This is the accessible text file for GAO report number GAO-09-468 
entitled 'DCAA Audits: Widespread Problems with Audit Quality Require 
Significant Reform' which was released on September 23, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Committee on Homeland Security and Governmental Affairs, 
U.S. Senate: 

United States Government Accountability Office: 
GAO: 

September 2009: 

DCAA Audits: 

Widespread Problems with Audit Quality Require Significant Reform: 

GAO-09-468: 

GAO Highlights: 

Highlights of GAO-09-468, a report to the Committee on Homeland 
Security and Governmental Affairs, U.S. Senate. 

Why GAO Did This Study: 

The Defense Contract Audit Agency (DCAA) under the Department of 
Defense (DOD) Comptroller plays a critical role in contractor oversight 
by providing auditing, accounting, and financial advisory services in 
connection with DOD and other federal agency contracts and 
subcontracts. Last year, GAO found numerous problems with DCAA audit 
quality at three locations in California, including the failure to meet 
professional auditing standards. This report addresses audit quality 
issues at DCAA offices nationwide. GAO was asked to (1) conduct a broad 
assessment of DCAA’s management environment and audit quality assurance 
structure, (2) evaluate DCAA actions to date to correct previously 
identified problems, and (3) identify potential legislative and other 
actions for improving DCAA effectiveness and independence. To achieve 
these objectives, GAO analyzed DCAA’s mission, strategic plan, audit 
policies, and quality assurance program; conducted interviews; reviewed 
selected audits at DCAA offices; and analyzed legislative and other 
actions. 

What GAO Found: 

GAO found audit quality problems at DCAA offices nationwide, including 
compromise of auditor independence, insufficient audit testing, and 
inadequate planning and supervision. GAO’s conclusions stem from a 
review of 69 audit assignments supporting contract award and 
administrative decisions; an assessment of DCAA’s audit quality 
assurance structure, which found similar audit quality problems but 
gave satisfactory ratings to deficient audits; and DCAA’s rescission of 
80 problem audit reports. The rescinded audits supported decisions on 
pricing and contract awards and impacted the planning and reliability 
of hundreds of other DCAA audits, representing billions of dollars in 
DOD expenditures. GAO findings include the following. 

Table: Selected Details of Audits GAO Reviewed: 

Contractor: Research and development grantee; Audit: Billing system; 
Significant case study issues: 
* DCAA auditors spent 530 hours to support an audit of a nonexistent 
billing system and reported adequate system controls. 
* Instead, DCAA should have relied on the Single Audit Act report on 
the grantee’s cash management system. DCAA agrees. 

Contractor: Combat systems; 
Audit: Billing system; 
Significant case study issues: 
* This was a new system and therefore high risk, but auditors deleted 
key audit steps related to contractor policies and internal controls 
over progress payments without explanation. 
* One auditor told GAO he did not perform detailed tests because “the 
contractor would not appreciate it.” 
* DCAA allowed the contractor 7 months to address 6 significant 
deficiencies, dropping 2 and downgrading the other 4.
* DCAA rescinded this audit report following GAO’s review. 

Contractor: Iraq reconstruction; 
Audit: Accounting system; 
Significant case study issues: 
* Contractor objected to draft report, which included 8 significant 
deficiencies in the accounting system.
* Auditors dropped 5 significant deficiencies and downgraded 3 others 
to suggestions to improve without performing new work.
* Supervisory auditors directed audit staff to delete some audit 
documents, generate others, and in one case, copy the signature of a 
prior supervisor onto new documents making it appear that the prior 
supervisor had approved a revised risk assessment.
* Supervisory auditor who approved altered documents was later promoted 
to western region quality assurance manager, where he served as quality 
control check over thousands of audits. 

Source: GAO. 

[End of table] 

GAO found DCAA’s management environment and quality assurance structure 
were based on a production-oriented mission that put DCAA in the role 
of facilitating DOD contracting without also protecting the public 
interest. DCAA has taken several positive steps. However, DOD and DCAA 
have not yet addressed fundamental weaknesses in DCAA’s mission, 
strategic plan, metrics, audit approach, and human capital practices 
that had a detrimental effect on audit quality. 

To improve DCAA oversight, the DOD Comptroller requested Defense 
Business Board and “tiger team” reviews and established a DCAA 
Oversight Committee. In addition, in the short-term, Congress could 
provide DCAA with certain legislative protections and authorities 
similar to those available to IGs. In the longer term, Congress may 
wish to consider organizational changes to elevate DCAA to a component 
agency reporting to the Deputy Secretary or to establish an independent 
governmentwide contract audit agency. 

What GAO Recommends: 

GAO makes 17 recommendations to DOD and the DOD Inspector General (IG) 
to improve DCAA’s management environment, audit quality, and oversight. 
GAO also discusses matters that Congress should consider to enhance the 
effectiveness and independence of DCAA contract audits. DOD and DOD IG 
generally agreed with GAO’s recommendations, concurring with all but 
two. 

View [hyperlink, http://www.gao.gov/products/GAO-09-468] or key 
components. For more information, contact Gregory Kutz at (202) 512-
6722 or kutzg@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Nationwide Audit Quality Problems Are Rooted in DCAA's Poor Management 
Environment: 

DCAA Has Made Progress, but Correcting Fundamental Problems in Agency 
Culture That Have Impacted Audit Quality Will Require Sustained 
Leadership: 

Legislative and Other Actions To Improve DCAA's Effectiveness and 
Independence: 

Conclusions: 

Recommendations for Executive Action: 

Matters for Congressional Consideration: 

Agency Comments and Our Evaluation: 

Appendix I: Internal Control System Audits Did Not Meet Professional 
Standards: 

Appendix II: DCAA Does Not Perform Sufficient Work to Identify and 
Collect Contractor Overpayments: 

Appendix III: Objectives, Scope, and Methodology: 

Appendix IV: Comments from the Department of Defense: 

Appendix V: Comments from the Department of Defense Inspector General: 

Tables: 

Table 1: Examples of DCAA Audit and Nonaudit Services: 

Table 2: Summary of Five Selected Internal Control Audits: 

Table 3: Summary of Five Selected Cost-Related Assignments: 

Table 4: Summary of Selected DCAA Audit Quality Review Results: 

Table 5: GAGAS Noncompliance on 37 Selected Audits of Contractor 
Controls: 

Table 6: Case Studies of Problem DCAA Cost-Related Assignments: 

Table 7: Summary of DCAA Audits Reviewed for GAGAS Compliance: 

Table 8: Summary of DCAA Cost-Related Assignments Reviewed: 

Figures: 

Figure 1: DCAA Opinions on Contractor Internal Control Systems Audits: 

Figure 2: Comparison of DOD Contract Obligations and DCAA Workforce for 
Fiscal Years 2002 through 2008: 

Figure 3: DCAA Questioned Costs and Amounts Sustained by Contracting 
Officers: 

Abbreviations: 

AICPA: American Institute of Certified Public Accountants: 

AT: AICPA Statements on Attestation Standards: 

AT&L: Acquisition, Technology, and Logistics: 

APO: Audit Policy and Oversight (a Defense Inspector General 
organization): 

AU: AICPA Statements on Auditing Standards: 

CAS: Cost Accounting Standards: 

CAM: Contract Audit Manual, also referred to as the DCAA Contract Audit 
Manual, or DCAM: 

CFO: Chief Financial Officer: 

COSO: Committee on Sponsoring Organizations: 

DBB: Defense Business Board: 

DCAA: Defense Contract Audit Agency: 

DCAM: DCAA Contract Audit Manual: 

DCMA: Defense Contract Management Agency: 

DFARS: Defense Federal Acquisition Regulation Supplement: 

DFAS: Defense Finance and Accounting Service: 

DFMR: Defense Financial Management Regulation: 

DOD: Department of Defense: 

DPAP: Director of Defense Procurement Policy: 

FAO: field audit office: 

FAR: Federal Acquisition Regulation: 

FLA: Financial Liaison Advisor: 

FMR: Financial Management Regulation, also referred to as the Defense 
Financial Management Regulation, or DFMR: 

GAGAS: generally accepted government auditing standards: 

GAS: Government Auditing Standards: 

GPRA: Government Performance and Results Act: 

GS: General Schedule: 

IG: Inspector General: 

IGDH: Inspector General, Defense Handbook: 

OIG: Office of Inspector General: 

PCIE: President's Council on Integrity and Efficiency, renamed the 
Council of the Inspectors General on Integrity and Efficiency: 

SAS: AICPA Statements on Auditing Standards: 

SES: Senior Executive Service: 

SIGIR: Special Inspector General for Iraq Reconstruction: 

SSAE: AICPA Statements on Standards for Attestation Engagements: 

USC: United States Code: 

USD: Under Secretary of Defense: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

September 23, 2009: 

The Honorable Joseph I. Lieberman: 
Chairman: 
The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs:
United States Senate: 

The Honorable Claire C. McCaskill: 
Chairman: 
Subcommittee on Contracting Oversight: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

This report addresses audit quality problems and independence issues at 
the Defense Contract Audit Agency (DCAA). In a September 2008 hearing 
before the Committee, we testified[Footnote 1] that DCAA failed to meet 
professional audit standards at three locations in California. 
Specifically, we found that the audit documentation for 14 selected 
audits at two locations did not support reported opinions, that DCAA 
supervisors dropped findings and changed audit opinions without 
adequate audit evidence for their changes, and that sufficient audit 
work was not performed to support audit opinions and conclusions. 
Further, we found that contractor officials and the Department of 
Defense (DOD) contracting community improperly influenced the audit 
scope, conclusions, and opinions of several audits, including forward 
pricing audits at a third location--a serious independence issue. 
During our investigation, DCAA managers took actions against their 
staff at two locations that served to intimidate auditors and create an 
abusive work environment. For example, we learned of verbal 
admonishments, reassignments, and threats of disciplinary action 
against auditors who spoke with or contacted our investigators, DOD 
investigators, or DOD contracting officials. 

At the time of the September 2008 hearing, we were conducting a broad 
assessment of DCAA's management environment and audit quality assurance 
structure at DCAA offices nationwide. Given the evidence presented at 
this hearing, you requested that we expand our ongoing assessment. This 
report therefore presents (1) an assessment of DCAA's management 
environment and quality assurance structure; (2) an analysis of DCAA's 
corrective actions in response to our July 2008 report,[Footnote 2] the 
Under Secretary of Defense (Comptroller/Chief Financial Officer) 
[Footnote 3] "tiger team" review,[Footnote 4] and the Defense Business 
Board study;[Footnote 5] and (3) potential legislative and other 
actions that could improve DCAA's effectiveness and independence. 

To assess DCAA's overall management environment and quality assurance 
structure, we analyzed DCAA's mission statement and strategic plan, 
performance metrics, policies and audit guidance, and system of quality 
control. We also reviewed audit documentation for selected audits at 
certain field audit offices (FAO) in each of DCAA's five regions for 
compliance with generally accepted government auditing standards 
(GAGAS)[Footnote 6] and other applicable standards. We selected 37 
audits of contractor internal control systems performed by seven 
geographically disperse DCAA field offices within the five DCAA regions 
during fiscal years 2004 through 2006.[Footnote 7] These were the most 
recently completed fiscal years at the time we initiated our audit. Our 
approach focused on DCAA offices that reported predominately adequate, 
or "clean," opinions on audits of contractor internal controls over 
cost accounting, billing, and cost estimating systems issued in fiscal 
years 2005 and 2006.[Footnote 8] We selected DCAA offices that report 
predominately adequate opinions on contractor systems and related 
internal controls because contracting officers rely on these opinions 
for three or more years to make decisions on pricing and contract 
awards, and payment. For example, audits of estimating system controls 
support negotiation of fair and reasonable prices.[Footnote 9] Also, 
the FAR requires contractors to have an adequate accounting system 
prior to award of a cost-reimbursable or other flexibly priced 
contract.[Footnote 10] Billing system internal control audit results 
support decisions to authorize contractors to submit invoices directly 
to DOD and other federal agency disbursing offices for payment without 
government review.[Footnote 11] In addition, DCAA uses the results of 
internal control audits to assess risk and plan the nature, extent, and 
timing of tests for other contractor audits and other assignments. When 
a contractor has received an adequate opinion on its systems and 
related controls, DCAA would assess the risk for subsequent internal 
control and cost-related audits as low and would perform less testing 
on these audits. Although our selection of the seven offices and 37 
internal control audits was not statistical, it represented about 9 
percent of the total 76 DCAA offices that issued audit reports on 
contractor internal controls and nearly 18 percent of the 40 offices 
that issued 8 or more reports on contractor internal controls during 
fiscal year 2006. Of the 37 internal control audits we reviewed, 32 
reports were issued with adequate opinions and 5 reports were issued 
with inadequate-in-part opinions. 

At the same seven DCAA field offices, we selected an additional 32 paid 
voucher, overpayment, request for equitable adjustment, and incurred 
cost assignments that were completed during fiscal years 2004 through 
2006 for review of supporting documentation to determine whether DCAA 
auditors were identifying and reporting contractor overpayments and 
billing errors.[Footnote 12] In total, we reviewed 69 DCAA audits and 
cost-related assignments.[Footnote 13] To address our second objective, 
we assessed the status and analyzed several key actions that DCAA 
initiated as a result of our earlier investigation, including changes 
in performance metrics and policy and procedural guidance, as well as 
DCAA efforts in response to DOD Comptroller/CFO and Defense Business 
Board[Footnote 14] recommendations. To achieve our third objective to 
identify potential legislative and other actions that could improve 
DCAA's effectiveness and independence, we considered DCAA's current 
role and responsibilities; the framework of statutory authority for 
auditor independence in the Inspector General Act of 1978, as 
amended;[Footnote 15] best practices of leading organizations that have 
made cultural and organizational transformations; our past work on DCAA 
organizational alternatives; GAGAS criteria for auditor integrity, 
objectivity, and independence; and GAO's Standards for Internal Control 
In the Federal Government[Footnote 16] on managerial leadership and 
oversight. 

Throughout our audit, we met with the DCAA Director and DCAA 
headquarters policy, quality assurance, and operations officials and 
DCAA region and FAO managers, supervisors, and auditors. We also met 
with DOD Office of Inspector General (OIG) auditors responsible for 
DCAA audit oversight and DOD OIG hotline office staff. We conducted 
this performance audit from August 2006 through December 2007, at which 
time we suspended this work to complete our investigation of hotline 
complaints regarding audits performed at three DCAA field offices. We 
resumed our work on this audit in October 2008 and performed additional 
work through mid-September 2009 to evaluate DCAA's quality assurance 
program during fiscal years 2007 and 2008, assess DCAA corrective 
actions on identified audit quality weaknesses, and consider 
legislative and organizational placement options. During our assessment 
of DCAA corrective actions and analysis of legislative and 
organizational placement options for DCAA, we met with the former DOD 
Comptroller/CFO to discuss plans for Office of Comptroller/CFO and 
Defense Business Board reviews, and we continued to meet with and 
obtain information from the new DOD Comptroller/CFO and his staff. We 
also met with Comptroller's new DCAA Oversight Committee, which 
includes the Auditors General of the Army, the Navy, and the Air Force; 
the DOD Director of Defense Procurement and Acquisition Policy; and the 
DOD Deputy General Counsel for Acquisition. We obtained DOD and DOD OIG 
comments on a draft of this report. DOD and DOD IG comments are 
summarized in the Agency Comments and Our Evaluation section of this 
report. DOD comments are reprinted in appendix IV and DOD OIG comments 
are reprinted in appendix V. We conducted our audit in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for findings and conclusions based 
on our audit objectives. We performed our investigative procedures in 
accordance with quality standards set forth by the Council of the 
Inspectors General on Integrity and Efficiency (formerly the 
President's Council on Integrity and Efficiency). A detailed discussion 
of our objectives, scope, and methodology is included in appendix III. 

Background: 

DOD contract management continues to be a high-risk area for the 
government.[Footnote 17] With hundreds of billions of taxpayer dollars 
at stake, strong controls are needed to provide reasonable assurance 
that contract funds are not lost to fraud, waste, abuse, and 
mismanagement. Downsizing of contract administration personnel during 
the 1990s coupled with increased contract spending since 2000 have 
exacerbated the risks associated with DOD contract management. Our work 
continues to identify significant problems with federal agency contract 
payments[Footnote 18] and contract management.[Footnote 19] 

DCAA is charged with a critical role in DOD contractor oversight by 
providing auditing, accounting, and financial advisory services in 
connection with the negotiation, administration, and settlement of 
contracts and subcontracts. DCAA also performs contract audit services 
and payment reviews for other federal agencies, as requested, on a fee- 
for-service basis. DCAA contract audit services are intended to be a 
key control to help assure that prices paid by the government for 
needed goods and services are fair and reasonable and that contractors 
are charging the government in accordance with applicable laws, 
regulations (e.g., Federal Acquisition Regulation (FAR) and Defense 
Federal Acquisition Supplement (DFARS), standards (e.g., Cost 
Accounting Standards (CAS)), and contract terms. 

DCAA is headed by a director who reports to the Under Secretary of 
Defense (Comptroller/CFO). DCAA's placement provides the DOD 
Comptroller/CFO with access to financial information on defense 
contracts and allows the Comptroller/CFO to make this information 
available to the Secretary and Deputy Secretary of Defense. In 
addition, it permits the Comptroller/CFO to elevate policy issues 
concerning the scope of DCAA's authority and level of resources. The 
DCAA Director is responsible for day-to-day management of DCAA, 
development of strategic plans, audit guidance and procedures, and the 
quality of DCAA's audit services. DCAA's Contract Audit Manual 
(CAM)[Footnote 20] prescribes the standards, policies, and techniques 
to be followed by DCAA personnel in conducting contract audits. DCAA 
emphasizes and supplements CAM guidance through policy memorandums and 
other written notices, as well as through training and oral 
communications. 

The IG Act gives the DOD IG broad responsibilities to provide policy 
direction for and to conduct, supervise, and coordinate audits and 
investigations in DOD and in contractor operations, if warranted. DOD 
IG duties pertaining to DCAA include (1) providing policy direction for 
all DOD audits; (2) investigating fraud, waste, and abuse uncovered as 
a result of audits; (3) monitoring and evaluating adherence by all DOD 
auditors to audit policies, procedures, and standards; and (4) 
requesting assistance as needed from other auditors in DOD. As part of 
its audit policy and oversight responsibilities, the DOD IG reviews 
DCAA's system of audit quality control on a 3-year basis that is 
intended to meet the requirements under GAGAS for a peer review. 

DCAA History and Organizational Structure: 

Audits of military contracts can be traced back to at least the World 
War I era. Initially, the various branches of the military had their 
own contract audit function and associated instructions and accounting 
rulings. Contractors and government personnel recognized the need for 
consistency in both contract administration and audit. The Navy and the 
Army Air Corps made the first attempt to perform joint audits in 1939. 
By December 1942, the Navy, the Army Air Corps, and the Ordnance 
Department had established audit coordination committees for selected 
areas where plants were producing different items under contracts for 
more than one service. On June 18, 1952, the three military services 
jointly issued a contract audit manual that later became the DCAA CAM. 

In May 1962, Secretary of Defense Robert S. McNamara instituted 
"Project 60" to examine the feasibility of centrally managing the field 
activities concerned with contract administration and audit.[Footnote 
21] An outcome of this study was the decision to establish a single 
contract audit capability within DOD and DCAA was established on June 
8, 1965.[Footnote 22] At that time, DCAA's mission to perform all 
necessary contract audits for DOD and provide accounting and financial 
advisory services regarding contracts and subcontracts to all DOD 
components responsible for procurement and contract administration was 
established. The former Deputy Comptroller of the Air Force was 
selected as the DCAA Director and the former Director of Contract Audit 
for the Navy, was selected as the Deputy Director. DCAA was placed 
under management control of the Under Secretary of Defense 
(Comptroller), where it remains today. 

DCAA consists of a headquarters office at Fort Belvoir, Virginia, and 
six major organizational components--a field detachment office, which 
handles audits of classified contracting activity, and five regional 
offices within the United States. The regional offices manage field 
audit offices (FAO), which are identified as branch offices, resident 
offices, or suboffices. Resident offices are located at larger 
contractor facilities in order to facilitate DCAA audit work. In 
addition, regional office directors can establish suboffices as 
extensions of FAOs to provide contract audit services more 
economically. A suboffice depends on its parent FAO for release of 
audit reports and other administrative support. In total, there are 
more than 300 FAOs and suboffices throughout the United States and 
overseas. During fiscal year 2008, DCAA employed about 3,600 auditors 
at more than 300 FAOs throughout the United States, Europe, the Middle 
East, and in the Pacific to perform audits and provide nonaudit 
services in support of contract negotiations related to approximately 
10,000 contractors. 

DCAA Audit and Nonaudit Services: 

DCAA's mission encompasses both audit and nonaudit services in support 
of DOD contracting and contract payment functions. FAR subpart 42.1, 
"Contract Audit Services," and DOD Directive 5105.36, Defense Contract 
Audit Agency (DCAA), establish DCAA as the department's contract audit 
agency[Footnote 23] and set forth DCAA's responsibilities. 

FAR 42.101 prescribes contract audit responsibilities as submitting 
information and advice to the requesting activity, based on the 
analysis of contractor financial and accounting records or other 
related data as to the acceptability of the contractors' incurred and 
estimated costs; reviewing the financial and accounting aspects of 
contractor cost control systems; and, performing other analyses and 
reviews that require access to contractor financial and accounting 
records supporting proposed and incurred costs. DOD Directive 5150.36 
lists several responsibilities and functions that shall be performed by 
the DCAA Director,[Footnote 24] including: 

* "Assist in achieving the objective of prudent contracting by 
providing DOD officials responsible for procurement and contract 
administration[Footnote 25] with financial information and advice on 
proposed or existing contracts and contractors, as appropriate." 

* "Audit, examine, and/or review contractors' and subcontractors' 
accounts, records, documents, and other evidence; systems of internal 
control; [and] accounting, costing, and general business practices and 
procedures; to the extent and in whatever manner is considered 
necessary to permit proper performance of other functions …." These 
other functions cover contract audit and nonaudit services. In 
addition, the Directive states that the DCAA Director shall perform 
such other functions as may be assigned by the Secretary and Deputy 
Secretary of Defense or the Under Secretary of Defense (Comptroller/ 
CFO). 

* "Approve, suspend, or disapprove costs on reimbursement vouchers 
received directly from contractors, under cost-type contracts, 
transmitting the vouchers to the cognizant Disbursing Officer." 

DCAA uses the term audit to refer to a variety of evaluations of 
various types of data.[Footnote 26] In fiscal year 2008, DCAA reported 
that over 97 percent of its service work hours were spent on audits, 
meaning that DCAA has opted to provide nearly all of its services to 
the contracting and finance communities under applicable auditing 
standards, as discussed below. Table 1 lists several audit and nonaudit 
services provided by DCAA during the three phases of the contracting 
process--pre-award, contract administration, and close-out--and cites 
the statutory and regulatory provisions that authorize or establish the 
need to have DCAA perform the service. DCAA audits also support the 
contract payment process both directly and indirectly. For example, 
audits of contractor incurred cost claims and voucher reviews directly 
support the contract payment process by providing the information 
necessary to certify payment of claimed costs. [Footnote 27] Other 
audits of contractor systems, including audits of contractor internal 
controls, CAS compliance, and defective pricing, indirectly support the 
payment process by providing assurance about contractor controls over 
cost accounting, cost estimating, purchases, and billings that the 
agency may rely upon when making contract decisions, such as 
determinations of reasonable and fair prices on negotiated contracts. 
For example, an accounting system deemed to be adequate by a DCAA audit 
permits progress payments based on costs to be made without further 
audit.[Footnote 28] 

Table 1: Examples of DCAA Audit and Nonaudit Services: 

Pre-award phase: 

Contract phase and assignment: Accounting system[A]; 
Audit and Nonaudit services: Audit: DCAA determines adequacy of the 
contractor's accounting system prior to award of a cost-reimbursable or 
other flexibly priced contract. FAR § 16.301-3(a)(1); 
Contracting support: [Check]; 
Payment support: Direct: [Empty]; 
Payment support: Indirect: [Check]. 

Contract phase and assignment: Contractor accounting disclosure 
statements; 
Audit and Nonaudit services: Audit: DCAA reviews the contractor's 
Disclosure Statement for adequacy and CAS compliance and determines 
whether the contractor's Disclosure Statement is current, accurate, and 
complete. DCAA also reviews Disclosure Statements during the post award 
phase if contractors revise them. FAR §§ 30.202-6(c), 30.202-7 and 
30.601(c); 
Contracting support: [Check]; 
Payment support: Direct: [Empty]; 
Payment support: Indirect: [Check]. 

Contract phase and assignment: Estimating system [A]; 
Audit and Nonaudit services: Audit: DCAA determines adequacy of 
contractor estimating systems. FAR § 15.407-5 and DFARS § 252.215-
7002(d),(e); 
Contracting support: [Check]; 
Payment support: Direct: [Empty]; 
Payment support: Indirect: [Check]. 

Contract phase and assignment: Contract price proposals and forward 
pricing proposals[B]; 
Audit and Nonaudit services: Audit: DCAA examines contractor records to 
ensure that cost or pricing data is accurate, current, and complete and 
supports the determination of fair and reasonable prices. 10 U.S.C. §§ 
2306a and 2313 (DOD) and 41 U.S.C. § 254d (other agencies); FAR Subpart 
15.4 (esp. FAR § 15.404-2(c)) and § 52.215-2(c); and DFARS § 215.404-1; 
Contracting support: [Check]; 
Payment support: Direct: [Empty]; 
Payment support: Indirect: [Check]. 

Contract phase and assignment: Financial liaison advisory services[B]; 
Audit and Nonaudit services: Nonaudit: DCAA Director establishes and 
maintains liaison auditors and financial advisors, as appropriate, at 
major procuring and contract administration offices. These services are 
also provided during the post-award phase, as needed. DODD 5105.36, 
paras. 7.1.1 and 5.9; 
Contracting support: [Check]; 
Payment support: Direct: [Empty]; 
Payment support: Indirect: [Check]. 

Post award/administration phase: 

Contract phase and assignment: Internal control system audits 
(generally); 
Audit and Nonaudit services: Audit: DCAA reviews the financial and 
accounting aspects of the contractor's cost control systems, including 
the contractor's internal control systems. FAR § 42.101(a)(3) and DFARS 
§ 242.7501; 
Contracting support: [Check]; 
Payment support: Direct: [Empty]; 
Payment support: Indirect: [Check]. 

Contract phase and assignment: Billing system audits[A]; 
DCAA reviews the financial and Audit: DCAA determines adequacy of 
contractors' billing system controls and reviews accuracy of paid 
vouchers. DCAA uses audit results to support approval of contractors to 
participate in the direct-bill program. FAR § 42.101 and DFARS § 42.803 
(b)(i)(C); 
Contracting support: [Check]; 
Payment support: [Check]; 
Payment support: [Empty]. 

Contract phase and assignment: Purchasing system review[B]; 
Audit and Nonaudit services: Audit: DCAA determines adequacy of a 
contractor's or subcontractor's purchasing system. FAR Subpart 44.3; 
Contracting support: [Check]; 
Payment support: Direct: [Empty]; 
Payment support: Indirect: [Check]. 

Contract phase and assignment: Progress payments[B]; 
Audit and Nonaudit services: Audit: DCAA verifies amount claimed, 
determines allowability of contractor requests for cost-based progress 
payments, and determines if the payment will result in undue financial 
risk to the government. FAR §§ 32.503-3, 32.503-4, and 52.232-16; 
Contracting support: [Check]; 
Payment support: [Check]; 
Payment support: [Empty]. 

Contract phase and assignment: Incurred cost claims[A]; 
Audit and Nonaudit services: Audit: DCAA determines acceptability of 
the contractors' claimed costs incurred and submitted by contractors 
for reimbursement under cost-reimbursable, fixed-price incentive, and 
other types of flexibly priced contracts and compliance with contract 
terms, FAR, and CAS, if applicable. FAR §§ 42.101, 42.803(b), and DFARS 
§ 242.803; 
Contracting support: [Check]; 
Payment support: [Check]; 
Payment support: [Empty]. 

Contract phase and assignment: Billing rates and final indirect cost 
rates[A]; 
Audit and Nonaudit services: Audit: DCAA establishes billing rates for 
interim indirect costs and final indirect cost rates. FAR §§ 42.704, 
42.705 and 42.705-2 and DFARS § 42.705-2; 
Contracting support: [Check]; 
Payment support: [Check]; 
Payment support: [Empty]. 

Contract phase and assignment: Defective pricing[B]; 
Audit and Nonaudit services: Audit: DCAA determines the amount of cost 
adjustments related to defective pricing. See above authorities to 
audit contractor cost and pricing data and FAR § 15.407-1; 
Contracting support: [Check]; 
Payment support: [Empty]; 
Payment support: [Check]. 

Contract phase and assignment: CAS compliance[B]; 
Audit and Nonaudit services: Audit: DCAA determines contractor and 
subcontractor compliance with CAS set forth in 48 CFR § 9903.201 and 
determines cost impacts of noncompliance. FAR §§ 1.602-2, 30.202-7, and 
30.601(C); 
Contracting support: [Check]; 
Payment support: [Check]; 
Payment support: [Empty]. 

Contract phase and assignment: Other specially requested services; 
Audit and Nonaudit services: Audit: Audit and nonaudit services: DCAA 
conducts performance audits and other audits based on requests from DOD 
components and requests from other federal agencies. DOD Directive 
5105.36, Sec. 5; 
Contracting support: [Check]; 
Payment support: [Empty]; 
Payment support: [Check]. 

Contract phase and assignment: Paid voucher reviews[A]; 
Audit and Nonaudit services: Audit: Nonaudit services: DCAA reviews 
vouchers after payment to support continued contractor participation in 
the direct bill program. CAM 6-1007.6; FAR § 42.803; DFARS § 242.803; 
DODD 5105.36, paras. 5.4 and 5.5; and DOD Financial Management 
Regulation (FMR), vol. 10, ch. 10, para. 100202; 
Contracting support: [Check]; 
Payment support: [Check]; 
Payment support: [Empty]. 

Contract phase and assignment: Approval of vouchers prior to 
payment[A]; 
Audit and Nonaudit services: Audit: Nonaudit: DCAA reviews and approves 
contractor interim vouchers for payment and suspends payment of 
questionable costs. FAR § 42.803; DFARS § 242.803(b)(i)(B); DOD 
Directive 5105.36, paras. 5.4 and 5.5; and DOD FMR vol. 10, ch. 10, 
para. 100202; 
Contracting support: [Check]; 
Payment support: [Check]; 
Payment support: [Empty]. 

Contract phase and assignment: Overpayment reviews[A]; 
Audit and Nonaudit services: Audit: Non audit services: At the request 
of the contracting officer, DCAA reviews contractor data to identify 
potential contract overpayments. FAR §§ 2.605, 52.216-7(g),(h)2; 
Contracting support: [Check]; 
Payment support: [Check]; 
Payment support: [Empty]. 

Close-out/termination phase: 

Contract phase and assignment: Contract close-out procedures and 
audits[A]; 
Audit and Nonaudit services: Audit: DCAA reviews final completion 
vouchers and the cumulative allowable cost worksheet and may review 
contract closing statements. DFARS § 242.803(b)(i)(D); 
Contracting support: [Check]; 
Payment support: [Check]; 
Payment support: [Empty]. 

Source: GAO analysis. 

[A] Indicates DCAA audit and nonaudit services covered in this audit. 

[B] Indicates types of audits covered in our prior investigation (GAO-
08-857). We reviewed progress payment and contract close-out audits 
that related to audits in our earlier investigation or this audit where 
the auditors considered the evidence in those audits. 

[End of table] 

Importance of Audits in Accordance with GAGAS: 

DCAA policy states[Footnote 29] that it follows GAGAS[Footnote 30] when 
conducting audits. These standards provide a framework for conducting 
high quality government audits and attestation engagements. These 
standards also provide guidelines to help government auditors maintain 
competence, integrity, objectivity, and independence in their work and 
require that they obtain sufficient evidence to support audit 
conclusions and opinions. When auditors are required to follow GAGAS or 
are representing to others that they followed GAGAS, they should follow 
all applicable GAGAS requirements and should refer to compliance with 
GAGAS in the auditor's report.[Footnote 31] Most DCAA audits are 
performed as attestation audits under GAGAS. For attestation audits, 
GAGAS incorporates the American Institute of Certified Public 
Accountants (AICPA) general standard on criteria, and the field work 
and reporting standards and the related Statements on Standards for 
Attestation Engagements (SSAE), unless specifically excluded or 
modified by GAGAS.[Footnote 32] DCAA also conducts performance audits 
upon request. This report addresses DCAA attestation audits and related 
supporting assignments. 

GAGAS state that the public expects auditors to observe the principles 
of serving the public interest and maintaining the highest degree of 
integrity, objectivity, and independence in discharging their 
professional responsibilities. Serving the public interest and honoring 
the public trust are critical when performing government audits. 
Auditors increase public confidence when they conduct their work with 
an attitude that is objective, fact-based, nonpartisan, and non- 
ideological with regard to audited entities and users of the auditors' 
reports. Auditors also should be intellectually honest and free of 
conflicts of interest in discharging their professional 
responsibilities.[Footnote 33] Management of the audit organization 
sets the tone for ethical behavior throughout the organization by 
maintaining an ethical culture, clearly communicating acceptable 
behavior and expectations to each employee and creating an environment 
that reinforces and encourages ethical behavior throughout all levels 
of the organization. [Footnote 34] The credibility of auditing in the 
government sector is based on auditors' objectivity and integrity in 
discharging their professional responsibilities.[Footnote 35] 

Nationwide Audit Quality Problems Are Rooted in DCAA's Poor Management 
Environment: 

We found audit quality problems at DCAA offices nationwide, as 
demonstrated by serious quality problems in the 69 audits and cost- 
related assignments we reviewed, DCAA's ineffective audit quality 
assurance program, and DCAA's rescission of 80 audit reports in 
response to our work. [Footnote 36] Of the 69 audits and cost-related 
assignments we reviewed for this report, 65 exhibited serious GAGAS or 
other deficiencies similar to those found in our prior investigation, 
including compromise of auditor independence, insufficient audit 
testing, and inadequate planning and supervision. Although not as 
serious, the remaining four audits also had GAGAS compliance problems. 
The 69 audits and cost-related assignments we reviewed included 43 
audits that DCAA reported were performed in accordance with GAGAS and 
26 non-GAGAS cost-related assignments, including 10 overpayment and 16 
paid voucher assignments. According to DCAA officials, DCAA rescinded 
the 80 audit reports because the audit evidence was outdated, 
insufficient, or inconsistent with reported conclusions and opinions 
and reliance on the reports for contracting decisions could pose a 
problem. Nearly one third (24) of the 80 rescinded reports relate to 
unsupported opinions on contractor internal controls, which were used 
as the basis for risk-assessments and planning on subsequent internal 
control and cost-related audits. Other rescinded reports relate to CAS 
compliance and contract pricing decisions. Because the conclusions and 
opinions in the rescinded reports were used to assess risk in planning 
subsequent audits, they impact the reliability of hundreds of other 
audits and contracting decisions covering billions of dollars in DOD 
expenditures. We found that DCAA's focus on a production-oriented 
mission led DCAA management to establish policies, procedures, and 
training that emphasized performing a large quantity of audits to 
support contracting decisions over audit quality. An ineffective 
quality assurance structure compounded this problem. 

Audit Quality Problems Found in All Audits GAO Reviewed: 

We found audit quality problems, including GAGAS compliance problems, 
with all 37 audits of contractor internal controls and the 4 incurred 
cost and the 2 request for equitable adjustment audits we reviewed at 7 
FAOs across the 5 DCAA regions covered in this audit. In addition, none 
of the 26 cost-related assignments we reviewed from these same FAOs 
included sufficient testing to identify contractor overpayments and 
billing errors. For additional details on our analysis of these DCAA 
audits and assignments, including narrative case-studies, see 
appendixes I and II. 

Internal Control Audits: 

DCAA performs attestation audits of contractors' systems for cost 
accounting, estimating, and billing to gather evidence to express an 
opinion on the adequacy of the contractor's systems and related 
internal controls for compliance with applicable laws and regulations 
and contract terms. A contractor must have an adequate accounting 
system to be awarded a government cost-reimbursement contract, an 
adequate billing system to submit invoices for payment without 
government review, and an acceptable estimating system to support a 
contracting officer's approval of pricing proposals. A secondary 
objective of DCAA's audits of contractor systems and controls is to 
determine the degree of reliance that can be placed on the contractor's 
internal controls as a basis for planning the scope of other related 
audits. For example, if a contractor receives an adequate opinion on 
various systems control audits, auditors assess risk as low and reduce 
the level of testing on subsequent internal control and cost-related 
audits, including audits of contractors' annual incurred cost claims. 
Although the reports for all 37 audits of contractor internal controls 
that we reviewed stated that the audits were performed in accordance 
with GAGAS, we found GAGAS compliance issues with all of these audits. 
Examples of GAGAS compliance issues we found included: 

Independence issues. For 7 audits we reviewed, DCAA independence was 
compromised because auditors provided material nonaudit services to a 
contractor they later audited; experienced access to records problems 
that were not fully resolved; or significantly delayed report issuance 
in order to allow the contractors to resolve cited deficiencies. GAGAS 
state that auditors should be free from influences that restrict access 
to records or improperly modify audit scope.[Footnote 37] 

Insufficient evidence. We found that 33 of the 37 internal control 
audits did not include sufficient testing of internal controls to 
support auditor conclusions and opinions. GAGAS for examination-level 
attestation engagements require that sufficient evidence be obtained to 
provide a reasonable basis for the conclusion that is expressed in the 
report.[Footnote 38] However, our review of audit documentation often 
found that only two, three, or sometimes five transactions were tested 
to support audit conclusions, and the audit documentation did not 
contain a justification for the small sample sizes selected for 
testing. For internal control audits, which are relied on for 2 to 4 
years and sometimes longer, the auditors would be expected to test a 
representative selection of transactions across the year and not 
transactions for just one day, one month, or a couple of months. 
[Footnote 39] For many controls, the procedures performed consisted of 
documenting the auditors' understanding of controls, and the auditors 
did not test the effectiveness of the implementation and operation of 
controls. 

Generally, the basis for an auditor's determination of sufficient 
testing should include (1) an adequate risk assessment, taking into 
consideration any auditor alerts arising from related audits, past 
findings, and corrective actions; (2) the contractor's overall control 
environment; and (3) the nature and volume of transactions and 
associated materiality and risk of error. For example, decisions on 
sufficient testing of contractor internal controls would include 
consideration of the number and types of contracts or proposals; the 
nature, dollar amount, and volume of transactions; and key control 
attributes or special characteristics of the transactions. Further, a 
representative selection would include a representative number of 
transactions from a population of transactions representing a 
reasonable period of time, in order for test results to support 
conclusions and opinions on the overall adequacy of the contractor's 
systems and effectiveness of the related controls. For example, under 
the GAO/PCIE Financial Audit Manual,[Footnote 40] the minimum sample 
size for an attribute sample of a control would be 45 items. 

Reporting problems. According to GAGAS, audit reports should, among 
other matters, identify the subject matter being reported and the 
criteria used to evaluate the subject matter. Criteria identify the 
required or desired state or expectation with respect to the program or 
operation and provide a context for evaluating evidence and 
understanding the findings.[Footnote 41] None of the 37 internal 
control audit reports we reviewed cited specific criteria used in 
individual audits. Instead, the reports uniformly used boilerplate 
language to state that DCAA audited for compliance with the "FAR, CAS, 
DFARS, and contract terms." As a result the user of the report does not 
know the specific Federal Acquisition Regulation (FAR), Cost Accounting 
Standards (CAS), or contract terms used as criteria to test contractor 
controls. This makes it difficult for users of the reports to determine 
whether a particular report provides the level of assurance needed to 
make contracting decisions. 

The lack of sufficient support for the audit opinions on 33 of the 37 
internal control audits we reviewed rendered them unreliable for 
decision making on contract awards, direct billing privileges, the 
reliability of cost estimates, and reported direct cost and indirect 
cost rates. For example, the FAR requires[Footnote 42] government 
contracting officers to determine the adequacy of a contractor's 
accounting system before awarding a cost-reimbursement contract. Of the 
9 audits of contractor accounting system internal controls that we 
reviewed, only two of the audits included sufficient testing to support 
DCAA's audit opinion that internal controls over the contractors' 
accounting systems were adequate. In addition, none of the 20 audits of 
contractor billing system internal controls we reviewed contained 
sufficient testing of controls to support the reported opinions. 
Adequate opinions on billing system audits are the basis for DCAA 
decisions to approve contractors for the direct bill program, whereby 
contractors submit invoices directly to a government disbursing office 
without prior review.[Footnote 43] Four of the 6 audits of contractor 
estimating system controls that we reviewed did not include sufficient 
testing to support the reported opinions. DOD requires[Footnote 44] 
that large contractors have acceptable estimating systems. Opinions on 
contractor estimating systems support DCAA decisions on the extent of 
testing performed on contract proposals. Neither of the two internal 
control audits of contractor indirect and other direct costs we 
reviewed included sufficient testing to support reported opinions. As 
shown in figure 1, at the time these audits were performed, DCAA policy 
guidance provided for three categories of opinions on internal control 
audits. This policy provided for different opinions and criteria for 
judging them based on the severity of the problems identified. 
Professional standards have long recognized different levels of 
severity with regard to reporting deficiencies and material weaknesses 
in internal controls. 

