Bemusement. Yes, that’s the right word to describe how this GAO audit report makes us feel. Bemusement is the feeling of “wry or tolerant amusement” and that’s how we feel when reading GAO’s latest effort (GAO-12-88), entitled “DEFENSE CONTRACT AUDITS: Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports.” Issued on December 8, 2011, GAO told Senators Levin and McCain that “DCAA auditors are hindered in their ability to effectively plan work and meet auditing standards for evaluating internal controls.” As a result of this sad state of affairs, “GAO recommends that DCAA take steps to facilitate access to internal audits and assess periodically whether other actions are needed.”

Access to contractor internal audit reports has been a bogey-man for quite some time. Somehow the failure to provide DCAA auditors with internal audit reports means that the contractors are hiding something. Sometimes it’s true. But more often, there’s very little in the report that would be of interest to a DCAA auditor. And sometimes, disclosing internal audit reports that were prepared under attorney-client privilege results in a broad waiver of that privilege.

Regardless of our feelings about the matter, GAO told the Senators that they reviewed 1,125 internal audit reports prepared by seven DOD contractors. They identified 520 internal audit reports that “were related to contracting with the Federal government” and, of those, they reviewed 470. They also reviewed detailed working papers associated with five internal audit reports from each contractor.

GAO was, in general, complimentary about the contractors’ internal audit function. GAO wrote—

Our analysis found that five of the companies met the standards for individual audits … including engagement planning, conducting fieldwork and testing, reporting findings, and tracking corrective actions. We were unable to completely assess two companies’ compliance with the standards because the companies did not provide the information needed to do so. Specifically, we found that the 470 audit reports provided by six companies and 25 sets of supporting workpapers provided by five companies followed the Institute [for Internal Audit]’s standards.

Of the 520 internal audit reports it found relevant to Federal contracting, GAO reported that—

• 338 audits related to one or more of the six business systems that DOD audits.

• 97 audits pertained to a specific DOD program and could include reviews of an entire business system, such as the earned value management system, or one component of a business system, such as purchasing.

• 96 audits were associated with a company’s compliance with federal laws and regulations, or company policies related to its management and oversight of its defense contracts.

After concluding that roughly 50% of a contractor’s internal audit reports would be of use by DCAA auditors, GAO then looked at whether the contractors provided DCAA with those reports, and/or whether DCAA was requested access to them. GAO found that—

• Six companies have policies that provide for DCAA access to at least some internal audits reports upon request. Four of the six, however, provide that access on a ‘view-only’ or ‘read-only’ basis, meaning that DCAA auditors may not have physical or electronic copies of the reports but may view them and take notes in the presence of company staff. Company officials explained to us that they adopted this policy because the reports are sensitive and proprietary. One company provides copies only of the sections of the reports and workpapers that company officials consider relevant to DCAA’s work.

• Of those six, four companies have policies that provide for DCAA access to the supporting workpapers for their internal audits upon request. Again, one company’s policy is to provide only workpapers for the sections of internal audit reports the company deems relevant to DCAA’s work. The other two companies have policies to not provide DCAA with access to supporting workpapers.

• One company adopted a policy of not providing DCAA with access to its internal audits or workpapers.

• … one company denied DCAA access to two requested audits because company officials determined that the audits were related to commercial or other activities the company believed were not subject to DCAA’s review. Another company official said that the company would not provide DCAA with access to internal audits related to internal controls for information technology due to the potential threat of unauthorized individuals getting access to networks, critical applications, and confidential company or client data.

GAO reported that DCAA did not take kindly to being denied access to company internal audit reports (in the few instances when they were requested).  It reported—

For the company with the policy of not providing DCAA with access to internal audit reports, DCAA has cited the lack of access as preventing it from obtaining an understanding of the company’s internal controls and reported this as a deficiency in the audit of the company’s overall accounting system. DCAA concluded that without access to the company’s internal audit reports, DCAA could not determine if the company’s monitoring function was operating effectively and whether deficiencies were corrected. …

In another instance, DCAA reported a deficiency in another company’s control environment, citing the company’s policy of limiting access to sections of internal audit reports the company deemed relevant to contract oversight and not providing adequate and timely disclosure of audit reports that identified unallowable costs. The company changed its policy and agreed to provide DCAA with access to all audit reports the company determines to include findings related to government costs. However, auditors at one DCAA office who have requested internal audit reports from the company said that the company has not adhered to the revised policy and has continued to deny DCAA access to reports.

DCAA auditors provide various rationales for not requesting contractor internal audit reports.  We were interested by this paragraph in the GAO report—

Auditors from three DCAA audit teams stated that they did not believe that access to contractor internal audit information is critical to their own audit work and that the internal audit reports do not have enough detail to be helpful. They also stated that they are restricted by auditing standards in relying on the work of others. However, auditing standards do not restrict auditors from relying on the work of other auditors, including internal audit functions. While not reducing the level of work to be performed by DCAA auditors, consideration of relevant internal audit reports in planning related DCAA audits and performing risk assessments can provide useful information for planning DCAA’s scope of work and audit procedures.

We were also interested in this item:

DCAA has issued significantly fewer audit reports since 2008. The annual number of DCAA audits of the seven companies selected for this review decreased by almost 50 percent from 2008 to 2010. The number of internal control audits DCAA performed on the companies decreased from 128 to 62 in the same period. A DCAA policy official noted that DCAA decreased its number of control environment audits because it was waiting for a regulatory change that would redefine critical business systems for contractors.  As a result of this decrease, the number of internal audits necessary to supplement DCAA’s audit work also decreased during this time period.

That item, above, confirms (yet again) what we’ve been reporting on this site about DCAA productivity stats, as measured by audit reports completed. (Enough said about that.)

As we noted at the beginning of this article, GAO recommended that DCAA take a more organized and systematic approach to obtaining contractor internal audit reports. GAO opined—

The work of the internal auditors by no means replaces the work of DCAA auditors, but it could provide DCAA auditors with a basis for making a judgment about a company’s internal controls and help inform their audit planning, thereby making more effective and efficient use of DCAA audits

While we are a bit skeptical about how the average DCAA auditor would (or could) make use of a company’s internal audit reports, we have to agree that some of them might indeed be relevant. This is especially true since the new DFARS rule on contractor business systems mandates internal compliance reviews. It will be difficult, if not impossible, to prove compliance with the self-governance requirements without providing DCAA with the output of those reviews.

However, since not all internal audit reports are going to be relevant to DCAA, it seems prudent for contractors to categorize them, and to provide access to DCAA based on the category into which an internal audit report falls.  We think some of those categories might be:

No doubt many companies will have their own ideas regarding the appropriate categories, and how they will provide access to DCAA.  The point is, one should be proactive about the situation.  A written policy establishing company categories of internal audit reports, and stating how (or if) DCAA will be provided with access to those reports, would seem to be a relatively easy thing to do.