Header graphic for print
Focus on Regulation

DoD to Increase Requests for Contractor Internal Audit Information and Supporting Documents

On August 14, 2012, the Defense Contract Audit Agency (DCAA) released audit guidance, along with an adjustment to the DCAA Contracts Audit Manual (CAM), that directs auditors to increase requests for contractors’ internal audit records and work papers.[1]

For major contractors,[2] this guidance requires DCAA Contract Audit Coordinator (CAC) offices and Field Audit Offices (FAOs) to:

  1. establish a centralized point of contact (POC) to obtain and monitor DCAA’s access to and the use of internal audits;
  2. track DCAA requests to internal audit reports and working papers; and
  3. track contractors’ response to DCAA requests for information regarding internal audits.

Perhaps most concerning is the updated CAM 4-202.  In addition to other requirements, it now states that the newly-established POC must:

  1. obtain from the contractor, and subsequently review, a semi-annual summary of all internal audits, which provides enough detail to determine whether any internal audit is relevant to a DCAA audit; and
  2. send a request to the contractor for reports and/or working papers considered pertinent by the auditors, and provide the auditors copies of the information obtained from the contractor.

If contractors deny access to internal audit reports or working papers, the CAC or FAO manager can follow DCAA’s Access to Records procedures, set forth in CAM 1-504.

Similarly, the current Senate version of the National Defense Authorization Act (NDAA) for Fiscal Year 2013 includes a section that would allow DCAA to access internal audits and supporting documents “for the purpose of assessing risk and evaluating the efficacy of contractor internal controls and the reliability of associated business systems.” [3]  It requires that DoD draft guidance on access to internal audits and supporting materials.  This version of the bill has been placed on the Senate calendar for a vote.[4]

The proposed NDAA also states that a contractor’s failure to provide access to internal audits and related documents can serve as a basis for deeming any related contractor business systems inadequate.  This language would effectively block the Federal Circuit’s holding that contractors may deny access to internal audits when DCAA exceeds its audit authority.[5]

Neither DCAA nor the Senate bill addresses what DoD will consider an “internal audit.”  Contractors may have to assist auditors in determining what constitutes an internal audit within their organization.  And, unless Section 843 of the NDAA passes, a contractor still has a legal basis in Newport News to resist access to internal audits when it believes DCAA has overstepped its audit authority.

[1] DCAA, “Audit Guidance on Access to Contractor Internal Audit Reports,” 12-PPS-019(R) (Aug.14, 2012).

[2] Major contractors are those with over $100-million in auditable dollar volume.  For non-major contractors, the guidance notes that internal audit information is still useful and the CAM states that access to information from non-major contractors may be requested “when warranted.”

[3] S. 3254 § 843, 122 Cong. (2d Sess. 2012). 

[4] The version passed in the House did not include similar language.  See H.R. 4310, 122 Cong. (2d Sess. 2012).

[5] United States v Newport News Shipbuilding & Dry Dock Co., 837 F.2d 162 (Fed. Cir.1988); United States v Newport News Shipbuilding & Dry Dock Co., 862 F.2d 464 (Fed. Cir. 1988).