Figure 1: DCAA Opinions on Contractor Internal Control Systems Audits: 

[Refer to PDF for image: illustrated table] 

Risk: Low; 
DCAA opinion: Adequate; 
Criteria: No significant deficiencies were identified in the audit; 
Resultant Actions: Scope of future audits will be decreased based on 
assurance provided by adequate controls. 

Risk: Medium; 
DCAA opinion: Inadequate in part; 
Criteria: Auditors identified one or more significant deficiencies that 
affect parts of the contractor’s system; 
Resultant Actions: Contractor is required to make improvements, and 
DCAA is to perform follow-up testing within 6 months. Inadequate in 
part opinion also requires expanded audit scopes on future and 
concurrent audits until the contractor’s corrective actions are 
confirmed by the auditors. 

Risk: High; 
DCAA opinion: Inadequate; 
Criteria: Auditors identified one or more significant deficiencies that 
render the entire contractor system unreliable; 
Resultant Actions: Contractor is required to make improvements and DCAA 
is to perform follow-up testing within 6 months. Inadequate opinion 
requires expanded audit scopes on other audits because controls do not 
provide reasonable assurance that data generated by the contractor’s 
system are reliable. 

Source: GAO analysis of DCAA policy. 

[End of figure] 

Supervisors of the DCAA internal control audits we reviewed dropped 
auditor findings of significant deficiencies from the audit reports or 
treated them as suggestions for improvement without adequate support, 
including instances of FAR noncompliance that should have been reported 
as material weaknesses. In some cases, auditors reported "inadequate-in 
part" opinions when the severity of the deficiencies or material 
weaknesses identified would have called for "inadequate" opinions. 

On December 19, 2008, DCAA revised its policy to eliminate the 
"inadequate-in-part" opinion and the requirement to report suggestions 
for improvement.[Footnote 45] The new DCAA policy defines "significant 
deficiency/material weakness" as an internal control deficiency that 
(1) adversely affects the contractor's ability to initiate, authorize, 
record, process or report government contract costs in accordance with 
applicable government contract laws and regulations; (2) results in a 
reasonable possibility that unallowable costs will be charged to the 
government; and (3) the potential unallowable cost is not clearly 
immaterial. The new DCAA policy also establishes new guidance on 
reporting audit opinions on contractors' internal control systems. For 
example, the new DCAA policy states that audit reports that identify 
any significant deficiencies/material weaknesses in contractors' 
internal control systems will include opinions that the systems are 
"inadequate." The policy notes that the contractor's failure to 
accomplish any control objective tested in DCAA's internal control 
audits will or could ultimately result in unallowable costs being 
charged to government contracts, even when the control objective does 
not have a direct relationship to charging costs to government 
contracts. As an example, the policy notes the control objective 
related to ethics and integrity is not directly related to charging 
costs to government contracts, but that the contractor's failure to 
accomplish the control objective creates an environment that could 
ultimately result in mischarging to government contracts. 

By eliminating the "inadequate-in-part" opinion, the new policy does 
not recognize different levels of severity and could unfairly penalize 
contractors whose systems have less severe deficiencies by giving them 
the same opinion--"inadequate"--as contractors having material 
weaknesses or serious deficiencies that in combination would constitute 
a material weakness. 

At the time we finalized our draft report for DOD comment, DCAA had 
rescinded 18 of the 33 audits of contractor internal controls that we 
determined did not contain sufficient testing to meet GAGAS.[Footnote 
46] Unreliable audit opinions on contractor internal controls pose a 
significant risk because DCAA generally performs these audits on a 2-to 
4-year cycle and the audit results are relied on for several years to 
make decisions on testing in various audits of contractor internal 
controls and cost-related assignments. In response to our earlier 
investigation in November 2008, DOD added DCAA audits not meeting 
professional standards to its list of material weaknesses.[Footnote 47] 
Table 2 provides details on five case studies that are typical of the 
flawed internal control audits that we reviewed during the course of 
our work. For more detail on the internal control audits we reviewed, 
see appendix I. 

Table 2: Summary of Five Selected Internal Control Audits: 

Case: 1; 
Region: Western; 
Audit type: Billing system (2004); 
Case details: 
* DCAA auditors inappropriately planned and performed a billing system 
audit of a federally funded research and development center (grantee) 
with $1.5 billion in annual funding. The grantee does not have a 
"billing system"; 
* The grantee is funded by a line of credit, which provides for cash 
draws and transaction reporting by the grantee's accounting system; 
* DCAA auditors spent 530 hours revising Single Audit Act cash 
management audit documentation to address procedures required in DCAA's 
standard audit program for billing system internal controls and 
developed a billing system audit report, when the auditors could have 
simply forwarded the results of work on the grantee's cash management 
system performed under the Single Audit Act to the federal agency's 
buying command; 
* As a result of our review, DCAA reassessed the need to perform a 
billing system audit for the grantee and determined that it would rely 
on the Single Audit reports in the future. 

Case: 2; 
Region: Western; 
Audit type: Accounting system (2004); 
Case details: 
* This audit involving accounting controls for one of the five largest 
DOD contractors working in Iraq was initiated in November 2003; 
* In September 2005, after nearly 2 years of audit work, DCAA provided 
draft findings and recommendations to the contractor that included 8 
significant deficiencies in the contractor's accounting design and 
operation; 
* The contractor objected to the findings, stating that the auditors 
did not fully understand its new policies and procedures, which were 
just being developed for the fast track effort in Iraq; 
* Following the contractor's objections, various supervisory auditors 
directed the auditors to revise and delete some workpapers, generate 
new workpapers, and in one case, copy the signature of a prior 
supervisor onto new workpapers making it appear that the prior 
supervisor had approved a revised risk assessment; 
* On August 31, 2006, after dropping 5 significant deficiencies and 
downgrading 3 significant deficiencies to suggestions for improvement, 
DCAA reported an "adequate" opinion on the contractor's accounting 
system without adequate audit evidence for the changes; 
* The interim audit supervisor, who instructed the lead auditor to copy 
and paste the prior supervisor's name onto key risk assessment 
workpapers, was subsequently promoted to be the Western Region's 
quality assurance manager where he served as quality control check over 
thousands of audits, including those GAO reported on last year; 
* In April 2007, the Special IG for Iraq Reconstruction (SIGIR) 
reported that despite being paid $3 million to complete the renovation 
of a building in Iraq, the contractor's work led to plumbing failures 
and electrical fires in a building occupied by the Iraqi Civil Defense 
Directorate; 
* DCAA rescinded the audit report on December 2, 2008. 

Case: 3; 
Region: Eastern; 
Audit type: Billing system (2005); 
Case details: 
* In May 2005, DCAA reported an inadequate-in-part opinion on the 
billing system internal controls of a second of the five largest DOD 
contractors; 
* After issuing the report, DCAA auditors helped the contractor develop 
policies and procedures related to accounts receivable, overpayments, 
and system monitoring before performing a required follow-up audit--a 
serious impairment to auditor independence; 
* In June 2006, DCAA reported an adequate opinion on the contractor's 
billing system internal controls, including the policies and procedures 
DCAA helped the contractor develop; 
* As a result of GAO's review, DCAA rescinded the follow-up audit 
report on March 6, 2009. 

Case: 4; 
Region: Central; 
Audit type: Billing system; (2005); 
Case details: 
* This audit, which was initiated in July 2005, covered a new billing 
system at a business segment of another of the five largest DOD 
contractors. Although DCAA considers new systems to be high-risk and 
requires increased testing, auditors deleted key audit steps related to 
contractor policies and internal controls over progress payments from 
the standard audit program without explanation and performed little or 
no testing of the contractor's billing controls; 
* The contractor objected to requests for documentation to test whether 
billing clerks had received necessary training; 
* One auditor told GAO he did not perform other tests because "the 
contractor would not appreciate it"; 
* The auditors provided draft findings and recommendations to the 
contractor in February 2006 that included six suggestions to improve 
the system related to the need for internal audits, oversight of 
subcontractor accounting systems, and improvements in policies and 
procedures and desk instructions; 
* Instead of issuing the report, when audit work was completed and 
noting the status of any contractor actions to address identified 
control weaknesses, the auditors monitored contractor corrective 
actions for 7 months, dropping the two suggestions for improvement 
related to internal audits and monitoring subcontractor accounting 
systems. The failure to monitor subcontractor accounting systems should 
have been considered a significant deficiency; 
* On September 15, 2006, DCAA reported an "adequate" opinion on the 
contractor's billing system; 
* Following GAO's review of this audit, DCAA rescinded the audit report 
on February 10, 2009. 

Case: 5; 
Region: Central; 
Audit type: Billing system (2006); 
Case details: 
* A fraud investigation by the Army's Criminal Investigative Division 
was under way at the time DCAA performed this contractor's billing 
system audit. The FAO was aware of the substance of the Army's 
investigation; 
* The auditor requested increases in budgeted audit hours to perform 
increased testing because of fraud risk and the contractor's use of 
temporary accounts for charging costs that had not yet been authorized 
by the contracting officer; 
* The auditor drafted an "inadequate" opinion on the contractor's 
billing system, which was overturned by the supervisor and FAO manager; 
* Despite a reported $2.8 million in fraud for this contractor, DCAA 
reported an "inadequate-in-part" opinion related to 3 significant 
deficiencies in the contractor's billing system on August 31, 2005, and 
an "adequate" opinion on September 11, 2006, related to a follow-up 
audit; 
* The auditor, whose performance appraisal was lowered for performing 
too much testing and exceeding budgeted audit hours, was assigned to 
and then removed from the follow-up audit. The auditor left DCAA in 
March 2007; 
* Following GAO's review, DCAA rescinded both audit reports on November 
20, 2008. 

Source: GAO analysis of DCAA audit documentation and auditor 
interviews. 

[End of table] 

Cost-Related Assignments: 

The 32 cost-related assignments we reviewed did not contain sufficient 
testing to provide reasonable assurance that overpayments and billing 
errors that might have occurred were identified. As a result, there is 
little assurance that any such errors, if they occurred, were corrected 
and that related improper contract payments, if any, were refunded or 
credited to the government. Contractors are responsible for ensuring 
that their billings reflect fair and reasonable prices and contain only 
allowable costs, and taxpayers expect DCAA to review these billings to 
provide reasonable assurance that the government is not paying more 
than it should for goods and services. Further, we found that DCAA does 
not consider some cost-related assignments to be GAGAS audits, even 
though these assignments are used to provide assurance of the 
reasonableness of contractor billings, for example: 

Paid voucher reviews. DCAA performs annual testing of paid vouchers 
(invoices) to determine if contractor voucher preparation procedures 
are adequate for continued contractor participation in the direct-bill 
program.[Footnote 48] Under the direct-bill program, contractors may 
submit their invoices directly to the DOD disbursing officer for 
payment without further review. Although DCAA does not consider its 
reviews of contractor paid vouchers to be GAGAS engagements; it has not 
determined what standards, if any, apply to these assignments. In 
addition, for the 16 paid voucher assignments we reviewed, we found 
that DCAA auditors failed to comply with CAM guidance.[Footnote 49] 
Rather than documenting the population of vouchers, preparing sampling 
plans, and testing a random (statistical) sample, auditors generally 
did not identify the population of vouchers, did not create sampling 
plans, and made a small, nonrepresentative selection of as few as one 
or two invoices for testing to support conclusions on their work. Even 
when DCAA auditors tested 20 or 30 invoices, they did not test billing 
controls or review supporting documentation for goods and services 
purchased. Instead, the auditors performed limited procedures such as 
determining whether the vouchers were mathematically correct and 
included current and cumulative billed amounts. Based on this limited 
work, the auditors concluded that controls over invoice preparation 
were sufficient to support approval of the contractors' direct billing 
privileges. However, the limited work performed does not provide 
assurance that contractor billings are accurate and comply with 
applicable laws, the FAR, CAS, and contract terms. This is of 
particular concern because we determined that Defense Finance and 
Accounting Service (DFAS) certifying officers rely on DCAA voucher 
reviews, and they do not repeat review procedures they believe to be 
performed by DCAA. 

Professional literature contains guidance to help auditors determine 
the level of testing that should be performed to obtain sufficient, 
appropriate evidence to support a conclusion that internal controls are 
effectively designed, implemented, and operating effectively. Inquiry 
alone does not provide sufficient, appropriate evidence to support a 
conclusion about the effectiveness of a control. Some of the factors 
that affect the risk associated with a control include: 

* the nature and materiality of misstatements that the control is 
intended to prevent, 

* the inherent risk associated with the related account(s) and 
assertion(s), 

* whether there have been changes in the volume or nature of 
transactions that might adversely affect control design or operating 
effectiveness, 

* the degree to which the control relies on the effectiveness of other 
controls (i.e., information technology controls), 

* the competence of personnel who perform the control or monitor its 
performance, and whether there have been changes in key personnel who 
perform the control or monitor performance, and: 

* whether the control relies on performance by an individual or is 
automated (an automated control would generally be expected to be lower 
risk if relevant IT general controls are effective).[Footnote 50] 

Professional standards[Footnote 51] state that the auditor should focus 
more attention on the areas of highest risk. As the risk associated 
with the control being tested increases, the evidence that the auditor 
should obtain increases. In addition, the GAO/PCIE Financial Audit 
Manual provides guidance on sampling control tests that would be 
relevant to DCAA testing of contractor invoices.[Footnote 52] The 
auditor should assess risk in determining the control attributes to be 
tested and select a sample that the auditor expects to be 
representative of the population. Attribute sampling requires random or 
systematic, if appropriate, selection of sample items without 
considering the transactions' dollar amount or other special 
characteristics. To determine the sample size, the auditor uses 
professional judgment to determine three factors--confidence level, 
[Footnote 53] tolerable rate (maximum rate of deviations from the 
prescribed control that the auditor is willing to accept without 
altering the preliminary control risk), and expected population 
deviation rate (expected error rate).[Footnote 54] 

Finally, the American Institute of Certified Public Accountants (AICPA) 
Audit and Accounting Guide: Audit Sampling[Footnote 55] (Audit Guide) 
contains attestation guidance on the application of SSAEs in specific 
circumstances, including engagements for entities in specialized 
industries. The Audit Guide states that an auditor using nonstatistical 
sampling is not required to compute the sample size using statistical 
theory. However, sample sizes of statistical and nonstatistical samples 
ordinarily would be comparable when the same sampling parameters are 
used.[Footnote 56] 

Overpayment assignments. DCAA intends these audits to verify that 
contractors have billing procedures and internal controls in place to 
identify and resolve contractor overpayments in a timely manner. DCAA 
guidance states that these engagements should be conducted in 
accordance with GAGAS to the extent applicable under the circumstances. 
[Footnote 57] However, none of the 10 overpayment assignments we 
reviewed were performed or reported as GAGAS engagements. We found that 
auditor judgments about the population and selection of transactions 
for these assignments did not provide a representative basis for 
testing and concluding on contractor controls over billings and 
payments received. For example, for the 10 assignments we reviewed, the 
auditors selectively reviewed an accounts receivable aging report to 
identify overpayments and determine if they had been resolved. The 
auditors did not attempt to identify the population of transactions 
subject to overpayments and over billings during the year, and they did 
not document their rationale for selecting a particular dollar 
threshold, number of transactions, or time period for testing 
contractor invoices. Our assessment of these assignments includes the 
same concerns regarding insufficient evidence to support the auditors' 
conclusions as discussed above for annual testing of paid vouchers. As 
a result, this work does not provide reasonable assurance that 
contractors have adequate controls in place to identify and correct 
overpayments and billing errors and make appropriate, timely refunds 
and adjustments. 

Incurred cost audits. The purpose of incurred cost audits is to examine 
contractors' cost representations and opine on whether the costs are 
allowable, allocable to government contracts, and reasonable in 
accordance with the contract and applicable government acquisition 
regulations.[Footnote 58] DCAA performs these audits as GAGAS 
attestation engagements. For the four incurred cost audits we reviewed, 
we found that the auditors did not adequately document their judgments 
about control risk or the sampling and test methodologies used. In 
addition, we found that the auditors traced claimed pool and base costs 
(indirect costs) to the contractor's accounting books and records to 
determine their accuracy and allowability. However, the auditors did 
not perform sufficient, detailed testing of support for claimed 
indirect and direct costs. The scope of work performed was not 
sufficient to identify claimed costs, if any, that were not adequately 
supported or unallowable costs, if any, that should have been 
questioned. 

In addition to the testing failures we identified on the 32 cost- 
related assignments, several additional issues came to our attention 
during our review: 

Exempting from professional standards certain assignments that were 
used as support for internal control system audits. We noted that paid 
voucher reviews and overpayment assignments, which were used to support 
direct-bill decisions and billing system audits, were not performed 
under GAGAS, even though some of them used the same terminology as 
GAGAS engagements to describe the work performed, including 
"comprehensive examination" and "audit." According to DCAA's CAM and 
DCAA officials, paid voucher reviews and most overpayment assignments 
are not intended to meet GAGAS standards. However, paid voucher reviews 
are intended to serve as audits of contractor payments, and DCAA's 
standard audit program for overpayment assignments states that the 
assignments are to be performed in accordance with GAGAS, unless there 
are specific exceptions. When these types of assignments are not 
conducted under professional standards, it is important for the report 
to clearly state the procedures performed and the intended uses of the 
report, such as verifying compliance with certain FAR requirements, in 
order to provide context for understanding the stated conclusions of 
the work and avoid misleading users of the report. 

Auditor objectivity issues. We also determined that DCAA's role with 
regard to making decisions to approve contractors for participation in 
the direct-bill program[Footnote 59] presented an impairment to auditor 
objectivity--which includes being independent in fact and appearance 
when providing audit and attestation engagements.[Footnote 60] The 
objectivity impairment relates to DCAA's audit role in authorizing 
contractors to participate in the direct-bill program, which places it 
in the position of making decisions that impact its nonaudit workload 
related to the review of contractor invoices prior to payment. For 
example, when contractors do not have direct billing privileges, DCAA 
acts as the authorized representative of the DOD contracting officer in 
reviewing contractor invoices prior to submission for payment. However, 
if DCAA auditors determine that a contractor has an adequate billing 
system, DCAA may authorize a contractor to participate in the direct- 
bill program, thereby eliminating workload related to review of the 
contractor's invoices prior to payment. In addition, the 20 billing 
system audits and follow-up audits we reviewed lacked sufficient 
testing to support reported opinions, or the opinions reported were 
inconsistent with the audit evidence. DCAA had approved all but 2 of 
the 16 contractors involved in these audits for the direct bill 
program. 

At the end of our audit, DCAA had not rescinded any of the memorandums 
or reports on the results of the cost-related assignments we reviewed. 
Table 3 provides details on five selected case studies of flawed cost- 
related assignments that we reviewed during the course of our work. 

Table 3: Summary of Five Selected Cost-Related Assignments: 

Case: 1; 
Region: Eastern; 
Type of assignment: Paid voucher review (2004); Non-GAGAS; 
Case details: 
* This contractor generates $1.1 billion in annual billings to the 
government; 
* The auditor assessed risk as low for this assignment without 
documenting the basis for the decision. The auditor then judgmentally 
selected 3 vouchers totaling $88,000 for testing out of a total of 222 
vouchers submitted to the government for payment from March 2003 
through February 2004; 
* The auditor tested the first voucher selected and performed limited 
testing on the remaining 2 vouchers. The workpapers do not include any 
evidence to show that the auditor performed most of the audit steps 
required in the standard audit program; 
* Despite limited testing, on March 31, 2004, DCAA prepared a 
Memorandum for the Record, stating "continued reliance can be placed on 
the contractor's procedures for the preparation of interim vouchers..." 
and "the contractor has met the criteria for continued participation in 
the direct billing program." 

Case: 2; 
Region: Mid-Atlantic; 
Type of assignment: Paid voucher review (2004); Non-GAGAS; 
Case details: 
* In 2004, DCAA reviewed interim vouchers submitted by a contractor 
with $40 million in annual sales; 
* The auditor chose a nonrepresentative selection of 3 vouchers 
totaling $621,000 from a 3-month period. The auditor should have used a 
population covering a 12-month period because this assignment was 
designed to cover a 1-year period; 
* The auditor did not document the sample selection methodology as 
required by DCAA's CAM. Although testing of 3 vouchers is not 
sufficient to support a conclusion on the effectiveness of the 
contractor's controls over preparation of interim vouchers, the auditor 
removed one of the 3 vouchers from testing and did not document a 
reason; 
* The auditor did not identify any errors in testing the two remaining 
vouchers; 
* On August 31, 2004, DCAA reported "continued reliance can be placed 
on the contractor's procedures for the preparation of interim vouchers" 
and "the contractor had met the criteria for continued participation in 
the direct billing program." 

Case: 3; 
Region: Western; 
Type of assignment: Paid voucher; review (2005); Non-GAGAS; 
Case details: 
* This DOD contractor with over $1 billion in annual billings to the 
government was one of several contractors that performed work to 
support the FBI's Trilogy investigative systems upgrade project; 
* The auditor tested less than 20 vouchers of 5,530 vouchers issued in 
a 12-month period; 
* On April 14, 2005, DCAA issued a Memorandum for the Record, stating 
"continued reliance can be placed on the contractor's procedures for 
the preparation of interim vouchers" and "the contractor has met the 
criteria for continued participation in the direct-bill program; 
* One year later, a GAO audit report revealed that during the time of 
this DCAA assignment, the contractor had over billed the FBI by over 
$400,000 in labor and improper first-class travel costs. 

Case: 4; 
Region: Central; 
Type of assignment: Overpayment assignment (2005); Non-GAGAS; 
Case details: 
* This DCAA assignment covered one of the five largest DOD contractors; 
* The auditor tested 4 transactions from a listing of potential 
underpayments and overpayments prepared by the contractor. The auditor 
did not independently verify the accuracy or completeness of the 
contractor's listing; 
* The audit program required the auditor to determine whether the 
contractor monitors the billings submitted by its top 3 to 5 
subcontractors. However, the auditor performed this procedure for only 
1 subcontractor based on "auditor judgment" and did not document the 
basis for this judgment in the audit documentation; 
* The auditor also relied on the unverified contractor-provided listing 
to identify refunds to the government. The auditor then "judgmentally 
selected" 2 refunds for testing from the contractor's listing; 
* The auditors' conclusions that the contractor's controls are 
sufficient to detect and correct billing errors and overpayments were 
not supported by sufficient testing or other independent evidence. 

Case: 5; 
Region: Western; 
Type of assignment: Incurred cost; audit (2004); GAGAS; 
Case details: 
* This audit covered a $516 million incurred cost claim submitted by a 
contactor performing reconstruction work in Iraq; 
* The auditors reported about $6 million in questioned costs and about 
$83 million in unsupported costs based on assist audits (portions of 
the audit performed by other FAOs) that had not been received by the 
report issue date; 
* Although the auditors charged 2,292 hours to this assignment, GAO 
determined that the auditors did not perform sufficient work to support 
the audit opinion. For example, the auditors traced claimed pool and 
base costs to the contractor's accounting books and records using a 
threshold of $5 million for cost-type contracts and $2 million for time 
and materials contracts, but did not perform detailed testing of 
support for transactions. Tracing amounts to the general ledger is not 
sufficient work to support an examination-level opinion and the 
auditors did not document the basis for the judgment used to determine 
the multimillion dollar thresholds; 
* Further, the auditors relied on testing performed in a related 
accounting system audit, which DCAA rescinded on December 2, 2008, in 
response to GAO concerns; 
* As a result, the auditor's risk assessment used to plan the incurred 
cost audit is no longer supported. 

Source: GAO analysis of DCAA audit documentation and auditor 
interviews. 

[End of table] 

We did not attempt to re-perform these assignments to find out whether 
actual overpayments or billing errors existed. For additional details 
on the cost-related assignments we reviewed, see appendix II. 

Poor Management Environment and Quality Assurance Structure at DCAA 
Impacted Audit Quality: 

We found that a management environment and agency culture that focused 
on facilitating the award of contracts and an ineffective audit quality 
assurance structure are at the root of the agencywide audit failures we 
identified. DCAA's mission and management goals focus on producing a 
large quantity of audits to support procurement and contract 
administration rather than assuring proper contract costs that help 
save taxpayer dollars. In addition, an ineffective audit quality 
control system and a "clean" peer review opinion compounded the 
problem, hindering DCAA management from identifying and correcting 
agencywide audit quality problems. 

DCAA's Mission Statement and Strategic Plan Do Not Focus on the Public 
Interest: 

DCAA's current mission statement does not address protecting the public 
interest in the manner in which it carries out audits to help assure 
that contractors charge fair and reasonable prices that comply with 
applicable laws and regulations, cost accounting standards, and 
contract terms. Instead, DCAA's mission statement calls for it to 
perform all necessary contract audits for DOD and provide accounting 
and financial advisory services regarding contracts and subcontracts to 
all DOD components responsible for procurement and contract 
administration. Similarly, DCAA's 2006 strategic plan focused on 
various processes and outputs. DCAA's strategic plan contains the 
following five strategic goals with targeted completion dates from 2006 
through 2008: 

1. fostering a quality work-life environment that promotes trust, 
teamwork, mutual respect, superior job performance and high morale; 

2. assuring customer satisfaction by providing timely and responsible 
audits and financial services that meet or exceed customer requirements 
and expectations; 

3. attaining the highest level of professional competence through 
continuous improvement in the management and performance of audits and 
services; 

4. providing best value audit and financial services through continuous 
evaluation and improvement of audit and administrative processes; and: 

5. providing an integrated information technology structure that 
promotes effectiveness and efficiency in providing services for 
internal and external customers. 

DCAA objectives under each strategic goal focus on process improvements 
and do not contain a clear plan for achieving the respective goal or 
adequate quantitative and qualitative measures for determining success, 
for example: 

* One DCAA quality of work-life objective is to assess whether the 
participative work team concept is the best model for facilitating 
continuous process improvement. The underlying activities include 
internal meetings and brainstorming sessions, literature reviews, and 
developing recommendations for executive committee review. None of the 
activities included refer to identifying best practices or working with 
outside experts. 

* Another objective is to hold or lower attrition in high turnover 
areas. DCAA activities in this area include analyzing causes of 
attrition, and conducting surveys of new hires and departing employees. 
None of the related activities include surveys of like organizations, 
consideration of best practices, or identifying and addressing causes 
of high attrition. Moreover, in response to our requests for attrition 
data, DCAA provided high-level summaries without any analysis. 

* DCAA's strategic goal for customer satisfaction, included the 
objective of increasing by 20 percent annually the number of incurred 
cost audit reports issued with contractor cumulative allowable cost 
worksheets, completing 100 percent of identified incurred cost audits 
necessary to accomplish Defense Contract Management Agency (DCMA) 
performance goals for contract close-out and canceling funds.[Footnote 
61] DCAA's strategic plan contains no explanation of the importance of 
these objectives or how they link to DCAA's mission. 

* A key goal related to best value audit services is for DCAA to manage 
its cost per direct audit hour at a level sufficient to maintain DCAA's 
competitive advantage over the comparable national public firm 
composite rate. One of the ways DCAA has achieved a low cost per audit 
hour is to maintain a pay structure that caps journey-level auditors at 
the GS-12 level. In addition, our work identified numerous instances 
where entry-level auditors with little or no experience often perform 
audit assignments by themselves. However, lower grade levels and 
limited experience can place auditors at a disadvantage when dealing 
with contractor officials. 

The Government Performance and Results Act of 1993 (GPRA)[Footnote 62] 
directed federal agencies to shift their focus from traditional 
concerns of staffing and activity levels to a broad focus on outcomes 
or results by (1) defining a clear mission and desired outcomes instead 
of outputs, (2) measuring performance to gauge progress, and (3) using 
performance information as a basis for decision making. The act 
required agencies to meet with Congress and key stakeholders to clearly 
define their mission and develop long-term strategic goals as well as 
annual goals that were linked to them. Although these legislated 
requirements were directed at federal agencies, including DOD, DCAA's 
mission statement and strategic plan were not revised to conform to 
GPRA requirements. 

Performance Metrics Were Designed To Measure Output: 

GPRA also requires that once federal agencies establish their strategic 
goals they are to develop results-oriented measures for assessing 
performance in meeting those goals and publicly report on how well they 
are doing. However, most of DCAA's performance metrics continued to 
focus on output. Several DCAA managers noted that fear of outsourcing 
the contract audit function led DCAA to emphasize performance metrics 
that demonstrated high productivity and low cost. In fiscal year 2008, 
DCAA reported some results-oriented performance measures, such as 
return on investment and net savings related to questioned cost. 
However, most of DCAA's metrics focused on production and audit cost, 
including cost per direct audit hour, 30-day cycle time on forward 
pricing audits, and dollars audited per hour. In addition, DCAA's focus 
on completing over 30,000 assignments annually with about 3,600 
auditors continued to emphasize production of audits instead of 
performing quality audits that assured taxpayers that the government 
was paying fair and reasonable prices for contracted goods and 
services. 

DCAA's Audit Quality Assurance Program Was Ineffective: 

DCAA's audit quality assurance program was not properly implemented, 
resulting in an ineffective quality control process that accepted 
audits with significant deficiencies and noncompliance with GAGAS and 
DCAA policy. Moreover, even when DCAA's quality assurance documentation 
showed evidence of serious deficiencies within individual offices, 
those offices were given satisfactory ratings. GAGAS require that each 
audit organization performing audits and attestation engagements in 
accordance with GAGAS should have a system of quality control that is 
designed to provide the audit organization with reasonable assurance 
that the organization and its personnel comply with professional 
standards and applicable legal and regulatory requirements, and have an 
external peer review at least once every 3 years.[Footnote 63] 

Our analysis of DCAA audit quality review documentation for 14 of 48 
offices covered in audit quality reviews during fiscal years 2004 
through 2006--the period covered in the last DOD OIG peer review--found 
that although DCAA gave satisfactory ratings to 13 of the 14 FAOs, DCAA 
reviewers reported that 10 of these offices had 2 or more instances of 
serious GAGAS noncompliance, including inadequate planning, lack of 
proper supervision, and insufficient support for reported conclusions 
and opinions. However, DCAA gave only 1 of the 14 FAOs reviewed an 
unsatisfactory rating. The failed FAO had 5 of 9 assignments reviewed 
with at least two significant instances of noncompliance with GAGAS or 
DCAA policy. Further, although DCAA headquarters performed a follow-up 
review to confirm that problems identified at the failed office were 
corrected, DCAA headquarters officials told us they did not perform 
follow-up reviews to assure that the problems identified at other 
offices were corrected. 

In response to a DOD IG finding that DCAA quality assurance reviews did 
not cover a sufficient number of internal control system audits, DCAA 
increased the number of audits covered to date in its fiscal year 2007 
and 2008 quality assurance reviews. However, DCAA continued to 
inappropriately conclude that audits "demonstrated professional 
judgment," allowing reviewers to disregard serious deficiencies with 
GAGAS in concluding on overall audit quality.[Footnote 64] DCAA failed 
only 1 of the 40 FAOs as a result of its fiscal year 2007 and 2008 
audit quality reviews. Our analysis of DCAA's audit quality results 
showed that 19 of the 40 FAO's had two or more audits with at least 2 
instances of significant noncompliance with GAGAS or DCAA policy. 
However, 18 of these FAOs received a satisfactory rating. DCAA 
headquarters has not yet followed up with offices that had deficient 
audits. 

The examples in table 4 show the disparity between DCAA quality 
assurance reports of a "satisfactory level of compliance" and actual 
results documented by quality assurance reviewers. The examples below 
also illustrate the long-term nature of this problem. 

Table 4: Summary of Selected DCAA Audit Quality Review Results: 

Region: Eastern; 
Number and type of audits: 5 incurred cost audits; 
DCAA audit quality review conclusions and findings: On October 28, 
2008, DCAA reported a satisfactory level of compliance for the FAO 
reviewed. Supporting documentation showed that reviewers found that 2 
of 5 audits reviewed had at least 2 instances of significant 
noncompliance with GAGAS and DCAA policy, including insufficient 
supervisory involvement and inadequate workpaper documentation to 
support significant auditor judgments and conclusions. 

Region: North-eastern; 
Number and type of audits: 8 forward pricing audits; 
DCAA audit quality review conclusions and findings: On September 27, 
2007, DCAA reported satisfactory compliance by the FAO reviewed. 
Supporting documentation showed that reviewers found that 4 of 8 audits 
had at least 2 significant instances of noncompliance with GAGAS or 
DCAA policy and 2 of the 4 audits had 3 instances of noncompliance, 
including inadequate planning and supervision and failure to exercise 
reasonable professional judgment. 

Region: Central; 
Number and type of audits: 8 other (various) assignments; 
DCAA audit quality review conclusions and findings: On April 4, 2006, 
reviewers gave the FAO reviewed a satisfactory rating. However, 
supporting documentation showed that audit quality reviewers found that 
2 of 8 assignments had at least two significant deficiencies related to 
noncompliance with GAGAS and DCAA policy, including inadequate planning 
on 3 assignments and inadequate supervision on 2 assignments. Reviewers 
also determined that the auditor on one other assignment had not met 
the annual requirement for continuing professional education. 

Region: Western; 
Number and type of audits: 5 incurred cost audits; 
DCAA audit quality review conclusions and findings: On April 26, 2005, 
reviewers gave the FAO a satisfactory rating. Although the audit 
quality review documentation identified only 1 audit that had at least 
2 instances of significant deficiencies, the documentation noted 
limited testing and stated that statistical sampling was not used, as 
required. The reviewers also found that audit working papers did not 
support the conclusions in the audit report. The reviewers noted that 
insufficient supervisory involvement was responsible in part for the 
deficiencies found in the audit. 

Region: Mid-Atlantic; 
Number and type of audits: 6 incurred cost audits; 
DCAA audit quality review conclusions and findings: On September 29, 
2005, reviewers reported a satisfactory level of compliance for this 
FAO. However, supporting documentation showed that 4 of the 6 audits 
had at least 2 significant deficiencies related to noncompliance with 
GAGAS and DCAA policy. For example, audit quality reviewers noted that 
the risk assessment for one assignment inappropriately stated the 
contractor's accounting system was adequate. In addition, reviewers 
stated that conclusions and opinions in reports for three audits were 
not based on sufficient evidence. Reviewers also noted that three 
audits had significant deficiencies, including insufficient testing, 
inadequate procedures to identify illegal acts and noncompliance with 
laws and regulations, and reporting problems. Reviewers also found 
inaccuracies in reporting on three audits and stated that reports on 2 
of the audits should not have been issued and a reported qualification 
in the report for the third audit was worded incorrectly and implied 
that work had been performed when the related assist audits had not 
been completed. 

Region: Eastern; 
Number and type of audits: 6 internal control audits; 
DCAA audit quality review conclusions and findings: On June 8, 2004, 
DCAA reported satisfactory compliance by the FAO reviewed. However, 
supporting documentation showed that 2 of 6 audits reviewed had at 
least 2 instances of significant noncompliance with GAGAS and DCAA 
policy, including inadequate supervision, missing workpapers on the 
contractor's control environment, and insufficient and incomplete 
workpaper evidence to support conclusions in the audit reports. 

Region: Northeastern; 
Number and type of audits: 8 forward pricing audits; 
DCAA audit quality review conclusions and findings: On June 26, 2003, 
DCAA reviewers reported satisfactory level of compliance by the FAO 
reviewed. Audit quality review documentation showed that reviewers 
found that 6 of the 8 audits had at least 2 instances of significant 
GAGAS or DCAA policy noncompliance. For example, 2 audits were not 
adequately planned and 4 audits had inadequate supervisory involvement. 
In addition, supervisory review was performed 10 days after the report 
was issued on one audit, and audit work did not support the reported 
opinion on a second audit. 

Source: GAO analysis of DCAA documentation. 

[End of table] 

In March 2009, DCAA officials advised us that going forward, DCAA plans 
to report all audit quality review findings along with recommendations 
for corrective action and follow-up to assure that FAOs have taken 
appropriate corrective action. 

DOD IG Peer Review Opinion on DCAA's Audit Quality Control System Is 
Inconsistent with the Underlying Deficiencies Reported: 

The DOD IG reported an adequate ("clean") opinion on DCAA's most recent 
peer review results although the reported evidence indicated that 
numerous audits had serious deficiencies in audit quality.[Footnote 65] 
In conducting DOD's audit oversight review of DCAA audits for fiscal 
year 2006, DOD IG audit oversight reviewers considered the same results 
of DCAA's internal audit quality assurance reviews that we analyzed and 
reviewed numerous additional audits, which also identified significant 
GAGAS noncompliance as evidenced by DOD IG peer review findings and 
recommendations. Although the DOD IG report contained evidence of 
significant, systemic noncompliance with professional standards 
throughout DCAA audits that OIG staff reviewed, and the IG report 
included numerous findings and recommendations related to those issues, 
the DOD IG gave DCAA a "clean" peer review opinion,[Footnote 66] 
concluding that: 

"In our opinion, the DCAA system of quality control for audits and 
attestation engagements performed during the FY ended September 30, 
2006, was designed in accordance with quality standards established by 
Government Auditing Standards (GAS). Further, the internal quality 
control system was operating effectively to provide reasonable 
assurance that DCAA personnel were following established policies, 
procedures, and applicable auditing standards. Accordingly, we have 
determined that the DCAA system of quality control used on audits and 
attestation engagements for the review period ended September 30, 2006, 
is adequate." 

The overall report conclusion in the DOD IG report is not consistent 
with the detailed observations in the report, which indicate numerous 
significant deficiencies in DCAA's system of quality control. 
Furthermore, based on DCAA's actions to rescind dozens of audit reports 
[Footnote 67] related to our prior investigation and this audit and our 
analysis of DCAA's internal audit quality review procedures and 
documentation--all of which relate to the period covered by the DOD IG 
peer review--we concluded that DCAA's quality control system for the 
period covered by the last DOD IG peer review was not effectively 
designed and implemented to provide assurance that DCAA and its 
personnel comply with professional standards. The DCAA audits performed 
during fiscal years 2007 and 2008 were performed under the same policy 
guidance and production-related performance metrics as the earlier 
audits and had the same types of GAGAS noncompliance, as indicated by 
DCAA's internal audit quality review findings for audit reports issued 
in fiscal years 2007 and 2008. 

DCAA Lacks a Risk-Based Audit Planning Approach: 

In the absence of a risk-based audit planning approach, DCAA has 
historically performed 30,000 to 40,000 audits annually to support 
contracting community decisions on contract awards, administration, and 
close-out using 3,000 to 4,000 auditors--an average of about 10 audit 
reports per year for each auditor. The large number of assignments has 
contributed to the production-oriented environment and widespread 
problems we have identified with audit quality. The failure to perform 
quality audits leaves government contracting officers and disbursing 
officers with inadequate information, ultimately putting taxpayers at 
risk of improper contract payments and fraud, waste, abuse, and 
mismanagement. GAO's Standards for Internal Control in the Federal 
Government[Footnote 68] require federal agency managers to identify and 
assess relevant risks the agency faces from external and internal 
sources associated with achieving agency objectives, such as those 
defined in strategic and annual performance plans developed under the 
GPRA. To do this, management needs to consider all significant 
interactions between the entity and other parties as well as internal 
factors at the agency and activity levels. The specific risk analysis 
methodology used can vary by agency because of differences in agency 
missions and the difficulty in qualitatively and quantitatively 
assigning risk levels. For example, DCAA would need to consider 
requirements in law and federal regulation to audit contractor cost, 
price, schedule, systems, and compliance with laws, regulations, cost 
accounting standards, and contract terms. DCAA also would need to 
consider risks associated with contractor activity and the materiality 
of contractor costs. Once risks have been identified, sound management 
controls require that they should be analyzed for their possible 
effect, and management should decide how to manage the risk and what 
actions should be taken. 

A risk-based audit approach would help identify and prioritize which 
audits are the most important or have the highest return on investment 
and determine what constitutes appropriate testing for various audit 
and nonaudit services. Basing future audit plans on historical DCAA 
audit hour data is problematic because DCAA has not yet determined the 
time and effort that would be needed to perform quality audits. For 
example, historical audit hour data do not accurately reflect either 
the time needed to complete a quality audit or the hours actually 
worked on various audits because many auditors performed limited 
procedures or they performed audit procedures on their own time to meet 
budgeted audit hour metrics. In addition, some audits may not be 
necessary. For example, we concluded that 3 of the 37 internal control 
audits that we reviewed were not necessary. For one of the three 
audits, DCAA could have relied on the audit of a grantee that was 
performed under the Single Audit Act.[Footnote 69] DCAA agreed with our 
conclusion. Two other unnecessary audits involved estimating systems of 
contractors that only have one contract with the government. Because 
contract proposals, which would be tested as part of the estimating 
system audit for these contractors, are separately audited when they 
are submitted, we questioned the need for separate estimating system 
audits for these contractors. DCAA officials told us they would 
reconsider the need for separate estimating system audits in such 
cases. 

Developing a risk-based audit approach that considers the risk of 
improper contract payments and available resources would also be a 
first step in determining the level of audit resources and training 
needed to accomplish effective contract audits. In addition, 
determining appropriate roles and responsibilities for nonaudit 
assignments would further clarify DCAA audit resource needs as well as 
needed job skills and funding for buying commands and DCMA. 

