading recent DCAA guidance on access to contractor internal audit reports and we came across the following (see CAM 4-202.c):

"The 2013 National Defense Authorization Act (NDAA) states that DCAA can use the internal audit reports for evaluating and testing the efficacy of contractor internal controls and the reliability of associated contractor business systems. The law not only allows the use of internal audits to assess the contractor’s business systems; it also allows the use of internal audits to understand the efficiency of the contractor’s internal control which we do as part of our risk assessment in every audit. However, it is important to remember that requests for internal audit reports will only occur when the auditor/supervisor can demonstrate how the report may support the risk assessment or audit procedures in a current, on-going audit (i.e., there must be a nexus to your current audit effort)."

One might get the impression from the foregoing that the 2013 NDAA gives DCAA the right to access internal audit reports. That would be an inaccurate impression. The guidance should state something to the effect that if a contractor chooses to provide DCAA access to its internal audit reports, the 2013 NDAA limits the use of those reports for evaluating and testing the efficacy of contractor internal controls and the reliability of associated business systems.

Contractors should know that they are still free to withhold internal audit reports from Government auditors. We don't necessarily think that's a good idea, but there could be compelling reasons for doing so. In theory, if DCAA can rely on the work performed by the contractor's internal audit staff, it will, in turn, be able to reduce the level of its own oversight. That would be a good thing for everyone.
