Thursday, July 24, 2014

Independent Audits of Contractor Business Systems - Part 4

We're in the midst of a discussion on DoD's new proposal that will require contractors to perform their own self-assessments of compliance with the standards for business systems and to have a full CPA audit performed every three years on those systems. This proposed rule was published in the Federal Register on July 15th and applies to large DoD contractors. If you haven't read the previous postings, it would be a good idea to start from the beginning:
     Part 1
     Part 2
     Part 3

Yesterday we discussed the hoops that contractors will have to jump through just to get a CPA firm on board. The contractor is going to have to assess the CPA's independence, objectivity, and qualifications. Not only will the contractor have to make those assessments, but will need to be prepared to turn over its assessments for Government review. But what is to happen after that is perhaps more insidious (in a way).

What follows might seem arcane to non-CPAs but it is a big deal. When undertaking any audit, CPAs must plan out their strategy. They have to understand the objective of the audit, the criteria against which performance is to be assessed, the inherent risks associated with the audit engagement, considerations of fraud, and a step-by-step program for accomplishing the audit. These are often referred to as the planning and risk assessment phases of the audit. Often, hours associated with these activities represent a significant portion of audit engagements. These activities must be completed before field work (e.g. testing) begins.

DoD's proposed regulations will require that these preliminary documents be provided to the Government:
The Contractor shall provide the Contractor's CPA's audit strategy, risk assessment, and audit plan (program), upon completion ... to the cognizant contracting officer and Government auditor.
What is the contracting officer and Government auditor supposed to do with the CPA's audit strategy, risk assessment, and audit program? According to the proposed rule, the contracting officer must,
Upon receipt of the contractor's CPA's audit strategy, risk assessment, and audit plan (program), request a review from the Government auditor, and notify the contractor of any potential issues identified by the Government auditor regarding their reasonableness. Early notification of potential issues may decrease the likelihood of the contractor incurring unreasonable costs. However, review of the contractor's CPA's audit strategy, risk assessment, and audit plan (program) does not constitute the contracting officer's approval.
So here you have it. The Government auditor (DCAA), the same organization that cannot find the time and resources to audit contractor compliance with DoD's business systems criteria, and whose abject performance in this area led to this new regulation in the first place, is now tasked with overseeing the strategy,  risk assessment, and audit plans of the contractors' CPAs. What's more, DCAA is expected to turn around its assessment in a timely manner in order to reduce the likelihood that the CPA will become inefficient in its work. We see this as a major stumbling-block to efficient and effective execution of audits and we know of no other instances where such a requirement is imposed on the performance of audits conducted in accordance with GAGAS (Generally Accepted Government Auditing Standards).

Click here to read Part 5 in this series.

No comments:

Post a Comment