The most pervasive audit deficiency we identified was insufficient 
testing to support DCAA's reported conclusions and opinions. Limited 
audit testing was directly related to DCAA's goal of performing 30,000 
or more audit assignments annually. Achieving a goal of performing 
quality audits will depend, in part, on appropriate guidance on testing 
coupled with adequate training and supervision. Quality audits will 
also be dependent upon contracting community support of a risk-based 
audit approach and an appropriate delegation of nonaudit contract 
administration activities and audit responsibilities among DCMA, buying 
commands, and DCAA. As noted above, DCAA provides nearly all of its 
services to the contracting and finance communities as GAGAS audits. 
However, a risk-based audit approach may require these communities to 
re-evaluate whether all such services should be provided as audits and 
whether DCAA, as an independent audit organization would perform any 
nonaudit services. 

DCAA Lacks Effective Human Capital Management: 

DCAA's deficiencies in audit quality are directly related to its human 
capital management. Effective, efficient contract audits and oversight 
are dependent on a workforce that has the required skills to meet 
organizational goals and perform quality audits that serve the public 
interest, especially the taxpayer. Both GAGAS and GAO's Internal 
Control Standards[Footnote 70] require that personnel possess and 
maintain a level of competence that allows them to accomplish their 
assigned duties. GAGAS specifically requires that the staff assigned to 
conduct audit or attestation engagements under GAGAS must collectively 
possess the technical knowledge, skills, and experience necessary to be 
competent for the type of work being performed before beginning that 
assignment.[Footnote 71] GAGAS also requires attestation engagements to 
be properly supervised.[Footnote 72] Accordingly, agency management has 
a responsibility to identify appropriate knowledge and skills needed 
for various jobs and provide needed training, as well as candid and 
constructive counseling, and performance appraisals. DCAA's human 
capital management practices of hiring auditors at the entry-level and 
assigning them to complex audits with little classroom training or on- 
the-job experience and minimal supervision have contributed to the 
audit problems we identified. 

Inadequate training and supervision. DCAA headquarters officials 
acknowledged that the agency could improve developmental training and 
that it does not have continuing training for DCAA auditors throughout 
their career, referred to by DCAA as life-cycle training. Given the 
complexity of contract audits and identified DCAA audit quality 
problems, timely and effective training and appropriate supervision are 
critical to achieving effective audits. Auditors also should understand 
the professional standards they are required to follow. 

In addition, we found that on-the-job-training and supervision, which 
are key components of developmental training, were not consistently 
provided to new auditors. On-the-job training for new auditors varied 
by supervisor and by DCAA field office. For example, we previously 
reported[Footnote 73] that one of the offices in our hotline 
investigation had addressed this training need by assigning one 
supervisor to oversee trainee auditors and assigning trainee auditors 
to senior auditors who provided them on-the-job training during a 
particular audit. However, we identified 13 CAS compliance audits at 
this same office to which trainee auditors were assigned with little or 
no training or supervision. In addition, documentation for one of the 
team performance awards that we recently obtained from this office 
contained evidence that some trainee auditors were immediately given an 
audit assignment to carry out on their own. The performance award 
documentation stated as an achievement that "new hires were purposely 
assigned their own assignments as early as deemed appropriate in order 
to instill in them early the concept that they are responsible for the 
planning and conduct of their assigned audits. The supervisory and 
senior auditor…made a conscious decision to do this to avoid dependency 
issues with the new auditors." 

Our discussions with auditors in DCAA's 5 regions provide anecdotal 
examples of the training problems we found. For example, one auditor 
told us that entry level training is a "one-size-fits-all" approach 
that does not provide the right training at the right time, while four 
auditors told us they were not given enough time to develop their 
skills. One consistent comment from auditors was that on-the-job 
training was key to auditor effectiveness, but DCAA provided little or 
no opportunity for new auditors to obtain this developmental 
experience. Several auditors told us that trainees in their offices are 
given assignments to do on their own and that while trainees may work 
with a senior level auditor, sometimes these senior auditors do not 
take a leadership role that would provide a learning experience for 
trainees. In addition, several auditors described DCAA's internal 
training courses as "good," but noted that the courses covered high- 
level conceptual and technical information and did not provide the 
detailed knowledge on how to apply this information when performing a 
particular contractor audit. Some FAO managers share this concern. 

Supervisors responsible for deficient audits identified in GAO's prior 
investigation were promoted. At the September 2008 hearing, Committee 
Members expressed concerns about DCAA promotions of supervisors who 
were responsible for improperly dropped audit findings, unsubstantiated 
changes in audit opinions, and abusive management actions against 
whistleblowers at locations covered in our investigation. Best 
practices of leading organizations making organizational and cultural 
changes include top leadership who set the direction, pace, and tone 
and provides a clear, consistent rationale that unites staff together 
behind a single mission. Agency management plays a key role by setting 
and maintaining the organization's ethical tone, providing guidance for 
proper behavior, removing temptations for unethical behavior, and 
providing discipline, when appropriate. Our review of GAO hotline 
allegations received since our investigation showed that meeting 
metrics related to producing reports within budgeted hours and planned 
time frames resulted in performance awards for auditors who performed 
deficient audits with little or no testing and lower performance 
ratings and personnel actions that resulted in downgrades and 
termination of auditors who did not meet these metrics. Further, our 
analysis of performance appraisals and performance award information 
for auditors and supervisors at the location in our investigation where 
supervisors had been promoted[Footnote 74] showed that the supervisory 
auditors responsible for deficient audits at this location were 
rewarded with high performance appraisals, cash awards, and promotions. 

We obtained performance evaluations and performance award documentation 
for auditors and supervisors involved with 12 audits that had serious 
deficiencies at the first location we investigated in our prior work. 
The DCAA Director told us that there are legal issues associated with 
holding employees, such as the supervisory auditors, accountable for 
actions that were identified after-the-fact. However, the two 
supervisory auditors responsible for the deficient audits were approved 
for promotion even though Western Region managers who made promotion 
decisions were aware of the GAGAS compliance problems. DCAA's Western 
Region management had received the DOD IG's January 24, 2007, 
memorandum of investigation covering 10 audits performed at this 
location that did not meet GAGAS. Further, during the summer of 2007, 
Region management was responding to issues identified in our hotline 
investigation, which mirrored the IG's concerns and raised concerns 
about GAGAS compliance with four additional audits. Despite these 
findings, we found no evidence that supervisors and auditors who did 
not follow GAGAS and DCAA policy were disciplined, counseled, or 
required to take additional training. Instead, our review of 
performance appraisal and awards documentation showed that the 
supervisors and auditors responsible for the deficient audits received 
performance appraisals ranging from "exceeds fully successful" to 
"outstanding" along with numerous cash awards. One of the two 
supervisors responsible for inappropriate decisions to drop audit 
findings and change opinions without supporting evidence was promoted 
on October 14, 2007, and the second supervisor was selected for 
promotion on July 25, 2008--3 days after our investigative report was 
issued. DCAA placed a hold on the second supervisor's promotion pending 
further investigation. In addition, a senior auditor who dropped audit 
findings without support at the direction of the second supervisor was 
promoted to a supervisory auditor position on January 6, 2008. In 
contrast, the performance appraisal of the senior auditor witness from 
that office who testified at the Committee's September 2008 hearing was 
lowered two levels from "outstanding" to "fully successful" following 
the submission of her hotline complaint, and she received no cash 
awards. DCAA has rescinded all 12 audit reports and re-performed the 12 
audits associated with our investigation at this field location. 

Allegations about abusive management actions have continued. We found 
that DCAA's current organization is highly decentralized, fostering a 
culture of region autonomy. Within this culture, DCAA's Western Region 
appears to have continuing problems with unresolved allegations of 
abusive management actions. For example, 21 of the 34 DCAA hotline 
allegations we received since our July 2008 report,[Footnote 75] 
include examples of abusive management actions, such as auditors being 
penalized for attempting to perform what they believe was sufficient 
testing to support audit opinions and auditors not completing work 
within established timeframes. Nine of these 21 allegations relate to 
DCAA's Western Region--the subject region in our prior hotline 
investigations. Seven of the 9 allegations relate to current problems 
in the Western Region. Our review of DCAA anonymous Web site contacts 
as of the end of May 2007 showed that over 40 percent (65 of 152) of 
the DCAA contacts also relate to the Western Region, including several 
that pertain to abusive management actions.[Footnote 76] Although DCAA 
headquarters officials have followed up on some of the complaints about 
management abuse that they received, decisions on disciplinary or 
corrective action typically have been delegated to region management. 
DCAA headquarters officials explained that in several cases, Western 
Region management has not agreed to take disciplinary or other 
available corrective actions. The officials told us that DCAA hotline 
staff have no recourse in these situations. 

DCAA Has Made Progress, but Correcting Fundamental Problems in Agency 
Culture That Have Impacted Audit Quality Will Require Sustained 
Leadership: 

Although DCAA has taken several positive steps, much more needs to be 
done to address widespread audit quality problems. DCAA's production- 
oriented culture is deeply imbedded and likely will take several years 
to change. Under the decentralized management environment, there has 
been little headquarters oversight of DCAA regions, as demonstrated by 
nationwide audit quality problems. Further, DCAA's culture has focused 
on hiring and promoting from within the agency and most training has 
been conducted by agency staff. This has led to a very insular culture 
where there are limited perspectives on how to make effective 
organizational changes. In response to our July 2008 investigative 
report,[Footnote 77] DOD's former Comptroller/CFO and Defense Business 
Board (DBB) conducted reviews[Footnote 78] of DCAA operations and made 
recommendations for corrective actions. The recommendations of the DBB 
are consistent with many of the recommendations discussed later in this 
report. DCAA has taken actions to revise performance metrics, change 
certain policy guidance, and obtain an independent organizational 
assessment (staff survey); however, DCAA has not yet addressed the 
fundamental weaknesses in its mission, strategic plan, audit approach, 
and human capital practices. Moreover, DCAA actions to date have 
focused on process and have not addressed the agency's decentralized 
organizational structure that has fostered a culture of DCAA region 
autonomy. On October 23, 2008, the DBB discussed its preliminary 
findings and recommendations at a public meeting, and on January 22, 
2009, the DBB released its DCAA study report, which concluded that: 

* DCAA's mission focused primarily on supporting the procurement 
community with no mention of protecting taxpayer interest. The current 
mission statement also provided for advisory services that raised 
serious questions about DCAA's independence and objectivity under 
GAGAS. 

* DCAA's strategic plan did not address essential elements required by 
GPRA, and it did not address emerging issues that could affect mission 
accomplishment or contain a human capital strategic plan despite 
spending 80 percent of its budget on personnel. 

* None of DCAA's 24 performance measures addressed audit quality, such 
as conformance to GAGAS, and only 8 could be tied to DCAA's strategic 
plan. 

* DCAA's decentralized organizational culture dilutes effectiveness of 
managerial oversight and affects GAGAS compliance and audit quality. 

* DCAA has not established a human capital strategic plan as a key tool 
to facilitate human capital management and workforce development in 
support of DCAA's mission and implementation of its strategic plan. 

The following discussion summarizes the status of DCAA corrective 
actions on identified weaknesses, including actions on key DBB and DOD 
Comptroller/CFO recommendations. 

DCAA's Mission Statement and Strategic Plan Have Not Yet Been Revised: 

The DBB report, released in January 2009, pointed out that DCAA had 
five versions of a mission statement, noting that each version focused 
primarily on supporting the procurement community. The Board concluded 
that DCAA's mission should be refocused to protect the taxpayer's 
interests, writing: "The mission fostered the culture of supporting 
contracting officials, and the value system was one of quantity 
(number, cost, and timeliness of audits) over quality…which was further 
reinforced by the performance metrics that drove the organization." In 
addition, the Board reported that instead of complying with GPRA 
strategic planning requirements for long-term goals and objectives for 
major operations and functions, DCAA's plan resembled a short-term 
process improvement checklist and did not address enterprise risk, 
external factors, or emerging issues that could affect mission 
accomplishment. In addition, the Board noted that DCAA's strategic plan 
did not include an adequate human capital strategy to facilitate 
workforce development, recruiting, retention, and succession planning. 

The Secretary of Defense Has Not Yet Developed a DCAA Mission Statement 
That Focuses on Protecting the Public Interest: 

The DBB report recommended that the Secretary of Defense revise DCAA's 
mission to focus on protecting the interest of taxpayers, with the 
taxpayer as the primary customer, and that DCAA establish a core value 
of performing high quality, independent, and objective contract audits 
that adhere to GAGAS and ensure that taxpayer dollars are spent on fair 
and reasonable contract prices. The DBB did not address any amendments 
that might need to be made to the FAR, DFARS, and DOD Directives and 
policy documents that reflect DCAA's primary role as an advisor to 
government contracting officers and disbursing officers.[Footnote 79] 

Leading organizations that have undergone cultural and organizational 
transformation have identified top leadership involvement in developing 
a mission statement and strategic plan as a best practice. These 
organizations consider top leadership commitment in setting the 
direction, pace, and tone for the transformation as essential to 
provide a clear, consistent rationale that unites agency components 
behind the mission to guide the transformation. In meetings with DCAA 
officials, we expressed our concern that the Secretary of Defense had 
not taken action to revise DCAA's mission statement. On March 12, 2009, 
following a discussion on the preliminary results of our audit, the 
DCAA Director submitted a proposed revision to DCAA's mission statement 
to the Comptroller/CFO for review. The proposed revision inserted 
phrases that refer to "...serving the public interest" and "...ensure 
taxpayer dollars are spent on fair and reasonable contract prices." 
Although the revised mission statement had not been approved by the 
Secretary of Defense as of the end of July 2009, these changes would be 
positive. 

DCAA Has Not Yet Developed a Strategic Plan To Provide a Framework for 
Organizational and Cultural Reform: 

The DBB also recommended that DCAA develop a strategic plan that 
cascades from the revised mission statement and concurrently develop 
(1) an annual performance operating plan and a balanced scorecard tied 
to the strategic plan and (2) a human capital strategic plan. In 
addition, the DBB recommended that DCAA obtain an independent 
assessment of resource needs and engage an external professional 
organization to assist in a cultural transformation. 

DCAA officials told us they are having difficulty identifying an 
independent external professional organization to assist the agency in 
developing a strategic plan because DCAA audits most of the 
organizations that should be able to provide this type of assistance. 
In her February 27, 2009, response to the DBB report, the DCAA Director 
stated that DCAA expects to complete action on this recommendation by 
September 2009. With regard to the recommendation to develop a balanced 
score card, the DCAA Director reported that based on agreements with 
prior DOD Comptroller/CFOs, DCAA plans to use a monthly status report 
of agency performance measures rather than developing a balanced score 
card. Together with the change in performance measures for fiscal year 
2009, DCAA implemented the monthly performance report in October 2008. 
The DCAA Director stated that DCAA will refine the annual performance 
plan in accordance with development of a revised strategic plan. 

The DCAA Director also stated that DCAA initiated a process to 
reengineer its human capital strategic plan in November 2008. The 
Director stated that DCAA obtained example plans from other 
organizations and attended training on human capital plan preparation 
and maintenance. DCAA is also seeking assistance from external 
organizations in reengineering its human capital plan. 

DCAA's Director Took Immediate Action To Eliminate Production Metrics, 
but Concerns about Audit Quality Measures Remain: 

The Committee's September 2008 DCAA oversight hearing raised concerns 
that DCAA's performance metrics focused on producing reports rather 
than performing quality audits and that auditors who attempted to 
perform quality audits were penalized for not meeting production goals. 
The DCAA Director acknowledged problems with the agency's metrics and 
stated that she had initiated a project to assess the agency's use of 
performance measures that would be completed by September 30, 2008. 
Performance metrics provide the basis for measuring achievement of 
agency mission and strategic goals. Accordingly, performance measures 
should be consistent with agency strategic goals. Although DCAA's 
mission statement and strategic plan have not yet been revised to 
provide new goals, the DCAA Director took action in September 2008 to 
eliminate production-oriented performance measures. On September 30, 
2008, the Director issued a policy memorandum that eliminated 18 
performance measures, identified 9 performance measures with goals for 
use in fiscal year 2009, and clarified the use and level of reporting 
on the revised measures. Some of the new performance metrics focus on 
outcomes, while others continue to focus on producing low cost audits 
in fixed time frames. 

New Performance Metrics Intended To Focus on Achieving Quality Audits: 

The DOD Comptroller/CFO required DCAA to develop standard metrics to 
measure and re-enforce compliance with GAGAS and CAM across DCAA by 
February 28, 2009. The DCAA Director reported that the new metrics 
established on September 30, 2008, met this requirement. DCAA 
identified the following six new performance metrics as focusing on the 
intended outcome-related goal of achieving quality audits that comply 
with GAGAS.[Footnote 80] 

1. Obtaining an unqualified DOD IG peer review opinion. 

2. DCAA's internal quality assurance program results show that 100 
percent of the audits reviewed reflected professional judgment. 

3. Checklist confirmation that issued reports did not include serious 
deficiencies. 

4. A goal that 45 percent of audit reports will have findings as an 
indication of the tangible value of the audit work performed. 

5. A goal that 15 percent of the audits will use quantitative methods 
to measure the extent to which advanced level audit techniques are 
used. 

6. A goal that auditors will meet 100 percent of their continuing 
professional education requirements on time. 

Only metrics number 1, 3, and 6 have a direct relationship to audit 
quality. Although metric number 2 could improve audit quality if 
properly implemented, DCAA gave passing scores to deficient audits. 
Given the problems with DCAA's ineffective quality assurance program 
and DOD IG peer review results, for these three metrics to achieve the 
intended audit quality goal, significant changes will be needed in 
policy guidance and training on audit standards, appropriate 
procedures, and audit documentation in order to comply with GAGAS. The 
fourth goal that 45 percent of DCAA audit reports will have findings is 
approximately the same as the actual percentage of 41 percent of the 
reports in 2008. Because findings would support recommendations for 
corrective action, this metric could contribute to improvements in 
accountability over contractor cost and billings. Regardless of the 
goal, findings should be reported as appropriate based on the 
completion of quality audits. Further, the use of quantitative methods 
of analysis in audit reports needs to be supported by training on the 
appropriate methods for sampling and testing contract costs, controls, 
and compliance to help auditors perform sufficient testing to support 
audit conclusions and opinions. 

Performance Metrics That Continue To Measure Output: 

Although three of DCAA's fiscal year 2009 metrics are important in that 
they address responsiveness to contracting officer requests for audits, 
if not properly managed, they could impact the effectiveness of DCAA's 
new audit quality metrics. In the past, DCAA's efforts to meet 
contracting officer requests for audits within specified time frames 
caused auditors to sacrifice audit quality. The following three 
performance metrics continue to address issuing reports within 
specified times to support contract awards and closeouts. 

* A forward-pricing audit timeliness goal of 95 percent based on 
agreement with requesters. 

* Incurred cost audit timeliness goals of 90 percent of corporate 
audits completed within 12 months, 90 percent of major contractor 
audits completed in 15 months, and 95 percent of non-major contractor 
audits completed in 24 months. 

* An efficiency goal of cost per direct audit hour of less than $113.45 
to be monitored at the agency level only. 

It is critical that agreements with the contracting community on 
timeliness goals for forward-pricing and incurred cost audits allow 
performance of sufficient audit procedures to help contracting officers 
ensure that prices paid by the government are fair and reasonable, and 
that contract costs comply with applicable laws, regulations, cost 
accounting standards, and contract terms. In addition, keeping cost per 
direct audit hour in line with past practices indicates that DCAA 
likely would continue to use trainee or junior auditors on assignments 
without senior auditor or supervisory auditor involvement. GAGAS 
requires that staff assigned to perform the audit or attestation 
engagement must collectively possess adequate professional competence 
for the tasks required.[Footnote 81] Moreover, DCAA has not agreed to 
develop a risk-based audit approach to address how it will perform 
required audits with available audit resources, reassess the need to 
perform 30,000 or more audits annually, and establish priorities for 
performing quality audits that meet GAGAS within available resources. 

On October 30, 2008, DCAA required regional audit managers to provide 
training on changes in performance metrics to all FAOs by December 31, 
2008, as part of the effort to get the word out that DCAA's mission 
should be to protect taxpayer interest and that auditors should perform 
quality audits that meet GAGAS. The DCAA Director stressed to us that 
budgeted audit hours would be captured for planning purposes, but they 
were never intended and should not have been used to evaluate auditor 
performance. The DCAA Director also told us that DCAA auditor 
performance appraisals should not have considered exceeding budgeted 
audit hours as a performance failure. In addition, DCAA implemented an 
anonymous Web site for capturing feedback on inappropriate use of the 
new performance measures and abusive management actions. 

Inconsistent Implementation and Training on New Metrics: 

During random telephone calls made to 17 auditors across 15 FAOs in the 
five DCAA regions, we found mixed results on FAO implementation of 
DCAA's new performance metrics. DCAA's Assistant Director of Operations 
told us she also had become aware of some problems with regional audit 
managers meeting the requirement to provide training to FAOs on 
implementation of the new DCAA performance metrics. The Operations 
Assistant Director told us that she planned to follow-up with all FAOs 
in this regard. In response to our telephone calls, for example: 

* Auditors at 13 of the FAOs told us that metrics related to meeting 
budget hours for completing audits have been relaxed. Although most of 
these auditors were not aware of audit completion dates in fiscal year 
2009 program plans for their offices, two auditors told us that audit 
completion dates had been pushed back to allow more time for performing 
individual audits. An auditor at a Northeast Region FAO told us the use 
of budget hours was flexible before the metrics changes, so there was 
no noticeable difference. An auditor at a Western Region FAO said that 
although budget hours are no longer a metric for individual auditor 
performance, there is still a lot of pressure on auditors to meet 
budgeted hours. 

* Auditors at 5 of the 15 FAOs told us they had received the mandatory 
training on changes in performance metrics prior to December 31, 2008. 
However, auditors at 4 FAOs told us they received the mandatory 
training after December 31, 2008, including two auditors at one Eastern 
Region FAO who told us they did not receive the required training until 
February 13, 2009. Auditors at the other 6 FAOs told us they received 
the metrics training, but they could not remember the dates of the 
training. 

* Auditors at 5 FAOs told us they were permitted to charge from 1 to 2 
hours of administrative time per pay period for reading e-mails on DCAA 
policy changes and new policy memorandums. Auditors at 2 FAOs said they 
were not given an administrative code for this purpose. One of these 
auditors told us they read the policies on their own time. Auditors at 
the remaining 8 FAOs did not mention a time limit for reading DCAA 
policy memoranda. DCAA headquarters officials told us that auditors 
should be permitted to charge administrative codes for this purpose and 
that they are working to resolve this issue across DCAA. 

The DCAA Director advised DCAA employees that the new performance 
metrics would be revisited after 6 months to determine if changes are 
needed. On February 11, 2009, DCAA revised its fiscal year 2009 job 
objectives/performance plans to reflect the new performance measures, 
and DCAA's Deputy Assistant Director of Operations advised us that DCAA 
initiated an assessment of the new performance metrics in April 2009. 

DCAA Has Centralized, but Has Not Yet Restructured Its Audit Quality 
Assurance Program: 

DCAA has taken some actions to improve its quality assurance program. 
However, staffing difficulties and other issues have left the outcome 
of this important initiative uncertain. As previously discussed, GAGAS 
require that each audit organization performing audits and attestation 
engagements in accordance with GAGAS should have a system of quality 
control that is designed to provide the audit organization with 
reasonable assurance that the organization and its personnel comply 
with professional standards and applicable legal and regulatory 
requirements, and have an external peer review at least once every 3 
years.[Footnote 82] In addition, considering the large number of DCAA 
audit reports issued annually and the reliance the contracting and 
finance communities have placed on DCAA audit conclusions and opinions, 
an effective quality assurance program is key to protecting the public 
interest. Such a program would report review findings along with 
recommendations for any needed corrective actions; provide training and 
additional policy guidance, as appropriate; and perform follow-up 
reviews to assure that corrective actions were taken. When we briefed 
DCAA on our preliminary findings in March 2009, DCAA had not yet taken 
action to correct serious deficiencies in its quality assurance 
program, including problems with DCAA's application of the professional 
judgment standard, whereby quality assurance program officials gave 
satisfactory ratings when significant noncompliance with GAGAS had been 
identified by reviewers. 

In response to our previous report, on August 20, 2008, the DOD 
Comptroller/CFO required that DCAA take certain actions to improve 
audit quality, which included a restructuring of DCAA's quality 
assurance function. Accordingly, on August 22, 2008, DCAA established a 
new headquarters Directorate for Quality Assurance and Integrity, which 
centralized the quality assurance function at DCAA headquarters. The 
DOD Comptroller/CFO directed that the new Quality Assurance Directorate 
be headed by a Senior Executive Service (SES) Deputy Director. Because 
DOD did not grant DCAA an additional SES position for this purpose, the 
DCAA Director assigned responsibility for leading DCAA's quality 
assurance function to a level GS-15, Assistant Director for Integrity 
and Quality Assurance. Under DCAA's management environment and culture, 
which continue to foster autonomous regions headed by SES-level 
directors, the grade level and experience of the GS-15 equivalent 
Assistant Director for Integrity and Quality Assurance pose a challenge 
when dealing with SES-level regional directors, deputy directors, and 
regional audit managers. For example, when presented with our findings 
and conclusions that various audits did not comply with GAGAS, DCAA 
headquarters policy and quality assurance managers allowed regions and 
FAO's to decide whether to rescind the subject audit reports. In March 
2009, DCAA officials advised us that the GS-15, Assistant Director for 
Integrity and Quality Assurance position is an intended SES position 
and that two GS-15 Assistant Directors will perform as Chief of 
Integrity and Chief of Quality Assurance. 

In centralizing the quality assurance program, DCAA's new quality 
assurance organization provides for five GS-14 senior quality assurance 
auditors at DCAA headquarters and up to 27 GS-13 quality assurance 
auditors in the field assigned across the 5 DCAA regions. However, a 
headquarters requirement that all senior quality assurance staff 
relocate to DCAA headquarters at Fort Belvoir, Virginia, resulted in 
all but one of the five senior staff accepting other positions within 
DCAA because they did not wish to relocate. It took several months to 
recruit DCAA staff for the senior quality assurance positions at DCAA 
headquarters. On July 10, 2009, a DCAA headquarters official advised us 
that DCAA had selected staff to fill the two remaining vacancies, and 
these staff would be reporting for duty in the next few weeks. 

In response to our concerns that DCAA's quality assurance program has 
not resulted in audits that comply with GAGAS, DCAA officials advised 
us that going forward, DCAA will no longer rate an FAO's overall 
compliance with GAGAS and DOD policy. The officials told us that 
instead, DCAA headquarters plans to (1) report the detailed results of 
the audit quality reviews, (2) make recommendations to FAOs for any 
needed corrective actions, (3) conduct follow-up reviews for all FAOs 
with identified audit deficiencies to ensure that corrective actions 
are taken, and (4) provide training and policy guidance, as 
appropriate. If properly implemented, these procedures would help to 
assure an effective audit quality assurance program. 

DCAA Disagrees with the DBB Recommendation for a Risk-Based Audit 
Planning Process: 

The DBB recommended that DCAA establish a risk-based planning process 
that expands DCAA self-initiated audits and increases the potential for 
identifying fraud, waste, and abuse, and higher rates of return to the 
taxpayer by April 2009. The DBB intended for DCAA to audit any and all 
contracts awarded by the department. On February 27, 2009, in 
responding to the DBB recommendation, the DCAA Director stated that (1) 
DCAA's practice of auditing only certain contracts was due to 
regulation or statute and (2) absent the DCAA access-to-records clause 
in certain types of contracts, DCAA has no legal basis to obtain cost 
data from a contractor. The DCAA Director suggested that the DBB 
recommendation should be directed to the Under Secretary for 
Acquisition, Technology and Logistics, who oversees DCMA, and not DCAA. 
The DCAA Director told us that she believes that DCMA should address 
this recommendation because DCMA decides what audits DCAA should 
perform to support contracting decisions and DCMA would need to 
initiate action to change audit-related FAR requirements. 

Generally, DCAA, as the agent of the Secretary of Defense, has 
authority[Footnote 83] to examine records of (1) a contractor 
performing any cost-reimbursement, incentive, time-and-materials, labor-
hour, or price re-determinable contracts and subcontractors performing 
such contracts of the contractor and (2) to evaluate the accuracy, 
completeness, and currency of certified cost or pricing data required 
to be submitted pursuant to law, all records of the contractor or 
subcontractor related to the proposal, and discussions conducted on the 
proposal, pricing of the contract or subcontract or performance of the 
contract or subcontract. This authority is implemented by insertion of 
the Audit of Records clause in solicitations for negotiated contracts. 
[Footnote 84] In addition, the Director of DCAA may require by subpoena 
the production of any records of a contractor that the Secretary of 
Defense is authorized to audit or examine. While DCAA does not have 
access to the records of all DOD contractors or statutory rights of 
access to contractor officials, we believe it has sufficient authority 
to undertake a risk-based audit approach consistent with its existing 
authority. Therefore, we believe the DBB recommendation for DCAA to 
develop a risk-based audit planning approach is appropriate. DOD 
acquisition officials we met with agree. Further, as previously 
discussed, a risk-based audit approach would provide a basis for 
determining audit resource requirements. 

DCAA has selected the Army Force Management Support Agency[Footnote 85] 
to perform its staffing study. However, DCAA is conducting a staffing 
study as a stand-alone effort rather than performing the study in 
concert with an effort to establish a risk-based planning process. To 
provide useful information for decision making, it is important that 
the staffing study and risk-based audit planning approach are conducted 
as integrated efforts. It is also important for the DOD contracting and 
finance communities to be involved in the staffing study analysis and 
planning process because, as discussed earlier, a risk-based audit 
approach may require these communities to re-evaluate whether all DCAA 
services should be provided as audits and whether DCAA, as an 
independent audit organization, should perform any nonaudit services. 

To address immediate staffing needs, DCAA requested funds for 
additional audit staff and training from the Defense Acquisition 
Workforce Development Fund,[Footnote 86] including 300 positions for 
fiscal year 2009 and another 200 positions in 2010. DCAA received 
approval of this request in December 2008. In May 2009, as part of 
DOD's request for an additional 9,000 positions for contract management 
and oversight, the DCAA request was increased from 500 to 700 new 
positions that are to be phased in from fiscal year 2009 through 
2011.[Footnote 87] As previously discussed, without developing a risk- 
based audit approach, it is difficult to determine the level of 
resources needed to perform effective, quality contract audits. 
However, federal acquisition and contract audit resources have not kept 
pace with the growth on federal procurements. As shown in figure 2, 
although procurement obligations related to greater reliance on 
contractor-provided services and support of the Global War on Terrorism 
have more than doubled since fiscal year 2002, DCAA audit resources 
have remained about the same. In addition, contractor and subcontractor 
relationships have become more complex, increasing the complexity of 
contract audits. These changes underscore the need for a risk-based 
audit plan and assessment of auditor resource and training needs. 

Figure 2: Comparison of DOD Contract Obligations and DCAA Workforce for 
Fiscal Years 2002 through 2008: 

[Refer to PDF for image: multiple line graph] 

Fiscal year: 2002; 
DCAA audit workforce: 3,500; 
DOD contract obligations: $171 billion. 

Fiscal year: 2003; 
DCAA audit workforce: 3,500; 
DOD contract obligations: $195 billion. 

Fiscal year: 2004; 
DCAA audit workforce: 3,500; 
DOD contract obligations: $231 billion. 

Fiscal year: 2005; 
DCAA audit workforce: 3,500; 
DOD contract obligations: $270 billion. 

Fiscal year: 2006; 
DCAA audit workforce: 3,500; 
DOD contract obligations: $299 billion. 

Fiscal year: 2007; 
DCAA audit workforce: 3,600; 
DOD contract obligations: $331 billion. 

Fiscal year: 2008; 
DCAA audit workforce: 3,600; 
DOD contract obligations: $383 billion. 

Source: GAO analysis of unaudited obligations data from the Federal 
Procurement Data System and acquisition workforce data from the Office 
of Personnel Management. 

[End of figure] 

Although DCAA has undertaken certain initiatives to improve the 
effectiveness of audits of contractor billings and internal control 
systems, these efforts are not targeted for completion until September 
2010 and September 2012, respectively, and they are not part of a 
comprehensive audit strategy or framework. Once decisions are made on 
changes in various audit procedures for these audits, related audit 
guidance and training would be needed to help ensure the new procedures 
are effectively implemented. 

DCAA Issued Revised Policy Guidance To Address Auditor Independence, 
Assure Management Involvement in Key Decisions, and Address Audit 
Quality Issues: 

Our investigation and audit identified problems and concerns related to 
auditor independence, the need for management involvement in key 
decisions, and audit quality. In response to our work, the DBB and DOD 
Comptroller/CFO made several recommendations for DCAA actions to 
address these concerns. Specific DCAA actions and our assessment 
include the following. 

Auditor independence. The DBB recommended that DCAA address advisory- 
type (nonaudit) services by (1) discontinuing participation on 
Integrated Product Teams and Source Selection Evaluation Boards, both 
of which impair auditor independence in fact and appearance under 
GAGAS; (2) reevaluating the role and number of Financial Liaison 
Advisors (FLA) to ensure independence and objectivity in both fact and 
appearance; and (3) working with the DOD acquisition leadership to 
explore alternatives for providing technical advice and support to the 
contract management community while adhering to the auditor 
independence standards in GAGAS. 

The DCAA Director responded that DCAA discontinued participation in 
Integrated Product Teams on August 4, 2008, and Source Selection 
Evaluation Boards on September 12, 2008. On November 23, 2008, DCAA 
realigned all FLAs to report directly to DCAA headquarters and 
completed an assessment of the number of advisors. DCAA is continuing 
to assess the functions performed by FLAs to assure their independence. 
The DCAA Director stated that if there is a significant change in the 
advisory functions, DCAA will initiate discussions with DOD acquisition 
leadership. We support efforts to reevaluate DCAA's nonaudit advisory 
services given the problems identified in our investigation. Although 
our review of DCAA's CAM guidance found that DCAA had established 
appropriate guidelines to avoid independence issues, we found that the 
auditors had not followed DCAA policy. According to the DCAA Director, 
the DBB's primary concern is that DCAA participation in these advisory 
services created the appearance of a lack of independence. 

Requirement for DCAA management involvement in key decisions. DCAA 
issued policy memorandums requiring that (1) FAO managers sign all 
audit reports issued by the FAO; (2) auditors elevate memorandums on 
disagreements with supervisors and FAO managers on draft audit opinions 
to the highest level necessary, including the DCAA Director, for 
resolution; and (3) auditors elevate problems in accessing contractor 
records to FAO managers, contracting officers, and regional offices for 
appropriate handling. 

DCAA action to require FAO managers to sign all audit reports issued by 
the FAO addresses concerns identified in our investigation that 
supervisors could inappropriately issue reports with adequate ("clean") 
opinions without review by FAO managers. Similarly, the policy to 
elevate disagreements on changes to audit opinions responds to findings 
in our investigation that supervisors ignored auditors' objections to 
dropped findings and changed opinions, and the auditors had no 
opportunity to elevate their disagreement beyond the supervisors. The 
access-to-records policy clarified actions required when auditors are 
denied access to records and required FAO managers to brief their staff 
on the revised guidance. The revised policy guidance emphasized that 
auditors (1) should follow procedures for addressing denial of access 
to records, which include notifying the FAO manager, contracting 
officer, and DCAA region; (2) take appropriate actions to effect a 
suspension or withholding of any unsupported costs billed to the 
government until the data are received and a determination is made 
regarding the allowability of the costs; and (3) question the 
unsupported costs in the audit report if the supporting documentation 
is not received prior to the completion of fieldwork. Although our work 
identified some access-to-records problems, in these cases, there was 
no evidence that DCAA supervisors elevated the issue to management or 
to procurement officials to initiate enforcement action, as set out in 
existing DCAA policy. 

Guidance to improve audit quality. On August 6, 2008, the DCAA Director 
requested that each FAO hold a stand-down day (where staff were 
relieved of assigned duties to take mandatory training) to discuss 
audit quality and the requirement to comply with GAGAS requirements for 
competence, integrity, objectivity, and independence in performing 
contract audits. In addition, DCAA issued policy guidance on adequate 
audit documentation and testing, including the following guidance that 
applied to assignments we reviewed for this report: 

* "Workpaper Documentation of Judgmental Selections"--requires a 
description of the universe (population) from which items are selected 
for testing, identification of items and attributes to be tested, and 
an explanation to support that the judgmental selection will result in 
adequate audit coverage. 

Emphasizing the requirement that audit documentation include a 
description of the population used for sampling and identification of 
items and attributes to be tested is appropriate. However, the 
requirement for an explanation in the audit documentation that the 
judgmental selection will result in adequate audit coverage needs to be 
sufficiently justified. GAGAS and AICPA standards require that auditors 
document significant decisions affecting the audit objectives, scope 
and methodology, findings, conclusions, and recommendations resulting 
from professional judgment.[Footnote 88] 

* "Audit Guidance for Annual Testing of Contractor Eligibility for 
Direct Bill," which is intended to determine whether continued reliance 
can be placed on the contractor's procedures for preparation of interim 
vouchers. This policy change clarified and consolidated audit steps 
related to the contractor's compliance with contract provisions, added 
audit steps for reviewing vouchers under time-and-material and labor- 
hour contracts, and removed the requirement to verify that the 
contractor's Central Contractor Registration is current. The policy 
memorandum states that this scope of work performed does not constitute 
an audit or attestation engagement under GAGAS. 

It is within DCAA's purview to determine whether these procedures 
constitute an audit. However, because direct-bill decisions present a 
risk of undetected improper contract payments, prudent decisions to 
continue a contractor's direct-bill authorization would necessarily be 
based on testing a statistical sample of invoices[Footnote 89] and 
include a review of supporting documentation, including documentation 
to confirm the government received goods and services noted on the 
billing invoice. We confirmed that Defense Finance and Accounting 
Service certifying officers rely on DCAA reviews, and they do not 
repeat review procedures they believe to be performed by DCAA. 

Human Capital Management and Cultural Transformation: 

The DBB made two recommendations to improve DCAA human capital 
management and agency culture, namely that DCAA (1) develop a human 
capital strategic plan as a key tool to facilitate human capital 
management and workforce development and (2) engage an external 
professional organization to assist in a cultural transformation that 
includes emphasizing core values such as quality, independence, ethics, 
and objectivity rather than a mindset focused on quantity and 
productivity. DCAA has not yet developed a human capital strategic plan 
as a key tool to facilitate human capital management and workforce 
development. In May 2009, DCAA finalized an agreement with the Naval 
Post Graduate School, Center for Defense Reform, for assistance on 
cultural reform. According to GAO's Internal Control Standards, 
[Footnote 90] operational success is possible only when the right 
personnel for the job are on board and are provided the right training, 
tools, structure, incentives, and responsibilities. Accordingly, 
management should ensure that skill needs are continually assessed and 
that the organization is able to obtain a workforce that has the 
required skills that match those necessary to achieve organizational 
goals. In addition, training should be aimed at developing and 
retaining employee skill levels to meet challenging organizational 
needs; qualified and continuous supervision should be provided to 
ensure that internal control objectives are achieved; and performance 
evaluation and feedback, supplemented by an effective reward system, 
should relate employee performance to the organization's success. 

Lack of a human capital strategic plan. The lack of a human capital 
management strategic plan has limited the effectiveness of DCAA's 
hiring, training, and staff development efforts. DCAA officials told us 
they view contract auditing as a highly specialized profession that 
requires knowledge of acquisition law and regulations and government 
procurement and contract management processes. As a result, DCAA 
officials believe that auditors must be hired at the entry level and 
trained to perform contract audits. The officials also believe that 
because DCAA is the only contract audit agency in the federal 
government and it operates the only federal contract audit training 
institute, DCAA is in the best position to train contract auditors. 
However, DCAA is not the only agency that performs contract audits. 
Many IG offices, including the DOD IG, the military service audit 
agencies, several executive agency IGs, and GAO all perform contract 
audits. Further, DCAA has not provided training that is designed to 
develop contract audit skills at successively higher levels, and it has 
not provided adequate or continuous supervision of audit staff. 
Moreover, our work has shown that performance evaluations and feedback 
have not always related performance to the agency's success, as was the 
case when supervisors who were responsible for improperly dropping 
audit findings and changing draft audit opinions received high 
performance evaluations and cash awards. 

At the September 2008 hearing, the DCAA Director acknowledged the need 
to develop revised training to address audit quality issues. However, 
it will take considerable time to develop a revised training program to 
address the range of changes in audit policies, processes, and 
procedures for performing quality audits in accordance with GAGAS. 
However, on April 8, 2009, DCAA revised its Supervisory Development 
Training Curriculum to emphasize leadership skills and better reflect 
the day-to-day activities performed by supervisors. This revision was 
based on feedback received through DCAA's suggestion program, anonymous 
Web site contacts, and focus groups and is not based on a study or 
expertise of an outside professional organization. In addition, DCAA 
has begun a reassessment of the 2-week technical indoctrination class 
for new hires. 

Although it is appropriate to consider staff input in developing 
training courses, the development of in-house training by agency 
personnel may not result in a design that encourages participants to 
develop more critical analysis of the underlying principles or ways to 
bring about organizational change. Outside expertise helps ensure that 
an organization benefits from outside subject matter experts as well as 
education and training professionals who have a broad perspective on 
innovative approaches to best practices or best learning design. 

