Defense Contract Audits: Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports
December 8, 2011
The seven internal audit departments GAO reviewed generally adhered to Institute of Internal Auditors standards for organizing their internal audit departments. These standards include maintaining independence and having a proficient workforce. For example, all seven companies are organized so that the internal audit department is independent of company management. For performing individual audits, the majority of the companies followed the standards in areas such as planning the audit work and obtaining evidence. In its examination of evidentiary workpapers, GAO found documentation of the internal auditors' testing to show the level of compliance with company policies. The selected companies' internal audit reports cover a broad spectrum of policies, business systems, and programs that are relevant to DCAA audits. Each company performs audits with scope and objectives specific to that company and its individual businesses, such as audits about defense programs or audits that review a company's accounting system. In addition, some audits are common across companies, such as reviews of purchase card transactions or controls over information technology. In 2008 and 2009, the seven companies conducted 1,125 internal audits. GAO determined that of these, 520 were related to the defense contract control environment and one or more areas reviewed by DCAA, such as overall internal control functions and specific business systems. DCAA's access to and use of internal audit information from reports and workpapers is limited, in part, because of company interpretations of court decisions concerning DCAA's access to documents. Consequently, the seven companies GAO reviewed have developed differing policies and procedures for providing internal audit information to DCAA but ultimately provide DCAA access to internal audit reports and workpapers on a case-by-case basis. (1) Six of the companies have policies that provide for DCAA access to at least some internal audits reports upon request. Of the six, four have policies for providing access to supporting workpapers for their internal audits upon request. The other two companies have policies of not providing DCAA with access to supporting workpapers. (2) One company has a policy of not providing DCAA with access to internal audits or workpapers. DCAA's use of its access authority has been addressed in two court decisions. The courts held that DCAA does not have unlimited power to demand access to all internal company materials, but they also held that DCAA may demand access to materials relevant to its audit responsibilities. However, DCAA does not generally track its requests or denials for internal audit reports. GAO found that the number of DCAA requests for internal audit reports is small relative to the number of internal audits GAO identified as relevant to defense contract oversight. In explaining why few reports are requested, DCAA auditors noted obstacles such as not being able to identify internal audits relevant to their work and uncertainty as to how useful those reports could be. By not routinely obtaining access to relevant company internal audits, DCAA auditors are hindered in their ability to effectively plan work and meet auditing standards for evaluating internal controls. GAO recommends that DCAA take steps to facilitate access to internal audits and assess periodically whether other actions are needed. DOD generally agreed to implement GAO's recommendations but expressed skepticism that this alone would fully ensure access to internal audits.