Long time readers of this blog will recall back in the 2012 and 2013 National Defense Authorization Acts (NDAAs), there was a lot of attention to whether the Government should or should not have access to contractor internal audit reports. There were provisions in early iterations of the 2012 NDAA bills that would have given the Government access to internal audit reports. Those were deleted in the final bill. In 2013, the issue came up again. Ultimately, there was no provision requiring contractors to furnish internal audit reports but there was a requirement for the Government (namely DCAA or Defense Contract Audit Agency) to document requests made to contractors for copies of those audit reports and report on contractors' responses to those requests every six months. Specifically, the 2013 NDAA required auditors to document that
- access to company internal audit reports is necessary to an ongoing DCAA audit
- a request to the contractor, and
- the contractors' responses.
In the five month period ending December 1, 2013, DCAA made 163 requests for internal audits. In April of this year, the GAO (General Accountability Office) initiated a review to determine DCAA's level of compliance with these documentation requirements. The GAO randomly selected eight of the 163 requests to determine the level of DCAA compliance with the statute. They issued their report last month.
One aspect of GAO's review, perhaps the most important point, was verifying that DCAA's requests for access to internal audit reports contained a clear connection between DCAA's work and the audit and that it included narrative justifying how obtaining the audit would benefit DCAA's work. The drafters of the legislation were justifiably concerned that DCAA would simply go on a fishing expedition and request every audit, regardless of its relevance to the internal control systems that DCAA considered necessary to protect the Government's interests. So, the NDAA included specific requirements that DCAA establish a nexus between contractors' internal audits and their own audits.
Both DCAA and company internal auditors have responsibility for assessing the quality of company internal controls. Broadly speaking, internal controls refer to management processes designed to provide reasonable assurance about a company's ability to provide reliable financial reporting, promote effective and efficient operations, and comply with applicable laws, regulations, and contract provisions. While contractor internal audit departments have a very broad scope, the internal control audits performed by DCAA are limited to those systems that impact costs charged to Government contracts, e.g. estimating systems, accounting systems, and billing systems.
The GAO found that none of the eight sampled requests for access to contractor internal audits were adequately documented. None contained a full statement of the requested report's connection to DCAA's work and two did not cite any connection. The justifications were too broadly stated such as "we determined that we should view the audit report to support our assessment of the efficacy of internal controls". This kind of broad justification, according to the GAO, did not identify which aspects of internal controls were to be particularly addressed - it did not provide a detailed explanation of how the internal report was connected to the ongoing work of evaluating internal controls or risk assessment.
Contractors that are recipients of requests for internal audits could help DCAA by insisting that the Agency properly draw a connection between the requested documents and the objectives of the internal control audit being performed. That wouldn't necessarily commit a contractor to providing the internal report but it would be useful to know whether a particular report could contribute to the DCAA audit objectives, thereby reducing the level of testing required.