Defense Contract Audit Agency:
Additional Guidance Needed Regarding DCAA's Use of Companies' Internal Audit Reports
GAO-15-44: Published: Nov 12, 2014. Publicly Released: Nov 12, 2014.
What GAO Found
The Defense Contract Audit Agency (DCAA) revised its guidance in the Contract Audit Manual to address the documentation requirements mandated by section 832 of the National Defense Authorization Act (NDAA) for Fiscal Year 2013, but implementation has been inconsistent. The revisions include provisions for DCAA auditors to document (1) that access to company internal audit reports is necessary to an ongoing DCAA audit, (2) the request sent to the company, and (3) the company's response. However, based on GAO's review of selected cases, implementing the changes has been inconsistent across the agency. GAO randomly selected eight requests for companies' internal audits and compared them to the mandated requirements and DCAA instructions provided to its auditors as criteria to test whether or not the three documentation requirements had been properly recorded. None of the eight cases sampled had complete records for the three required documents. The figure below shows the results of GAO's examination of the eight requests.
Required Documentation for Eight Randomly Selected DCAA Requests to Companies for Internal Audit Reports
DCAA's revised guidance is specific about physical safeguards for companies' internal audit information. For example, the Contract Audit Manual contains extensive guidance for physically securing proprietary information and specifies that the working papers should not include a copy of the companies' internal audit reports. However, the guidance is less specific about safeguards to prevent unauthorized use of internal audit reports; that is, using the reports for purposes other than evaluating the efficacy of internal controls or the reliability of the business systems. In particular, the guidance does not define authorized use, provide examples of authorized use, or identify a specific approach for implementing safeguards. Officials stated that plans for an electronic storage system for safeguarding companies' internal audits from unauthorized use, as well as guidance for using them, are in process. The planned electronic storage capability would provide limited access rights to companies' internal audit reports and thus help ensure better tracking and limit the potential for unauthorized use.
Why GAO Did This Study
DCAA audits play a critical role in oversight of companies that provide goods and services to the Department of Defense. These defense companies also conduct their own internal audits. Section 832 of the NDAA for Fiscal Year 2013 (Pub. L. No. 112-239) required DCAA, among other things, to revise its audit guidance on documenting its requests for defense contractors' internal audit reports and ensuring the reports are used only for evaluating and testing the strength of internal audit controls.
The act required GAO to assess the revised guidance. This report assesses the extent to which DCAA's revised guidance (1) complied with the act, and whether selected requests for company internal audit reports were documented in accordance with requirements, and (2) contains safeguards to help ensure that companies' internal audit reports are used only for authorized purposes. GAO compared DCAA's revised guidance to the provisions of the act and examined a nongeneralizable, random sample of eight recent DCAA requests for companies' internal audits.
What GAO Recommends
GAO recommends that DCAA clarify its guidance and establish and monitor internal controls to help ensure that requests for company internal audits are fully documented in accordance with the act, and that the guidance defines authorized use. DCAA concurred with GAO's recommendations.
For more information, contact William T. Woods at (202) 512-4841 or firstname.lastname@example.org.
Recommendations for Executive Action
Comments: In providing comments on this report, the agency concurred with this recommendation but has not yet taken any actions necessary to implement it. However, in its response, the Defense Contract Audit Agency (DCAA) plans to review its Contract Audit Manual guidance and provide definitions that are more detailed. Additionally, DCAA will provide examples, either in a guidebook or as a best practice, to assist auditors in writing requests for internal audits that contain well-developed connections between the internal audits and DCAA's work, and to assist in determining what is considered authorized use.
Recommendation: To help improve the process for requesting company internal audit reports, the Secretary of Defense should direct the Director, DCAA, to clarify the guidance in the Contract Audit Manual to (1) further define, with examples, the specific details that should be in the requests for company internal audits including how such internal audits are specifically tied to DCAA's work and (2) provide a definition of authorized use and examples of such use.
Agency Affected: Department of Defense
Comments: In providing comments on this report, the agency concurred with this recommendation but has not yet taken any actions necessary to implement it. However, in its response, the Defense Contract Audit Agency (DCAA) plans to update the Contract Audit Manual guidance to include a specific cut-off date to ensure the consolidation of data is consistent and complete. Further, DCAA will update guidance to include procedures for ensuring all relevant major contractors are included in the report and for ensuring all required documentation exists for each item reported.
Recommendation: To help improve the process for requesting company internal audit reports, the Secretary of Defense should direct the Director, DCAA, to establish and monitor internal controls for a reporting cut-off date, identifying major contractors, and ensuring information has been reviewed for completeness and accuracy.
Agency Affected: Department of Defense