DCAA has difficulty identifying an independent professional 
organization to assist in cultural transformation. According to the 
DCAA Director, DCAA faces challenges in engaging a professional 
organization to assist with cultural change because (1) many external 
organizations that provide this service are audited by DCAA and to 
preserve the appearance of independence under the auditing standards, 
DCAA cannot engage organizations that it audits and (2) based on 
initial discussions with various organizations, DCAA believes this 
effort could cost from $1 to $2 million or perhaps more and DCAA would 
need additional funding to pay for this assistance. However, based on 
an assumption that DCAA would receive funding for this effort, the 
Director established a completion date of January 2010 with training of 
the workforce potentially extending into fiscal years 2011 and 2012. In 
the face of these challenges, the DCAA Director took action on three 
other initiatives related to cultural change. The DCAA Director stated 
that shortly after issuance of our July 2008 report, DCAA initiated a 1-
to 2-year project to accomplish an organizational assessment using the 
Baldrige National Quality Program[Footnote 91] criteria with assistance 
from Baldrige experts within the Army. In addition, as required by the 
DOD Comptroller/CFO in September 2008, the Director asked the Office of 
Personnel Management to conduct an independent organizational survey of 
DCAA. As previously discussed, to help ensure that DCAA's new 
performance metrics resulted in appropriate cultural change with regard 
to the new emphasis on audit quality, DCAA established an anonymous Web 
site for obtaining feedback on the inappropriate use of the performance 
measures. 

In May 2009, DCAA asked the Naval Postgraduate School, Center for 
Defense Reform to assist DCAA with cultural transformation as 
recommended by the DBB. The Center began work in June 2009 to help DCAA 
identify issues facing the organization and develop an action plan. 

Delay in reporting results of DCAA's organizational survey. DCAA's 
independent organizational survey was completed during the fall of 
2008, and DCAA officials said the assessment results would be finalized 
in March 2009, but then amended the date for completing the assessment 
of the survey results to late July 2009. Therefore, the survey results 
were not available to us for review. 

DCAA's anonymous Web site contacts underscore the need for a separate 
hotline office. DCAA's anonymous Web site was established as a 
mechanism for monitoring compliance with DCAA's new performance 
metrics; however, it has become an internal hotline, with many auditors 
reporting the same issues as those presented in hotline complaints 
received by GAO. The DBB report stated that DCAA would benefit from the 
establishment of a Chief of Internal Review to perform critical 
inspector general functions, such as performing periodic reviews and 
evaluations, serving as an ombudsman between staff and DCAA management, 
and addressing hotline complaints. Instead of establishing a separate 
Internal Review function, in March of 2009, the DCAA Director divided 
responsibilities of its Operations Directorate between the Operations 
Assistant Director and Deputy Assistant Director to provide dedicated 
staff to handle auditor concerns reported to the internal DCAA 
anonymous Web site. DCAA's Assistant Director of Operations along with 
a Division Chief and three program managers were made responsible for 
the DCAA hotline function, and the Deputy Assistant Director of 
Operations was given responsibility for day-to-day operations. 

Our review of DCAA headquarters handling of DCAA auditor concerns and 
hotline allegations sent to DCAA's anonymous Web site determined that 
internally reported DCAA auditor concerns represent problems across all 
five DCAA regions. As with GAO hotline complaints, the largest number 
of problems reported to DCAA's anonymous Web site related to DCAA's 
Western Region. Our review of DCAA documentation and discussions with 
auditors and DCAA officials indicate that current handling of 
internally reported DCAA auditor concerns and allegations appears to be 
timely, objective, and fact-based. The Assistant Director of Operations 
has made good progress in establishing credibility and trust in the 
DCAA hotline function. It will be important for any future inspector 
general or ombudsman to carry forward in this role. The DCAA Director's 
response to the DBB report did not address the recommendation to 
establish a Chief of Internal Review. We agree with the DBB 
recommendation. It is important for DCAA to have a hotline function 
that is separate from management and operations. Currently, the 
Operations Assistant Director has been reassigned to handle this 
function on a temporary basis. However, given the size of the DCAA 
organization, the extensive number of internal DCAA hotline complaints-
-which totaled about 150 at the end of May 2009--and the likelihood of 
continuing hotline contacts that would need to be addressed as DCAA 
undergoes its cultural transformation, a permanent internal review or 
inspector general function is warranted. 

Legislative and Other Actions To Improve DCAA's Effectiveness and 
Independence: 

In addition to correcting the fundamental weaknesses in mission and the 
overall management environment discussed above, certain legislative and 
other actions, such as changes in organizational placement, could 
enhance DCAA's effectiveness and independence. Successful management 
initiatives for cultural and organizational change in large private and 
public sector organizations can often take several years to accomplish. 
Changing DCAA's organizational placement without first correcting 
fundamental weaknesses in mission and the overall management 
environment would not assure effective audits. Given this time frame 
and pursuant to your request, we identified legislative and other 
actions that decision makers can consider to improve DCAA's 
effectiveness. In the short term, Congress could enhance DCAA's 
effectiveness and independence by granting DCAA certain authorities and 
protections similar to those offered to presidentially appointed 
inspectors general under the Inspector General Act of 1978, as amended 
[Footnote 92] (IG Act). The IG Act contains provisions that enhance the 
independence of presidentially appointed IGs, including protections 
from removal without congressional notification, access to independent 
legal counsel, public reporting of audit results, rights to take 
statements from contractor and other personnel, and budget visibility. 
These provisions would enhance the important DCAA initiatives currently 
under way. Continued monitoring and oversight will be essential to 
assuring the successful implementation of DCAA's management 
initiatives. In the longer term, Congress could consider changes in 
organizational placement after current reform efforts have been 
effectively implemented. However, moving DCAA as an organization would 
require careful analysis and planning before implementation. 

Short-Term Legislative Actions: 

In addition to DCAA management reforms already under way and our 
additional recommendations, we identified certain legislative 
protections and authorities under the IG Act that could enhance DCAA's 
effectiveness. Legislation would be needed in order to grant DCAA such 
protections and authorities. 

Leadership. The IG Act provides for the President to appoint the IG, 
with Senate confirmation, at many federal agencies.[Footnote 93] Under 
the act, Congress must be notified in advance of removing the IG, and 
only Congress can eliminate the office of an IG. Currently, the head of 
DCAA is appointed and can be removed by the Secretary of Defense. 
Further, DCAA was created and can be reorganized or reassigned by 
departmental order without notice. IG Act protections Congress could 
grant to DCAA would therefore include (1) Senate confirmation of a 
presidentially appointed DCAA Director[Footnote 94] and (2) removal of 
the DCAA Director conditioned on congressional notification. [Footnote 
95] Specifically, the act provides that an inspector general may be 
removed from office by the President and any removal is to be reported 
to both Houses of Congress 30 days prior to the removal. In addition to 
these IG Act protections, Congress could build additional provisions 
into legislation, to include the following: 

* Requirements that the DCAA Director possess the appropriate 
professional qualifications. For example, provisions for appointment of 
the DCAA Director could require selection from among individuals who 
possess demonstrated ability in managing and leading organizations, 
specific accounting or auditing background, general knowledge of 
contract management, and knowledge of and extensive practical 
experience in financial management practices in large governmental or 
business entities. 

* A mandate permitting the DCAA Director to hold a renewable term 
appointment for between 5 to 7 years. Legislation should provide that 
the DCAA Director can be removed only for cause or other stated 
reasons. These protections would allow the head of DCAA to provide 
stability and continuity of leadership that span presidential 
administrations and prevent removal except for cause or other disclosed 
reasons. 

* Conflict of interest provisions for the DCAA Director and other key 
staff in addition to those provisions currently in law. This would be 
intended to ensure that selection of the audit agency head would not 
involve a "revolving door" situation between contractors and the 
contract audit agency. 

Access to independent legal counsel. The IG Act provides for 
independent legal advice for IGs rather than requiring the use of 
agency legal counsel.[Footnote 96] Currently, DCAA relies upon DOD 
legal counsel. DCAA officials told us that the DCAA Director has not 
always been apprised of legal decisions by DOD counsel that have 
impacted DCAA operations. Further, according to the DCAA Director, the 
lack of independent counsel led to a situation where DOD attorneys 
provided questionable legal counsel to a DCAA field office supervisor 
without the DCAA Director's knowledge. Obtaining independent legal 
counsel would avoid conflicts of interest between DOD and DCAA, thereby 
helping to improve DCAA's effectiveness. 

Budget. The IG Act requires separate budgets for Offices of Inspector 
General (OIG) within agency budgets, allowing Congress to review IG 
budget requests separately. DCAA currently does not have this 
protection. IGs that are appointed by the President with Senate 
confirmation receive a separate appropriation, preventing agencies from 
reprogramming IG funds to other programs and activities. However, there 
is currently little visibility of DCAA's budget because it is funded 
under the Operations and Maintenance, Defense-wide appropriation, which 
includes numerous DOD agencies, such as the Defense Contract Management 
Agency (DCMA), the Defense Logistics Agency, the Defense Finance and 
Accounting Service, and some buying command activities. Therefore, 
DCAA's share of annual appropriations is subject to reprogramming, 
sometimes without congressional notification. According to the DCAA 
Director and documentation provided by the Director and Office of 
Comptroller/CFO, in the past, DOD has reprogrammed funding between DCAA 
and other DOD activities on numerous occasions. Because these 
reprogrammings were below the $15 million threshold for congressional 
notification, Congress did not have notice of these funding decreases 
at the time they occurred. For fiscal year 2009, DOD reprogramming 
increased DCAA's funding by $3.5 million. Legislation similar to the IG 
Act could grant DCAA a separate budget[Footnote 97] to provide 
visibility and protections from reprogramming of funds to other agency 
priorities. 

Increased authority and independence. Legislation could strengthen 
DCAA's audit authority by providing the same level of access to records 
and personnel available to IGs.[Footnote 98] Currently, DCAA has 
statutory rights of access to certain records related to cost-type 
contracts or those that contain cost and pricing data, but not to 
contractor personnel. As a result, DCAA's subpoena power is limited to 
certain records and does not cover contractor personnel. While we 
recognize that DCAA auditors have ongoing discussions with contractor 
personnel, they do not have statutory authority to compel contractor 
officials to meet with them and submit to interviews. IGs have 
authority, including subpoena power, to access all records, reports, 
audits, reviews, documents, papers, recommendations, or other material 
available that relate to programs and operations for which the IG has 
responsibilities. Further, IG subpoena authority extends beyond access 
to records and documents in that IG auditors can administer or take an 
oath in order to obtain information. Our discussions with DCAA auditors 
and reviews of audit documentation identified numerous instances where 
requests for contractor records were not met.[Footnote 99] Obtaining 
increased access to contracting companies, especially their staff and 
documentation, would be an important provision to improve the 
effectiveness of DCAA audit staff. 

Reporting and oversight of audit results. The IG Act provides for semi- 
annual reports to the agency head and appropriate committees of 
Congress summarizing results of significant audits and 
investigations.[Footnote 100] DCAA currently has no external reporting 
requirement, reducing opportunities for oversight and transparency. 
Congress could mandate some form of external DCAA reporting in 
legislation similar to the IG Act. Moreover, DCAA does not currently 
provide copies of its audit reports to other federal agencies that use 
the same contractors that DOD uses. According to the DCAA Director, 
DCAA's appropriations are specific to DOD contractor audits, and unless 
federal agencies request and reimburse DCAA for audit services, DCAA 
cannot provide them with copies of its audit reports even though its 
DOD audits of systems and related internal controls, cost accounting 
system compliance, etc. may cover their contractors. Legislation could 
also expressly allow DCAA to provide audit results to other agencies, a 
step that would improve its visibility and effectiveness for the 
government as a whole. 

Legislation to grant DCAA similar protections and authorities as those 
provided in the IG Act could enhance reform efforts that are already 
under way. Although we found that a lack of DOD Comptroller/CFO and IG 
oversight has impaired DCAA's effectiveness, DOD has begun work to 
provide improved oversight of DCAA's operations. In August 2008, the 
DOD Comptroller/CFO conducted a "tiger team" review of DCAA's audit 
quality assurance program, and DOD approved a more comprehensive 
Defense Business Board (DBB) study. The new DOD Comptroller/CFO 
recognized the need for DCAA oversight and on March 16, 2009, approved 
the charter for a DCAA Oversight Committee. Committee members include 
the Auditors General of the Army, the Navy, and the Air Force; the DOD 
Director of Defense Procurement and Acquisition Policy; and the DOD 
Deputy General Counsel for Acquisition and Technology. The Committee 
held its first meeting in early April 2009. During May 2009, the DCAA 
oversight committee members reviewed selected DCAA audits and visited a 
DCAA field office. In addition, the committee members have indicated 
that they plan to review this report, our earlier investigative report, 
the DOD Comptroller/CFO "tiger team" report, the DBB report, and the 
upcoming DOD IG report that follows up on issues from our July 2008 
report. The committee plans to assess DCAA actions on recommendations 
in these reports and identify any gaps for further action. We note that 
DCAA has already taken numerous actions to respond to our initial 
investigative report as well as DOD Comptroller/CFO and DBB 
recommendations. 

Long-Term Legislative Actions To Move DCAA: 

Most of the impairments to DCAA effectiveness that we identified can be 
addressed within DCAA's current organizational placement. However, to 
address the Committee's interest in how changes in DCAA's 
organizational placement could improve DCAA effectiveness and 
independence, we considered potential approaches to moving DCAA. During 
the 1980s, there were numerous proposals to reorganize DCAA's 
organizational structure, including legislative proposals that would 
have placed DCAA in the Office of the Under Secretary of Defense 
(Acquisition), or in the DOD Office of Inspector General (OIG), or 
placed only DCAA's post-contract audits in the OIG. We analyzed these 
proposals in an April 1991 report[Footnote 101] and concluded that they 
were not workable because they posed conflict of interest or 
duplication of effort issues. 

We believe that it is prudent to consider changes in organizational 
placement after DCAA has had sufficient opportunity to effectively 
implement current reform efforts necessary to address fundamental 
operational issues. Legislation to move DCAA as an organization would 
require careful analysis and planning before implementation. Moving 
DCAA at this time would be a bold step with possible unintended 
consequences, and decision makers would need to carefully weigh the 
costs and benefits of moving DCAA before the fundamental operational 
issues are addressed. As discussed below, regardless of its ultimate 
placement in the government, DCAA still needs to address the 
fundamental weaknesses in its mission, strategic plan, metrics, audit 
approach, and human capital management. 

Elevating DCAA within DOD: 

Elevating DCAA within DOD as a separate component reporting to the 
Deputy Secretary of Defense could give more authority to the DCAA 
Director and increase visibility of the organization both within and 
outside of DOD.[Footnote 102] Because DOD positions reporting to the 
Secretary level are established by law, moving DCAA to the department 
level would require new legislation. To avoid any ambiguities or 
questions about whether the Secretary of Defense currently possesses 
the statutory authority to transfer the supervision of DCAA to the 
Deputy Secretary, we believe additional legislation that sets out 
appropriate relationships would be the best approach.[Footnote 103] In 
addition, this option would require some level of administrative 
change. For example, management and oversight of the contract audit 
function would become the responsibility of Deputy Secretary, a 
separate appropriation would need to be established, and some form of 
periodic external reporting to Congress would be appropriate. We note 
that authorizing legislation to move DCAA could also include similar 
protections and authorities as those under the IG Act if these 
provisions have not already been enacted. 

Although this option could enhance DCAA auditor objectivity and 
independence, under this organizational placement, DCAA would still 
need to resolve the management environment and cultural problems that 
have had a negative impact on audit quality, including pressure by 
contractors and contracting officers on audit scope and findings, 
conclusions, and recommendations. DCAA also would need DOD commitment 
to strengthening DCAA's contract audit function through continued 
monitoring and oversight. Leadership from the Deputy Secretary of 
Defense would be critical to help DCAA address these matters. A key 
factor will be whether the Deputy Secretary has the necessary time to 
focus on DCAA. The amount of time needed should be less once the 
fundamental improvements are accomplished. 

Establishing an Independent, Governmentwide Contract Audit Agency: 

Numerous governmentwide acquisition management reform efforts are 
currently under way that could impact the contract audit function. 
These efforts include congressional oversight and reform legislation 
and Presidential direction on developing governmentwide guidance for 
reviews of existing contracts to identify contracts that are wasteful, 
inefficient, or otherwise unlikely to meet agencies' needs, and to 
formulate corrective action in a timely manner, as well as interest 
group studies. For example, in the National Defense Authorization Act 
for Fiscal Year 2008, Congress created the Commission on Wartime 
Contracting to study federal agency contracting for the reconstruction, 
logistical support of coalition forces, and the performance of security 
functions in Iraq and Afghanistan. The Senate Committee on Homeland 
Security and Governmental Affairs also recently created a new 
Subcommittee on Contracting Oversight. Several Members of the House 
Oversight and Government Reform Committee created the Clean Contracting 
Coalition to take a similar governmentwide approach. The House 
Oversight and Government Reform Committee also has been very active in 
this area. In addition, the House Armed Services Committee established 
an acquisition panel to evaluate DOD's current acquisition system, 
analyze the root causes of project or program failures, and the 
administrative and cultural pressures that acquisition and program 
personnel face. The House and Senate Armed Services Committees also led 
the effort to enact the Weapon Systems Acquisition Reform Act of 2009, 
[Footnote 104] which requires oversight of cost estimation, systems 
engineering, and performance assessment; promotes competition; and 
limits organizational conflicts of interest. 

On March 4, 2009, the President issued a memorandum directing executive 
agencies to (1) increase the use of fixed-price contracts, (2) enhance 
the capacity of the acquisition workforce, (3) maximize competition, 
and (4) rationalize the choice of government or contractor resources to 
perform required services. In addition, the Federal Acquisition 
Innovation and Reform Institute--a nonpartisan, nonprofit organization 
led by leaders in acquisition and supply management--has called for 
acquisition workforce reforms, including a single acquisition job 
series that encompasses at a minimum, three functions--program 
management, contracting, and a new function called requirements 
management--and is considered a professional "super COTR" (contracting 
officer's technical representative) position. Over the next several 
years, these reform initiatives likely will have a significant impact 
on government contracting, including the roles and relationships of 
contract auditors and the contracting, program, and finance 
communities. 

Depending on the outcome of the various contract reform initiatives and 
the successful implementation of DCAA management reforms, Congress may 
also want to consider increasing the efficacy of these reforms by 
establishing an independent governmentwide contract audit agency. The 
creation of a statutory governmentwide contract audit agency could 
enhance contract auditor effectiveness and independence by placing the 
audit agency outside DOD and other federal agencies that make 
procurement and contract management decisions. Centralizing the 
contract audit function and mandating its use by all federal agencies 
also could provide for consistent audit coverage and bring efficiencies 
and economies of scale to the contract audit process across the 
government. However, this would likely entail significant costs and 
operational and accountability considerations and would be an extremely 
costly option involving significant infrastructure and reorganization 
and would require substantial planning and analysis before deciding 
whether to proceed and how to implement any changes. Some of the issues 
that would need further study and analysis include the following: 

Governance. Governance is the framework of rules and practices by which 
a governing body, such as a board of directors, ensures accountability, 
fairness, and transparency in the entity's relationship with all of its 
stakeholders, including management, employees, and government. In order 
to improve governance and accountability at federal agencies, a variety 
of laws covering a range of management and administrative practices and 
processes have been enacted. Consideration of such provisions for a 
governmentwide contract audit agency should include application of 
general laws related to funds control, performance and financial 
reporting, accounting and internal control systems, human resources 
management, and recordkeeping and access to information, among others. 
Further, governance issues unique to a contract audit agency, such as 
its relationships to agency contracting officers and the Congress, 
should be assessed. 

Scope of Work. Scope of work considerations would include roles, 
responsibilities, and relationships of the governmentwide contract 
audit agency and IGs with regard to contract audits. Another 
consideration would be whether the new agency would be available for 
consultation as an outside expert on federal agency pre-award issues. 
In addition, a determination would need to be made on the handling of 
fraud referrals. For example, the central new agency could have an 
investigative division or it could refer potential contract fraud to 
federal agency IGs for further investigation. 

Funding. Congress would need to determine how to fund the new contract 
audit agency. For example, funding could be provided through 
appropriations or from reimbursement by federal agencies. This decision 
would likely be tied to decisions on the governmentwide contract audit 
agency's mandate and scope of work and any realignment of contract 
audit resources. 

Further study and analysis of this option would involve input from the 
federal agency IGs and agency contracting and finance communities as 
well as government contractors and public interest groups. Numerous 
additional issues would potentially be identified and require 
substantial time and cost for effective consideration and resolution. 

Conclusions: 

Successful accomplishment of DCAA reforms will require focused and 
committed leadership at the highest levels of DOD and DCAA as well as 
fundamental changes in DCAA's culture and possible congressional 
action. Without leadership commitment to a strong contract audit 
function and substantial changes to DCAA's mission, strategic plan, and 
management environment and culture, DCAA will continue to be challenged 
in its ability to perform quality audits that protect the public 
interest. Many needed changes are planned or under way and can be 
completed in the short-term, including revising DCAA's mission 
statement, strategic plan, and monitoring, and adjusting performance 
metrics. Fundamental structural and cultural changes related to 
developing and implementing a comprehensive, risk-based approach for 
contract audits that comply with professional auditing standards and 
identifying staffing, training, and resource needs will take several 
years to accomplish and implement. However, unless the overall problems 
with DCAA's culture and management environment that resulted in 
pervasive contract audit failures are resolved, billions of taxpayer 
dollars will continue to be at risk for fraud, waste, abuse, and 
mismanagement. 

Recommendations for Executive Action: 

We are making 15 recommendations to the Secretary of Defense to improve 
the quality of the agency's audits and strengthen auditor integrity, 
objectivity, and independence, including recommendations for actions on 
findings in this report that are aligned with certain Defense Business 
Board (DBB) findings and recommendations. 

First, we recommend that the Secretary of Defense revise DCAA's mission 
statement to reflect the need for quality contract audits and related 
nonaudit services that take into account serving the public interest. 

We also recommend that the Secretary of Defense require the Under 
Secretary of Defense (Comptroller/CFO) to establish milestones for 
completing DCAA corrective actions and monitor and regularly report on 
DCAA progress to assure timely completion of critical actions. 

In addition, we recommend that the Secretary of Defense direct the 
Under Secretary of Defense (Comptroller/CFO) to require the Director of 
the Defense Contract Audit Agency (DCAA) to take the following 13 
actions. 

The following five recommendations cover actions to address our 
findings that are similar to DOD Comptroller/CFO and DBB findings. 

* In concert with the revised mission statement, develop a strategic 
plan with short-term and long-term outcome-related goals. 

* To measure progress in achieving strategic goals, ensure that metrics 
are tied to the revised mission statement and strategic plan and 
support the agency's annual work plan. 

* Consult with DOD stakeholders and engage outside experts to develop a 
risk-based contract audit approach that identifies resource 
requirements and focuses on performing quality audits that meet 
generally accepted government auditing standards (GAGAS). 

* Establish an SES-level position with responsibility for audit quality 
assurance that requires demonstrated knowledge and experience in 
applying professional audit standards. 

* Consistent with DBB report observations, establish a separate DCAA 
internal review organization to conduct critical internal inspector 
general functions, including performing periodic internal evaluations 
and reviews and addressing DCAA hotline complaints. 

The following eight recommendations relate to specific GAO findings in 
this report. 

* In consultation with DOD stakeholders, review DCAA's current 
portfolio of audit and nonaudit services to determine if any should be 
transferred or reassigned to another DOD agency or terminated in order 
for DCAA to comply with GAGAS integrity, objectivity, and independence 
requirements. 

* Based on the risk-based audit approach, develop a staffing plan that 
identifies auditor resource requirements as well as auditor skill 
levels and training needs. 

* Establish a position for an expert on auditing standards or consult 
with an outside expert on auditing standards to assist in revising 
contract audit policy, providing guidance on sampling and testing, and 
developing training on professional auditing standards. 

* Revise DCAA audit policy to provide appropriate guidance on what 
constitutes sufficient testing to comply with GAGAS. Update DCAA's 
Contract Audit Manual, as appropriate. 

* Develop agencywide training on government audit standards. This 
training should emphasize the level of assurance intended by the 
various types of engagements and provide detailed guidance on auditor 
independence, planning, fraud risk, level of testing, supervision, 
auditor judgment, audit documentation, and reporting. 

* Conduct a comprehensive, independent review of DCAA's revised audit 
quality assurance function. This review should focus on the consistent 
application of criteria used for assessing audit quality and assuring 
timely, consistent, and appropriate reporting of review results. 

* Make appropriate recommendations to address annual quality assurance 
review findings of serious deficiencies and GAGAS noncompliance, 
provide training, and follow-up to assure that appropriate corrective 
actions have been taken. 

* Establish policies and procedures to ensure that auditors who make 
direct bill decisions are independent of DCAA employees who perform a 
DOD management function by reviewing vouchers of contractors not 
eligible for the direct billing program, thereby reducing situations 
where DCAA auditors are encouraged to reduce their office workload by 
approving contractors for the direct-bill program. 

Further, we recommend that the Department of Defense Inspector General 
take the following two actions. 

* Reconsider its overall conclusions in the May 2007 DOD IG report on 
the audit of DCAA's quality control system in which it reported an 
adequate ("clean") opinion on DCAA system of quality control in light 
of the serious deficiencies and findings included in that report and 
the additional evidence identified in our audit. 

* Based on the above, determine whether the report should be rescinded 
or modified. 

Matters for Congressional Consideration: 

In addition to our recommendations to DOD for improving DCAA audit 
quality and auditor objectivity, integrity, and independence, Congress 
may wish to consider the following legislative actions for enhancing 
DCAA's effectiveness and independence. In considering these options, 
the Congress would need to weigh DCAA's ability to accomplish 
significant reforms within its current environment and the cost and 
administrative effort involved with the alternative options along with 
the potential benefits. Timing would also need to be considered, given 
significant reforms that DCAA is already undertaking and the additional 
burden that a change in organizational placement would add at this 
time. 

* In the short term, as DCAA makes progress in correcting fundamental 
weaknesses that have impacted audit quality, Congress could consider 
enhancing DCAA reform efforts by enacting legislation to grant it 
protections and authorities similar to those embodied in the Inspector 
General Act, as amended. 

* In the medium term, Congress could consider elevating the contract 
audit function within DOD by moving DCAA from under the DOD 
Comptroller/CFO and placing it under the Deputy Secretary of Defense. 

* In the longer term, depending on the outcome of acquisition 
management reform initiatives under way and the success of DCAA 
management reforms, Congress could consider creating an independent, 
governmentwide contract audit agency. Legislation to move DCAA should 
incorporate the protections and authorities similar to those embodied 
in the Inspector General Act, if these have not already been granted to 
DCAA. 

Agency Comments and Our Evaluation: 

We made a total of 17 recommendations, including 15 recommendations to 
DOD to improve DCAA's management environment, audit quality, and 
oversight; and we made 2 recommendations to the DOD IG regarding DCAA's 
last peer review. We received written comments from the Department of 
Defense (DOD) on September 8, 2009, and we received written comments 
from the DOD Inspector General (IG) on September 3, 2009. DOD stated 
that the department concurs with all but one of our 15 recommendations. 
DOD also stated that the Department and DCAA are committed to taking 
the necessary corrective actions to address our findings and that the 
department will continue to monitor DCAA to ensure timely completion of 
critical actions to address our recommendations. DOD also provided 
comments on our matters for congressional consideration. Although DOD 
disagreed with the matters we discussed, we continue to believe these 
are valid matters for congressional consideration. The DOD IG concurred 
with our recommendation to reconsider the conclusions in its May 2007 
peer review report on DCAA; the IG did not concur with our 
recommendation to determine whether to rescind or modify its peer 
review report. DOD's written comments are reprinted in appendix IV, and 
the DOD IG's written comments are reprinted in appendix V. We summarize 
and evaluate the DOD and DOD IG comments and responses to our 
recommendations below. We made technical corrections and clarifications 
suggested by DOD in the body of our report, where appropriate. 

DOD Comments and Our Response: 

DOD's written comments include (1) comments on our 15 recommendations, 
(2) comments on matters we presented for congressional consideration, 
(3) a list of DCAA corrective actions, (4) DCAA clarifications, and (5) 
comments from the Director, Defense Procurement and Acquisition Policy. 
DOD officials fully concurred with 13 of our 15 recommendations for 
improving DCAA audits, partially concurred on one recommendation, and 
did not concur with one recommendation. We view DOD comments as being 
generally responsive to the intent of our recommendations. Our 
discussion of DOD's response to our matters discussion and our findings 
and recommendations follow. We provide additional comments on specific 
sections of the DOD response letter in appendix IV. 

With regard to the matters we presented for congressional 
consideration, DOD stated that it generally opposes providing DCAA with 
authorities similar to those contained in the Inspector General Act. 
DOD stated that it specifically opposes certain recommendations based 
on the IG model if DCAA remains within DOD, including (1) a 
Presidentially-appointed and Senate-confirmed DCAA Director, unless 
DCAA is independent of DOD, (2) fixed terms for the DCAA Director, (3) 
an independent budget, and (4) mandatory public reporting. DOD also 
stated that it plans to take steps to strengthen DCAA's independence by 
establishing an appeals process that permits DCAA to seek resolution 
when there are differences of opinion as to the resolution of its audit 
findings. Finally, DOD opposes moving DCAA from under the DOD 
Comptroller/CFO and placing it under the Deputy Secretary. DOD pointed 
out that the Deputy Secretary is the Chief Management Officer of one of 
the world's largest organizations and backs up the Secretary in the 
wartime chain of command, and he does not have the time to provide 
oversight and support to individual defense agencies. 

Although DOD did not agree with these matters, we believe they provide 
important information for Congress to consider. For example, the 
Inspector General Act provides many important authorities and 
protections for IG's that could enhance DCAA's independence and 
effectiveness. DOD disagreed with the Presidential appointment and 
Senate confirmation provision because it believes this would inject a 
political element into DCAA that is not appropriate and could create 
lengthy periods where there is no Director. DOD also opposes fixed 
terms for the DCAA Director because it believes the Secretary of 
Defense must have the ability to choose an appropriate Director. Our 
position with regard to appointments of IGs has been that Presidential 
appointments with Senate confirmation enhance their independence from 
the entities they audit and investigate. We recognize that DCAA serves 
a different role than IGs. We looked to the IG Act model to identify 
provisions that enhance the independence of auditors. A political 
appointment would elevate the status of the Director among DCAA's 
stakeholders and, as a consequence, give DCAA more authority to respond 
to actions taken by its stakeholders to influence its independent audit 
work. A fixed term would provide stability, especially during a time of 
organizational change. DOD also questioned the wisdom of an independent 
budget because it would limit its ability to move money into DCAA, as 
is occurring now based on funding from the Defense Acquisition 
Workforce Development Fund. Separate appropriations are a key 
independence provision for IGs. The ability to reprogram funds within 
the Defense-wide Operations and Maintenance appropriation can involve 
both increases and decreases. Our analysis of DCAA reprogrammings over 
the last three years showed that funds were also moved from DCAA to 
other DOD organizations within the Defense-wide operations and 
maintenance appropriation. In DCAA's case, the reprogrammings to reduce 
funding generally related to large unobligated balances--showing that 
DCAA under executed its budget. We believe this is important 
information that Congress would want to know. Further, we do not see a 
reason why DOD could not receive approval to transfer funds to DCAA 
from another fund if it had a separate budget. For example, providing 
DCAA with funds from the Defense Acquisition Workforce Development Fund 
constitutes a transfer (not a reprogramming), the authority for which 
is provided in the legislation governing the Fund, 10 U.S.C. § 1705(e). 
DOD also opposed mandatory public reporting by DCAA. We believe that 
periodic reporting to Congress and the public on the results of DCAA's 
work will enhance accountability over DCAA. As discussed in our report, 
DCAA needs time to address the fundamental weaknesses in mission and 
the overall management environment. However, if DCAA is not successful 
in resolving these problems under its current organizational placement, 
it will be necessary to consider additional actions. In this regard, it 
may be worthwhile to consider elevating DCAA as a component agency 
reporting to the Deputy Secretary because this could enhance DCAA's 
independence by providing it more authority within DOD and increase 
DCAA's visibility both within and outside of DOD. 

DOD partially concurred with our recommendation that DCAA consult with 
DOD stakeholders and engage outside experts to develop a risk-based 
contract audit approach that identifies resource requirements and 
focuses on performing quality audits that meet GAGAS. DOD stated that 
DCAA already has a risk-based contract audit approach in identifying 
resource requirements and considers audit risk in planning various 
assignments. DOD stated that DCAA will coordinate with the Under 
Secretary of Defense for Acquisition, Technology, and Logistics (USD 
(AT&L)) to assess DCAA audit requirements.[Footnote 105] DOD also noted 
that one of DCAA's cultural transformation projects is identifying and 
resolving differing stakeholder expectations while ensuring DCAA 
performs quality audits that meet GAGAS. DOD expects to complete its 
assessment of stakeholder needs based on regulatory and statutory 
requirements by December 2010. We appreciate these steps; however, we 
remain concerned that DCAA's current approach of performing 30,000 to 
35,000 audits and issuing over 22,000 audit reports with 3,600 auditors 
substantially contributed to the widespread audit quality problems we 
identified. Generating that many reports and doing that many audits 
with 3,600 auditors leaves very little time to perform in-depth, 
complex audits of contractors. While the Director of Defense 
Procurement and Acquisition Policy commented that contract audits need 
to be completed "in time to be useful," to assure timely, quality 
audits, DCAA will need a risk-based approach to determine the 
appropriate level of audit and nonaudit effort and staffing. 

DOD did not concur on our recommendation to develop policies and 
procedures related to direct-billing decisions, stating that (1) the 
department believes that a review of the contractor's interim public 
vouchers is an integral function of DCAA's continual assessment of a 
contractor's billing system (2) DCAA is in the best position to review 
and approve contract interim billings based on its thorough 
understanding of the contractor's system, (3) DOD believes that our 
concerns are mitigated based on the comprehensive supervisory and audit 
manager reviews, and (4) DCAA does not believe that the approval of 
interim vouchers along with the approval for contractors to be on 
direct billing results in a lack of auditor objectivity. 

We continue to believe that DCAA's management (nonaudit) responsibility 
to perform prepayment reviews of contractor vouchers for DOD and the 
auditor's decision making role of approving contractors for direct 
billing privileges based on its audit conclusions about the strength of 
the contractor's system of internal controls, create audit objectivity 
issues. We revised our findings discussion and our recommendation to 
clarify this point. Under normal circumstances, DCAA must review 
contractor vouchers prior to payment--a management support function for 
DOD generally performed by DCAA field office administrative staff. By 
obtaining direct billing privileges, contractors can receive payment 
for goods and services without a voucher review by DCAA prior to 
payment. Because we found that this situation provides an incentive for 
DCAA to reduce its administrative workload by recommending that 
contractors are placed on direct billing, we recommended that DCAA 
develop new policies and procedures to ensure a separation between 
staff reviewing vouchers and staff making direct-bill decisions. In 
addition, DCAA has not explained the basis for its belief that 
administrative staff have a thorough understanding of the contractors' 
systems. Further, we disagree with DOD's statement that our concerns 
are mitigated based on the comprehensive supervisory and audit manager 
reviews because this is not supported by our findings. The fact that 
DCAA approvals of contractor direct-bill privileges were not based on 
sufficient audit procedures as demonstrated by our work and DCAA's 
removal of over 200 contractors from the direct-bill program since our 
July 2008 report[Footnote 106] support our concern that the existence 
of such an incentive presents an objectivity impairment. 

DOD provided additional comments on findings in its transmittal letter. 
DOD stated that it disagrees with the suggestion in our report that the 
department has not yet begun to address the weaknesses we identified. 
Our report neither states nor implies that DOD has not yet begun to 
take action. In fact, one of our objectives was to analyze steps DOD 
has taken so far, and our report describes in detail the progress made. 
Our report acknowledges that several positive steps have been taken by 
DCAA, but much more needs to be done to address the fundamental 
problems. Thus, solutions to the problems documented in this report 
will take time to first implement and then will have to be 
independently assessed to make sure they are effective. Our report also 
notes that fundamental changes have not taken place. For example, to 
date DOD has not revised DCAA's mission statement to reflect the need 
to consider the public interest as a key component of its work. In 
addition, DCAA has yet to assess the feasibility of 3,600 auditors 
issuing over 20,000 reports in one year (22,349 in fiscal year 2008) 
and the appropriateness and need for the current combination of audit 
and non-audit services that drives this workload. Until these and other 
key steps are further along, it will be too early to assess whether 
DCAA has fundamentally changed or whether past practices continue. 

The DOD comments noted that one of our major findings is the lack of 
sufficient testing to support conclusions when giving an opinion on 
contractor internal control systems. The comments incorrectly refer to 
the requirement for sufficient testing as a GAO requirement and state 
that planned staffing increases may not be enough to accomplish audits 
required by regulation in light of additional testing stipulated by 
GAO. Professional audit standards have always required auditors to 
obtain sufficient evidence to provide a reasonable basis for the 
conclusion expressed in the report. As stated in our report, testing 
methodologies are a matter of professional judgment and can involve 
many factors. However, our findings reflect more than a difference of 
opinion with DCAA auditors on their exercise of professional judgment 
as reflected, in part, by the number of audit reports DCAA rescinded 
for insufficient testing. For example, we found insufficient 
documentation to support the methodology chosen and insufficient 
reasons for minimal testing, such as being told by a DCAA auditor that 
a "file size was too large" to test more than two recent vouchers. 
Again, DOD must address the feasibility of 3,600 auditors issuing over 
22,000 reports annually, most of which were reportedly performed under 
auditing standards. This may entail not only a risk-based audit 
approach but also exploring changes to the regulations that DOD 
represents require tens of thousands of these audits. 

DOD also disagreed with our position on the status of actions to 
strengthen DCAA's quality assurance program. DOD stated that DCAA has 
been proactive in standing up its new Integrity and Quality Assurance 
Directorate. DOD also stated that it believes the extensive overhaul of 
the quality assurance function accomplished in fiscal year 2009 will 
mitigate the prior shortcomings in audit quality that we cited. 
Although DOD's comments imply that DCAA has resolved its quality 
assurance problems, DCAA has acknowledged that it is not ready to 
undergo another peer review at this time. On September 1, 2009, we 
received a letter from the DCAA Director, stating that although 
improvements were put in place in fiscal year 2009, several significant 
improvements will be accomplished in fiscal year 2010. To allow 
sufficient time for DCAA to fully implement the necessary corrective 
actions, DCAA contacted us for guidance on (1) deferring its external 
quality control review for 2 years and (2) requesting that the next 
external peer review to cover assignments to be completed in fiscal 
year 2011. We agree with DCAA that it is not cost-effective to undergo 
an external peer review until an adequate system of quality control is 
in place. Expending substantial DOD IG resources when DCAA acknowledges 
that several years are necessary for improvements to be fully 
implemented is, in our view, an inefficient use of resources. DCAA has 
already begun to appropriately disclose in its reports that its audits 
do not comply with GAGAS external peer review requirements. 

The Director of Defense Procurement and Acquisition Policy (DPAP) 
provided additional comments. The Director stated that our report 
impugns DCAA's audits and that we adopt the position that because DCAA 
is serving the interests of contracting officers, DCAA is therefore not 
auditing in the interest of the public. The Director further asserts 
that DCAA serves the public interest by providing useful and timely 
information to contacting officers, and that it is erroneous to imply 
that contracting officers do not seek to protect the public interest. 
Also, the Director states that GAO agrees with the Defense Business 
Board's recommendation to revise DCAA's mission to reflect a focus on 
the taxpayer as the primary customer. Finally, the Director suggests 
that our criticism of DCAA's "production-oriented auditing" sets up a 
dichotomy between quality and timely audits. We disagree with these 
characterizations of our report. 

