Audits performed by DCAA (Defense Contract Audit Agency) and other Government auditors (e.g. GAO, Office of Inspector General, etc) must comply with GAGAS (Generally Accepted Government Auditing Standards). Those standards require the auditor to apply audit procedures to provide reasonable assurance that material unallowable costs and other material noncompliances with applicable Government laws and regulations in the contractors assertion or subject matter of audit, are detected. This requirement applies whether the auditor is evaluating a forward pricing proposal, incurred cost, adequacy of internal control systems, billings, termination settlement proposals, claims, or defective pricing.
There are three broad categories of audit procedures under GAGAS that the auditor must consider in planning and performing the audit.
1. Risk Assessment Procedures. Risk assessment procedures are performed to obtain an understanding the the contractor and its environment, including its internal controls, to assess the risk of material unallowable costs and other material noncompliances (i.e. things that might affect the propriety of costs charged to Government contracts) and to design audit procedures in response to the assessed risk. Some audits are terminated after the risk assessment phase because there is no risk to the Government. For example, if an auditor is asked to audit a price proposal but finds that a contract has already been awarded, that audit will be terminated because there is no possibility that audit results would impact the contract price.
2. Tests of the Operating Effectiveness of Relevant Controls. Tests of controls are made to obtain evidence about their operating effectiveness when the auditor plans to rely on controls for a particular area. A good system of internal controls should reduce the amount of substantive testing needed to validate the propriety of costs. This answers the question of whether auditors can rely on the contractor's system (e.g. accounting system, billing system, estimating system, purchasing system, etc.) to provide good data. At very small companies, the audit effort required to test controls is not commensurate with the risk to the Government so the auditor will minimize effort in this area and compensate by doing more work in the Substantive Procedures phase of the audit.
3. Substantive Procedures. Substantive procedures are tests of specific cost elements or other areas within the contractor's assertion performed to detect material unallowable costs and other material noncompliances with the requirements relevant to that specific cost element or area being audited. Substantive procedures are always required but the amount required depends upon the results of the risk assessment and tests of controls (Items 1 and 2, above). Substantive procedures include analytical procedures (e.g. regression or trend analysis) and tests of details (e.g. inspecting supporting documentation that demonstrates that the claimed costs comply with applicable FAR requirements or verifying proposed costs to the basis of estimate or other supporting documentation such as vendor quotes).
Although it is absolutely imperative that auditors be independent with respect to the contractor being audited, contractors can have some influence in how the audit is planned and performed. First, contractors can ensure that internal controls are in place and operating effectively. This should reduce the amount of substantive procedures necessary during the audit. Secondly, contractors can make sure that auditors fully understand risks. For example, if final indirect expense rates are significantly higher than billing rates and there is no possibility that the contracting officer will increase funding under the contract, the auditor should be made aware in the risk assessment phase of the amount of potentially unallowable costs he/she would need to find before such costs would affect amounts charged to the Government.
Showing posts with label audit standards. Show all posts
Showing posts with label audit standards. Show all posts
Friday, June 15, 2012
Thursday, January 12, 2012
GAO Revises "Yellow Book" Auditing Standards
Late last year, the U.S. Government Accountability Office (GAO) published an update to Government Auditing Standards. This version, called the "2011 Revision", replaces the 2007 Revision. Government auditors are required to adhere to these standards (usually referred to as Generally Accepted Government Auditing Standards or GAGAS) whenever they perform audits or attestation engagements. If you've ever looked at a Government audit, you would see something like the following: "This audit was performed in accordance with GAGAS..."
From a Government contractor's perspective, there should be little, if any impact from this new revision. There are some major changes involving the independence of the auditor and the audit organization to the entity under audit. The added concepts address personal, external, and organizational impairments to independence. This reminds us of an incident that happened a number of years ago. A Government contractor notified an audit agency performing audits at their plant that the auditor assigned to the engagement had a close relative employed by the contractor. The audit agency swiftly reassigned that particular auditor so as to avoid any real or perceived independence issues.
The new revision contains requirements for the audit agencies to assess whether management possesses suitable skills, knowledge, and experience for a particular audit. Sometimes it seems that auditors are in over their heads on certain audits. Often this is due to a lack of experience, training and/or supervision. The revision requires auditors to now document this determination.
Another change to the 2011 revision involves the reporting requirement for fraud. The GAO is trying to put it into perspective by restricting reports to only those occurrences that are significant within the context of the audit objectives. Evidently, the previous requirement did not allow judgment or common sense and investigative agencies were flooded with immaterial and trivial reports of "suspected" fraud.
From a Government contractor's perspective, there should be little, if any impact from this new revision. There are some major changes involving the independence of the auditor and the audit organization to the entity under audit. The added concepts address personal, external, and organizational impairments to independence. This reminds us of an incident that happened a number of years ago. A Government contractor notified an audit agency performing audits at their plant that the auditor assigned to the engagement had a close relative employed by the contractor. The audit agency swiftly reassigned that particular auditor so as to avoid any real or perceived independence issues.
The new revision contains requirements for the audit agencies to assess whether management possesses suitable skills, knowledge, and experience for a particular audit. Sometimes it seems that auditors are in over their heads on certain audits. Often this is due to a lack of experience, training and/or supervision. The revision requires auditors to now document this determination.
Another change to the 2011 revision involves the reporting requirement for fraud. The GAO is trying to put it into perspective by restricting reports to only those occurrences that are significant within the context of the audit objectives. Evidently, the previous requirement did not allow judgment or common sense and investigative agencies were flooded with immaterial and trivial reports of "suspected" fraud.
