Dear Mr. Fitzgerald,

Happy New Year!  It’s coming up on 60 days since you took over your new position, replacing Ms. April Stephenson.  You’re the first “outside” leader of the Defense Contract Audit Agency since … well, since forever.  You came into the job with a clear mandate for change, and apparently with the support of all the right stakeholders.  Your challenge is to reform the agency while maintaining (or increasing) morale, and to add (and train) desperately needed new auditors while retaining the seasoned auditors you’ve got.  And by the way, you need to restore the agency’s reputation and return it to its preeminent status as the Federal government’s premier audit agency, while keeping the defense acquisition system stakeholders happy.  It’s no small challenge you’ve taken on.

Everybody wants fundamental changes in the way DCAA conducts its audits.  Congress wants to see GAO issue a report that shows DCAA can comply with Generally Accepted Government Auditing Standards (GAGAS).  The DOD Inspector General wants to see a drop-off in the number of allegations of a hostile work environment and retribution for whistleblower allegations.  The Defense Contract Management Agency (DCMA) wants reports issued quickly, with information its Contracting Officers can use to make decisions about contractors’ internal control systems, as well as proposed and billed costs.  The Defense Industrial Base wants accurate audit reports that fairly reflect the facts, and they want the Defense auditors to listen to the facts being presented.

Forgive me my impertinence, but I thought I’d offer you some suggestions for your consideration, in order to help you successfully tackle the challenge in front of you.

First, you need to introduce more flexibility into the audit process.  The agency was criticized for auditing a billing system that didn’t exist (it was found to be adequate); you don’t want that to happen on your watch.  The Defense Department contracts with a diverse set of performing entities, from Federally Funded Research and Development Centers (FFRDCs) to manufacturers, and from service providers to not-for-profit entities.  There is no sense trying to apply a “one-size-fits-all” standard approach to each one.  Instead, start by mapping the control systems endemic to each contractor, and establishing an audit approach tailored to each.  As part of that initial mapping process, examine (and document) the type of work performed, the number and type of contracts received, expected average proposal volume, and the key customers.  From there, develop a risk profile unique to that contractor, and use that risk profile to develop both a short-term (current year) and long-term (next five year) audit plan. Then execute the plan.

Second, consider revamping the audit process.  I’m glad you and DCMA seem to be equitably dividing the workload associated with reviews of contractor internal control systems.  That’s a good first step, as is ending the issuance of an overall system adequacy opinion in favor of simply reporting the system deficiencies found by the auditors.  But more work is needed in this area.  Currently, a draft audit report is provided to the contractor only after the audit work has been completed and the results reviewed by management.  This locks the agency into its position(s) and creates a bit of “pride of authorship” – creating an environment in which revisions are treated as admissions that the audit work (or management review) was substandard.  So if the contractor questions the draft statement of condition or underlying findings, the agency is almost always unwilling to change its initial position.  That is no way to generate high quality audit findings.  Instead, hold off on the management review until the contractor has had a chance to review and discuss the draft SOCAR with the auditor(s), and (if necessary) to provide a written response.  That puts the DCAA management team in a position to review both sides of the story without having already taken sides, and to steer the auditor toward the correct position without having to “backstep” from anything.

Third, consider whether all DCAA audits need to be subject to GAGAS.  Reasonable people will disagree with GAO’s stringent definition of “independence” under GAGAS, but you can avoid the issue altogether if you make certain audits subject to GAGAS while others are not.  There is precedent for this change:  the AICPA has Consulting Standards that differ from Auditing Standards.  Since DCAA performs both financial advisory services and audits, it would seem to make sense to apportion each type of audit into GAGAS-compliant and non-GAGAS-compliant groupings.  And, by the way, DCMA really wants DCAA to participate in the process as an advisor; it wants your audits to offer value-added advice and to support the acquisition process.  Contractors want to hear from auditors as well; they want to know where they need to improve and what should be done to fix system deficiencies.  Your auditors can’t do this if GAO will allege they’ve compromised “independence” whenever this happens—so change the rules of the game to eliminate the issue altogether.

Fourth, bring back the concept of materiality into the audit process.  I heard from a senior member of the DCAA executive team that “all deficiencies at major contractors are significant deficiencies”—which leads to minor issues being blown out of proportion.  Under the current (December 2008) audit guidance, any significant deficiency leads almost inexorably to recommended system disapproval.  Again, one size should not fit all, and not all issues should be treated the same.  Give your auditors discretion to determine which issues are significant and which are minor, and that sense of proportionality will drive proper agency resource allocation.

Fifth, I suggest you empower your auditors to exercise discretion (within broad guidelines) to determine how best to perform their audits and which results should be supported.  But before you do so, you’ll need to train them so that they have the right guidance to permit discretion to be exercised in a manner that will lead to high-quality results.  You’ll have literally hundreds of new auditors joining the agency in the next few years; they’ll need mentoring and training.  You have a cadre of recently retired auditors; consider bringing them back, both as trainers and mentors.  Once you have the auditors trained and have given them robust guidance, then turn them loose to exercise discretion.  I bet you’ll be surprised at the audit quality that will result.

So I’ve given you five suggestions, Mr. Fitzgerald.  I hope you’ll consider them in the sprit they’re intended.  We all want the same thing, sir, which is high quality audits issued timely in a manner that adds value to the acquisition process.