DPAP's statements that our report impugns DCAA's audits and that we 
take the position that when DCAA is serving the interests of 
contracting officers, it is not auditing in the interest of the public 
relate to our summarization of the Defense Business Board (DBB) report 
and not our findings. Our report does not endorse the specific 
recommendations of the DBB to focus on the taxpayer as the primary 
customer. As our report points out, this recommendation does not take 
into account the regulatory and policy requirements that establish 
DCAA's primary role as an advisor to government contracting officers 
and disbursing officers. However, we agree with the DBB that DCAA 
should consider the public interest when carrying out GAGAS 
engagements. For audits and attestation engagements conducted under 
GAGAS, the auditor is expected to objectively and independently acquire 
and evaluate sufficient, appropriate evidence, and report on the 
results, consistent with the guidance in GAGAS.[Footnote 107] GAGAS 
states the principle that "observing integrity, objectivity, and 
independence in discharging [auditors'] professional responsibilities 
assists auditors in meeting the principle of serving the public 
interest and honoring the public trust."[Footnote 108] 

DPAP also stated that the contracting officer is bound by regulation to 
meet the public interest in the broadest sense, for the entire matter 
surrounding a contract and that this includes factors other than DCAA 
audit findings and recommendations. As reflected in the extensive 
background discussion and elsewhere throughout our report, we recognize 
that contracting officers make final contracting decisions, and DCAA 
engagements support contracting officers in that process. Because we 
did not review the standards that contracting officers must follow, we 
did not include references to the requirements for contracting officers 
to protect the public interest in their actions. Our report also states 
that DCAA contract audit services are intended to be a key control to 
help assure that prices paid by the government for needed goods and 
services are fair and reasonable and that contractors are charging the 
government in accordance with applicable laws, regulations (e.g., 
Federal Acquisition Regulation (FAR) and Defense Federal Acquisition 
Supplement (DFARS), standards (e.g., Cost Accounting Standards (CAS)), 
and contract terms. In providing this assurance, DCAA audits would 
necessarily take into account serving the public interest. However, 
when DCAA audits do not meet GAGAS, they do not provide this assurance 
and thus are not serving the public interest. We found that DCAA 
auditors lacked objectivity and independence when performing GAGAS 
audits and engagements. In many cases, this was a result of auditors' 
focus on expediency to support client needs and, as the Director also 
observes, human capital shortages and poor management decisions. We do 
not question the need for contracting officers to use the services of 
advocates and assistants in carrying out their duties. However, when 
contract auditors represent that they are performing engagements under 
GAGAS, their primary focus should be on the integrity, objectivity, and 
independence of their work, which serves both contracting officers and 
the public interest. Further, the quality of DCAA audits impacts the 
quality of information available for contracting officer decisions. 
Whether DCAA can adhere to GAGAS on contract audits that provide 
minimal time to perform the work is a factor that USD (AT&L) should 
consider when establishing requirements for contract audit services. As 
we recommended, DOD should reconsider the mix of audit and non-audit 
services that it needs. 

DOD IG Comments and Our Response: 

The DOD IG concurred with our recommendation to reconsider its overall 
conclusions in the May 2007 report on the audit of DCAA's quality 
control system in which it reported an adequate ("clean") opinion on 
DCAA's system of quality control in light of the serious deficiencies 
and findings included in that report and the additional evidence 
identified in our audit. The IG also stated that it did not concur with 
our recommendation to rescind the report and, because of that 
statement, we believe the IG misconstrued our recommendation as 
expressly calling for a rescission or modification of its peer review 
report. Our recommendation was for the IG to determine, based on the 
results of our recommended reconsideration of the IG's conclusions, 
whether it should rescind or modify the peer review report. 

The DOD IG also states that it took alternative action that conformed 
to the intent of our recommendation. The DOD IG comments state that it 
notified DCAA on August 24, 2009, that the May 2007 "adequate" opinion 
on DCAA's system of quality control would expire on August 26, 2009. In 
addition, the IG stated, "We have determined that it is not prudent to 
allow the adequate opinion from our May 2007 report to carry forward." 
However, peer review opinions neither "expire" nor "carry forward" 
beyond the period covered by the peer review. Peer review opinions 
cover the period to which the opinion applied--in DCAA's case, as of 
the end of fiscal year 2006--and the peer reviewed audit organization 
need not undergo another peer review during the next 2 years.[Footnote 
109] Because it has been more than 3 years since DCAA's last peer 
review, DCAA is no longer in compliance with the GAGAS requirement for 
an external peer review, and DCAA has taken appropriate action to 
disclose this noncompliance in its reports. 

As stated in our report, the overall conclusion in the DOD IG report is 
inconsistent with the detailed observations in its report, which 
indicate numerous significant deficiencies in DCAA's system of quality 
control. Further, based on DCAA's actions to rescind 80 audit reports, 
39 of which were issued in fiscal year 2006--the period on which the IG 
conclusions are based--and the findings in our audit, we concluded that 
DCAA's quality control system for the period covered by the DOD IG peer 
review was not effectively designed and implemented to provide 
assurance that DCAA and its personnel comply with professional 
standards. 

As agreed with your office, unless you publicly announce the contents 
of this report, we plan no further distribution for 30 days from the 
report date. At that time, we will send copies of this report to the 
Secretary of Defense; the Under Secretary of Defense (Comptroller/CFO); 
the Under Secretary of Defense for Acquisition, Technology, and 
Logistics; the DOD Director for Defense Procurement and Acquisition 
Policy; the Deputy General Counsel for Acquisition; the Secretary of 
the Army; the Secretary of the Navy; the Secretary of the Air Force; 
the Director of DCAA, the Director of DCMA; the DOD Inspector General; 
and the Director of the Office of Management and Budget. In addition, 
this report will be available at no charge on the GAO Web site at 
[hyperlink, http://www.gao.gov]. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. 

If you or your staff have any questions concerning this report, please 
contact me at (202) 512-7922 or kutzg@gao.gov or Gayle Fischer, 
Assistant Director, Financial Management and Assurance at (202) 512- 
9577 or fischerg@gao.gov. 

Signed by: 

Gregory D. Kutz: 
Managing Director: 
Forensic Audits and Special Investigations: 

[End of section] 

Appendix I: Internal Control System Audits Did Not Meet Professional 
Standards: 

In performing its audits, the Defense Contract Audit Agency (DCAA) 
states that it follows generally accepted government auditing standards 
(GAGAS).[Footnote 110] As part of our assessment of DCAA's overall 
management environment and quality assurance structure, we reviewed 
documentation for selected DCAA audits of contractor systems controls 
for compliance with GAGAS. We focused on internal control audits 
because contracting officers rely on DCAA audit opinions on contractor 
system controls for 3 or more years to make decisions on pricing and 
contract awards and DCAA uses the audit opinions to assess risk when 
planning subsequent audits. We selected seven DCAA field audit offices 
(FAO) across the five DCAA regions that reported predominately adequate 
("clean") opinions on contractor controls. For the seven FAOs, we 
reviewed 37[Footnote 111] selected audits of contractor internal 
control systems, including accounting, estimating, billing, and 
indirect and other direct cost systems. As shown in table 5, we 
assessed these audits for compliance with eight key areas of GAGAS 
requirements: (1) auditor independence;[Footnote 112] (2) adequate 
planning; (3) auditor understanding of controls; (4) design of 
procedures to detect risk of fraud, abuse, mismanagement, and contract 
terms; (5) documentation of sampling and testing; (6) audit evidence 
supports conclusions and opinion; (7) proper supervision; and (8) 
timely reporting and disclosures.[Footnote 113] We also considered 
GAGAS requirements for protecting the public interest when using 
auditor judgment.[Footnote 114] As discussed in the body of this 
report, the 37 audits we reviewed did not comply with GAGAS in one or 
more of these areas. However, we determined that 4 of the 37 audits 
included sufficient testing to support reported conclusions and 
opinions. Because the conclusions and opinions in the deficient audits 
were used to make risk assessments and determine the level of testing 
in other DCAA audits, such as annual audits of contract or incurred 
cost claims, audits of contract proposals and contractor forward 
pricing proposals, progress pay audits, and contract close-out audits, 
the audit quality issues related to the GAGAS noncompliance we 
identified potentially impacts hundreds of other audits and contracting 
decisions covering billions of dollars in DOD expenditures. 

Table 5: GAGAS Noncompliance on 37 Selected Audits of Contractor 
Controls: 

Reasons for GAGAS noncompliance: Independence impairments; 
DCAA regions: Northeast: (FAO #1): 0; 
DCAA regions: Mid-Atlantic: (FAO #2): 0; 
DCAA regions: Eastern: (FAO #3): 1; 
DCAA regions: Central (FAO #4 & 5): 2; 
DCAA regions: Western (FAOs #6 & 7): 4; 
DCAA regions: All regions: 7. 

Reasons for GAGAS noncompliance: Inadequate planning; 
DCAA regions: Northeast: (FAO #1): 0; 
DCAA regions: Mid-Atlantic: (FAO #2): 4; 
DCAA regions: Eastern: (FAO #3): 1; 
DCAA regions: Central (FAO #4 & 5): 5; 
DCAA regions: Western (FAOs #6 & 7): 7; 
DCAA regions: All regions: 17. 

Reasons for GAGAS noncompliance: Inadequate auditor understanding of 
controls; 
DCAA regions: Northeast: (FAO #1): 1; 
DCAA regions: Mid-Atlantic: (FAO #2): 4; 
DCAA regions: Eastern: (FAO #3): 0; 
DCAA regions: Central (FAO #4 & 5): 2; 
DCAA regions: Western (FAOs #6 & 7): 5; 
DCAA regions: All regions: 12. 

Reasons for GAGAS noncompliance: Lack of fraud risk detection 
procedures; 
DCAA regions: Northeast: (FAO #1): 4; 
DCAA regions: Mid-Atlantic: (FAO #2): 5; 
DCAA regions: Eastern: (FAO #3): 6; 
DCAA regions: Central (FAO #4 & 5): 11; 
DCAA regions: Western (FAOs #6 & 7): 9; 
DCAA regions: All regions: 35. 

Reasons for GAGAS noncompliance: Insufficient documentation on sampling 
methodology; 
DCAA regions: Northeast: (FAO #1): 3; 
DCAA regions: Mid-Atlantic: (FAO #2): 5; 
DCAA regions: Eastern: (FAO #3): 6; 
DCAA regions: Central (FAO #4 & 5): 9; 
DCAA regions: Western (FAOs #6 & 7): 4; 
DCAA regions: All regions: 27. 

Reasons for GAGAS noncompliance: Insufficient evidence to support 
conclusions and opinion; 
DCAA regions: Northeast: (FAO #1): 3; 
DCAA regions: Mid-Atlantic: (FAO #2): 5; 
DCAA regions: Eastern: (FAO #3): 6; 
DCAA regions: Central (FAO #4 & 5): 11; 
DCAA regions: Western (FAOs #6 & 7): 8; 
DCAA regions: All regions: 33. 

Reasons for GAGAS noncompliance: Improper Supervision; 
DCAA regions: Northeast: (FAO #1): 0; 
DCAA regions: Mid-Atlantic: (FAO #2): 0; 
DCAA regions: Eastern: (FAO #3): 2; 
DCAA regions: Central (FAO #4 & 5): 5; 
DCAA regions: Western (FAOs #6 & 7): 6; 
DCAA regions: All regions: 13. 

Reasons for GAGAS noncompliance: Reporting problems; 
DCAA regions: Northeast: (FAO #1): 4; 
DCAA regions: Mid-Atlantic: (FAO #2): 5; 
DCAA regions: Eastern: (FAO #3): 6; 
DCAA regions: Central (FAO #4 & 5): 12; 
DCAA regions: Western (FAOs #6 & 7): 10; 
DCAA regions: All regions: 37. 

Total GAGAS noncompliance issues: 
DCAA regions: Northeast: (FAO #1): 15; 
DCAA regions: Mid-Atlantic: (FAO #2): 28; 
DCAA regions: Eastern: (FAO #3): 28; 
DCAA regions: Central (FAO #4 & 5): 57; 
DCAA regions: Western (FAOs #6 & 7): 53; 
DCAA regions: All regions: 181. 

Number of audits: 
DCAA regions: Northeast: (FAO #1): 4; 
DCAA regions: Mid-Atlantic: (FAO #2): 5; 
DCAA regions: Eastern: (FAO #3): 6; 
DCAA regions: Central (FAO #4 & 5): 12; 
DCAA regions: Western (FAOs #6 & 7): 10; 
DCAA regions: All regions: 37. 

Rescinded reports: 
DCAA regions: Northeast: (FAO #1): 1; 
DCAA regions: Mid-Atlantic: (FAO #2): 3; 
Eastern: (FAO #3): 3; 
DCAA regions: Central (FAO #4 & 5): 7; 
DCAA regions: Western (FAOs #6 & 7): 4; 
DCAA regions: All regions: 18. 

Source: GAO analysis of selected DCAA audits. 

Note: Because of the large size of the Central and Western regions, we 
tested audits at more than one field audit office in these regions. 

[End of table] 

The following discussion includes examples of GAGAS noncompliance from 
specific audits we reviewed. 

Independence Impairments: 

GAGAS state that the audit organization and the individual auditor 
should be free, both in fact and appearance, from personal, external, 
and organizational impairments to independence.[Footnote 115] Our 
review of 37 audits of contractor internal controls found evidence in 
documentation for 7 audits that DCAA independence was compromised 
because auditors provided material nonaudit services to a contractor 
they later audited; experienced access-to-records problems that were 
not resolved; delayed report issuance, which allowed the contractor to 
resolve cited deficiencies, without proper reporting; and performed 
test work on billings the contractor selected for testing. GAGAS state 
that auditors should be free from influences that restrict access to 
records or improperly modify audit scope.[Footnote 116] GAGAS also 
state that audit organizations should not audit their own work or 
provide nonaudit services if the services are significant or material 
to the subject matter of the audit.[Footnote 117] The following 
examples describe a situation where auditors assisted a Department of 
Defense (DOD) contractor in developing billing system policies and 
procedures after identifying five significant deficiencies and then 
reviewed their own work during a follow-up audit. 

Text box: 
DCAA Auditors Issued an Adequate Opinion on Controls They Helped 
Design; DCAA auditors impaired their independence by performing 
nonaudit services for one of the top five DOD contractors in terms of 
dollars when they helped the contractor develop policies and procedures 
that were material to the billing system they were auditing. On May 12, 
2005, DCAA reported an inadequate-in-part opinion on the contractor's 
billing system internal controls. The report included five significant 
deficiencies, including a failure to maintain current, adequate billing 
system policies and procedures. After issuing the report, DCAA auditors 
helped the contractor develop adequate policies and procedures related 
to accounts receivable, overpayments, and monitoring of the billing 
system before performing the required follow- up audit--an impairment 
to auditor independence. A year later, after performing the follow-up 
audit, DCAA auditors concluded that the contractor had performed 
adequate actions to correct all of the billing system deficiencies 
previously reported. On June 28, 2006, DCAA reported an adequate 
opinion on the contractor's billing system internal controls. Following 
GAO's review of these audits, on March 6, 2009, DCAA rescinded the 
billing system audit follow-up report. 
[End of text box] 

We also noted instances of denials and limitations on access to records 
by contractors that were not handled properly. For example, during a 
billing system audit of one of the top five DOD contractors, an e-mail 
message documented in the audit workpapers showed that the auditors 
were challenged by a contractor official when they requested 
documentation to test whether billing clerks had received required 
training. The contractor's e-mail stated, "Here's a question for you. 
Can you tell me who and what requirement is making this part of the 
[audit]. This is a question that [is] being asked by [the Cash 
Manager]." The auditors eventually obtained limited training 
documentation from the contractor. Audit documentation and our 
interviews with the auditors revealed that the auditors also limited 
testing in several other areas "because the contractor would not 
appreciate it." Access to records problems and strong external 
influence to limit testing are both impairments to independence 
according to GAGAS.[Footnote 118] 

Inadequate Planning: 

GAGAS for attestation engagements state that the work shall be 
adequately planned.[Footnote 119] Auditors should communicate 
information regarding the nature, timing, and extent of planned testing 
and reporting to officials of the audited entity and to the individuals 
contracting for or requesting the attestation engagement. Auditors 
should also plan work to follow up on actions to address significant 
findings and recommendations in previous audits and assess areas of 
risk in planning the engagement. However, our review of the audit 
documentation determined that 17 of the 37 internal control audits we 
reviewed were not adequately planned. 

* In five audits, auditors failed to consider risk associated with new 
systems that had not yet been audited or systems that had not been 
audited in more than 4 years. These audits should have been ascribed a 
higher risk level according to DCAA CAM guidance and testing should 
have been increased.[Footnote 120] DCAA has rescinded three of the five 
audits and is planning new audits, as appropriate. 

* Without documenting the basis for their decisions, auditors deleted 
audit steps from standard audit programs or did not perform all audit 
steps for three of seven audits we reviewed at one FAO. When we asked 
the auditors why they omitted key audit procedures in their work, the 
auditors told us they used "auditor judgment." However, the auditors 
would not explain the basis for their judgments to us or their 
rationale for omitting key procedures, such as assessing the 
contractor's control environment and testing the implementation of a 
contractor's policies and procedures. Because we did not find any 
justification for omitting key audit procedures in these three audits, 
we determined that they were inadequately planned. 

The following case discussion illustrates deficiencies in audit 
planning as well as a lack of auditor understanding of contractor 
processes and controls. 

Text box: 
DCAA Erroneously Performed an Audit over a Billing System That Did Not 
Exist; In 2004, a Western Region FAO planned a billing system audit of 
a federally funded research and development center (grantee) that 
receives $1.5 billion annually for research services. However, the 
planning for this billing system audit did not take into account the 
fact that grantees are funded through letters of credit and do not 
actually bill the government. This financial relationship is very 
different--and much less complicated--than a situation where a 
contractor bills the government for contract costs in accordance with 
Cost Accounting Standards and the Federal Acquisition Regulation. For 
example, under a letter of credit financing arrangement, grantees draw 
funds as disbursements are made and are required to prepare reports of 
transactions on their use of the funds and submit them to the funding 
agency. Despite this obvious mistake, on May 6, 2005, DCAA auditors 
issued a report stating that the grantee had an "adequate billing 
system."; Another report issued by the same DCAA office on June 25, 
2004, reviewed the grantee's cash management practices under the Single 
Audit Act for another federal agency. The auditors could have simply 
forwarded this report to the DOD contracting officer--a task that would 
take an hour at the most to complete. Instead, DCAA auditors charged 
over 530 staff hours to generate documentation to meet DCAA's billing 
system audit requirements, even though there was no related "billing 
system." As a result of our review, DCAA reassessed the need to perform 
a billing system audit for the grantee and determined that it would 
rely on the Single Audit Act reports in the future. DCAA has not 
rescinded the audit report even though it expresses an opinion on a 
nonexistent system. 
[End of text box] 

Auditors Did Not Properly Document Understanding of Controls for 
Several Audits: 

GAGAS require that in planning examination-level attestation 
engagements, auditors should obtain a sufficient understanding of 
internal control that is material to the subject matter and design 
procedures to achieve the objectives of the audit.[Footnote 121] The 
subject matter or assertion the auditor is testing may relate to the 
effectiveness and efficiency of operations, including the use of an 
entity's resources; the reliability of financial reporting, including 
reports on budget execution and other reports for internal and external 
use; compliance with applicable laws and regulations, provisions of 
contract, or grant agreements; and safeguarding of assets.[Footnote 
122] Although most of the 37 internal control audits we reviewed met 
this standard, 12 audits did not. The following case study shows an 
example of insufficient understanding of controls. 

* On five audits, auditors overstated the strength of the contractor's 
control environment in the audit documentation and used this 
information to justify performing little or no testing of controls for 
accounting and billing system control audits. On two of the five 
audits, a Mid-Atlantic Region auditor admitted that he included 
inaccurate statements in the audit documentation. These statements 
indicated that the contractor performed internal audits and had a 
formal management-level monitoring process over accounting and billing 
functions. When we requested copies of the internal audits and 
management reviews, the auditor admitted that these statements were not 
true and that he had made "mistakes." He entered the factually 
incorrect information in the audit documentation to justify performing 
little or no testing. The auditor was a GS-13 technical specialist who 
reviewed the work of other auditors and provided them audit guidance. 
DCAA has rescinded four of the five audits and is planning or 
initiating new audits. 

* On another audit involving a business segment of a third contractor 
of the top 5 DOD contractors, auditors did not consider the 
contractor's control environment in planning an audit of a new 
accounting system--a significant factor that resulted in insufficient 
testing. Further, after identifying significant accounting system 
deficiencies, including that certain contract costs are manually 
processed, are not processed timely, or are not adequately reconciled 
to actual incurred costs, the auditors delayed issuance of the audit 
report for about 16 months, waiting to see if the contractor would take 
corrective actions on the identified deficiencies. Although test 
procedures were applied from February 25, 2004, to September 15, 2004, 
DCAA reported an "inadequate-in-part" opinion on the contractor's 
accounting system on March 14, 2006--nearly 1-1/2 years later, without 
performing any additional testing. Following discussions with GAO, DCAA 
rescinded this audit report on November 20, 2008. 

In the audit described below, the auditor relied on the contractor to 
document the auditor's understanding of controls. 

[Text box: 
DCAA Auditors Relied on the Contractor to Document Internal Controls 
without Testing the Accuracy of the Documentation; This case involves a 
billing system audit DCAA conducted in 2006. The last time DCAA had 
tested the billing system for this contractor was in 2000--a clear 
indication that new tests should be performed. At that time, DCAA's CAM 
required that contractor internal control systems be audited every 2 to 
4 years. However, rather than re-testing the billing system, DCAA 
auditors provided the contractor's Information Systems Manager with 6- 
year-old documentation obtained during a DCAA auditor's walkthrough of 
the billing process in the prior audit. The DCAA auditors asked the 
Information Systems Manager to update the documentation by making edits 
where necessary. According to the audit workpapers, the 6-year-old 
documentation was "edited by the contractor" and provided back to the 
DCAA auditor. Based on the contractor's documentation of the billing 
system internal controls, the auditor concluded "we can limit our 
testing of management reviews, policies and procedures, and 
implementation of policies and procedures." The auditor then traced one 
paid voucher through the billing process. This procedure relates to 
determining whether the auditor's understanding of the process is 
correct and is not substantive testing (i.e., detailed tests of 
transactions and balances and analytical review procedures.) The 
auditor told GAO that she used this "low-risk approach" because she 
felt that the contractor's system was "strong" and did not warrant a 
higher risk approach. However, according to the documentation GAO 
reviewed, the billing system was a software package that downloads 
accounting system data to spreadsheets. Manual calculations were then 
used to develop invoice amounts--a process that is prone to errors and 
does not provide assurance of consistent systematic processing of 
invoices. Further, since DCAA's earlier walkthrough in 2000, the 
contractor had experienced significant downsizing and restructuring. 
The auditor performed no testing of the contractor's billing system 
controls in order to determine whether the system was operating 
effectively at the time of the audit. The audit report that was issued 
on June 21, 2006, with an adequate opinion was not based on sufficient 
audit procedures to provide assurance over approximately $76 million in 
sales to the government. After GAO raised concerns about this audit, 
DCAA rescinded the audit report on March 3, 2009. 
[End of text box] 

Failure to Design and Perform Procedures to Detect Fraud Risk: 

For DCAA examination-level attestation audits of contractor controls 
that we reviewed, GAGAS requires auditors to design and perform audit 
steps to obtain reasonable assurance of detecting fraud, illegal acts, 
or violations of provisions of contracts that could have a material 
effect on the subject matter of the engagement or internal control. 
[Footnote 123] DCAA management asserts that its examination-level 
audits are designed to provide this assurance, and DCAA internal 
guidance requires auditors to consider a list of fraud indicators 
included in DCAA's CAM[Footnote 124] or the DOD Inspector General's 
Handbook on Fraud Indicators[Footnote 125] in planning and performing 
their work. However, for 35 of the 37 internal control audits we 
reviewed there was no evidence that DCAA auditors designed specific 
procedures to identify risk of fraud, illegal acts, violations of 
contract terms, or other improprieties. Further, our analysis of audit 
workpapers showed that DCAA auditors lacked an understanding of fraud 
indicators associated with weak internal controls. For example, 
although segregation of duties is a key fraud-prevention control, in 
the seven audits where workpapers identified segregation of duties 
issues, the auditors did not consider a lack of segregation of duties 
to be a fraud risk in 6 of the audits. The auditors did not look for a 
compensating control or perform additional procedures to determine 
whether the lack of segregation of duties had allowed fraud to occur. 
Occurrences of duplicate invoices also would increase the risk of 
fraud. However, DCAA's audit program for testing contractor billing 
system controls does not include specific procedures to test for 
duplicate contractor invoices. We found evidence of testing related to 
duplicate invoices in only 2 of the 37 internal control audits we 
reviewed. Moreover, in the audit described below, DCAA FAO managers 
ordered an auditor to ignore significant fraud risks during an audit. 

[Text box: 
DCAA FAO and Region Management Prevented an Auditor from Pursuing 
Significant Fraud Risks during a Billing System Audit; During a fiscal 
year 2003 incurred cost audit of a major defense contractor, a DCAA 
Central Region auditor learned of a fraud investigation initiated by 
the Army's Criminal Investigative Division (CID) in response to 
allegations of contractor fraud reported in August 2002. In July 2004, 
during a billing system audit of the same contractor, the auditor 
contacted the Army CID investigator to discuss the ongoing fraud 
investigation and learned that the fraud related to improper billings. 
As a result of this elevated fraud risk, the auditor requested several 
nominal increases in budget hours to perform additional testing to 
determine the extent of the fraud. The auditor had prior DOD contract 
administration experience and intended to use this experience in 
applying her audit testing procedures. After approving increases in 
budgeted hours for this assignment, the regional audit manager told the 
auditor that her concerns were not valid and to remove her "contracting 
hat." Eight months later, on April 28, 2005, the auditor submitted a 
draft audit report to her supervisor. She concluded that the 
contractor's billing system was inadequate--a finding that would have 
resulted in the contractor losing its direct-billing privileges. The 
auditor noted several deficiencies and concerns, including (1) the lack 
of billing policies and procedures, (2) a lack of training for 
contractor employees responsible for preparing invoices, (3) 
indications that the contractor may have billed the government for 
unapproved and unfunded work, and (4) evidence of an ongoing criminal 
investigation by the Army CID. After reviewing the report, the 
supervisor and FAO manager directed the auditor to change the opinion 
from inadequate to inadequate-in-part because the auditor had not 
identified any excess or unallowable costs. The audit report, issued on 
August 31, 2005, reported an inadequate-in-part opinion and combined 
the first two deficiencies, reporting a total of three significant 
deficiencies. However, DCAA did not remove the contractor from the 
direct-bill program, whereby contractors are authorized to submit 
invoices directly to a government paying office without prior review. 
The auditor assigned to the original audit was also assigned to the 
billing system follow-up audit, but she was subsequently removed from 
the follow-up audit because, according to her supervisor, she was 
documenting her audit in too much detail. In January 2006, during the 
follow-up audit, Army CID concluded its fraud investigation. The 
contracting officer's technical representative (COTR) and several 
contractor employees were convicted of fraudulently billing the 
government using the billing system that DCAA later deemed adequate. 
The investigation found that the COTR and the contractor employees were 
charging the government for travel to contract-related conferences and 
arranging the trips so they could attend a NASCAR race at government 
expense. They took government cars on the trips and various contractor 
employees each charged the government for use of their personal cars, 
with the COTR approving the travel vouchers. In addition, the COTR had 
contractor employees cut scrap lumber on government land and stack it 
at his home for use as firewood. The government was billed for the 
contractor employees' time on behalf of the COTR. In the January 2006 
settlement, which totaled over $2.8 million, the COTR and contractor 
employees paid fines and restitution, and the COTR also served jail 
time. The Army CID Special Agent in charge of the fraud investigation 
told us that he had tried on numerous occasions to get the DCAA FAO 
manager to stop issuing incurred cost audit reports with "clean" 
opinions because the opinions would be contradicted by the findings in 
the ongoing fraud investigation. The FAO issued the 2002 incurred cost 
audit report on January 5, 2005, stating its opinion that except for 
the qualification that the ongoing fraud investigation had developed 
information which may impact the costs and transactions in this report, 
the claimed direct costs are acceptable and are provisionally approved, 
pending final acceptance. DCAA did not include a cautionary note or 
similar qualification in the billing system audit report. In September 
2006, DCAA reported an adequate ("clean") opinion in the follow-up 
audit report on the contractor's billing system controls without 
performing work to confirm that the contractor's billing system 
policies and procedures were effectively implemented. Following GAO's 
review of these audits, on November 20, 2008, DCAA rescinded both 
reports because the audit documentation did not support the reported 
opinions and initiated a new audit of the contractor's billing system 
controls.
[End of text box] 

Insufficient Documentation of Sampling and Testing Methodology: 

Testing is a critical auditing procedure that allows auditors to 
determine whether controls are operating effectively. Although some 
testing can involve statistical samples, such samples are not required 
under GAGAS. Instead, GAGAS require that auditors prepare attest 
documentation in sufficient detail to enable an experienced auditor, 
having no previous connection to the audit, to ascertain from the 
attest documentation that the evidence supports the auditors' 
significant judgments and conclusions. Under GAGAS, attest 
documentation should contain the objectives, scope, and methodology of 
the attestation engagement, including any sampling and other selection 
criteria used.[Footnote 126] Of the 37 internal control audits we 
reviewed, 27 audits did not contain workpaper documentation to 
demonstrate that the auditors' nonstatistical samples met these 
requirements. for example: 

* On one billing system audit, the auditor performed testing on two 
vouchers. The auditor did not document how he selected the two 
vouchers, and he did not document the population of contractor vouchers 
in the workpapers or the basis for his judgment on selecting the two 
vouchers for testing. When we asked the auditor why he selected two 
most recent vouchers for testing and did not document the voucher 
population, the auditor told us it was because "the file size was too 
large," and he saves the population files on his desktop computer. 

* On a billing system audit of one of the five largest DOD contractors 
we asked the auditor why he tested only one voucher to assess the 
contractor's controls for subcontractor accounting and billing. The 
auditor said this was reasonable because DCAA "had tested so many 
vouchers before." Other workpaper documentation noted testing was not 
performed on the direct-bill section of the audit program. When we 
asked the auditor why these procedures were not performed, the auditor 
told us that testing was performed by another FAO when the contractor 
implemented a new system 2 months earlier, and he decided not to do 
testing again because "the contractor would not appreciate it"--an 
indication of an auditor independence problem. Moreover, tests of new 
billing systems focus on data processing controls and would not take 
the place of tests of invoices for compliance with CAS, FAR, and 
contract terms. 

Although the CAM includes guidance on sufficient testing,[Footnote 127] 
auditors appeared to follow general guidance throughout the manual that 
advises auditors to use their judgment "to 'test check' a procedure, to 
make verifications 'on a selective basis,' or to review a 
'representative number' of transactions or items." Several auditors, 
field office managers, and DCAA headquarters officials told us that 
they believed "spot checks" were sufficient testing to conclude on 
controls overall and they did not believe they were required to 
document their sampling plans. 

[Text box: 
DCAA Relied on Faulty Auditor Judgment to Approve Contractor Controls; 
An Eastern Region auditor performed minimal testing in an audit of 
controls over indirect and other direct cost for a business segment of 
one of the top five DOD contractors that billed the government for 
about $1 billion during 2006. The auditor did not use statistical 
sampling or test a representative selection of accounts payable 
transactions. Instead, without documenting the reasons for his 
judgments, the auditor tested 6 of 16,000 accounts payable transactions 
($86 of $50 million), 3 of 4,500 travel transactions ($2,700 of $15 
million), and 3 of 1,600 interdivisional transactions ($5,000 of $16 
million). On September 27, 2006, DCAA reported an adequate opinion on 
the contractor's controls over direct and indirect costs. However our 
review of the audit workpapers revealed: 
* no explanation of why so few transactions were tested; 
* no rationale for why transactions selected for testing covered the 
months of May through July 2005, when transactions occurred throughout 
the year, or; 
* how the auditor concluded that the system was adequate based on 
testing 12 out of about 22,000 transactions. 

When we asked the auditors to explain the basis for their selection of 
transactions used for testing, FAO management said the selection was 
based on auditor judgment; implying auditors could use their 
professional judgment without the need to meet any specific criteria in 
doing so. GAGAS section 3.34 (GAO-03-673G) states that auditors should 
consider the need to protect the public interest when making 
professional judgments. GAGAS section 6.02a requires auditors to 
perform sufficient testing to support audit conclusions and opinions on 
controls. Determining what is sufficient testing requires auditors to 
determine an appropriate sample size considering risks, expectation of 
misstatements or deviations, and materiality, and select a 
representative sample from the population, meaning that all 
transactions have a known chance of being selected. GAGAS section 6.24 
a. and c. require auditors to document the sampling plan and auditor 
judgments made in sampling and testing. This audit did not meet these 
GAGAS requirements.
[End of text box] 

Insufficient Evidence to Support Audit Conclusions and Opinions: 

We found that audit procedures for most of the 37 internal control 
audits we reviewed documented the design of controls but did not test 
the implementation of controls. As a result, the audits lacked 
sufficient evidence to support audit opinions that covered both the 
design and implementation of controls. GAGAS for examination-level 
attestation engagements require that sufficient evidence be obtained to 
provide a reasonable basis for the conclusion that is expressed in the 
report.[Footnote 128] GAGAS state that attest documentation serves to 
(1) provide the principal support for the auditor's report, (2) aid 
auditors in conducting and supervising the attestation engagement, and 
(3) allow for the review of the quality of the attestation engagement. 
The preparation of attest documentation should be appropriately 
detailed to provide a clear understanding of its purpose and source and 
the conclusions the auditors reached, and it should be appropriately 
organized to provide a clear link to the findings, conclusions, and 
recommendations contained in the auditors' report.[Footnote 129] 

Overall, we found that 33 of the 37 internal control audits did not 
include sufficient testing of internal controls to support auditor 
conclusions and opinions. Our review of audit workpapers often found 
that only two, three, or sometimes five transactions were tested to 
support audit conclusions, for example: 

* On several audits, DCAA concluded that a contractor had adequate 
controls for removing system access for terminated or transferred 
employees. However, the auditors did not document the employee 
population from which individual employees were selected for testing 
system access, or the methodology used to select them. On none of these 
audits did we see evidence that DCAA auditors checked alphabetical 
listings of individuals having system access to lists of current 
personnel to confirm that access was removed when employees transferred 
or left the company. Without documentation of sampling and testing 
methodologies, there is no way to ascertain how the auditors came to 
their conclusions that controls were adequate or that sufficient 
testing was done to support audit conclusions. 

* For many controls, DCAA did not perform any testing at all. For 
example, at least 6 of the 9 accounting audits we reviewed did not 
include procedures for testing contractor segregation of allowable and 
unallowable cost; 20 of 22 billing system audits we reviewed did not 
include tests to identify duplicate invoices, and 10 of the 22 billing 
system audits of contractors that relied on manual procedures to 
prepare invoices from accounting system data queries did not check for 
compensating controls. For one audit, DCAA issued an adequate opinion 
on the accounting system for a major DOD contractor after performing a 
walkthrough of the accounting process and interviewing two employees. 

[Text box: 
Adequate Opinion on Contractor Billing System Was Based on Spot Checks 
of 4 Vouchers Generated on the Same Day; A Mid-Atlantic Region auditor 
used interviews with contractor staff and limited testing as evidence 
that billing system controls were adequate for a DOD contractor with 
about $40 million in annual government sales. Workpapers documenting 
audit procedures on key internal controls referred to "discussions with 
the contractor" rather than independent auditor verification, including 
(1) verification of periodic reviews of contractor policies and 
procedures, (2) implementation and effectiveness of policies and 
procedures, (3) frequency and sufficiency of the contractor's 
management reviews, (4) timely processing of offsets, and (5) exclusion 
of non-billable items from government billings. Although the audit was 
performed from November 2004 through July 2005, according to the 
workpapers, the auditor tested a nonstatistical selection of four 
vouchers (invoices) totaling $2.3 million that were all processed on 
the same day--February 28, 2005. The workpapers contained no 
documentation on the population of invoices or the basis for selecting 
four vouchers for testing that were all processed on the same day out 
of the 8-month period covered by the audit. GAO also determined that 
the auditors performed no testing of the contractor's billing system 
information technology (electronic data processing) controls. As a 
result, this audit can not be relied on for assurance that the 
contractor's billing system and related internal control policies and 
procedures were adequate as of June 16, 2005. 
[End of text box] 

Audit Supervision Problems: 

GAGAS require that assistants (audit staff) be properly supervised and 
that audit documentation contain evidence of supervisory reviews of the 
work performed that supports findings, conclusions, and recommendations 
contained in the report before the report on the attestation engagement 
is issued.[Footnote 130] Although workpaper documentation for the 
majority of the 37 audits of contractor internal control systems we 
reviewed evidenced supervisory review, we found: 

* A lack of proper documentation of supervisory review in 13 audits. 
For example, for an Eastern Region accounting system audit, the 
supervisory auditor who signed the audit report did not review key 
workpapers related to accounting system transaction processing and 
transaction testing and cost allocations until 1 to 2 days after the 
audit report was issued. This was similar to a situation we found in 
our prior investigation, when supervisors at one DCAA field office 
frequently reviewed the workpapers for forward pricing reports after 
the reports were issued. The auditors also performed insufficient 
testing on this audit. 

* Audit steps were deleted from the standard audit program in an 
accounting system audit and a billing system audit after the 
supervisors approved the audit programs. The supervisors did not ensure 
that the deleted steps were addressed or that documentation was added 
to the workpapers to explain the reasons why the related audit 
procedures were not performed. 

* For six other audits, audit documentation shows that the supervisors 
and FAO managers extended the audit time frames while contractors took 
actions to correct significant deficiencies. The audit reports were 
issued 1 to 2 years later with adequate ("clean") opinions on controls. 
Although this raises serious auditor independence and reporting issues 
because identified deficiencies were not reported, we are highlighting 
these cases under our discussion of poor supervision to also 
demonstrate the importance of "tone at the top." 

[Text box: 
DCAA Extended Audit and "Scrubbed" Audit Documentation after Contractor 
Objected to Findings; A DCAA Western Region FAO failed to provide 
proper supervision of auditors throughout an accounting system audit of 
one of DOD's five largest contractors working in Iraq. For contractor 
fiscal year ended December 31, 2004, the contractor reported over $900 
million in sales of which 98 percent related to government contracts, 
including $250 million for work in Iraq. The 2004 audit, which was 
initiated in November 2003, was transferred among several auditors and 
at least three supervisors before its completion and August 2006 
publication. In September 2005, the contractor objected to draft 
findings and recommendations that included eight significant 
deficiencies in the design and operation of the contractor's accounting 
system, including inadequate system access controls, lack of policies 
and procedures for segregation of duties, lack of periodic 
reconciliations of cost accounts to the general ledger, and 
insufficient cost ledger information on total base costs by contract 
and cost elements for applying indirect rates. The contractor stated 
that the auditors did not fully understand the new policies and 
procedures that were just being developed for the fast track effort in 
Iraq. Following the contractor's objections, the auditors revised and 
deleted some workpapers and created new workpapers. GAO's review of the 
audit documentation identified several workpapers that were indexed to 
supporting documentation that no longer existed. Further, the auditors 
told GAO that because they had difficulty finding support for Iraq 
vouchers, they relied on voucher reviews performed under other DCAA 
audits. GAO also found evidence in the audit documentation that the 
final supervisor instructed the final lead auditor to insert the 
signature of a prior supervisor on an electronic workpaper after it had 
been revised, thereby making it appear that the prior supervisor had 
approved the workpaper revisions. On August 31, 2006, after "scrubbing" 
the audit documentation at the supervisor's request, dropping five 
significant deficiencies and downgrading three significant deficiencies 
to suggestions for improvement, DCAA reported an adequate ("clean") 
opinion on the contractor's accounting system. Waiting to review audits 
with significant deficiencies until the end of the job after the work 
has been completed, raises questions about proper and timely 
supervision. The audit supervisor, who authorized the electronic 
recording of the prior supervisor's name on the audit documentation and 
supervised the issuance of the audit report, was subsequently promoted 
to be the Western Region Quality Assurance Manager, where he went on to 
act as a quality control check over thousands of audits--including 
several of the audits investigated in GAO's prior work. Following GAO's 
review, DCAA rescinded the audit report on December 2, 2008. 
[End of text box] 

Reporting Problems: 

Audit reports are DCAA's principal work product. According to GAGAS, 
audit reports should, among other criteria, (1) identify the subject 
matter being reported, the criteria used to evaluate the subject 
matter, the conclusion or opinion, and state that the opinion was as of 
a certain date; (2) include a statement of the nature and scope of the 
work performed and state that the audit was performed in accordance 
with GAGAS; (3) disclose any reservations about the engagement, 
including any scope limitations; (4) state the intended use of the 
report, if limited; and (5) state the time frame[Footnote 131] covered 
by the audit. Our review of audit documentation and DCAA final audit 
reports determined that none of the 37 DCAA reports on contractor 
systems internal controls met these reporting standards, for example: 

* The reports did not cite the specific criteria used in individual 
audits. Criteria represent the laws, regulations, contracts, grant 
agreements, standards, measures, expected performance, defined business 
practices, and benchmarks against which performance is compared and 
evaluated. Criteria identify the required or desired state or 
expectation with respect to the program or operation and provide a 
context for evaluating evidence and understanding the findings. 
[Footnote 132] Instead, the DCAA reports uniformly used boilerplate 
language to state that DCAA audited for compliance with the "FAR, CAS, 
DFARS, and contract terms." As a result the user of the report does not 
know the specific Federal Acquisition Regulation (FAR), Cost Accounting 
Standards (CAS), or contract terms used as criteria to test contractor 
controls. This makes it very difficult for users of the reports to 
determine whether the report provides the level of assurance needed to 
make contract management decisions. In addition, audit documentation 
for many of the audits we reviewed did not identify the audit work 
performed to provide assurance that contractors complied with specific 
requirements in CAS, FAR, DFARS, or contract terms. 

* Six of the 37 audit reports were not issued at the time[Footnote 133] 
the work was completed. These reports were issued from 8 months to over 
2 years after the audits were completed. Frequently, we found that the 
delays were the result of serious findings, which led DCAA to withhold 
issuance of the report while the contractor addressed the problems. 
Because testing was not updated or was not sufficiently updated, the 
reported audit opinions, which related to controls at the time the 
reports were issued, were not adequately supported and may have been 
inaccurate. 