Tuesday, January 18, 2011
Contractor Notification Letters
Auditors are required by GAGAS (Generally Accepted Government Auditing Standards, aka the GAO "Yellow Book") to communicate certain information regarding their understanding of the services to be performed. This communication is to be in writing and is addressed to both the requester and the contractor to be audited. This is to occur during the planning stage of the audit, before any "field work" begins. Specifically, the GAGAS 6.07 requires the following minimum information;
A typical notification letter pertaining to an audit of a price proposal might read something like this:
- The nature, timing, and extent of planned testing and reporting
- The level of assurance the auditor will provide
- Any potential restrictions on the audit report
A typical notification letter pertaining to an audit of a price proposal might read something like this:
We received a request from the ACO at Wright Patterson AFB to examine your January 1, 2011 CPFF proposal submitted in response to Solicitation No. F1468-11-R-0001 to determine if the proposed costs are acceptable as a basis to negotiate a fair and reasonable contract price.Just to reiterate, if a Government audit organization does not provide you a notification letter, you should request one.
Our audit will include
- Gaining an understanding of the contractor's internal controls, assessing control risk, and determining the extent of audit testing needed based on the control risk assessment
- Examining, on a test basis, evidence supporting the amounts and disclosures in the proposal
- Assessing the accounting principles used and significant estimates made by the contractor
- Evaluating the overall proposal presentation
- Determining the need for technical specialist assistance
We will evaluate the proposed costs using the applicable requirements contained in the
- FAR
- Agency FAR Supplements
- CAS (if applicable
We will start our audit on or about January 15, 2011 and expect to issue the report expressing an opinion on whether the proposed costs are acceptable as a basis to negotiate a fair and reasonable contract price on approximately February 15, 2011. The audit report will be subject to the following restrictions:
- The contents of the report should not be released or disclosed, other than to those persons whose official duties require access, without the approval of the Contracting Officer
- The report will be subject to the restrictions of 18 USC 1905 which restricts the disclosure of proprietary information and if the information is contractor bid or proposal or source selection information, 41 USC 423 which restricts disclosure of contractor bid or proposal or source selection information
- If the report is on a subcontractor proposal/submission, the release of the report or specific information in the report to the higher-tier contractor will be restricted if the subcontractor objects to the release.
Wednesday, November 3, 2010
Why Auditors Do What They Do - Using Judgment
There are times, in our interactions with Government auditors, when we are left scratching our heads trying to figure out why they do some of the things that they do. When asked to explain or clarify, auditors often say that they are exercising professional judgment. Auditors typically begin an audit with a standard or pro-forma audit program. These programs are somewhat generic and the expectation is that they will add or delete audit steps based on a preliminary risk assessment. In planning and performing an audit and in reporting on the results, auditors are required by GAGAS (Generally Accepted Government Auditing Standards) to exercise professional judgment. Today we are going to look at "professional judgment".
Professional judgment includes exercising reasonable care and professional skepticism. Reasonable care concerns acting diligently in accordance with applicable professional standards and ethical principles. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of evidence. Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty.
Using the auditors' professional knowledge, skills, and experience to diligently perform, in good faith and with integrity, the gathering of information and the objective evaluation of the sufficiency and appropriateness of evidence is a critical component of audits. Professional judgment and competence are interrelated because judgments made are dependent upon the auditors' competence.
Professional judgment represents the application of the collective knowledge, skills, and experiences of all the personnel involved with an assignment, as well as the professional judgment of individual auditors. In addition to personnel directly involved in the audit, professional judgment may involve collaboration with technical experts and contracting officers.
Using professional judgment is important in determining the required level of understanding of the audit subject matter and related circumstances. This includes consideration about whether the audit team's collective experience, training, knowledge, skills, abilities, and overall understanding are sufficient to assess the risks that the subject matter under audit may contain a significant inaccuracy or could be misinterpreted.
Considering the risk level of each assignment, including the risk that they may come to an improper conclusion is another important issue. Within the context of audit risk, exercising professional judgment in determining the sufficiency and appropriateness of evidence to be used to support the findings and conclusions based on the audit objectives and any recommendations reported is an integral part of the audit process.
So, when an auditor tells you he/she is exercising professional judgment, you could ask to see the risk assessment that led to the query. But, since this is a "judgment" call, there is no easy way to refuse the request, unless it is clearly and unequivocally out of line (which happens from time to time).
Professional judgment includes exercising reasonable care and professional skepticism. Reasonable care concerns acting diligently in accordance with applicable professional standards and ethical principles. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of evidence. Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty.
Using the auditors' professional knowledge, skills, and experience to diligently perform, in good faith and with integrity, the gathering of information and the objective evaluation of the sufficiency and appropriateness of evidence is a critical component of audits. Professional judgment and competence are interrelated because judgments made are dependent upon the auditors' competence.
Professional judgment represents the application of the collective knowledge, skills, and experiences of all the personnel involved with an assignment, as well as the professional judgment of individual auditors. In addition to personnel directly involved in the audit, professional judgment may involve collaboration with technical experts and contracting officers.
Using professional judgment is important in determining the required level of understanding of the audit subject matter and related circumstances. This includes consideration about whether the audit team's collective experience, training, knowledge, skills, abilities, and overall understanding are sufficient to assess the risks that the subject matter under audit may contain a significant inaccuracy or could be misinterpreted.
Considering the risk level of each assignment, including the risk that they may come to an improper conclusion is another important issue. Within the context of audit risk, exercising professional judgment in determining the sufficiency and appropriateness of evidence to be used to support the findings and conclusions based on the audit objectives and any recommendations reported is an integral part of the audit process.
So, when an auditor tells you he/she is exercising professional judgment, you could ask to see the risk assessment that led to the query. But, since this is a "judgment" call, there is no easy way to refuse the request, unless it is clearly and unequivocally out of line (which happens from time to time).
Subscribe to:
Posts (Atom)