According to a November 12, 2014, report issued by the Government Accountability Office, the Defense Contract Audit Agency revised its guidance in the Contract Audit Manual to address documentation requirements regarding the use of internal audit reports, as mandated by section 832 of the National Defense Authorization Act for Fiscal Year 2013 (PL 112-239), but DCAA’s implementation has been inconsistent.
The revisions include provisions for DCAA auditors to document (1) that access to company internal audit reports is necessary to an ongoing DCAA audit, (2) the request sent to the company, and (3) the company’s response.
GAO reviewed selected cases and found DCAA’s implementation of the changes has been inconsistent. GAO selected eight requests for companies’ internal audits and compared them to the mandated requirements and DCAA instructions provided to its auditors as criteria to test whether or not the three documentation requirements had been properly recorded. None of eight cases sampled had complete records for the three required documents.
GAO also concluded DCAA’s revised guidance is specific about physical safeguards for companies’ internal audit information, but that it is less specific about safeguards to prevent unauthorized use of internal audit reports.
The report recommends that DCAA clarify its guidance and establish and monitor internal controls to help ensure that requests for company internal audits are fully documented in accordance with the NDAA, and define authorized use.