* The audit reports stated the period during which the audit was 
performed but did not disclose the scope and timing for tests of 
vouchers, transactions, or control attributes. Some tests covered a few 
days in only one month or a 3-month period and did not test controls 
across the year audited. As a result, testing did not support the 
reported audit opinions as of the report dates. 

* Contractors imposed restrictions on the scope of four audits by 
denying DCAA access to certain records. The access-to-records issues 
were not fully resolved or disclosed by the auditors. 

* The scope of 33 audits was limited by DCAA imposed, or implied, 
restrictions, including inadequate audit resources, unclear audit 
guidance on nature and extent of testing, and time constraints that 
prevented auditors from performing sufficient work to support reported 
opinions on contractor internal controls. DCAA officials told us that 
DCAA does not have sufficient resources to perform full-scope audits of 
contractor internal controls. 

Failure to issue reports when sufficient evidence has been obtained to 
support an auditor's conclusion puts decision makers at risk of relying 
on out-dated or inaccurate information. Also, when DCAA auditors do not 
perform the scope of work necessary to support the reported audit 
opinions, the audit reports provide a false level of assurance. 
Following our discussion of these audits with DCAA headquarters 
officials, DCAA rescinded 4 of the 6 audit reports that did not 
accurately relate the period of testing to the audit opinion, and it 
rescinded 18 audit reports where the scope of work did not support the 
audit opinions. The discussion below describes a particularly egregious 
example of this problem. 

[Text box: 
Two Years after Testing Controls, DCAA Reported the Results of an Audit 
of a Multibillion Dollar Contractor's Billing System; In July 2003, 
DCAA initiated a billing system audit of a contractor doing business in 
Iraq with sales of $6.3 billion at the two divisions under audit. More 
than 2 years after performing test procedures and after spending 1,025 
hours on the audit, the FAO issued an opinion that the contractor's 
billing system controls were adequate as of August 31, 2005, without 
updating the testing. In 2003, DCAA auditors tested 38 vouchers 
submitted for payment within a 12-day period. DCAA auditors identified 
numerous billing errors, including two instances where billings did not 
comply with the Federal Acquisition Regulation (FAR). On August 12, 
2004, DCAA auditors prepared a draft report with an adequate opinion 
and three suggestions for improvement. DCAA auditors did not perform 
testing in 2004 or in 2005 despite the number of errors found as a 
result of limited test procedures performed in 2003. As a result, the 
evidence does not support the opinion that the contractor's billing 
system controls are adequate as of August 31, 2005. Additionally, there 
is no evidence in the workpapers that the contractor resolved the 
errors DCAA identified and the underlying system deficiencies that 
caused those errors. This is of special concern because billing errors 
and system deficiencies at this contractor put multiple agencies at 
risk. For example, this contractor does work not only for DOD but also 
for the Departments of Agriculture, Commerce, Interior, and NASA, and 
several other agencies. The lead auditor told us that this audit was 
delayed because numerous auditors were assigned over the course of this 
audit, and the contractor's work in Iraq took precedence over this 
audit. However, we found no evidence supporting a decision not to issue 
this report when the testing was completed in 2003. Following GAO's 
review, DCAA rescinded the audit report on April 7, 2009. 
[End of text box] 

[End of section] 

Appendix II: DCAA Does Not Perform Sufficient Work to Identify and 
Collect Contractor Overpayments: 

DCAA performs assignments that are designed to test various contractor 
costs as allowable, reasonable under the related contracts, the Federal 
Acquisition Regulation (FAR), and Cost Accounting Standards (CAS). 
Although DCAA uses the term "audit" generically, some of these 
assignments are audits and other assignments relate to financial and 
advisory services. We reviewed 32 cost-related assignments[Footnote 
134] performed by seven geographically disperse field audit offices 
(FAO) across the five DCAA regions (the same offices as in appendix I) 
to assess whether (1) the tests of contractor costs, billings, and 
payments were effective in identifying overpayments, billing errors, 
and unallowable cost[Footnote 135] and (2) DCAA identified and reported 
unallowable and unsupported costs, overpayments, and billing errors so 
that the government was in a position to collect or recover improper 
costs and billings through refunds, contract adjustments, or offsets. 
The 32 DCAA cost-related assignments we reviewed included 16 paid 
voucher reviews, 10 overpayment assignments, 4 incurred cost audits, 
and 2 request for equitable adjustment (REA) audits.[Footnote 136] 
Although DCAA performs incurred cost and REA audits as engagements in 
accordance with generally accepted auditing standards (GAGAS), DCAA 
does not consider paid voucher reviews or overpayment audits to be 
GAGAS assignments. DCAA performed the paid voucher reviews to assess 
the accuracy of contractor billings to support decisions to approve 
contractors for participation in the direct-bill program,[Footnote 137] 
whereby the contractor submits invoices directly to a federal agency 
paying office without government review of the invoices prior to 
payment. Overpayment assignments review contractor controls for 
identifying and refunding, offsetting, or adjusting contract 
overpayments and billing errors. 

Similarly, DCAA performs overpayment assignments at the request of 
contracting officers to determine (1) whether contractor controls are 
effective in identifying overpayments made by disbursing officers or 
over billings and billing errors made by contractors and (2) if 
contractors are making timely refunds, offsets, or adjustments. 

At the time the 32 cost-related assignments were performed, FAR § 
52.232-25(d) imposed a requirement on contractors to immediately notify 
the contracting officer and request instructions for disposition of any 
overpayment when the contractor becomes aware of a duplicate or 
overpaid contract financing or invoice payment.[Footnote 138] Also, FAR 
32.604(b)(4) provides that contractors shall repay debts under a demand 
letter within 30 days, except for certain debts covered by specific 
terms of the contract.[Footnote 139] This time period is incorporated 
into most contracts under FAR Clause 52.232-17(a). We found that DCAA 
auditors are not consistent when assessing the timeliness of refunds 
and offsets. Specifically, although DCAA's overpayment work program 
cites 30 to 60 days after the overpayment occurred as timely,[Footnote 
140] some DCAA auditors considered 90 days as timely which effectively 
minimized the impact on the contractors' cash flow. 

We also found limited testing in the four incurred cost audits we 
reviewed. DCAA considers incurred cost audits to be GAGAS attestation 
engagements. Incurred cost audits examine contractors' annual claims 
for payment of cost incurred. DOD contracting officers rely on DCAA 
incurred cost audits to approve contractor claims for payment.[Footnote 
141] DCAA incurred cost audits and proposal audits are the source of 
most DCAA questioned costs and dollar recoveries. Dollar recoveries are 
based on contracting officer agreement with DCAA questioned costs. 
[Footnote 142] DOD contracting officers are responsible for enforcing 
DCAA recommendations to disallow questioned cost. Figure 3 provides a 
comparison of costs questioned by DCAA auditors and questioned costs 
sustained (recovered) by DOD contracting officers. 

Figure 3: DCAA Questioned Costs and Amounts Sustained by Contracting 
Officers: 

[Refer to PDF for image: multiple line graph] 

Fiscal year: 2000; 
Questioned costs: $5.0 billion; 
Questioned costs sustained: $3.4 billion. 

Fiscal year: 2001; 
Questioned costs: $6.8 billion; 
Questioned costs sustained: $4.6 billion. 

Fiscal year: 2002; 
Questioned costs: $4.0 billion; 
Questioned costs sustained: $3.0 billion. 

Fiscal year: 2003; 
Questioned costs: $4.2 billion; 
Questioned costs sustained: $2.8 billion. 

Fiscal year: 2004; 
Questioned costs: $4.7 billion; 
Questioned costs sustained: $3.5 billion. 

Fiscal year: 2005; 
Questioned costs: $5.5 billion; 
Questioned costs sustained: $3.2 billion. 

Fiscal year: 2006; 
Questioned costs: $5.3 billion; 
Questioned costs sustained: $3.4 billion. 

Fiscal year: 2007; 
Questioned costs: $4.9 billion; 
Questioned costs sustained: $3.1 billion. 

Fiscal year: 2008; 
Questioned costs: $6.7 billion; 
Questioned costs sustained: $4.2 billion. 

Source: GAO analysis of DCAA data. 

[End of figure] 

For one of the four incurred cost audits we reviewed, DCAA rescinded 
the related accounting system audit report in response to concerns we 
identified with that report. For a second incurred cost audit we 
reviewed, DCAA rescinded the related billing system report. Risk 
assessments for determining the nature, extent, and timing of testing 
for incurred cost audits are based in part on the results of accounting 
and billing system audits. Therefore, a rescission of an accounting or 
billing system audit would call into question the risk assessment 
performed for the related incurred cost audits. 

The case study examples in table 6 illustrate significant problems we 
identified with the DCAA cost-related assignments we reviewed. As 
previously discussed, the level of testing in these assignments was not 
sufficient to identify all potential contractor billing errors and 
overpayments. 

Table 6: Case Studies of Problem DCAA Cost-Related Assignments: 

Region: Central; 
Type of assignment: Paid voucher review (2006); Non-GAGAS; 
Details of review: 
* For this review of paid contractor invoices, the auditor relied on 
the results of DCAA's 2005 billing system audit and did not test any 
invoices. The workpapers stated that the auditor also relied on the 
results of the 2005 paid voucher assignment. However, that assignment 
did not test any 2006 invoices; 
* Further, as a result of GAO's work, DCAA had rescinded the 2005 
billing system audit report on February 10, 2009; 
* As a result, there is no audit support for DCAA's approval for this 
contractor to directly bill the government. 

Region: Central; 
Type of assignment: Paid voucher; review (2005); Non-GAGAS; 
Details of review: 
* In planning this work, the auditor improperly assessed risk as low 
and deleted several steps from the standard "audit" program; 
* The auditor did not identify the population of vouchers (invoices) 
and selected two invoices for testing, but only tested one of them; 
* The auditor tested one invoice to see if the payment received by the 
contractor matched the amount billed; 
* On January 23, 2006, DCAA issued a Memorandum for the Record, stating 
"reliance can be placed on the contractor's procedures for preparation 
of interim vouchers. Accordingly, the contractor has met the criteria 
for continued participation in the direct billing program." 

Region: Western; 
Type of assignment: Paid voucher; review (2005); Non-GAGAS; 
Details of review: 
* Without documenting the population of vouchers or the total dollars 
billed during the contractor's fiscal year, the auditor tested 8 of 734 
vouchers issued from April 16, 2004, through March 25, 2005; 
* The supervisor incorrectly directed the auditor to test a final 
voucher. Paid voucher assignments focus on interim vouchers as a basis 
for making direct-bill decisions. Final vouchers are submitted to close 
out a contract; 
* The auditor did not identify any errors in the vouchers tested; 
* On September 30, 2005, the auditor prepared a Memorandum for the 
Record, stating that "continued reliance can be placed on the 
contractor's procedures for preparation of interim vouchers. 
Accordingly, the contractor has met the criteria for continued 
participation in the direct billing program." 

Region: Eastern; 
Type of assignment: Paid voucher review (2004); Non-GAGAS; 
Details of review: 
* Although the contractor generated $1.1 billion in annual billings to 
the government, the auditor assessed risk as low for this assignment. 
Without documenting the basis for the risk assessment, the auditor 
judgmentally selected 3 vouchers totaling $88,000 for testing out of a 
total of 222 vouchers submitted to the government for payment from 
March 2003 through February 2004; 
* The auditor tested the first voucher selected and performed limited 
testing on the remaining 2 vouchers; 
* The workpapers do not include any evidence to show that the auditor 
performed most of the audit steps required in the standard audit 
program; 
* Despite limited testing, on March 31, 2004, DCAA prepared a 
memorandum for the record, stating "continued reliance can be placed on 
the contractor's procedures for the preparation of interim vouchers" 
and "the contractor has met the criteria for continued participation in 
the direct billing program." 

Source: GAO analysis of DCAA audit documentation. 

[End of table] 

[End of section] 

Appendix III: Objectives, Scope, and Methodology: 

Pursuant to a request from the Chairman and Ranking Member of the 
Senate Committee on Homeland Security and Governmental Affairs, we 
conducted an agencywide performance audit to assess the effectiveness 
of Defense Contract Audit Agency (DCAA) audits for helping to assure 
that prices paid by the government for needed goods and services are 
fair and reasonable and that contractors are charging the government in 
accordance with applicable laws, regulations, cost accounting 
standards, and contract terms. The overall objectives of our work were 
to (1) conduct a broad assessment of DCAA's management environment and 
quality assurance structure, (2) evaluate DCAA corrective actions in 
response to our prior investigation[Footnote 143] and DOD Comptroller/ 
CFO "tiger team" and Defense Business Board (DBB) studies, and (3) 
identify potential legislation and other actions that could improve 
DCAA's effectiveness and independence. 

To address our first objective, we evaluated DCAA's contract audit 
guidance and policies and its quality assurance program and assessed 
the quality of a nationwide selection of DCAA audits. We evaluated the 
results of internal DCAA audit quality assurance reviews on audits 
issued from fiscal year 2003 through 2008. We also reviewed a total of 
69 DCAA audits and cost-related assignments.[Footnote 144] In reviewing 
DCAA audits, we used generally accepted government auditing standards 
as our criteria.[Footnote 145] The 69 DCAA audits and cost-related 
assignments we reviewed included 37 audits of contractor internal 
controls and 32 cost-related audits and assignments. We did not assess 
a statistical sample of DCAA audits. Rather, we focused on DCAA offices 
that reported predominately adequate, or "clean," opinions on audits of 
contractor internal controls over cost accounting, billing, and cost 
estimating systems issued in fiscal years 2005 and 2006.[Footnote 146] 
We selected DCAA offices that reported predominately adequate ("clean") 
opinions on contractor systems and related internal controls because 
contracting officers rely on these opinions for three or more years to 
make decisions on pricing and contract awards, and payment. For 
example, audits of estimating system controls support negotiation of 
fair and reasonable prices.[Footnote 147] Also, the Federal Acquisition 
Regulation (FAR) requires contractors to have an adequate accounting 
system prior to award of a cost-reimbursable or other flexibly-priced 
contract.[Footnote 148] Billing system internal control audit results 
support decisions to authorize contractors to submit invoices directly 
to DOD and other federal agency disbursing offices for payment without 
government review.[Footnote 149] In addition, DCAA uses the results of 
internal control audits to assess risk and plan the nature, extent, and 
timing of tests for other contractor audits. When a contractor has 
received an adequate opinion on its systems and related controls, DCAA 
would assess the risk for subsequent internal control and cost-related 
audits as low and would perform less testing on these audits. 

Using this approach, we identified seven geographically disperse DCAA 
field offices within the 5 DCAA regions and targeted 39 audits of 
contractor cost accounting, billing, and estimating system controls 
issued during fiscal years 2004 through 2006 for review.[Footnote 150] 
These were the most recent completed fiscal years at the time we 
initiated our audit. Two of the 39 internal control audits we 
identified were performed as assist audits to a billing system audit 
and we considered them as part of the billing system audit we reviewed. 
Therefore, we reviewed a total of 37 audits of contractor internal 
controls for compliance with GAGAS and DCAA policy. We also considered 
whether DCAA adequately applied internal control standards in its 
audits that are applicable to the private sector.[Footnote 151] We did 
not review classified audits performed by DCAA's field detachment 
office. Although our selection of the seven offices and 37 internal 
control audits was not statistical, it represented about 9 percent of 
the total 76 DCAA offices that issued audit reports on contractor 
internal controls and nearly 18 percent of the 40 offices that issued 8 
or more reports on contractor internal controls during fiscal year 
2006. Of the 37 internal control audits we reviewed, 32 reports were 
issued with adequate opinions and 5 reports were issued with inadequate-
in-part opinions. Table 7 summarizes the number and types of contractor 
internal control audits we reviewed for seven FAOs across the 5 DCAA 
regions. 

Table 7: Summary of DCAA Audits Reviewed for GAGAS Compliance: 

Region/FAO: Northeast: FAO #1; 
Type of internal control audit: 
Accounting system: [Empty]; 
Indirect & other direct cost: [Empty]; 
Billing system: 3; 
Estimating system: 1; 
Total internal control audits: 4. 

Region/FAO: Mid-Atlantic: FAO #2; 
Type of internal control audit: 
Accounting system: 2; 
Indirect & other direct cost: [Empty]; 
Billing system: 3; 
Estimating system: [Empty]; 
Total internal control audits: 5. 

Region/FAO: Eastern: FAO #3; 
Type of internal control audit: 
Accounting system: 1; 
Indirect & other direct cost: 1; 
Billing system: 3; 
Estimating system: 1; 
Total internal control audits: 6. 

Region/FAO: Central: FAO #4; 
Type of internal control audit: 
Accounting system: 2; 
Indirect & other direct cost: [Empty]; 
Billing system: 2; 
Estimating system: 1; 
Total internal control audits: 5. 

Region/FAO: Central: FAO #5; 
Type of internal control audit: 
Accounting system: 2; 
Indirect & other direct cost: [Empty]; 
Billing system: 5; 
Estimating system: [Empty]; 
Total internal control audits: 7. 

Region/FAO: Western: FAO #6; 
Type of internal control audit: 
Accounting system: [Empty]; 
Indirect & other direct cost: 1; 
Billing system: 3; 
Estimating system: 1; 
Total internal control audits: 5. 

Region/FAO: Western: FAO #7; 
Type of internal control audit: 
Accounting system: 2; 
Indirect & other direct cost: [Empty]; 
Billing system: 1; 
Estimating system: 2; 
Total internal control audits: 5. 

Total: 
Type of internal control audit: 
Accounting system: 9; 
Indirect & other direct cost: 2; 
Billing system: 20; 
Estimating system: 6; 
Total internal control audits: 37. 

Source: GAO analysis of DCAA management information system data. 

[End of table] 

At the same seven DCAA field offices, we selected 34 cost-related 
assignments performed during the same period as the internal control 
audits we reviewed and analyzed supporting documentation to determine 
whether the assignments included sufficient testing to assess whether 
(1) the tests of contractor costs, billings, payments were effective in 
identifying overpayments, billing errors, and unallowable cost[Footnote 
152] and (2) DCAA reported overpayments, billing errors, and 
unallowable and unsupported costs, so that the government was in a 
position to recover improper payments through refunds, contract 
adjustments, or offsets and avoid payment of unsupported and 
unallowable costs. Upon reviewing documentation for the 34 cost-related 
audits, we determined that one of these assignments covered the risk 
assessment portion of an incurred cost audit and was not a complete 
audit. Documentation for a second assignment to test for overpayments 
was terminated and the audit procedures were rolled into a billing 
system audit. Consequently, as shown in table 8, we reviewed a total of 
32 cost-related DCAA assignments. These assignments included paid 
voucher reviews and overpayment control assignments and audits of 
requests for equitable adjustment (REA)[Footnote 153] and contractor 
incurred cost claims. 

Table 8: Summary of DCAA Cost-Related Assignments Reviewed: 

Region/FAO: Northeast: FAO #1; 
Type of Assignment: 
Paid Voucher review: [Empty]; 
Over payment assignment: 1; 
REA audit: 2; 
Incurred Cost audit: 2; 
Total assignments: 5. 

Region/FAO: Mid-Atlantic: FAO #2; 
Type of Assignment: 
Paid Voucher review: 4; 
Over payment assignment: 1; 
REA audit: [Empty]; 
Incurred Cost audit: 1; 
Total assignments: 6. 

Region/FAO: Eastern: FAO #3; 
Type of Assignment: 
Paid Voucher review: 3; 
Over payment assignment: 3; 
REA audit: [Empty]; 
Incurred Cost audit: [Empty]; 
Total assignments: 6. 

Region/FAO: Central: FAO #4; 
Type of Assignment: 
Paid Voucher review: 1; 
Over payment assignment: 1; 
REA audit: [Empty]; 
Incurred Cost audit: [Empty]; 
Total assignments: 2. 

Region/FAO: Central: FAO #5; 
Type of Assignment: 
Paid Voucher review: 5; 
Over payment assignment: 2; 
REA audit: [Empty]; 
Incurred Cost audit: [Empty]; 
Total assignments: 7. 

Region/FAO: Western: FAO #6; 
Type of Assignment: 
Paid Voucher review: 3; 
Over payment assignment: 1; 
REA audit: [Empty]; 
Incurred Cost audit: [Empty]; 
Total assignments: 4. 

Region/FAO: Western: FAO #7; 
Type of Assignment: 
Paid Voucher review: [Empty]; 
Over payment assignment: 1; 
REA audit: [Empty]; 
Incurred Cost audit: 1; 
Total assignments: 2. 

Total: 
Type of Assignment: 
Paid Voucher review: 16; 
Over payment assignment: 10; 
REA audit: 2; 
Incurred Cost audit: 4; 
Total assignments: 32. 

Source: GAO analysis of DCAA management information system data. 

[End of table] 

The details of our assessments of DCAA audits of contractor internal 
control systems and cost-related audits and assignments are included in 
appendixes I and II, respectively. Examples of our findings are 
included in the body of this report to help illustrate the effect of 
our findings related to DCAA's management environment. 

To assess DCAA's management environment and quality control system, we 
reviewed DCAA's mission statement, strategic plan, performance metrics, 
quality assurance program, audit planning and policy guidance, and 
human capital management. We evaluated the results of internal DCAA 
audit quality assurance reviews on audits issued from fiscal year 2004 
through 2008. We used requirements in the Government Performance and 
Results Act,[Footnote 154] GAGAS,[Footnote 155] and GAO's Standards for 
Internal Control in the Federal Government[Footnote 156] as our 
criteria. 

We analyzed the findings, conclusions, and recommendations in the DOD 
Inspector General's (IG) 2007 report on its oversight review of DCAA, 
[Footnote 157] which serves the purpose of a peer review. We did not 
review DOD IG documentation for the oversight review. In assessing the 
DOD IG peer review conclusions and opinion, we considered the 
inconsistencies between the findings and recommendations in the IG 
report. In addition, we considered the results of our analysis of DCAA 
audits in our prior investigation; our review of the 69 DCAA audits and 
related assignments covered in this report; the results of DCAA's 
internal quality assurance reviews; and DCAA's actions to rescind 80 
audit reports. 

To achieve our second objective, we reviewed the status of several key 
actions that DCAA initiated as a result of our earlier investigation, 
including efforts to: 

* revise DCAA's mission statement and strategic plan to focus on 
protecting the public interest; 

* change performance metrics to focus on audit quality instead of 
performing large quantities audits; 

* end DCAA involvement with integrated product teams, which we 
identified as an impairment to DCAA's independence; 

* improve audit quality by revising audit policy guidance and 
realigning DCAA's audit quality assurance structure; and: 

* update training courses to reflect changes in DCAA's mission, 
metrics, and audit policy. 

Although the October 2008 Defense Business Board report recommended 
that the Secretary of Defense revise DCAA's mission statement to focus 
on protecting the public interest, at the time we completed our work in 
July 2009, DCAA's mission statement had not yet been revised. To assess 
changes in performance metrics, we analyzed DCAA's new metrics and 
determined whether changes made in September 2008 were effective in 
shifting DCAA focus from report production to performing quality audits 
and if the new metrics had been integrated into DCAA's performance 
plans, auditor expectations, and performance appraisal standards. In 
addition, we made selected calls to one or more auditors in 15 selected 
DCAA offices that were separate from the offices we visited to review 
audit documentation and interviewed auditors about their experience 
with changes in DCAA policies and performance metrics. We also 
considered 34 additional hotline allegations we received from auditors 
across the 5 DCAA regions after our investigative report was issued. We 
used GAGAS criteria[Footnote 158] to assess the effectiveness of DCAA 
policy changes and DCAA's centralization of the audit quality function 
aimed at improving auditor independence and audit quality. We used 
GAO's Internal Control Standards as our criteria for assessing DCAA's 
management environment, culture, need for a risk-based audit approach, 
and human capital practices. 

To achieve our third objective to identify potential legislative and 
other actions to improve DCAA's effectiveness, we considered DCAA's 
current role and responsibilities; the framework of statutory authority 
for auditor independence in the Inspector General Act of 1978, as 
amended;[Footnote 159] best practices of leading organizations that 
have made cultural and organizational transformations; our past work on 
DCAA organizational alternatives;[Footnote 160] GAGAS criteria for 
auditor integrity, objectivity, and independence; and GAO's Standards 
for Internal Control[Footnote 161] on managerial leadership and 
oversight. We identified potential short-term and longer term 
legislative actions and organizational changes that could enhance 
DCAA's effectiveness and independence. 

Throughout our audit we met with the DCAA Director and DCAA 
headquarters policy, quality assurance, and operations officials and 
DCAA Region and FAO managers, supervisors, and auditors. We also met 
with DOD Office of Inspector General (OIG) auditors responsible for 
DCAA audit oversight and DOD IG hotline office staff. We assessed the 
reliability DCAA data used in our work by reviewing DCAA procedures for 
assuring the reliability of reported performance data, discussing the 
compilation and use of these data with DCAA operations personnel, and 
performing analytical procedures to determine the reliability of 
specific data used in our analysis. For example, we determined that 
DCAA assignments initiated in one year and completed in the second year 
were double counted. We eliminated duplicate records from data used for 
our analysis. We also met with the former DOD Comptroller/CFO to 
discuss plans for the Office of Comptroller/CFO and Defense Business 
Board reviews, and we continued to meet with and obtain information 
from the new DOD Comptroller/CFO and his staff. We also met with the 
Comptroller's new DCAA Oversight Committee, which includes the Auditors 
General of the Army, the Navy, and the Air Force; the DOD Director of 
Defense Procurement and Acquisition Policy; and the DOD Deputy General 
Counsel for Acquisition. 

We conducted this performance audit from August 2006 through December 
2007, at which time we suspended this work to complete our 
investigation of hotline complaints regarding audits performed at three 
DCAA field offices. We resumed our work on this audit in October 2008 
and performed additional work through July 2009 to evaluate DCAA's 
quality assurance program during fiscal years 2007 and 2008, assess 
DCAA corrective actions, and consider organizational placement options. 
We conducted our audit in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable 
basis for findings and conclusions based on our audit objectives. We 
performed our investigative procedures in accordance with quality 
standards set forth by the Council of the Inspectors General on 
Integrity and Efficiency (formerly the President's Council on Integrity 
and Efficiency). 

[End of section] 

Appendix IV: Comments from the Department of Defense: 

Note: GAO comments supplementing those in the report text appear at the 
end of this appendix. 

Under Secretary Of Defense: 
Comptroller: 
1100 Defense Pentagon: 
Washington, Dc 20301-1100: 

September 4, 2009: 

Mr. Gregory Kutz: 
Managing Director, Forensic Audits and Special Investigations: 
Government Accountability Office (GAO): 
441 G. St., NW: 
Washington, DC 20548: 

Dear Mr. Kutz: 

This is the Department of Defense (DoD) response to the GAO draft 
report GAO09-468, "DCAA Audits: Widespread Problems with Audit Quality 
Require Significant Reform," dated July 31, 2009 (GAO code 195099). We 
thank you for the opportunity to respond to the GAO draft report and 
recommendations. Those recommendations directed to the DoD Inspector 
General will be provided directly by that office under separate cover. 

The Department concurs with all but one of the GAO recommendations 
(Enclosure 1). We disagree with some of GAO comments for Congressional 
consideration (Enclosure 2). Enclosure 3 contains a listing of 
corrective actions DCAA has implemented since 2008. As part of our 
review of the GAO draft report, we noted several areas where we believe 
further clarification and explanation are needed so the circumstances 
can be completely understood. The clarifying comments are provided in 
Enclosure 4. Comments from the Director, Defense Procurement and 
Acquisition Policy are provided as Enclosure 5. 

The Department and the Defense Contract Audit Agency (DCAA) are 
committed to taking the necessary corrective actions to address the GAO 
findings. This office will continue to monitor DCAA to ensure timely 
completion of critical actions to address the GAO's recommendations. To 
assist with this monitoring, in March 2009, I established a DCAA 
Oversight Committee to provide my office advice and recommendations 
related to the oversight of DCAA. This committee includes Auditors 
General of the Army, the Navy, and the Air Force; the Director of 
Defense Procurement and Acquisition Policy; and the DoD Deputy General 
Counsel for Acquisition and Technology. The committee will assess 
DCAA's activities, its corrective actions taken to this and other 
oversight reports, and identify any gaps. I have also assigned a member 
of my senior staff to assist in the oversight efforts. 

We acknowledge that the draft GAO report raises serious issues that we 
need to continue to address. We will continue to improve audit quality, 
especially for internal control audits. We will reassess the number of 
audits that DCAA performs and ensure that adequate staffing is 
available to conduct those audits in accordance with generally accepted 
government auditing standards (GAGAS). We will ensure that DCAA has 
adequate independence. We will also ensure that an appeals mechanism is 
created to provide a process for resolving disputes between DCAA and 
the contracting organizations. 

While we acknowledge that continued work on these serious issues is 
required, we disagree with the suggestion in the GAO report that we 
have not yet begun to address the weaknesses. The GAO report states 
that "DoD and DCAA have not yet addressed the fundamental weaknesses in 
DCAA's mission, strategic plan, metrics, audit approach, and human 
capital practices that have had a detrimental effect on audit quality." 
We believe that we have begun to address these issues. The audit 
assignments covered by this review were completed 3-5 years ago, 
several years before DCAA implemented a series of corrective actions 
beginning in late 2008. Although a significant number of short-term 
actions have been completed, DCAA has many long-term actions still in-
process. It may take several years to experience the full effect on the 
execution of the DCAA audits. Enclosure 3 contains the list of 
corrective actions DCAA has implemented in late 2008 and to-date in 
2009. 

While we acknowledge GAO's findings are serious, DCAA has and continues 
to play a vital role in support of the contracting process in ensuring 
that DoD pays a fair and reasonable price in accordance with applicable 
regulations in protecting the taxpayers' dollars. In FY 2008 alone, 
DCAA audits recommended reductions in proposed or billed costs of $17.9 
billion (referred to as questioned costs) and $7.2 billion in estimated 
costs where the contractor did not provide sufficient information to 
explain the basis of the estimated amounts (referred to as unsupported 
costs). Additionally, the current Director of Defense Procurement and 
Acquisition Policy, a key DCAA stakeholder, has stated that he finds 
DCAA's work critical to the acquisition process (Enclosure 5). 

DCAA's important work was showcased in three hearings of the Commission 
on Wartime Contracting in 2009. One hearing focused on contractor 
business systems, a type of audit that is the subject of the GAO 
report. Through June 2009, DCAA has cited deficiencies in contractor 
systems in over half of the 200 audits performed on the contractors 
performing effort in-theater. The Commission remarked that hundreds of 
millions of dollars have been recovered as a result of DCAA's audits 
and that DCAA's efforts were extraordinary considering the performance 
of audits in a war zone. Several of the Commissioners remarked during a 
recent hearing that DCAA was the finest audit organization they had 
worked with and the most forthright and responsive of all the 
organizations that have interacted with the Commission to date. 

Several of the key actions DCAA has taken to address DCAA's management 
environment involved the use of external organizations to guide DCAA 
through its "cultural transformation." For example, DCAA has engaged 
the Naval Post Graduate School's Center for Defense Management Reform 
to assist with the development and execution of various long-term 
organizational improvement projects. These projects address the 
following questions: 

1. How can DCAA put people first to guide its decisions, actions and 
values? For example, how can DCAA place an increased emphasis on "soft 
skills" such as building morale and developing employees (in terms of a 
broad understanding as well as technical proficiency)? 

2. How can DCAA develop leaders to serve the employees and the 
organization? 

3. How can DCAA structure the organization to facilitate compliance 
with GAGAS, maximize audit results/return on investment (ROI), and 
better align Agency workload/resources? 

4. How can DCAA identify and resolve differing stakeholder expectations 
with contracting officers, contractors, the public (Congress), and 
external review organizations? 

DCAA has also engaged the Army Force Management Support Agency (AFMSA) 
to assess DCAA's risk-based audit requirements planning process for FY 
2010. AFMSA will also assist in translating the requirements planning 
into staffing needs. 

One of the major findings reported by the GAO is the lack of sufficient 
transaction testing to support the conclusions when giving an opinion 
on contractor internal control systems. We concur that many of the 
assignment working papers did not reflect the level of testing required 
by the GAO to opine on the system of internal controls. DCAA has 
rescinded audit reports and initiated full scope internal control 
audits at these locations. In light of the GAO's findings, DCAA will be 
assessing the need to opine on contractor internal controls or whether 
an opinion on the sufficiency of the contractors' business systems for 
Government contracting purposes is appropriate. We suggest that the GAO 
and the DoD Inspector General (IG) work closely with DCAA in its 
assessment and redesign of testing procedures for opining on contractor 
business systems. 

It is worth noting that the additional transaction testing will require 
an increase in audit staff at DCAA. Some of the increase is already 
underway through the use of the Defense Acquisition Workforce 
Development Fund. Using this fund, DCAA has increased staffing by 300 
in FY 2009 and plans to increase by an additional 200 each in FYs 2010 
and 2011, with a total increase of 700 by the end of FY 2011. However, 
this may not be enough to accomplish the audits required by regulation 
in light of the additional testing stipulated by the GAO. We will 
continue to monitor the staffing situation at DCAA. But to accomplish 
the significant increase in testing during internal control audits, 
DCAA will be required to defer lower risk assignments to FYs 2010 and 
2011, which could have a negative impact on the timely closing of 
contracts prior to the cancellation of funds. The overall issue of risk 
assessment, as outlined in the GAO draft report, is one of the main 
discussion topics I have assigned to the DCAA Oversight Committee. 

The Department concurs with the GAO that the root causes for many of 
the GAGAS noncompliances related to the prior DCAA performance 
measures. As the GAO acknowledges, in September 2008, DCAA took 
aggressive action by revising the performance measures to promote 
quality audits. During FY 2009, DCAA has continually assessed the 
performance measures by conducting focus groups in several regions 
(including the DCAA Western Region). In general, the focus groups 
confirmed that there was much less emphasis on performance measures 
than in the past. 

The GAO draft report states that DCAA has taken some actions to improve 
its quality assurance program; however, it stated that staffing 
difficulties and other issues have left the outcome of this important 
initiative uncertain. We disagree. DCAA has been proactive in standing 
up its new Integrity and Quality Assurance Directorate - essentially a 
new quality assurance organization that reports directly to the 
Director/Deputy Director. DCAA has revised its quality assurance 
program for reporting GAGAS noncompliances and requires audit offices 
to provide corrective action plans that address all GAGAS 
noncompliances reported. The Headquarters Quality Assurance 
organization will follow-up on each systemic noncompliance to ensure 
the field audit offices have corrected their processes. In July 2009, 
DCAA was authorized a Senior Executive Service position to lead the 
Quality Assurance Directorate. We believe the extensive overhaul of the 
quality assurance function accomplished in FY 2009 will mitigate the 
prior shortcomings in audit quality cited by the GAO. 

In January 2009, the DCAA Director established a Senior Advisory 
Council for Improvement which is led by the Director and comprised of 
Headquarters senior executives. The Council's primary purpose is to 
establish and monitor the actions in response to the report issued in 
January 2009 by the Independent Review Panel to the Defense Business 
Board and findings from the GAO and DoD IG reviews. The establishment 
of this council exemplifies the Director's efforts in ensuring key 
Agencywide actions are managed at the Headquarters level versus the 
regional level. We believe the establishment of this DCAA Headquarters 
council, in addition to re-aligning the Quality Assurance Program to 
report directly to the Director/Deputy Director, results in significant 
progress toward addressing the GAO's concerns with DCAA's 
"decentralized structure that has fostered a culture of DCAA region 
autonomy." 

The GAO draft report states that the supervisors responsible for 
deficient audits identified in GAO's prior investigation were promoted 
even though the GAO investigation disclosed significant GAGAS 
noncompliances with the audits they supervised. The GAO states that 
"despite these findings, we found no evidence that supervisors and 
auditors who did not follow GAGAS and DCAA policy were disciplined, 
counseled or required to take additional training." DCAA has required 
several of the supervisors to take additional supervisory and 
management training courses. They have completed some of these courses 
and are scheduled to take additional training in the next fiscal year. 
Based on advice provided by the DoD Washington Headquarters Services 
Office of General Counsel, DCAA did not take performance or conduct 
actions against these supervisor;. Additionally, all DCAA employees, 
including the employees involved in the GAO's 2008 hotline 
investigation, have completed annual training on auditor "independence" 
and training in audit quality, including GAGAS, at mandatory standdown 
days in August 2008 and 2009. 

We appreciate the recommendations made by the GAO. We believe the 
implementation of these recommendations along with the many actions 
that the Department and DCAA have already completed will improve DCAA 
culture and management environment to ensure taxpayer dollars are 
protected and DoD audit needs are met. DoD and DCAA leaders are 
committed to maintaining a strong contract audit function. 

My point of contact on this matter is Mr. M. Wayne Goff. He can be 
reached by e-mail at wayne.goff@osd.mil or by telephone at 703-602-
0374. 

Sincerely, 

Signed by: 

Robert F. Hale: 

Enclosures: As stated: 

[End of letter] 

Enclosure 1: 

GAO Draft Report Dated July 31, 2009: 
GAO-09-468 (GAO Code 195099): 
"DCAA Audits: Widespread Problems With Audit Quality Require 
Significant Reform" 

Department Of Defense Comments To The GAO Recommendations: 

Recommendation 1: The GAO recommends that the Secretary of Defense 
revise the Defense Contract Audit Agency's (DCAA) mission statement to 
reflect the need for quality contract audits and related nonaudit 
services that take into account serving the public interest. 

DOD Response: Concur. The Department is currently seeking final 
coordination on a revised DCAA mission statement which is included in 
an updated DoD Directive 5105.36, DCAA. 

Recommendation 2: The GAO recommends that the Secretary of Defense 
require the Under Secretary of Defense (Comptroller/CFO) to establish 
milestones for completing DCAA corrective actions and monitor and 
regularly report on DCAA progress to assure timely completion of 
critical actions. 

DOD Response: Concur. The Department will continue to establish 
milestones for completing DCAA corrective actions. DCAA already 
provides USD(C) a monthly status report of the actions taken in 
response to the recommendations made by the Independent Review Panel of 
the Defense Business Board as well as recommendations from various GAO 
and DoD IG reviews. DCAA will expand its improvement plan to 
incorporate the GAO's recommendations. USD(C) has assigned a senior 
staff member to assist in oversight and has created the DCAA Oversight 
Committee, including all three auditors general from the Services, the 
OSD Deputy General Counsel for Acquisition and Logistics, and the 
Director of Defense Procurement and Acquisition Policy, to assist in 
oversight efforts. 

Recommendation 3: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the Defense Contract Audit Agency (DCAA) in concert with 
the revised mission statement, develop a Strategic Plan with short-term 
and long-term outcome-related goals. 

DOD Response: Concur. DCAA has already started developing a revamped 
Strategic Plan with short-term and long-term outcome-related goals that 
is in concert with the proposed mission statement. Assuming the revised 
mission statement will be approved by about October 2009, DCAA is 
expected to complete its strategic plan by November 30, 2009 for 
publication and dissemination to the DCAA workforce. 

Recommendation 4: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to measure progress in achieving strategic goals, 
ensure that metrics tie to the revised mission statement and strategic 
plan and support the agency's annual work plan. 

DOD Response: Concur. USD(C) will require DCAA to measure progress in 
achieving strategic goals. Once DCAA's revised mission statement and 
strategic plan are finalized, USD(C) will require DCAA to ensure that 
DCAA performance measures tie to the revised mission statement and 
strategic plan and support the Agency's annual work plan. 

Recommendation 5: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to consult with DoD stakeholders and engage 
outside experts to develop a risk-based contract audit approach that 
identifies resource requirements, and focuses on performing quality 
audits that meet generally accepted government auditing standards 
(GAGAS). 

DOD Response: Partially Concur. The majority of DCAA audits and other 
services are required by laws and regulations as outlined in the GAO 
draft report. DCAA already has a risk-based contract audit approach in 
identifying resource requirements. DCAA performs annual audit 
requirements planning procedures to establish staffing requirements 
based on its regulatory/statutory audit requirements and audit risk. An 
example of DCAA's risk-based audit approach for incurred cost audit 
requirements is DCAA's performance of desk reviews of the low risk 
contractor's incurred costs on a cyclical basis in lieu of performing a 
full incurred cost audit every year. Nevertheless, USD(C) will task 
DCAA to coordinate with the Under Secretary of Defense for Acquisition, 
Technology, and Logistics to assess DCAA audit requirements since any 
significant change in DCAA audit requirements would involve a change in 
acquisition policy. In addition, DCAA has engaged the Naval Post 
Graduate School to assist in its "cultural transformation." One of the 
projects is identifying and resolving differing stakeholder 
expectations while ensuring DCAA performs quality audits that meet 
GAGAS. DCAA's efforts will include consulting with DoD stakeholders and 
engaging outside experts as part of this project. The Department will 
complete its assessment by December 2010. 

Recommendation 6: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to establish an SES-level position with 
responsibility for audit quality assurance that requires demonstrated 
knowledge and experience in applying professional audit standards. 

DOD Response: Concur. In August 2008, DCAA established the position of 
Assistant Director, Integrity and Quality Assurance with responsibility 
for DCAA's quality assurance program. On July 9, 2009, this position 
was approved as an SES-level position and the job announcement has been 
published. DCAA expects to fill this position by October 2009. 

Recommendation 7: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to establish a separate DCAA internal review 
organization to conduct critical internal inspector general functions, 
including performing periodic internal evaluations and reviews and 
addressing DCAA hotline complaints. 

