Defense Contract Audit Agency:

Additional Guidance Needed Regarding DCAA's Use of Companies' Internal Audit Reports

GAO-15-44: Published: Nov 12, 2014. Publicly Released: Nov 12, 2014.

Additional Materials:

Contact:

William T. Woods
(202) 512-4841
woodsw@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Defense Contract Audit Agency (DCAA) revised its guidance in the Contract Audit Manual to address the documentation requirements mandated by section 832 of the National Defense Authorization Act (NDAA) for Fiscal Year 2013, but implementation has been inconsistent. The revisions include provisions for DCAA auditors to document (1) that access to company internal audit reports is necessary to an ongoing DCAA audit, (2) the request sent to the company, and (3) the company's response. However, based on GAO's review of selected cases, implementing the changes has been inconsistent across the agency. GAO randomly selected eight requests for companies' internal audits and compared them to the mandated requirements and DCAA instructions provided to its auditors as criteria to test whether or not the three documentation requirements had been properly recorded. None of eight cases sampled had complete records for the three required documents. The figure below shows the results of GAO's examination of the eight requests.

Required Documentation for Eight Randomly Selected DCAA Requests to Companies for Internal Audit Reports

HL_5 - v01 - 121182 - OT-01

DCAA's revised guidance is specific about physical safeguards for companies' internal audit information. For example, the Contract Audit Manual contains extensive guidance for physically securing proprietary information and specifies that the working papers should not include a copy of the companies' internal audit reports. However, the guidance is less specific about safeguards to prevent unauthorized use of internal audit reports; that is, using the reports for purposes other than evaluating the efficacy of internal controls or the reliability of the business systems. In particular, the guidance does not define authorized use, provide examples of authorized use, or identify a specific approach for implementing safeguards. Officials stated that plans for an electronic storage system for safeguarding companies' internal audits from unauthorized use are in process as well as guidance for using them. The planned electronic storage capability would provide limited access rights to companies' internal audit reports and thus help ensure better tracking and limit the potential for unauthorized use.

Why GAO Did This Study

DCAA audits play a critical role in oversight of companies that provide goods and services to the Department of Defense. These defense companies also conduct their own internal audits. Section 832 of the NDAA for Fiscal Year 2013 (Pub. L. No.112-239) required DCAA, among other things, to revise its audit guidance on documenting its requests for defense contractors' internal audit reports and ensuring the reports are used only for evaluating and testing the strength of internal audit controls.

The act required GAO to assess the revised guidance. This report assesses the extent to which DCAA's revised guidance (1) complied with the act, and whether selected requests for company internal audit reports were documented in accordance with requirements, and (2) contains safeguards to help ensure that companies' internal audit reports are used only for authorized purposes. GAO compared DCAA's revised guidance to the provisions of the act and examined a nongeneralizable, random sample of eight recent DCAA requests for companies' internal audits.

What GAO Recommends

GAO recommends that DCAA clarify its guidance and establish and monitor internal controls to help ensure that requests for company internal audits are fully documented in accordance with the act, and that the guidance defines authorized use. DCAA concurred with GAO's recommendations.

For more information, contact William T. Woods at (202) 512-4841 or woodsw@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In providing comments on this report, the agency concurred with this recommendation and on May 20, 2015 posted changes to the chapter 4 of its Contract Audit Manual(CAM). The manual was updated to provide specific details for how to request company internal audits, including how such company internal audits are specifically tied to DCAA?s work, and a definition of authorized use and examples of such use.

    Recommendation: To help improve the process for requesting company internal audit reports, the Secretary of Defense should direct the Director, DCAA, to clarify the guidance in the Contract Audit Manual to (1) further define, with examples, the specific details that should be in the requests for company internal audits including how such internal audits are specifically tied to DCAA's work and (2) provide a definition of authorized use and examples of such use.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: In providing comments on this report, the agency concurred with this recommendation and updated chapter 4 of its Contract Audit Manual May 20, 2015 to establish internal controls. The updated policy created bi-annual reporting with cut off dates for data submittal that monitors the access to and use of company internal audit reports by DCAA's Contact Audit Coordinators (CACs) and Field Audit Offices(FAOs) residing at major contractors. In addition, DCAA conducted training in November 2015 prior to the June, 2016 reporting, to discuss populating the established access to company internal reports worksheets, and the need to ensure completeness and accuracy of the data (includes all major contractors). As part of its monitoring efforts, additional training was provided after the reporting period in June to address concerns with the data that was submitted.

    Recommendation: To help improve the process for requesting company internal audit reports, the Secretary of Defense should direct the Director, DCAA, to establish and monitor internal controls for a reporting cut-off date, identifying major contractors, and ensuring information has been reviewed for completeness and accuracy.

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Sep 20, 2016

Sep 6, 2016

Aug 19, 2016

Aug 12, 2016

Jul 29, 2016

Jul 28, 2016

Jul 13, 2016

Jul 11, 2016

Jun 13, 2016

Looking for more? Browse all our products here