Defense companies often conduct internal audits to ensure the integrity of their business systems. These internal audits may contain information about company operations and internal controls related to the performance of government contracts. Many defense contractors are not willing to share their internal audit reports with the government, and for good reasons.
Section 832 of the National Defense Authorization Act (NDAA) for Fiscal Year 2013 (the Act), required the Defense Contract Audit Agency (DCAA) to revise its audit guidance on access to defense contractor internal audit reports by (i) requiring documentation of DCAA’s specific need to access to such reports to perform their required audit functions, and (ii) ensuring that these internal audit reports, if produced, are used by DCAA only to evaluate contractors’ internal audit controls.
The Act requires GAO to examine DCAA’s progress on this guidance and its implementation. This week GAO issued a report assessing first, the extent to which DCAA’s requests for company internal audit reports are being documented in accordance with the Act’s requirements and, second, whether DCAA’s audit guidance contains safeguards to make certain that contractors’ internal audit reports are used only for authorized purposes. GAO was not satisfied with what it saw when it examined DCAA’s guidance and practices. See, GAO Report to Congressional Committees, November 2014.
As the chart from the report shows, of the eight cases sampled by the GAO there is not one instance in which DCAA adequately documented the required connection between DCAA’s audit and its request for the company’s internal audit report:
Missing from this chart, but present in the report, is also the fact that in at least four of the eight cases studied by GAO, the contractor denied DCAA’s request for access to internal audit reports. Why? According to the company representatives interviewed by GAO, contractors believe DCAA will use internal audit reports “as a means of identifying particular transactions to investigate further, a use they believe is not in accordance with the language of the NDAA.” Company representatives also believe there is no specific definition of the term “authorized use,” giving rise to additional concerns regarding DCAA’s use of internal audit reports.
DCAA’s current Audit Manual directs auditors to document requests for company internal audits as required in the NDAA, stating that auditors should document:
- How and why access to the company’s internal reports is necessary to complete DCAA’s required evaluations of the company’s business systems;
- DCAA’s request for access to such reports; and
- The response received from the contractor, including the contractor’s rationale or justification if access to internal reports is not granted.
In addition to the NDAA requirements, DCAA’s audit guidance requires that auditors follow up on denials by initiating “denial of access paperwork” to inform DCAA management about such denials.
But this does not seem to be sufficient. GAO recommends that DCAA “clarify its guidance and establish and monitor internal controls to help ensure that requests for company internal audits are fully documented in accordance with the act, and that the guidance defines authorized use.” DCAA agrees with many of GAO’s findings and, according to its response to GAO’s report, intends to take steps to address the deficiencies, including defining the term “authorized use".
It will be interesting to see what happens next. In the meantime, contractors should be clear regarding their right to deny DCAA access to internal audit reports and, in any event, to demand written justification from DCAA regarding a request for such reports. If a contractor denies DCAA’s request, it should provide the rationale or justification for its denial – and in writing.
Lindsay Simmons is responsible for the contents of this article.
© Jackson Kelly PLLC, 2014