DOD Response: Concur. DCAA will establish a separate internal review 
organization to conduct critical internal inspector general functions, 
including performing periodic internal evaluations and reviews and 
addressing DCAA hotline complaints and serve as the Agency's ombudsman. 
The new organization will be established by December 2009. 

Recommendation 8: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to review DCAA's current portfolio of audit and 
nonaudit services to determine if any should be transferred, or 
reassigned to another DoD agency, or terminated in order for DCAA to 
comply with GAGAS integrity, objectivity, and independence 
requirements. 

DOD Response: Concur. USD(C) will require DCAA to assess its current 
portfolio of audit and nonaudit services to determine if any should be 
transferred, or reassigned to another DoD agency, or terminated in 
order for DCAA to comply with GAGAS integrity, objectivity, and 
independence requirements. DCAA will report the results of its 
assessment to USD(C) by March 2010. However, as stated above, the 
majority of DCAA audits and non-audit services are required by 
regulation or statute. As acknowledged by the GAO in its report, DCAA 
has already performed some of this assessment resulting in
the elimination of DCAA auditor participation as members of Integrated 
Product Teams and Source Selection Evaluation Boards. 

Recommendation 9: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA based on the risk-based audit approach to develop 
a staffing plan that identifies auditor resource requirements as well 
as auditor skill levels and training needs. 

DOD Response: Concur. DCAA is entering into an agreement with the Army 
Management Support Agency to evaluate DCAA's requirements planning 
process and resulting staffing assessment for FY 2010. The Army will 
also provide an overall opinion on the sufficiency of DCAA staffing to 
provide audit coverage in line with its mission and strategic plan and 
fully comply with Generally Accepted Government Auditing Standards. In 
addition, DCAA has an internal education specialist to provide expert 
advice on DCAA training and an internal statistician to provide expert 
advice on statistical sampling audit techniques and training. 

Recommendation 10: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to establish a position for an expert on auditing 
standards or consult with an outside expert on auditing standards to 
assist in revising contract audit policy, providing guidance on 
sampling and testing, and developing training on professional auditing 
standards. 

DOD Response: Concur. The USD(C) will require DCAA to consult with an 
outside expert on auditing standards to assist in revising contract 
audit policy, providing guidance on sampling and testing, and 
developing training on professional auditing standards. 

Recommendation 11: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to revise DCAA audit policy to provide appropriate 
guidance on what constitutes sufficient testing to comply with GAGAS. 
Update DCAA's Contract Audit Manual, as appropriate. 

DOD Response: Concur. USD(C) will require DCAA to issue audit policy on 
what constitutes sufficient testing to comply with GAGAS and update 
DCAA's Contract Audit Manual. DCAA will complete this action by 
December 2009. 

Recommendation 12: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to develop agency wide training on government 
audit standards. This training should emphasize the level of assurance 
intended by the various types of engagements and provide detailed 
guidance on auditor independence, planning, fraud risk, level of 
testing, supervision, auditor judgment, audit documentation, and 
reporting. 

DOD Response: Concur. DCAA is currently developing a revised training 
course on Generally Accepted Government Auditing Standards. This course 
will emphasize the level of assurance intended by the various types of 
engagements and provide guidance on auditor independence, planning, 
fraud risk, level of testing, supervision, auditor judgment, audit 
documentation, and reporting. All DCAA employees have been notified 
that they will be required to take this course in FY 2010. DCAA is also 
increasing the level and complexity of GAGAS training in all courses. 

Recommendation 13: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to conduct a comprehensive, independent review of 
DCAA's revised audit quality assurance function. This review should 
focus on the consistent application of criteria used for assessing 
audit quality and assuring timely, consistent and appropriate reporting 
of review results. 

DOD Response: Concur. On July 30, 2009, DCAA requested the DoDIG to 
perform its external quality review of DCAA's Quality Control System 
for audits and attestation engagements for the period ending September 
30, 2009. 

Recommendation 14: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to make appropriate recommendations to address 
annual quality assurance review findings of serious deficiencies and 
GAGAS noncompliance, provide training, and follow-up to assure that 
appropriate corrective actions have been taken. 

DOD Response: Concur. The DCAA Integrity and Quality Assurance 
organization has already established a process for making 
recommendations to address annual quality assurance review findings of 
serious deficiencies and GAGAS noncompliance to the Director DCAA on a 
real-time basis. Based on these recommendations, DCAA will ensure that 
any necessary training is provided and appropriate corrective actions 
have been taken. 

Recommendation 15: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense (Comptroller/CFO) to require the 
Director of the DCAA to establish policies and procedures to ensure 
that auditors who make direct bill decisions are independent of 
management employees who review vouchers of contractors not eligible 
for the direct bill program, thereby reducing situations where DCAA 
auditors are encouraged to reduce their workload by approving 
contractors for the direct bill program. 

DOD Response: Nonconcur. The Department believes that a review of the 
contractor's interim public vouchers is an integral function of DCAA's 
continual assessment of a contractor's billing system. A DCAA auditor 
who audits the contractor's billing system (and potential subsequent 
approval for direct bill) is in the best position to review and approve 
contract interim billings based on their thorough understanding of the 
contractor's system. In regards to the GAO concern that DCAA auditors 
may not report findings to reduce their workload by approving 
contractors for the direct bill program, the Department believes the 
GAO's concerns are mitigated based on the comprehensive supervisory and 
audit manager reviews. DCAA does not believe that the approval of 
interim vouchers along with the approval for contractors to be on 
direct bill results in a lack of auditor objectivity (see Enclosure 4, 
Comment 8). It should also be noted that since July 2008, the number of 
contractors on the direct bill program have been reduced by over 200 
contractors and segments of many of the largest defense contractors 
have been removed from the direct bill program in FY 2009. In October 
2008, DCAA issued clarifying guidance on contractor eligibility to 
participate in the direct bill program. This memorandum includes 
guidance on ensuring sufficient testing is performed when determining a 
contractor is eligible for direct bill. 

[End of Enclosure 1] 

Enclosure 2: 

GAO Draft Report Dated July 31, 2009
GAO-09-468 (GAO Code 195099)
"DCAA Audits: Widespread Problems With Audit Quality Require 
Significant Reform" 

Department Of Defense Comments To The GAO Recommendations For 
Congressional Consideration 

Recommendation 1: In the short term, as DCAA makes progress in 
correcting fundamental weaknesses that have impacted audit quality, 
Congress could consider enhancing DCAA reform efforts by enacting 
legislation to grant it protections and authorities similar to those 
embodied in the Inspector General Act, as amended. 

DOD Response: Nonconcur. DoD generally opposes providing DCAA with 
authorities similar to those contained in the Inspector General Act. 
DoD specifically opposes certain recommendations based on the IG model. 
We do not believe that the DCAA Director should be a Senate confirmed 
position unless DCAA is independent of DoD. Presidential nomination and 
Senate confirmation injects a political element into DCAA that is not 
appropriate and inevitably creates lengthy periods when there is no 
Director. We also oppose fixed terms for the DCAA Director. If DCAA 
remains part of DoD, the Secretary of Defense must have the ability to 
choose an appropriate Director. We also question the wisdom of an 
independent budget (which would prevent or limit our ability to move 
money into DCAA, as is occurring now based on funding from the Defense 
Acquisition Workforce Development Fund). Nor do we support mandatory 
public reporting, an additional burden on an agency that is already 
struggling to meet its many mission demands. 

While we do not support independence based on the IG model, we plan to 
take steps to strengthen DCAA's independence by establishing an appeals 
process that permits DCAA to seek resolution when there are differences 
of opinion as to the resolution of its audit findings. Under this 
process, DCAA could appeal differences first to the Director of Defense 
Procurement and Acquisition Policy (DPAP). If DCAA disagreed with the 
DPAP decision, DCAA would be permitted to appeal to the Under 
Secretaries of Acquisition, Technology, and Logistics and Comptroller, 
acting as a team. We expect that appeals at the Under Secretary level 
would be rare and would involve only the most important issues. 

Recommendation 2: In the medium term, Congress could consider elevating 
the contract audit function within DOD by moving DCAA from under the 
DOD Comptroller/CFO and placing it under the Deputy Secretary of 
Defense. 

DOD Response: Nonconcur. DoD strongly opposes this recommendation. The 
Deputy Secretary is the Chief Management Officer of one of the world's 
largest organizations and backs up the Secretary in the wartime chain 
of command. The Deputy simply does not have the time to provide 
oversight and support to individual defense agencies. 

[End of Enclosure 2] 

Enclosure 3: 

DCAA Actions Taken Since the Issuance of GAO Report GAO-08-857: 

Structure: 

* Approved Agency-wide reduction in supervisory span of control (June 
2008). 

* Approved 25 new field audit offices and 5 new Regional Audit Managers 
lowering the span of control (May - February 2009). 

* Completed Agency-wide staffing assessment and requested staffing 
increase to Comptroller on September 10, 2008. Updates on staffing 
shortfalls were provided to the Comptroller at regular intervals 
throughout FY 2009. 

* Realigned Quality Assurance to report directly to the Deputy Director 
(August 2008). 

- Submitted request to OSD for SES level position for the Integrity and 
Quality Assurance (QA) function (September 2008). Request was initially 
denied by DoD in January 2009 and the position was filled at the GS-15 
level. However, after another attempt by the Director for a SES 
position, DCAA received approval in July 2009 and a job announcement 
was issued shortly thereafter. 
- Expanded the next round of QA reviews.
- Revised process for tracking and following-up on QA findings.
- Revised process for next 3-year cycle to ensure all audit offices are 
covered, after consultation with the DoD IG.
- Completed assessment on level of QA staffing.
- Issued revised comprehensive instruction on DCAA's QA program 
(December 2008). 

* Submitted request for funds under Section 852 acquisition workforce 
fund in December 2008. Under the Defense Acquisition Workforce 
Development Fund, DCAA has received $17.2 million to date (allotments 
in March, April, and August). 

* DCAA brought on-board 245 new interns by the end of July and have 
many offers with on-board dates in late FY 2009. As a result, DCAA will 
easily meet the goal of 300 by the end of September and will probably 
exceed it. 

* Realigned all Financial Liaison Advisors from the Field Detachment 
region (region that handles all Top Secret audits) to Headquarters to 
avoid the appearance of a lack of independence. As of November 2008, 
all Financial Liaison Advisors report directly to Headquarters. 

* At the request of the Director, the DCAA point of contact for the 
Office of Special Counsel investigation was moved from the DCAA General 
Counsel to the DoD General Counsel's office due to the investigation 
being expanded. 

Culture: 

* Revised policy for resolving differences in audit results and 
opinions - elevate within management structure from two to four levels 
(July 2008). 

* Ceased participation as members of Integrated Product Teams (IPTs) to 
avoid the appearance of a lack of independence (August 2008). 

* Revised performance measures - eliminated 18 measures and added 8 
measures (September 2008). 

* Established an anonymous website for employees to voice concerns with 
the inappropriate use of performance measures and other inappropriate 
actions (September 2008). 

* Engaged OPM to conduct an organizational assessment survey and are 
assessing results of the survey conducted by OPM - the working group is 
evaluating results and developing actions (assessment due August 2009). 

* Ceased participation as members of Source Selection Evaluation Boards 
to avoid the appearance of a lack of independence - requested audits 
will still be provided (November 2008). 

* Director/Deputy Director staff presentations emphasize the need to 
perform quality audits and discuss performance measures (various 
presentations through 2008 and 2009). 

* Established a Senior Advisory Council for Improvement chaired by the 
Director to Oversee the implementation of improvements as a result of 
the Defense Business Board recommendations (report issued January 22, 
2009). 

* Issued several memorandums reiterating the importance of cooperating 
with GAO, IG and other reviewers/investigators. 

* Held stand down day for audit quality at all DCAA locations (August 
/September 2008 and again in August 2009). 

* Completed annual independence training (September 2008). 

* Held focus groups to obtain feedback on implementation of performance 
measures issued in September 2008 which revealed minimal problems with 
implementation of new measures (February/March 2009). 

* The Director required all regions to assess whether exceeding budget 
hours on individual assignments was inappropriately used to lower 
performance ratings. The regions completed the assessments and, where 
needed, have implemented corrective actions (December 2008). 

* Established new process to obtain input regarding the new hire 
employment experience and to identify reasons why employees leave DCAA 
(November 2008). 

* Revised job objectives/performance plans for the 0511 (auditor) 
positions to eliminate the language on meeting audit budget hours and 
productivity measures and added language strengthening the need to 
execute audits in accordance with the auditing standards and Agency 
policy (February 2009). 

* Revised supervisory development curriculum based on feedback from 
focus groups and other feedback mechanisms to emphasize leadership 
skills and the more common day-today activities which supervisors 
perform (April 2009). 

Processes: 

* Issued memorandum on adequate working paper documentation (July 
2008). 

* Completed Agency-wide assessment to determine whether GAO's findings 
are systemic across DCAA. Six of the forty assignments reviewed 
contained noncompliances. Actions being taken to address issues 
(September 2008). 

* Raised the field audit office signature authority for all audit 
reports to the level of the manager or higher (August 2008). 

* Revised policy for the monthly quality review of issued audit reports 
from regions to the Headquarters Quality Assurance division (October 
2008). 

* Revised DCAA Quality Checklist for Review of Audit Working Papers 
(checklist is used by auditors and supervisors prior to report 
issuance) (December 2008). 

* Issued guidance clarifying DCAA's process for pursuing access to 
contractor records and initiating a subpoena (December 2008). 

* Issued clarifying guidance on what constitutes a significant 
deficiency in contractor internal control systems (December 2008). 

* Revised policy on reporting results of the review of contractor 
systems and related internal controls to eliminate the inadequate in-
part opinion so that the overall opinion on the system is either 
adequate or inadequate (December 2008). 

* Issued guidance on performing and reporting on limited scope internal 
control audits (December 2008). 

* Issued guidance reminding auditors to report suspected contractor 
fraud and other irregularities encountered during the audit and 
emphasized that managers do not approve the Form 2000, but rather 
review it for clarity (February 2009). 

* Issued guidance on documentation of judgmental sampling (February 
2009). 

* Revised guidance for reporting unsatisfactory conditions related to 
actions of Government officials wherein certain unsatisfactory 
conditions will be reported directly to the DoDIG in lieu of reporting 
the conditions to a higher level of management (March 2009). 

* Issued guidance clarifying requirements for contractor eligibility to 
participate in the direct bill program (April 2009). 

* Issued guidance to remove major contractors from direct billing where 
contractor has implemented a new billing system or accounting system 
that significantly impacts Government billings and the new system has 
not been examined (April 2009). 

* Revised a self-study training course (CMTL 1326) to include new 
guidance on identifying key elements of an effective internal control 
audit report and the requirements for issuing a real-time (flash) 
report (May 2009). 

* Issued an audit alert emphasizing existing guidance which requires 
that a separate cost accounting standards (CAS) noncompliance audit 
report will be issued when a CAS noncompliance is found during any 
audit (June 2009). 

* Issued an audit alert to clarify that forward pricing due dates 
should be based on the realistic assessment of risk factors for each 
specific contractor and proposal under review (June 2009). 

* Issued guidance on contract audit closing statement reviews in July 
(after receipt of DoD IG comments). This completes the last action item 
from the peer review. 

Long-Term Planned Actions: 

* Obtained the services of the Naval Postgraduate School, Center for 
Defense Management Reform to assist with the Agency-wide cultural 
transformation. The initial effort started June 2"d with the DCAA 
executive team. As a result, four major initiatives were adopted for 
incorporation in the DCAA Strategic Plan. Teams of executives were 
assigned to each initiative to further develop the milestone plan for 
executing the objective. The four items are: 

1. How can DCAA put people first to guide its decisions, actions and 
values? For example, how can DCAA place an increased emphasis on "soft 
skills" such as building morale and developing employees (in terms of a 
broad understanding as well as technical proficiency)? 

2. How can DCAA develop leaders to serve the employees and the 
organization? 

3. How can DCAA structure the organization to facilitate compliance 
with GAGAS, maximize audit results/ROI, and better align Agency 
workload/resources? 

4. How can DCAA identify and resolve differing stakeholder expectations 
with contracting officers, contractors, the public (Congress), and 
external review organizations? 

These items will be worked for about the next three years. Once the 
milestone plan for each of the four initiatives is developed, it is 
envisioned that each objective will have various completed actions 
throughout the next three years. Once the milestone plans are 
developed, the objectives will be communicated to the workforce. 

* Performing a comprehensive assessment and revision to DCAA training 
by instituting a life-cycle training process. Effort started in FY 2008 
and will conclude in about three years. 

* Conducting a comprehensive organizational assessment (based on 
Baldrige). Estimated completion in FY 2010. 

* Performing a comprehensive review of DCAA's approach for performing 
internal control audits. Estimated completion of baseline audit 
opinions in FY 2010. 

* Engaging the Army Force Management Support Agency to evaluate DCAA's 
process for planning FY 2010 audit needs as well as staffing 
requirements. The effort is expected to be completed by the end of 
September. 

[End of Enclosure 3] 

Enclosure 4: 

GAO Draft Report Dated July 31, 2009: 
GAO-09-468 (GAO Code 195099): 
"DCAA Audits: Widespread Problems With Audit Quality Require 
Significant Reform" 

Department Of Defense Comments To The GAO Report Narrative: 

1. GAO Narrative: Nationwide audit quality problems are rooted in 
DCAA's poor management environment (page 11). 

DOD Comments: GAO stated about half of the rescinded reports relate to 
unsupported opinions on contractor internal controls. This is 
incorrect. The majority of the rescinded reports relate to forward 
pricing reports based on the prior GAO investigation report issued in 
2008. [See comment 1] 

2. GAO Narrative: Audit Quality Problems Found in All Audits GAO 
Reviewed, Independence Issues (page 12). 

DOD Comments: GAO stated that in 8 audits they reviewed, DCAA 
independence was compromised because auditors provided material 
nonaudit services to a contractor they later audited; experienced 
access to records problems that were not fully resolved; or 
significantly delayed report issuance in order to allow the contractors 
to resolve cited deficiencies. The Department understands the GAO's 
concerns, however, we believe the auditors' intent of providing 
preliminary audit results and discussing draft policies and procedures 
was generally an attempt to ensure the evidence was accurate and to 
expedite contractor actions so that contractor systems would be 
corrected promptly to minimize the risk of overpayments. DCAA 
acknowledges that significant time lapsed in several of these 
assignments between the time the contractor was provided the draft 
findings and the issuance of the final audit report. DCAA concurs that 
auditors should not provide input to contractors on draft policies and 
procedures and that the reports should identify all deficiencies found 
even though they have been corrected at the time of report issuance. In 
memorandums issued in August and September 2008, DCAA issued guidance 
prohibiting auditors from providing input to contractors on such items 
as draft proposals, draft policies and procedures, and draft disclosure 
statements and to require auditors to report all deficiencies found 
even when the contractor corrects the deficiencies during the audit. 

3. GAO Narrative: Audit Quality Problems Found in All Audits GAO 
Reviewed, Insufficient Evidence (page 12). 

DOD Comments: GAO stated that 33 of the 37 internal control audits did 
not include sufficient testing to support auditor conclusions and 
opinions. GAO stated that GAGAS for examination-level attestation 
engagements require that sufficient evidence be obtained to provide a 
reasonable basis for the conclusion that is expressed in the report. We 
agree with GAO that in several cases the testing was insufficient. The 
level of testing was based on the auditor's judgment and the total 
audit concept - drawing on an accumulation of knowledge and experience 
previously gained at the contractor based on auditing that contractor 
on a continual basis. Nevertheless, DCAA acknowledges the testing was 
insufficient to support an internal control audit opinion, and 
therefore, has rescinded several of these reports, increased the level 
of testing on related audits and commenced new full scope internal 
control audits at these locations. 

4. GAO Narrative: Table 2, Summary of Five Selected Internal Control 
Audits, Eastern Region - Billing System Audit (page 16). 

DOD Comments: GAO stated that the subject audit had an impairment to 
auditor independence because the auditors helped the contractor develop 
policies and procedures. We generally concur with the GAO in that the 
FAO was performing IPT type effort in providing the contractor comments 
on draft policies and procedures. DCAA believes the intent of these 
actions was to expedite contractor corrective action so that the 
contractor's system would be corrected to minimize the risk of 
overpayments and protect the taxpayer's interests. DCAA recognized the 
potential appearance of a lack of independence related to this kind of 
effort and on August 11, 2008, issued audit guidance that prohibited 
auditors from providing input to contractors on such items as draft 
policies and procedures regardless of the circumstances. 

5. GAO Narrative: Table 2, Summary of Five Selected Internal Control 
Audits, Central Region - Billing System Audit (page 16). 

DOD Comments: GAO stated that the subject audit had an impairment to 
auditor independence because the auditors monitored contractor 
corrective action for 7 months instead of issuing the audit report when 
the work was completed. DCAA concurs with the GAO that the significant 
lapse of time from the date the draft results were provided to the 
contractor and the date the audit report was issued gives the 
appearance of a lack of independence. However, the field audit office 
does not believe it intentionally delayed the issuance of the report to 
allow the contractor to correct the system. Staffing issues and an 
increase in higher risk assignments played a significant role in the 
delay. [See comment 2] 

6. GAO Narrative: Table 2, Summary of Five Selected Internal Control 
Audits, Central Region - Billing System Audit (page 16/17). 

DOD Comments: The GAO narrative appears to imply that DCAA was not 
aggressive in pursuing the potential fraud at this contractor. It 
should be noted that the DCAA Investigative Support Team was 
instrumental in assisting in this fraud investigation that resulted in 
recovering more than $2.8 million dollars in a civil case settlement. 
[See comment 3] 

7. GAO Narrative: Cost Related Assignments (page 17). 

DOD Comments: GAO stated that the 32 cost-related assignments did not 
contain sufficient testing to provide reasonable assurance that 
overpayments and billing errors that might have occurred were 
identified. It appears that the GAO is holding DCAA to the GAGAS
requirements for these assignments even though the majority is not 
GAGAS-type audits based on Agency policy. DCAA does not agree that all 
of the 32 cost-related assignments contained insufficient testing, 
however, DCAA is continuing to assess the GAO's comments and will 
develop an appropriate action plan. [See comment 4] 

8. GAO Narrative: Auditor objectivity issues (page 20). 

DOD Comments: GAO stated that DCAA's role in approving contractors for 
participation in the direct bill program presented an impairment to 
auditor objectivity- which includes being independent in fact and 
appearance when providing audit and attestation engagements. The GAO 
noted that GAGAS state that audit organizations should not authorize an 
entity's transactions or audit their own work. GAO further stated that 
DCAA's role in authorizing contractors to participate in the direct 
bill program places it in the position of making decisions that impact 
its own workload related to review of contractor invoices prior to 
payment. Although not explicitly stated, the GAO seems to imply that 
when DCAA performs an audit of the contractor's billing system (and 
potentially approves the contractor for the direct bill program) while 
also having the responsibility for approving interim vouchers, DCAA is 
authorizing the contractor's transactions and it is auditing its own 
work. In addition, the GAO seems to imply that DCAA's objectivity is 
impaired and DCAA auditors may overlook findings to reduce their 
workload by approving contractors for the direct bill program. DCAA 
disagrees with both implications. [See page 76] 

DCAA is not authorizing a contractor's transaction or auditing its own 
work either when it approves the contractor for direct bill or approves 
an interim voucher for payment. GAGAS 3.14 (GAO-03-673G) defines 
authorizing an entity's transactions as an example of performing 
management functions or making management decisions. When DCAA approves 
a contractor's voucher for payment it is not acting on behalf of the 
contractor (i.e., performing a contractor management function) but 
acting as a representative of the Government in its role as an 
independent external oversight organization based on the authority 
provided for in DFARS 242.803. The contractor's interim vouchers 
submitted to the Government for payment are prepared by contractor 
employees and authorized by contractor management. 

DCAA also does not believe that performing the function of an external 
oversight organization by approving contractor's interim vouchers or 
approving the contractor for the direct bill program places DCAA in the 
position of auditing its own work when it later audits the contractor's 
billing system. These functions do not involve developing the 
contractor's billing system policies and procedures and internal 
controls. In addition, as stated above, DCAA also is not involved in 
preparing the contractor's vouchers. Therefore, approving contractor's 
interim vouchers or approving the contractor for the direct bill 
program and subsequently auditing the contractor's billing system does 
not result in DCAA auditing its own work. Furthermore, DCAA believes 
that its role in reviewing and approving interim vouchers falls within 
the category of nonaudit services discussed in GAGAS A3.02 and A3.03 
(GAO-07-731G) that do not impair independence. 

We also disagree that DCAA's role in authorizing contractors to 
participate in the direct bill program results in an impairment to 
independence because performing that function places DCAA in the 
position of making decisions that impact its own workload. In our 
opinion the GAGAS independence standards do not preclude the auditor 
from performing such functions. In fact, conclusions reached in many of 
the audits and other functions typically performed by auditors have the 
potential to impact the audit organization's workload. For example, a 
qualified or adverse opinion on the company's financial statements 
could prompt the company to replace the independent public accountant 
(IPA) that performed the audit; thereby negatively impacting the IPA's 
future workload and revenue. The GAO's concerns are mitigated by the 
fact that DCAA supervisors are actively involved in all aspects of the 
audit including review and approval of the risk assessment, interim 
reviews as needed, and a final comprehensive supervisory review of the 
working papers and draft report. Technical specialists may also review 
the risk assessment and audit conclusion. In addition, field audit 
office managers review sensitive and high risk audits and may elevate 
them for regional management review prior to report issuance. 

GAO stated that DCAA had approved direct billing on all but 2 of the 16 
contractors they reviewed. GAO reviewed 20 billing system audits 
covering 17 contractors, only 2 of those contractors are still on 
direct billing. It should also be noted that since July 2008, the 
number of contractors on the direct bill program have been reduced by 
over 200 contractors. 

9. GAO Narrative: DCAA's audit quality assurance program was 
ineffective (page 25). 

DOD Comments: GAO stated that DCAA's audit quality assurance program 
was not properly implemented, resulting in an ineffective quality 
control process that accepted audits with significant deficiencies and 
noncompliance with GAGAS and DCAA policy. We do not agree with the 
statement that the quality assurance process accepted audits with 
significant deficiencies. As the GAO states in its report, the quality 
assurance reviews did identify significant GAGAS noncompliances which 
they reported to the field audit office for corrective action - they 
did not "accept" these audits. DCAA has recently made several 
improvements to the quality assurance program to include increasing the 
level of management responsible for developing and implementing a 
corrective action plan. The current program requires the Regional 
Director to ensure corrective actions have been taken and all 
corrective actions will be tested by the Headquarters quality assurance 
staff to ensure the noncompliances have been corrected. [See page 78] 

10. GAO Narrative: DCAA lacks a risk-based audit planning approach 
(page 28). 

DOD Comments: GAO stated that DCAA lacks a risk-based audit planning 
approach. We do not agree with this statement. DCAA has a risk-based 
contract audit approach in identifying resource requirements. DCAA 
performs annual audit requirements planning procedures to establish 
staffing requirements based on its regulatory/statutory audit 
requirements and audit risk. [See page 75] 

11. GAO Narrative: Allegations about abusive management actions have 
continued (page 32). 

DOD Comments: The GAO states that allegations about abusive management 
actions have continued. The report further states that "DCAA 
Headquarters officials explained that in several cases, Western Region 
management has not agreed to take disciplinary or other available 
corrective action. The officials told us that DCAA hotline staff has no 
recourse in these situations." The DCAA hotline group functions as a 
finder of fact, and they recommend corrective actions. While it is true 
that the DCAA hotline group has no authority to take disciplinary 
action itself or to require corrective action, any disagreement between 
the hotline team and the region may be resolved by the DCAA Director or 
Deputy Director. The Western Region management has agreed with the 
recommended actions provided by the hotline team in a final formal 
report. Several cases are still in the investigative stage and although 
interim recommendations may not have been adopted yet by the region, we 
fully expect the Western Region management to support the 
recommendations made in a final report. 

12. GAO Narrative: Increase authority and independence (Page 50). 

DOD Comments: GAO stated that legislation could strengthen DCAA's audit 
authority by providing the same level of access to records and 
personnel available to IGs. GAO goes on to state that currently, DCAA 
has access to certain records related to cost-type contracts or that 
contain cost and pricing data, but not to contractor personnel. We do 
not agree with the statement that DCAA does not have access to 
contractor personnel. DCAA interfaces with contractor employees during 
all phases of the audit, which include interviews, inquiry, observation 
as well as providing draft audit results for comment and verification 
of factual content. [See comment 5] 

13. GAO Narrative: Independence Impairments, (Pages 60-61). 

DOD Comments: The GAO provides an example in this narrative section 
where the GAO contends that the field audit office experienced an 
access to records issue. The GAO concludes that since the contractor 
inquired regarding the auditor's need for certain data, there was an 
access to records issue. DCAA routinely encounters "push back" from 
contractors, this does not constitute an access to records impairment 
if the auditor does not succumb to the pressure and obtains the 
requested data. The field audit office does not believe its access to 
data relating to the training records was denied by the contractor as 
cited by the GAO. The contractor subsequently provided the requested 
data to the auditor. [See comment 6] 

14. GAO Narrative: Failure to Design and Perform Procedures to Detect 
Fraud Risk (Pages 64-66). 

DOD Comments: The GAO provides an example in this narrative section 
where the GAO contends the FAO manager and supervisor ordered an 
auditor to ignore significant fraud risks during the audit. DCAA does 
not agree with this conclusion and has not been provided evidence to 
support this assertion. It should be noted that the DCAA was 
instrumental in assisting in this fraud investigation that resulted in 
recovering more than $2.8 million dollars in a civil case settlement. 
[See comment 3] 

Defense Procurement and Acquisition Policy (DPAP): 
Collateral Action Officer's Comments on GAO Draft Report: "DCAA Audits: 
Widespread Problems With Audit Quality Require Significant Reform" 

Following are the DPAP's Collateral Action Officer's (CAO's) technical 
comments regarding the Government Accountability Office's (GAO's) July 
31, 2009 Draft Report GAO-09-468 (GAO Code 195099) "DCAA Audits: 
Widespread Problems With Audit Quality Require Significant Reform". 

1. Auditing in the Public Interest: 

The report, in part, impugns DCAA's audits stating, "DCAA's management 
environment ... put DCAA in the role of facilitating DoD contracting 
without also protecting the public interest."[Footnote 1] Likewise, the 
GAO mentions that the "DCAA mission should be refocused to protect the 
taxpayer interest ..." compared to the current mission that "fostered 
the culture of supporting contracting officials[Footnote 2] 2 As a 
result, the GAO agrees with the Defense Business Board's recommendation 
to "revise DCAA's mission to focus on protecting the interest of 
taxpayers, with the taxpayer as the primary customer...[Footnote 3] 
[See page 78] 

The report adopts a position that because DCAA is serving the interests 
of Contracting Officers, that DCAA is not auditing in the interest of 
the public. DCAA is a service organization created to provide financial 
information, audits, and advice to support decision making by DoD 
Contracting Officers. DCAA serves the public interest by providing 
timely and useful information to Contracting Officers. It is erroneous 
to imply that contracting officers do not seek to protect the public 
interest. 

The contracting officer is bound by regulation to meet the public 
interest in the broadest sense, for the entire matter surrounding a 
contract. The contracting officer, in the award and administration of a 
contract, is the government official responsible for insuring that all 
requirements of law, executive orders, regulations, and all other 
applicable procedures, including clearances and approvals, have been 
met. Any logic that presumes that by focusing on supporting contracting 
officials DCAA somehow failed to act in the public interest is flawed 
in our view. Someone trained and named in both law and regulation has 
to look at the larger picture, and not just the audit, if the public 
interest is to be served-the contracting officer is that person. 

Numerous provisions of the Federal Acquisition Regulations (FAR), for 
instance, speak to the issue of all members of the acquisition and 
administration community serving the public interest: 

An essential consideration in every aspect of the System is maintaining 
the public's trust. Not only must the System have integrity, but the 
actions of each member of the Team must reflect integrity, fairness, 
and openness. The foundation of integrity within the System is a 
competent, experienced, and well-trained, professional workforce. 
Accordingly, each member of the Team is responsible and accountable for 
the wise use of public resources as well as acting in a manner which 
maintains the public's trust. Fairness and openness require open 
communication among team members, internal and external customers, and 
the public.[Footnote 4] 

Specifically to contracting officers, FAR states: 

Contracting officers are responsible for ensuring performance of all 
necessary actions for effective contracting, ensuring compliance with 
the terms of the contract, and safeguarding the interests of the United 
States in its contractual relationships. In order to perform these 
responsibilities, contracting officers should be allowed wide latitude 
to exercise business judgment.[Footnote 5] 

By serving the interests of Contracting Officers well, DCAA does serve 
the public interest. It is not one or the other as might be interpreted 
in the report. 

2. Production Auditing: 

Throughout the report, the GAO implies and in some instances states 
that the problem is "Production-Oriented Auditing" and that audits have 
been rushed by contracting officer requirements. This sets up a 
dichotomy between "quality" audits and timely audits. We strongly urge 
the GAO to consider that an audit not delivered in time to be useful, 
is of limited value to the Government. [See comment 7] 

For example, a proposal review delivered after negotiation has started 
and decisions have already been made is of greatly diminished 
usefulness. Likewise, an incurred cost review that is not completed in 
a reasonable period after the costs are incurred loses contemporaneous 
support-employees of the contractor and the Government leave, some 
records are lost or are placed in deep storage. Similarly, business 
system reviews need to be issued while a problem is still subject to 
correction before the fact to protect the Government's interests, not 
two and three years later. 

Timeliness is a critical element of quality. Delays in award have 
consequences to the warfighter. Contracting officers are required to 
consider those consequences and hence, they are very concerned that 
DCAA has not been able to consistently deliver timely reports and 
advice. The GAO has previously recognized there are consequences to 
award delays:[Footnote 6] 

"Although federal regulations do not specify how long the contract 
award process should take, the regulations state that the purpose of 
planning the contract award process is to ensure that the government 
obtains the needed goods or services in the most effective, economical, 
and timely manner. Therefore, written plans for carrying out the award 
process must include milestones for completing the steps in the 
process, such as when the agency plans to solicit and evaluate 
proposals and make the award. Developing and adhering to these 
schedules can help ensure that the department conducts the process 
efficiently and can help companies make informed business decisions 
regarding the allocation of their resources and whether to compete for 
a contract." 

"Delays in awarding contracts could increase costs... and could also 
affect the willingness of companies to compete for future...contracts 
....Specifically, in addition to investing time and resources in 
developing proposals, once a company submits a proposal ... the company 
is generally required to ensure that the key personnel identified in 
the proposal continue to be available until the decision is made and 
the contract awarded....Increased costs and the length of time it takes 
...to award a contract also have the potential to affect competition 
for future...work." 

GAO's recognition of this fact in the aforementioned report, while 
important, is still a comparatively limited view of timeliness compared 
to a contracting officer's point of view. A contracting officer knows 
that delays can impact funding decisions and disrupt program management 
plans. Contracts are often interrelated and codependent, such that a 
delay in awarding one contract can delay an entire system and put off 
fielding dates, with consequences distributed and cascading through a 
range of other contracts and plans, and might ultimately result in 
mission failure. The contracting officer, also by regulation, has to 
consider and respect the opinions of other specialists that he works 
with, and not just that of the auditor. A good audit in time is better 
than an extraordinary audit that is late and never used. An audit is a 
tool the contracting officer uses to negotiate and administer a 
contract, but in order to realize the benefits of the auditor's work, 
the audit must be timely. 

3. Generally Accepted Government Auditing Standards (GAGAS): 

As the GAO correctly points out, DCAA performs most of its audits and 
reviews in conformance with GAGAS. We believe that for some reviews and 
financial advice provided by DCAA, it is possible that it may not be 
necessary to provide a fully conforming GAGAS audit report to support 
certain contracting officer functions (e.g., providing an attestation 
review rather than a financial audit). DCAA should use auditing 
standards and techniques that produce creditable information that can 
be relied upon by the contracting community in the awarding and 
administrating of contracts. However, we believe that all types of DCAA 
reports and reviews should be examined to determine if the standard 
being applied and reported by DCAA is the appropriate standard given 
the requirement causing the audit or review to be performed. [See 
comment 8] 

4. Staffing: 

While the report cites examples of poor quality audits and some poor 
decisions made by DCAA management, most would seem to be heavily 
influenced by lack of adequate staffing. Based on our discussions with 
contracting officers, contractors, and auditors, some and possibly most 
of the reductions in audit scope and responsiveness by DCAA is a direct 
result of the staffing drawdown while workload increased. Until the 
staffing issues are resolved, it will not be possible for DCAA to 
perform at the level of quality and efficiency that is desired. 
Rebuilding the DCAA workforce, while a challenge, can and must be done. 
The workforce build-up will require years of effort to hire and train 
the staff required to do the work envisioned by the GAO audit. [See 
comment 9] 

5. Placement of DCAA in the Executive Branch: 

The report raises the question of DCAA's placement within DoD or the 
Executive Branch. Currently DCAA performs most of the contract auditing 
functions within the Executive Branch. Even if DCAA performed the 
remaining contract audits it currently is not performing, DoD would 
remain by a large factor the majority user of the DCAA services. We do 
not believe that any useful purpose would be served by moving DCAA
outside DoD. DoD has the most vested interests in a well functioning 
DCAA. [See page 74] 

In our view, in reporting to the Comptroller, DCAA is insulated from 
direct influence from contract procurement and contract administration 
offices. For similar reasons DCMA is in the AT&L chain of command to 
insulate it from pressures it might have placed on it, if it were in 
the same chain of command as the procurement offices. The Comptroller 
is in the best position to understand the DCAA requirements while 
maintaining its independence from the audit report users. 

6. Risk Based Auditing: 

According to the DCAA Contract Audit Manual,[Footnote 7] all audit 
planning is risk based. This applies to both the annual planning for 
types of audits and staff requirements as well as for the planning of 
specific audits. The Audit Manual is quite clear that the final budget 
set for the assignment is to be based on the circumstances and risk 
attached to the assignment being planned. Further, it also clearly sets 
out that as circumstances change or the risk is found to be different 
than considered during the planning stage, that budget changes should 
be made. [See page 75] 

We are faced in the GAO report with the finding that budgeted hours do 
not reflect the risk and that changed risk found during the field work 
has not resulted in changed budgets. This is obviously not a policy 
matter of DCAA not doing risk-based auditing, since the findings are 
clearly at odds with the DCAA policy. We believe that the failure to 
follow the policy is a result of staffing constraints that made it 
impossible for DCAA to perform all the assigned review requirements to 
the standards expected. 

7. Direct Billing: 

This GAO draft report seems to misunderstand the Direct Billing program 
and the problems noted in DCAA administration of voucher reviews. 
Direct Billing approval was not designed to reduce review of vouchers. 
It was designed to administratively take advantage of technology to 
better process vouchers in an efficient manner and to better comply 
with the Prompt Payment Act. In appropriate circumstances using risk-
based analysis of contractor past performance and the quality of its 
business systems, contractors were to be allowed to be paid before 
review of vouchers instead of requiring review of the vouchers before 
payment. [See page 76] 

The nature of the review program for any given contractor should not 
have changed due to placement on Direct Billing. The DCAA guidance 
requires voucher reviews of all contractors every year that the 
contractor has Direct Billing authority. Where DCAA believed based on 
past performance or poor systems that there was a significant chance of 
improper billing, the contractor was not to be included in the Direct 
Billing program. The review program for the contractors should have 
been the same as it would have been based on risk factors even if there 
was no Direct Billing program. 

The problem with voucher reviews both before the Direct Billing program 
and after the initiation of the program is that DCAA did not have 
sufficient staff to perform the reviews required by the risk-based 
analysis. New contractors and problem contractors should have voucher 
reviews before payment just as required by DCAA policy. Established 
contractors with adequate past performance should have vouchers 
reviewed after payment using a reasonable plan tailored to the 
contractor's circumstances just as required by DCAA guidance. Changing 
the decision authority for participation in Direct Billing should have 
no impact on what vouchers are reviewed. Taking a contractor off of the 
program does not ensure that the vouchers will be properly reviewed 
prior to payment if there is not sufficient staff to perform the 
reviews. 

Footnotes for Appendix IV: 

[1] Executive Summary. 
[2] Page 34.
[3] IBID. 
[4] FAR 1.102-2 (c)(1) Performance standards. 
[5] FAR 1.602-2 Responsibilities. 
[6] GAO-06-722, DOE Contracting, Better Performance Measures and 
Management Needed to Address Delays in Awarding Contracts, June 30, 
2006. 
[7] Chapter 3, Section 100. 

The following are GAO's comments on the U.S. Department of Defense 
letter dated September 4, 2009. 

GAO Comments: 

1. Rescinded reports. DOD stated that we were incorrect in stating that 
about half of the rescinded reports relate to unsupported internal 
control reports. DOD is correct. Of the 80 rescinded audit reports, 24 
(31 percent) relate to unsupported opinions on contractor internal 
controls, 47 (61 percent) relate to forward pricing reports, and 6 (8 
percent) relate to defective pricing, compliance with cost accounting 
standards, and a labor floor check. We have corrected this information 
in the body of our report. 

