Earlier this week, the Senate-House Conference Committee Report on the National Defense Authorization Act for Fiscal Year 2013 (NDAA) was released. As we reported here, the Senate’s original version of the NDAA  would expressly permit access to contractor internal audit reports by the Defense Contract Audit Agency (DCAA). The House’s original version of the NDAA which passed in May did not include a similar provision.
The Conference Report now includes a revised version of the Senate language; that is, amended language regarding DCAA’s access to contractor internal audits. The new language directs DCAA to (1) issue revised guidance on access to internal audits, and (2) properly document any request for access.
Specifically, Congress directs DCAA to issue guidance that clarifies that internal audit reports cannot be used for any purpose other than evaluating and testing the efficacy of internal controls or reliability of business systems. Also, DCAA’s documentation must include a written determination that access is necessary to complete evaluations of the contractor business systems, as well as DCAA’s request for access and the contractor’s response. After a year, the NDAA tasks the Government Accountability Office (GAO) with reviewing DCAA’s documentation of these requests. GAO must send its findings and recommendations to Congress for improving the DCAA audit process.
Importantly, the conference language explains that internal audit reports “may be considered in determining whether or not a contractor has a sound system of internal controls.” However, the contractor’s internal audit may not be DCAA’s sole basis for making this determination.
Unlike the language in the original Senate bill—S. 3254, which stated its purpose was to ensure that DCAA had sufficient access to internal audit reports—this new NDAA section gives no new authority to DCAA to access internal audit records. For example, the Conference Report explicitly includes a “safeguards” provision which specifies when DCAA can request internal audits, thereby limiting DCAA’s discretion in drafting the purposes for which it can access internal audits, and removes discussion of subpoenas that could force the contractor’s hand.
Notably, the language agreed upon by the conferees removes all statutory penalties for a contractor’s failure to grant access. S. 3254 stated that a contractor’s denial of access to internal audits could provide a basis for system disapproval. It also said that all DCAA assessments of contractor business system adequacy would consider relevant internal audit reports. There is no similar language in the Conference Report.
The Conference Report now moves to the House for a vote, and is expected to pass swiftly through both the House and Senate.