2. Central Region billing system audit. DOD stated that the DCAA field 
audit office does not believe that it intentionally delayed issuance of 
the report to allow the contractor to correct the system. Audit 
documentation clearly shows that the auditors monitored the 
contractor's actions for 7 months and issued the audit report 9 months 
after the exit conference, once the contractor had prepared "written 
desk procedures to ensure liquidation progress billings would be 
handled correctly." Opinions should be based on the findings at the end 
of the audit, and reports should be issued when the audit is completed. 

3. Central Region billing system audit during fraud investigation. DOD 
stated that our report appears to imply that DCAA was not aggressive in 
pursuing the potential fraud at this contractor and noted that the DCAA 
Investigative Support Team was instrumental in assisting in the fraud 
investigation that recovered over $2.8 million in a civil case 
settlement. The audit documentation shows that the Regional Audit 
Manager, in the presence of the field office manager and the 
supervisory auditor, directed the auditor not to pursue contractor 
charges of costs to future-year, unfunded contract lines and to forget 
what she learned in her previous DOD contract administration job where 
she had been responsible for reviewing similar types of contracts. In 
addition, after reassignment of the first supervisor, the second 
supervisory auditor instructed the auditor to stop "over documenting" 
her audit, to complete the assignment, and issue the report. Moreover, 
the DCAA auditors who investigated the fraud worked with the Army 
Criminal Investigative Division special agent and Department of Justice 
Attorneys, not the DCAA field audit office. Finally, we did, in fact, 
discuss additional documentation we received from the investigative 
auditors with DCAA headquarters officials and provided them a summary 
of the key audit-related issues that we obtained from the 
investigators. 

4. Insufficient testing in cost-related assignments. DOD stated that it 
appears that GAO is holding DCAA to the GAGAS requirements for these 
assignments even though the majority of these audits are not GAGAS-type 
audits. As discussed in our report, DCAA does not consider its paid 
voucher reviews and overpayment assignments to be GAGAS assignments. 
However, this is important work intended to assure the reliability of 
contract payments. Specifically, DCAA paid voucher reviews are relied 
on for making billions of dollars in continuing contract payments 
without prior review by the government. The Defense Finance and 
Accounting Service (DFAS) relies on DCAA voucher reviews, and DFAS 
certifying officers do not repeat review procedures they believe were 
performed by DCAA. Because paid voucher reviews constitute a payment 
audit, they require sufficient testing to support reported DCAA 
conclusions that the government can rely on contractor controls over 
preparation of interim vouchers to continue to make contract payments 
without prior review. In addition, DCAA's overpayment audits are 
intended to determine whether the contractor has adequate controls in 
place to detect and correct causes of overpayments and billing errors 
and make timely refunds and adjustments. The limited testing we 
observed in our work does not provide the intended assurance. 

5. Increase authority and independence. DOD stated that it did not 
agree with our statement that DCAA does not have access to contractor 
personnel. The discussion in our report is based on DCAA's authority in 
10 U.S.C. 2313(a)(B)(2), which gives DCAA legal access to certain 
contractor records but not access to contractor personnel. Further, 
DCAA subpoena authority in 10 U.S.C. 2313(b) is specific to the 
production of contractor records that DCAA is authorized to audit or 
examine and does not cover contractor personnel. We agree that in 
practice, DCAA auditors have numerous ongoing discussions with 
contractor personnel. However, if a contractor official refuses to talk 
to an auditor, DCAA does not have legal authority to compel contractor 
officials to meet with or talk to DCAA auditors. Our point is that 
under authority similar to the IG Act, DCAA's authority to interview 
contractor officials would be enhanced. 

6. Independence impairments. DOD stated that DCAA routinely encounters 
"push back" from contractors and that the DCAA field office 
subsequently received training records from the contractor. We 
recognize that the field office received some training records from the 
contractor. However, we saw a pattern throughout this audit where the 
auditor limited requests for contractor documentation and also 
performed little or no testing in various areas because "the contractor 
would not appreciate it" if he did more testing. The audit 
documentation shows that the auditor performed limited testing of 
selected billing clerk training. Additionally, documentation on testing 
of the contractor's review of subcontractor costs shows that although 
the auditor should have tested cost data for three of the top five 
subcontractors, the auditor asked the contractor to "provide a list of 
the top 3-5 subcontracts, including subcontract values.... Three 
subcontractors would be fine." This indicates that the auditor not only 
accepted data the contractor was willing to provide for testing, but he 
also let the contractor select the data to be used for testing. The 
auditor then tested costs of only one subcontractor. The pattern of 
backing off on requests for documentation and limiting the extent of 
testing based on concerns about the contractor's reaction indicates 
that the auditor was influenced by the contractor and limited his audit 
procedures as a result--a clear independence impairment. DCAA rescinded 
the audit report on February 10, 2009. 

7. Production auditing. USD AT&L comments suggest that there is a trade-
off between audit timeliness and audit quality. We view both quality 
and timeliness as critical to effective contracting officer decision 
making. However, timely audits that do not meet professional standards 
are not quality audits and could be misleading or impair important 
contract decisions. For example, our audit identified three contractor 
internal control audits--an accounting system audit and two billing 
system audits--that were completed in 9, 13, and 15 days, respectively--
all with adequate opinions on the contractor's internal controls. 
Apparently, the contracting officers involved thought these audits were 
timely and met their needs because there was no audit documentation to 
the contrary. However, in response to our work, DCAA has rescinded all 
three of these audits. USD AT&L comments also stated, "A good audit in 
time is better than an extraordinary audit that is late and never 
used." Our report did not call for extraordinary audits. DOD has 
determined that certain DCAA audits should comply with professional 
standards. When audit organizations state that their audits comply with 
professional standards, they must follow these standards. Further, 
until DCAA and AT&L address the need for DCAA to perform 30,000 
assignments and issue over 20,000 reports annually, DCAA will continue 
to face audit quality and timeliness problems. 

8. Contract audits in conformance with GAGAS. USD AT&L states that it 
believes that for some reviews and financial advice provided by DCAA, 
it is possible that it may not be necessary to perform GAGAS work to 
support certain contracting officer functions. We agree. As discussed 
in our report, a risk-based audit approach may require an appropriate 
delegation of nonaudit contract administration activities and audit 
responsibilities among DCMA, buying commands, finance community, and 
DCAA. An effective risk-based approach would include an effort by these 
communities to re-evaluate whether all such services should be provided 
as audits and whether DCAA, as an independent audit organization, would 
perform any nonaudit services. 

USD AT&L also stated that DCAA may be able to support contracting 
officer functions through an attestation review rather than a financial 
audit. However, DCAA does not perform financial audits. Instead, DCAA 
performs examination-level attestation audits and reports conclusions 
and opinions on subject matter as a whole. Examinations provide the 
highest level of assurance, and they must be based on sufficient 
evidence, often referred to as positive assurance work. For an 
attestation review, GAGAS require auditors to perform sufficient 
testing to form a conclusion based on the work performed. It is 
important to note that GAGAS prohibit auditors from performing review- 
level attestation work for reporting on internal control or compliance 
with laws and regulations. 

9. DCAA staffing. USD AT&L stated that "the [DCAA] workforce build-up 
will require years of effort to hire and train the staff required to do 
the work envisioned by the GAO audit." We did not call for a build-up 
of the DCAA workforce. Instead, we noted that DCAA production metrics 
had a direct impact on audit quality. Therefore, it will be important 
to perform a risk-based analysis of FAR requirements and determine the 
mix of audit and nonaudit services that will best meet these 
requirements with consideration of appropriate roles and 
responsibilities of the contracting and finance communities. 

[End of section] 

Appendix V: Comments from the Department of Defense Inspector General: 

Inspector General: 
Department Of Defense: 
400 Army Navy Drive: 
Arlington, Virginia 22202-4704: 

September 3, 2009: 

Gregory D. Kutz: 
Managing Director: 
Forensic Audits and Special Investigations: 
Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Re: GAO Draft Report, "DCAA Audits: Widespread Problems with Audit 
Quality Require Significant Reform," dated July 31, 2009 (GAO Code 
195099/GAO-09-468): 

Dear Mr. Kutz: 

Thank you for the opportunity to respond to the subject draft report. 
We recognize the critical role that the Defense Contract Audit Agency 
(DCAA) plays in contractor oversight inside and outside the Department 
of Defense, and we take very seriously concerns about compliance with 
generally accepted government auditing standards (GAGAS) by DoD audit 
organizations. 

Our narrative response to your recommendations are included at 
Enclosure 1. As an alternative to the recommendation that this office 
rescind or modify our May 2007 External Review of the DCAA Quality 
Control System opinion report, we instead notified DCAA on August 24, 
2009, that our May 2007 "adequate" opinion on the DCAA system of 
quality control would expire on August 26, 2009 (See Enclosure 2). On 
the basis of our action, DCAA has begun to qualify its GAGAS-compliant 
audits with a statement noting an exception to compliance with the 
Quality Control and Assurance Standard. In addition, it was recommended 
that DCAA publicly disclose the concerns of your office to include 
questioning the reliability of audit reports issued during the period 
covered by our May 2007 opinion. Our August 24, 2009, memorandum to the 
DCAA will he made public upon the release of your report. 

Please contact Ms. Carolyn R. Davis at (703) 604-8877 if you have any 
questions. 

Sincerely, 

Signed by: 

Gordon S. Heddell: 

Enclosures: As stated: 

[End of letter] 

Enclosure 1: 

GAO Draft Report Dated July 31, 2009
GAO-09-468 (GAO Code 195099)
"DCAA Audits: Widespread Problems With Audit Quality Require 
Significant Reform" 

Department Of Defense Inspector General Comments To The GAO 
Recommendations: 

Recommendation 1: The GAO recommends that the Department of Defense 
Inspector General (DoD IG) reconsider its overall conclusions in the 
May 2007 DoD IG report on the audit of DCAA's quality control system in 
which it reported an adequate ("clean") opinion on DCAA system of 
quality control in light of the serious deficiencies and findings 
included in that report and the additional evidence identified in our 
audit. (Page 57/GAO Draft Report) 

DODIG Response: Concur. 

Recommendation 2: The GAO recommends that the Department of Defense 
Inspector General based on the above, determine whether the report 
should be rescinded or modified. (Page 57/GAO Draft Report) 

DODIG Response: Nonconcur. In reference to your recommendation that we 
rescind or modify our May 2007 External Review of the DCAA Quality 
Control System opinion report, we have taken an alternative action that 
conforms to the intent of your recommendations. The DoD IG has taken 
the extraordinary action of notifying DCAA that our "adequate" opinion 
on DCAA's system of quality control as detailed in the May 2007 
External Review of the Defense Contract Audit Agency (DCAA) Quality 
Control System report will expire as of August 26, 2009 (See Enclosure 
2). 

Our action recognizes that our May 2007 report was based upon a quality 
review methodology that differed substantially from your audit, but 
acknowledges that additional concerns about DCAA quality controls must 
be addressed. On August 5, 2009, we announced a project under the title 
"Evaluation of the Defense Contract Audit Agency Quality Assurance 
Program" (Project No. D2009-DIPOAC-0283). The results of this 
evaluation will be used in formulating our next opinion on the DCAA 
external quality control system for the period ending September 30, 
2009. The overall opinion will take into consideration repeated non-
compliances with Government Auditing Standards identified in our May 
2007 and December 2003 opinion reports on the DCAA quality control 
system. By not rescinding our May 2007 report, we can also use the 
repeat deficiencies in formulating our next opinion. 

Placing an expiration date on the opinion means that after August 26, 
2009, DCAA will be operating without an opinion on its system of 
quality control. We have recommended to the Director, DCAA, that her 
agency immediately begin to qualify its GAGAS-compliant audits with a 
modified GAGAS statement noting an exception to compliance with the 
Quality Control and Assurance Standard. Additionally, we have 
recommended that DCAA publicly disclose on its official website your 
concerns, including the questioning of the reliability of audit reports 
issued during the period covered by this office's May 2007 opinion. 

Our May 2007 report and the GAO July 2009 draft report focused on the 
period ended September 30, 2006. 1 believe it is paramount that we move 
forward and critically analyze the existing DCAA environment, its 
organizational effectiveness, and the quality of its recent audit work. 
Given the critical mission of DCAA, we plan to focus our attention and 
resources on a current analysis to yield real-time effective 
recommendations to improve DCAA audit quality. 

[End of Enclosure 1] 

Enclosure 2: 

Inspector General: 
Department Of Defense: 
400 Army Navy Drive: 
Arlington, Virginia 22202-4704: 

August 24, 2009: 

Memorandum For Director, Defense Contract Audit Agency: 

Subject: Review of the Defense Contract Audit Agency Quality Control 
System (OIG Report No. D-2007-6-006) and GAO Draft Report, "DCAA 
Audits: Widespread Problems with Audit Quality Require Significant 
Reform" (GAO-09-468): 

Our May 2007 External Review of the Defense Contract Audit Agency 
(DCAA) Quality Control System provided DCAA with an adequate opinion on 
its internal quality control system while still identifying significant 
audit quality problems. However, our significant findings in 2007 
coupled with the results of the July 2009 Government Accountability 
Office (GAO) draft report, "DCAA Audits: Widespread Problems with Audit 
Quality Require Significant Reform" (GAO-09-468), necessitates that we 
take further action. We have determined that it is not prudent to allow 
the adequate opinion from our May 2007 report to carry forward. 
Therefore, effective August 26, 2009, our adequate opinion will no 
longer apply to the DCAA system of quality control and will require 
further actions on your part. Specifically, we recommend the following 
be implemented immediately: 

1. After August 26, 2009, all DCAA audits identified as being in 
compliance with generally accepted government auditing standards 
(GAGAS) must be qualified with a modified GAGAS statement noting an 
exception to compliance with the Quality Control and Assurance 
standard. 

2. DCAA should publicly disclose on the DCAA website GAO's concerns 
regarding the reliability of DCAA audit reports issued during the 
period covered by this office's May 2007 opinion. 

As requested by your July 30, 2009, letter to my office, we have 
started preparing for the external quality control review ("peer 
review") of DCAA for the period ending September 30, 2009. On August 5, 
2009, we announced that project under the title "Evaluation of the 
Defense Contract Audit Agency Quality Assurance Program" (Project No. 
D2009-DIPOAC-0283.000). The results of this evaluation will be used in 
formulating our overall opinion of the DCAA quality control system. The 
overall opinion will also take into consideration repeated non-
compliances with Government Auditing Standards identified in our May 
2007 and December 2003 opinion reports on the DCAA quality control 
system. 

This action is necessary to maintain the integrity of this office's 
oversight responsibilities for audits conducted by Department of 
Defense agencies. This memorandum is being distributed to the 
recipients of our May 1, 2007, opinion report, and will be posted with 
the May 2007 opinion report on our DoDIG website. 

Please contact me or Mr. Charles W. Beardall at (703) 602-1017 or Ms. 
Carolyn R. Davis at (703) 604-8877 if you have any questions. 

Signed by: 

Gordon S. Heddell: 

cc: Under Secretary of Defense (Comptroller)/Chief Financial Officer: 

[End of Enclosure 2] 

[End of section] 

Footnotes: 

[1] GAO, DCAA Audits: Allegations That Certain Audits at Three 
Locations Did Not Meet Professional Standards Were Substantiated, 
[hyperlink, http://www.gao.gov/products/GAO-08-993T] (Washington, D.C.: 
Sept. 10, 2008). 

[2] GAO, DCAA Audits: Allegations That Certain Audits at Three 
Locations Did Not Meet Professional Standards Were Substantiated, 
[hyperlink, http://www.gao.gov/products/GAO-08-857] (Washington, D.C.: 
July 22, 2008). 

[3] Hereafter referred to as the DOD Comptroller/CFO. 

[4] Under Secretary of Defense--Comptroller, Memorandum for Director 
Defense Contract Audit Agency, Subject: Implementation of Corrective 
Actions, (Washington, D.C.: Aug. 20, 2008). 

[5] Defense Business Board, Report to the Secretary of Defense: 
Independent Review Panel Report on the Defense Contract Audit Agency, 
October 2008. 

[6] GAO, Generally Accepted Government Auditing Standards, [hyperlink, 
http://www.gao.gov/products/GAO-03-673G] (Washington, D.C.: June 2003) 
and GAO-07-731G (Washington, D.C.: July 2007). 

[7] In the case of follow-up audits, we also reviewed the documentation 
for the previous audit to gain an understanding of the scope of work 
and deficiencies identified in the prior audit. 

[8] In selecting the seven DCAA offices, we considered a 2-year history 
of internal control audit results. The seven DCAA offices we selected 
reported adequate opinions on 89 percent or more of the internal 
control reports they issued during fiscal year 2006. During fiscal year 
2005, 4 of the 7 offices reported adequate opinions in 85 percent or 
more of the internal control reports they issued, and the other 3 
offices issued adequate opinions in 50 to 69 percent of the internal 
control audit reports they issued. 

[9] DCAA, Contract Audit Manual (CAM) 5-1202.1a and Defense Federal 
Acquisition Regulation Supplement (DFARS) 215.407-5. 

[10] FAR §§ 16.104(h) and 16.301-3(a)(1). 

[11] FAR § 42.101 and DFARS § 242.803. 

[12] Contractor overpayments can occur as a result of errors made by 
paying offices, such as duplicate payments and payments in excess of 
amounts billed, and contractor billing errors, such as using the wrong 
overhead rate, failing to withhold designated amounts on progress 
payments, duplicate billings, or billing for unallowable cost. 
Recoveries of overpayments can be accomplished through refunds, 
subsequent billing offsets, or other adjustments to correct billing 
errors. 

[13] Although we selected 73 assignments for review, two internal 
control assignments were assist audits and two cost related assignments 
were not completed assignments. As a result, we did not consider these 
four assignments in our analysis, and we discuss the results of our 
analysis of the 69 completed assignments that we reviewed. 

[14] On August 19, 2008, at the request of the DOD Defense, 
Comptroller, the Deputy Secretary of Defense established an independent 
review panel under the Defense Business Board (DBB) to review DCAA 
operations and make recommendations for improvements. 

[15] Codified in an appendix to Title 5 of the United States Code 
(hereafter 5 U.S.C. App.). 

[16] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[17] GAO, High-Risk Series: An Update, GAO-09-271 (Washington, D.C.: 
January 2009). 

[18] GAO, Global War on Terrorism: DOD Needs to More Accurately Capture 
and Report the Costs of Operation Iraqi Freedom and Operation Enduring 
Freedom, [hyperlink, http://www.gao.gov/products/GAO-09-302] 
(Washington, D.C.: Mar. 17, 2009); Centers for Medicare and Medicaid 
Services: Internal Control Deficiencies Resulted in Millions of Dollars 
of Questionable Contract Payments, [hyperlink, 
http://www.gao.gov/products/GAO-08-54] (Washington, D.C.: Nov. 15, 
2007); Defense Contract Management: DOD's Lack of Adherence to Key 
Contracting Principles on Iraq Oil Contract Put Government Interests at 
Risk, [hyperlink, http://www.gao.gov/products/GAO-07-839] (Washington, 
D.C.: July 31, 2007); Hanford Waste Treatment Plant: Department of 
Energy Needs to Strengthen Controls over Contractor Payments and 
Project Assets, [hyperlink, http://www.gao.gov/products/GAO-07-888] 
(Washington, D.C.: July 20,2007); Iraq Contract Costs: DOD 
Consideration of Defense Contract Audit Agency's Findings, [hyperlink, 
http://www.gao.gov/products/GAO-06-1132] (Washington, D.C. Sept. 25, 
2006); Department of Energy, Office of Worker Advocacy: Deficient 
Controls Led to Millions of Dollars in Improper and Questionable 
Payments to Contractors, [hyperlink, 
http://www.gao.gov/products/GAO-06-547] (Washington, D.C.: May 31, 
2006); and Federal Bureau of Investigation: Weak Controls over Trilogy 
Project Led to Payment of Questionable Contractor Costs and Missing 
Assets, [hyperlink, http://www.gao.gov/products/GAO-06-306] 
(Washington, D.C.: Feb. 28, 2006). 

[19] GAO, Defense Acquisitions: Assessments of Selected Weapon 
Programs, [hyperlink, http://www.gao.gov/products/GAO-09-326SP] 
(Washington, D.C.: Mar. 30, 2009); Defense Management: Actions Needed 
to Overcome Long-standing Challenges with Weapon Systems Acquisition 
and Service Contract Management, [hyperlink, 
http://www.gao.gov/products/GAO-09-362T] (Washington, D.C.: Feb. 11, 
2009); and Defense Acquisitions: DOD's Increased Reliance on Service 
Contractors Exacerbates Long-standing Challenges, [hyperlink, 
http://www.gao.gov/products/GAO-08-621T] (Washington, D.C.: Jan. 23, 
2008). 

[20] DCAA, Contract Audit Manual (CAM), DCAAM 7640.1. 

[21] Project 60 also resulted in consolidation of the military 
services' contract management activities under the Defense Contract 
Management Agency (DCMA), formerly the Defense Contract Management 
Command (DCMC) within the Defense Logistics Agency. On March 27, 2000, 
DCMC was established as DCMA under the authority of the Under Secretary 
of Defense (Acquisition, Technology, and Logistics). 

[22] DOD, General Plan: Consolidation of Department of Defense Contract 
Audit Activities into the Defense Contract Audit Agency (Feb. 17, 
1965). 

[23] DODD 5105.36, paragraph 4.2, reissued on February 28, 2002. 

[24] DODD 5105.36, paragraphs 5.1 through 5.14. 

[25] Contract administration responsibilities are set forth in FAR 
Subparts 42.2 and 42.3. 

[26] CAM 2-001. 

[27] Disbursing officers are authorized to make payments on the 
authority of a voucher certified by an authorized certifying officer, 
who is responsible for the legality, accuracy, and propriety of the 
payment. 31 U.S.C. §§ 3325, 3521(a), and 3528(a). 

[28] FAR § 32.503-4. 

[29] CAM, 2-101. Except where stated otherwise in this report, various 
types of evaluations entailing different levels of assurance that DCAA 
refers to as audits--such as examinations, attestations, and reviews-- 
were subject to GAGAS. 

[30] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §1.01, and 
[hyperlink, http://www.gao.gov/products/GAO-07-731G], §1.03. 

[31] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 1.11. 

[32] [hyperlink, http://www.gao.gov/products/GAO-03-673G], § 6.01, and 
[hyperlink, http://www.gao.gov/products/GAO-07-731G], § 6.01. 

[33] [hyperlink, http://www.gao.gov/products/GAO-07-731G], §§ 2.06 
through 2.10. 

[34] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 2.01. 

[35] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 2.10. 

[36] According to documentation provided by DCAA as of the end of July 
2009, the 80 rescinded reports include 62 reports related to findings 
in our July 2008 investigative report and 18 reports related to this 
audit. 

[37] See [hyperlink, http://www.gao.gov/products/GAO-03-673G], § 3.19, 
and [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 3.10. 

[38] [hyperlink, http://www.gao.gov/products/GAO-03-673G], § 6.04b. 

[39] AICPA Statements on Auditing Standards, AU 350, and Audit and 
Accounting Guide: Audit Sampling, §§ 3.14, 3.29-3.34, 3.58, and 3.61. 

[40] GAO/PCIE, Financial Audit Manual, GAO-08-585G (Washington, D.C.: 
July 2008). 

[41] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 4.15. 

[42] FAR §§ 16.104(h) and 16.301-3(a)(1). 

[43] FAR § 42.101 and DFARS § 242.803(b)(i)(C). 

[44] DFARS § 215.407-5-70; see FAR § 15.407-5. 

[45] DCAA, "Audit Guidance on Significant Deficiencies/Material 
Weaknesses and Audit Opinions on Internal Control Systems," 08-PAS-043R 
(Dec. 19, 2008). 

[46] Under its decentralized management environment, DCAA headquarters 
obtains field office agreement to rescind audit reports that do not 
meet GAGAS. 

[47] DOD, Fiscal Year 2008 Agency Financial Report, Department of 
Defense (Washington, D.C.: Nov. 17, 2008). 

[48] DCAA does not perform paid voucher reviews during the year that it 
performs an audit of the contractor's billing system internal controls. 

[49] CAM 6-1007. 

[50] AU § 350.19 and SSAE §§15.64 and 15.69. 

[51] AU §§ 350.07 through 350.14. 

[52] [hyperlink, http://www.gao.gov/products/GAO-08-585G], § 450. 

[53] Confidence interval is the probability associated with the 
precision, that is, the probability that the true misstatement is 
within the confidence interval. 

[54] For example, for a confidence level of 90 percent and a tolerable 
rate of 5 percent, a sample size of 45 transactions would have an 
acceptable number of deviations of zero and a sample size of 78 
transactions would have an acceptable number of deviations of one. For 
the same confidence level of 90 percent and a tolerable rate of 10 
percent, a sample size of 45 would have an acceptable number of 
deviations of one and a sample size of 78 would have an acceptable 
number of deviations of four. 

[55] The AICPA Audit Guide is an interpretive publication pursuant to 
AT section 50, SSAE Hierarchy (AICPA, Professional Standards, vol. 1). 

[56] AICPA Audit Guide § I-17, and AU § 350.23. Statements on Auditing 
Standards (SAS) 39 is referred to as AU 350. 

[57] DCAA, "Audit Program: Audit of Contractor Overpayments," (Activity 
Code 17310), April 2004, September 2007, and May 2008. 

[58] CAM 6-102. 

[59] FAR 42.101, DFARS 242.803(b)(1)(c), and CAM 6-1007. 

[60] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §§ 3.03 
through 3.18. 

[61] Canceling funds refers to the point in time at which the 
availability of a fixed-year appropriation cancels and is no longer 
available for recording, adjusting, and liquidating obligations 
properly chargeable to the appropriation. (31 U.S.C. §§ 1552(a) and 
1553(b)). 

[62] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993). 

[63] [hyperlink, http://www.gao.gov/products/GAO-07-731G], §§ 3.50-
3.52. 

[64] In using professional judgment, GAGAS [hyperlink, 
http://www.gao.gov/products/GAO-07-731G], §§ 3.32 and 3.35, require 
auditors to act diligently in accordance with applicable professional 
standards and ethical principles in all aspects of carrying out their 
professional responsibilities. 

[65] All 10 categories of recommendations in the DOD IG's report 
related to GAGAS compliance problems. 

[66] DOD Inspector General, Oversight Review: Review of the Defense 
Contract Audit Agency Quality Control System, Report No. D-2007-6-006 
(Arlington, VA: May 1, 2007). 

[67] Of the 80 rescinded audit reports, 39 reports were issued in 
fiscal year 2006--the period covered in the DOD IG peer review report 
on DCAA. 

[68] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[69] Codified, as amended, at 31 U.S.C. ch. 75. The Single Audit Act 
requires that a state, local government or non-profit organization that 
expends more than $500,000 in a fiscal year undergo a single audit, 
which includes an audit of the entity's financial statements and 
Schedule of Expenditures of Federal Awards, as well as testing of and 
reporting on certain internal controls. 

[70] [hyperlink, http://www.gao.gov/products/GAO-07-731G] §§ 3.40 
through 3.49, and [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[71] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 3.43. 

[72] [hyperlink, http://www.gao.gov/products/GAO-03-673G], § 60.04a, 
and [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 6.04a. 

[73] [hyperlink, http://www.gao.gov/products/GAO-08-857]. 

[74] [hyperlink, http://www.gao.gov/products/GAO-08-857]. 

[75] We spoke to the auditors and reviewed documentation they provided. 
To the extent that the auditors also submitted complaints to DCAA's 
anonymous Web site, we reviewed DCAA's handling of their complaints. 

[76] After we provided our report to DOD for comment, we received 
updated information on DCAA anonymous Web site complaints. As of the 
end of July 2009, DCAA had established 209 cases. Eight of those cases 
were immediately referred to the DOD IG for investigation. Of the 209 
cases, 82 were for the Western Region. 

[77] [hyperlink, http://www.gao.gov/products/GAO-08-857]. 

[78] Based on audit quality problems identified in our July 2008 
report, in August 2008, the DOD Comptroller/CFO conducted a tiger team 
review in August 2008 and also asked the Secretary of Defense for 
support in conducting a study of DCAA. With the Secretary's approval, 
the DOD Advisory Panel determined that the Defense Business Board would 
perform this study. 

[79] On most contracting matters with DCAA involvement, the cognizant 
agency contracting officer makes final decisions based on DCAA's 
findings and recommendations. 

[80] DCAA also established contracting officer sustention rates related 
to questioned cost and net savings as an informational goal to show 
return to the taxpayer. 

[81] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 3.40. 

[82] [hyperlink, http://www.gao.gov/products/GAO-07-731G], §§ 3.49-
3.52. 

[83] 10 U.S.C. § 2313 and § 2306a. 

[84] FAR §§ 52.214-26, 52.215-2. 

[85] The Army Force Management Support Agency's mission includes 
providing requirements studies and staffing analysis as well as 
determining whether organizations have the appropriate staff to carry 
out their mission. The Army Force Management Support Agency also 
provides services to DOD components. 

[86] Pub. L. No. 110-181, §1705, 122 Stat. 3 (Jan. 28, 2008), the 
National Defense Authorization Act for Fiscal Year 2008, authorized the 
Secretary to establish the Department of Defense Acquisition Workforce 
Fund, in addition to other funds that may be available, for the 
recruitment, training, and retention of department acquisition 
personnel. The fund is managed by the Under Secretary of Defense for 
Acquisition, Technology, and Logistics. 

[87] According to a DOD Comptroller official, DCAA will receive an 
additional 300 positions in fiscal year 2009 and additional 200 
positions in each of fiscal years 2010 and 2011. 

[88] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 3.38 and 
AU § 339.12. 

[89] Disbursing officers are authorized to make payments on the 
authority of a voucher certified by an authorized certifying officer, 
who is responsible for the legality, accuracy, and propriety of the 
payment. 31 U.S.C. §§ 3325, 3527(c). DOD 7000.14-R, Department of 
Defense Financial Management Regulation (DFMR), Vol. 5, Ch. 11 (March 
2009), paras. 110102, 110203. In general, certifying officers 
designated in writing by the agency are financially liable for any 
improper, illegal, or incorrect payment made, and each payment made 
must be audited (or "examined"). 31 U.S.C. §§ 3521(a), 3528(a). DFMR, 
Vol. 5, Ch. 33 (April 2005), para. 330303. However, 31 U.S.C. § 3521(b) 
authorizes heads of agencies to carry out a statistical sampling 
procedure, within certain parameters, to audit vouchers when the head 
of the agency determines that economies will result. Further, 31 U.S.C. 
§ 3521(c) provides that certifying and disbursing officials are not 
liable for payments that are not audited if they were made in good 
faith under a statistical sampling procedure. See 68 Comp. Gen. 618 
(1989); also see generally, GAO, Policy and Procedures Manual for 
Guidance of Federal Agencies, title 7, §§ 6.5, 7.4, and 7.5 
(Washington, D.C.: May 18, 1993). 

[90] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[91] The Baldrige National Quality Program is named for Malcolm 
Baldrige, a former Secretary of Commerce, who was a proponent of 
quality management as a key to national prosperity and long-term 
strength. The seven Baldrige performance excellence criteria are: 
leadership; strategic planning; customer and market focus; measurement, 
analysis, and knowledge management; workforce focus; process 
management; and results. 

[92] Codified in an appendix to Title 5 of the United States Code 
(hereafter 5 U.S.C. App.). 

[93] The IG Act also requires the heads of many "designated federal 
entities" to appoint an inspector general for each entity. 5 U.S.C. 
App. 8G. 

[94] 5 U.S.C. App. § 3(a). 

[95] 5 U.S.C. App. § 3(b). 

[96] 5 U.S.C. App. °Ţ 8F(4)(A). 

[97] 5 U.S.C. App. °Ţ 6(f)(1). 

[98] 5 U.S.C. App. °Ţ 6(a)(1), (4), and (5). 

[99] As noted previously, in these cases, there was no evidence that 
DCAA supervisors elevated the issue to management or to procurement 
officials to initiate enforcement action, as set out in DCAA policy. 

[100] 5 U.S.C. App. °Ţ 5(a). 

[101] GAO, Defense Contract Audits: Current Organizational 
Relationships and Responsibilities, [hyperlink, 
http://www.gao.gov/products/GAO/AFMD-91-14] (Washington, D.C.: Apr. 3, 
1991). 

[102] The Deputy Secretary of Defense is appointed by the President 
after confirmation by the Senate. 10 U.S.C. § 132(a). Among other 
duties as assigned by the Secretary of Defense and in statute, the 
Deputy Secretary serves as the Chief Management Officer of the 
department with primary responsibility for "effectively and efficiently 
organizing the business operations of the Department of Defense." Pub. 
L. No. 110-181, div A, title IX, § 904(a)(2) (Jan. 28, 2008). In that 
capacity, the Deputy Secretary is to be assisted by a Deputy Chief 
Management Officer, who also is appointed by the President after 
confirmation by the Senate, and who supervises the Defense Business 
Transformation Agency. 10 U.S.C. §§ 132(c), 192(e). 

[103] Current provisions of law relevant to the Secretary of Defense 
establishing and assigning defense agencies and defense field 
activities within the Office of the Secretary of Defense include 10 
U.S.C. §§ 125(a), 131(b), 191(b), 192(a), and 194. 

[104] Pub. Law No. 111-23, 123 Stat. 1704, May 22, 2009. 

[105] The USD(AT&L) is responsible under 10 U.S.C. § 133 for 
establishing DOD policies related to the negotiation, award, and 
administration of contracts, such as those related to the use of 
contract audit services, and for coordinating contract audit activities 
within DOD. 

[106] [hyperlink, http://www.gao.gov/products/GAO-08-857]. 

[107] See [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 1.03. 

[108] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 2.06. 

[109] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 3.55. 

[110] CAM 2-101(a) and 2-103c(1). 

[111] We originally selected 39 internal control audits for our review. 
Because two audit assignments were performed as assist audits to an 
internal control audit in our selection, we considered these three 
assignments as one audit, and therefore, we reviewed a total of 37 
audits of contractor system internal control audits. 

[112] [hyperlink, http://www.gao.gov/products/GAO-03-673G], Chapter 3, 
especially §§ 3.03, 3.04, and 3.13-3.17. 

[113] GAGAS for attestations audits related to requirements 2 through 8 
are covered in [hyperlink, http://www.gao.gov/products/GAO-03-673G], §§ 
6.04a; 6.13-6.14; 6.24a & c; 6.15a, and 6.16-6.20; 6.02a, 6.04b, 6.22 
and 6.24; and 6.28-6.54. 

[114] [hyperlink, http://www.gao.gov/products/GAO-03-673G], § 3.33-
3.38. 

[115] [hyperlink, http://www.gao.gov/products/GAO-03-673G], § 3.03, and 
[hyperlink, http://www.gao.gov/products/GAO-07-731G], § 3.02. 

[116] See [hyperlink, http://www.gao.gov/products/GAO-03-673G], § 3.19 
and [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 3.10. 

[117] [hyperlink, http://www.gao.gov/products/GAO-03-673G], § 3.16. 

[118] See [hyperlink, http://www.gao.gov/products/GAO-03-673G], § 3.19, 
and [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 3.10. 

[119] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §§ 6.04a, 
6.06, and 6.11. 

[120] CAM 5-103. 

[121] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §§6.13-
6.14. 

[122] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §§6.13 and 
6.14. 

[123] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §6.15a. 

[124] CAM, Figure 4-7-3. 

[125] DOD Inspector General, Handbook on Fraud Indicators for Contract 
Auditors, Section II.4 (IGDH 7600.3 APO, March 31, 1993). 

[126] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §§ 6.04b, 
6.22, and 6.24a. 

[127] CAM 4-600 and Appendix B. 

[128] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §6.04b. 

[129] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §6.24. 

[130] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §§ 6.04a 
and 6.24e. 

[131] AICPA, Standards for Attestation Engagements, AT §101.63 
incorporated by reference in [hyperlink, 
http://www.gao.gov/products/GAO-03-673G], § 6.01, and [hyperlink, 
http://www.gao.gov/products/GAO-07-731G], § 6.01. 

[132] [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 7.37. 

[133] [hyperlink, http://www.gao.gov/products/GAO-03-673G], §§ 6.50 and 
6.24, and [hyperlink, http://www.gao.gov/products/GAO-07-731G], § 6.24. 

[134] We initially selected 34 cost-related audit assignments for 
review. After reviewing the audit documentation, we determined that one 
assignment only covered part of an audit and the other assignment was 
terminated and the procedures were incorporated into a related billing 
system audit. Therefore, we reviewed a total of 32 completed cost- 
related assignments. 

[135] Contractor overpayments can occur as a result of errors made by 
paying offices, such as duplicate payments and payments in excess of 
amounts billed, and contractor billing errors, such as using the wrong 
overhead rate, failing to withhold designated amounts on progress 
payments, duplicate billings, or billings for unallowable cost. 
Recoveries of overpayments can be accomplished through refunds, 
subsequent billing offsets, or other adjustments to correct billing 
errors. Unallowable costs include lobbying cost, certain legal 
expenses, executive and management bonuses, luxury items, and certain 
overhead costs. 

[136] REA relates to contractor requests to adjust contract terms for 
rates and payments resulting from contract modifications. In the case 
of the two REA audits, contract modifications related to requests for 
increased hours of service and related labor and materials. 

[137] FAR § 42.101 and DFARS § 242.803. 

[138] FAR 52.232-25(d) was amended in October 2008 to require 
contractors to monitor for and make adjustments to correct overpayments 
they may receive, but it still does not specify a timeframe for making 
any needed adjustments. 

[139] FAR 32.606(a). 

[140] DCAA, Audit of Contract Overpayments Audit Program, version 2.1, 
October 2006. 

[141] Although the government pays contractor invoices on a provisional 
basis when they are submitted for payment, DCAA incurred cost audits 
provide the basis for final approval of contractor incurred costs 
claims. 

[142] Questioned costs include costs questioned by DCAA auditors as 
unallowable or unsupported. 

[143] [hyperlink, http://www.gao.gov/products/GAO-08-857]. 

[144] As stated in DCAA's Contract Audit Manual, CAM 2-100, DCAA uses 
the term audit to refer to a variety of audits, evaluations, reviews, 
assessments, and analyses. 

[145] GAO, Government Auditing Standards: 2003 Revision, [hyperlink, 
http://www.gao.gov/products/GAO-03-673G] (Washington, D.C: June 2003) 
and Government Auditing Standards: 2007 Revision, [hyperlink, 
http://www.gao.gov/products/GAO-07-731G] (Washington, D.C: July 2007). 

[146] In selecting the seven DCAA offices, we considered a 2-year 
history of internal control audit results. The seven DCAA offices we 
selected reported adequate opinions on 89 percent or more of the 
internal control reports they issued during fiscal year 2006. During 
fiscal year 2005, four of the seven offices reported adequate opinions 
in 85 percent or more of the internal control reports they issued, and 
the other 3 offices issued adequate opinions in 50 to 69 percent of the 
internal control audit reports they issued. 

[147] DCAA Contract Audit Manual (CAM) 5-1202.1a and Defense Federal 
Acquisition Regulation Supplement (DFARS) § 215.407-5. 

[148] FAR § 16.301-3(a)(1). 

[149] FAR § 42.101, and DFARS § 242.803. 

[150] In the case of follow-up audits, we also reviewed the 
documentation for the previous audit to gain an understanding of the 
scope of work and deficiencies previously identified. 

[151] The Internal Control Integrated Framework developed by the 
Committee on Sponsoring Organizations (COSO) of the Treadway 
Commission, September 1993, are applicable to private sector entities. 
We considered whether DCAA audits addressed contractor controls related 
to the five key control activities: (1) contractor control environment; 
(2) contractor risk assessment; (3) control activities, including 
policies and procedures and segregation of duties; (4) information and 
communication (i.e., information system processing controls); and (5) 
monitoring. 

[152] Contractor overpayments can occur as a result of errors made by 
paying offices, such as duplicate payments and payments in excess of 
amounts billed, and contractor billing errors, such as using the wrong 
overhead rate, failing to withhold designated amounts on progress 
payments, duplicate billings, or billing for unallowable cost. 
Recoveries of overpayments can be accomplished through refunds, 
subsequent billing offsets, or other adjustments to correct billing 
errors. Unallowable cost include lobbying cost, certain legal expenses, 
executive and management bonuses, luxury items, and certain overhead 
costs. 

[153] REA audits relate to reviewing contractor requests for 
adjustments in billing rates pursuant to contract modifications. For 
example, if a contractor is asked to provide additional services or 
expand hours of service, contract costs would need to be recalculated 
and adjusted rates verified. REA audits relate to audits of contractor 
estimating system controls. 

[154] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993). 

[155] [hyperlink, http://www.gao.gov/products/GAO-03-673G], and 
[hyperlink, http://www.gao.gov/products/GAO-07-731G]. 

[156] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-21.32.1] (Washington, 
D.C.: November 1999). 

[157] DOD Inspector General, Oversight Review: Review of the Defense 
Contract Audit Agency Quality Control System, Report No. D-2007-6-006 
(Arlington, VA: May 1, 2007). 

[158] [hyperlink, http://www.gao.gov/products/GAO-03-673G], and 
[hyperlink, http://www.gao.gov/products/GAO-07-731G]. 

[159] 5 U.S.C., App. 

[160] GAO, Defense Contract Audits: Current Organizational 
Relationships and Responsibilities, [hyperlink, 
http://www.gao.gov/products/GAO/AFMD-91-14] (Washington, D.C.: Apr. 3, 
1991). 

[161] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: