Defense Contract Audits
Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports
GAO ID: GAO-12-88, December 8, 2011
The Defense Contract Audit Agency (DCAA) has a critical role in contract oversight. DCAA audits are intended to help provide reasonable assurance that defense company policies for safeguarding assets and complying with contractual requirements are fulfilled. Defense companies also maintain their own internal audit departments to monitor policies, procedures, and business systems related to their government contracts. GAO was asked to assess the role of defense companies' internal audit departments and their ability to provide DCAA with information on their internal controls. GAO assessed (1) selected defense companies' adherence to standards for internal audits, (2) the extent to which those companies' internal audit reports address defense contract management internal controls, and (3) DCAA's ability to examine internal audits and use information from these audits. GAO reviewed a nongeneralizable sample of seven major defense companies including the five largest defense contractors and two smaller contractors; analyzed information on their 2008 and 2009 internal audits, which were the latest available when GAO began its assessment; and reviewed DCAA's ability to examine and use the audits in carrying out its oversight.
The seven internal audit departments GAO reviewed generally adhered to Institute of Internal Auditors standards for organizing their internal audit departments. These standards include maintaining independence and having a proficient workforce. For example, all seven companies are organized so that the internal audit department is independent of company management. For performing individual audits, the majority of the companies followed the standards in areas such as planning the audit work and obtaining evidence. In its examination of evidentiary workpapers, GAO found documentation of the internal auditors' testing to show the level of compliance with company policies.
The selected companies' internal audit reports cover a broad spectrum of policies, business systems, and programs that are relevant to DCAA audits. Each company performs audits with scope and objectives specific to that company and its individual businesses, such as audits about defense programs or audits that review a company's accounting system. In addition, some audits are common across companies, such as reviews of purchase card transactions or controls over information technology. In 2008 and 2009, the seven companies conducted 1,125 internal audits. GAO determined that of these, 520 were related to the defense contract control environment and one or more areas reviewed by DCAA, such as overall internal control functions and specific business systems.
DCAA's access to and use of internal audit information from reports and workpapers is limited, in part, because of company interpretations of court decisions concerning DCAA's access to documents. Consequently, the seven companies GAO reviewed have developed differing policies and procedures for providing internal audit information to DCAA but ultimately provide DCAA access to internal audit reports and workpapers on a case-by-case basis.
* Six of the companies have policies that provide for DCAA access to at least some internal audit reports upon request. Of the six, four have policies for providing access to supporting workpapers for their internal audits upon request. The other two companies have policies of not providing DCAA with access to supporting workpapers.
* One company has a policy of not providing DCAA with access to internal audits or workpapers.
DCAA's use of its access authority has been addressed in two court decisions. The courts held that DCAA does not have unlimited power to demand access to all internal company materials, but they also held that DCAA may demand access to materials relevant to its audit responsibilities. However, DCAA does not generally track its requests or denials for internal audit reports. GAO found that the number of DCAA requests for internal audit reports is small relative to the number of internal audits GAO identified as relevant to defense contract oversight. In explaining why few reports are requested, DCAA auditors noted obstacles such as not being able to identify internal audits relevant to their work and uncertainty as to how useful those reports could be. By not routinely obtaining access to relevant company internal audits, DCAA auditors are hindered in their ability to effectively plan work and meet auditing standards for evaluating internal controls.
GAO recommends that DCAA take steps to facilitate access to internal audits and assess periodically whether other actions are needed. DOD generally agreed to implement GAO's recommendations but expressed skepticism that this alone would fully ensure access to internal audits.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: William T. Woods
Team: Government Accountability Office: Acquisition and Sourcing Management
Phone: (202) 512-8214
GAO-12-88, Defense Contract Audits: Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports
This is the accessible text file for GAO report number GAO-12-88
entitled 'Defense Contract Audits: Actions Needed to Improve DCAA's
Access to and Use of Defense Company Internal Audit Reports' which was
released on December 8, 2011.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Report to the Committee on Armed Services, U.S. Senate:
December 2011:
Defense Contract Audits:
Actions Needed to Improve DCAA's Access to and Use of Defense Company
Internal Audit Reports:
GAO-12-88:
GAO Highlights:
Highlights of GAO-12-88, a report to the Committee on Armed Services,
U.S. Senate.
Why GAO Did This Study:
The Defense Contract Audit Agency (DCAA) has a critical role in
contract oversight. DCAA audits are intended to help provide
reasonable assurance that defense company policies for safeguarding
assets and complying with contractual requirements are fulfilled.
Defense companies also maintain their own internal audit departments
to monitor policies, procedures, and business systems related to their
government contracts.
GAO was asked to assess the role of defense companies' internal audit
departments and their ability to provide DCAA with information on
their internal controls. GAO assessed (1) selected defense companies'
adherence to standards for internal audits, (2) the extent to which
those companies' internal audit reports address defense contract
management internal controls, and (3) DCAA's ability to examine
internal audits and use information from these audits. GAO reviewed a
nongeneralizable sample of seven major defense companies including the
five largest defense contractors and two smaller contractors; analyzed
information on their 2008 and 2009 internal audits, which were the
latest available when GAO began its assessment; and reviewed DCAA's
ability to examine and use the audits in carrying out its oversight.
What GAO Found:
The seven internal audit departments GAO reviewed generally adhered to
Institute of Internal Auditors standards for organizing their internal
audit departments. These standards include maintaining independence
and having a proficient workforce. For example, all seven companies
are organized so that the internal audit department is independent of
company management. For performing individual audits, the majority of
the companies followed the standards in areas such as planning the
audit work and obtaining evidence. In its examination of evidentiary
workpapers, GAO found documentation of the internal auditors' testing
to show the level of compliance with company policies.
The selected companies' internal audit reports cover a broad spectrum
of policies, business systems, and programs that are relevant to DCAA
audits. Each company performs audits with scope and objectives
specific to that company and its individual businesses, such as audits
about defense programs or audits that review a company's accounting
system. In addition, some audits are common across companies, such as
reviews of purchase card transactions or controls over information
technology. In 2008 and 2009, the seven companies conducted 1,125
internal audits. GAO determined that of these, 520 were related to the
defense contract control environment and one or more areas reviewed by
DCAA, such as overall internal control functions and specific business
systems.
DCAA's access to and use of internal audit information from reports
and workpapers is limited, in part, because of company interpretations
of court decisions concerning DCAA's access to documents.
Consequently, the seven companies GAO reviewed have developed
differing policies and procedures for providing internal audit
information to DCAA but ultimately provide DCAA access to internal
audit reports and workpapers on a case-by-case basis.
* Six of the companies have policies that provide for DCAA access to
at least some internal audit reports upon request. Of the six, four
have policies for providing access to supporting workpapers for their
internal audits upon request. The other two companies have policies of
not providing DCAA with access to supporting workpapers.
* One company has a policy of not providing DCAA with access to
internal audits or workpapers.
DCAA's use of its access authority has been addressed in two court
decisions. The courts held that DCAA does not have unlimited power to
demand access to all internal company materials, but they also held
that DCAA may demand access to materials relevant to its audit
responsibilities. However, DCAA does not generally track its requests
or denials for internal audit reports. GAO found that the number of
DCAA requests for internal audit reports is small relative to the
number of internal audits GAO identified as relevant to defense
contract oversight. In explaining why few reports are requested, DCAA
auditors noted obstacles such as not being able to identify internal
audits relevant to their work and uncertainty as to how useful those
reports could be. By not routinely obtaining access to relevant
company internal audits, DCAA auditors are hindered in their ability
to effectively plan work and meet auditing standards for evaluating
internal controls.
What GAO Recommends:
GAO recommends that DCAA take steps to facilitate access to internal
audits and assess periodically whether other actions are needed. DOD
generally agreed to implement GAO's recommendations but expressed
skepticism that this alone would fully ensure access to internal
audits.
View [hyperlink, http://www.gao.gov/products/GAO-12-88]. For more
information, contact William T. Woods at (202) 512-4841 or
woodsw@gao.gov.
[End of section]
Contents:
Letter:
Background:
Internal Audit Departments We Reviewed Generally Adhered to Institute
Standards:
Internal Audit Reports Contain Information Relevant to DCAA Audits:
DCAA's Access to and Use of Company Internal Audits Are Limited:
Conclusions:
Recommendations for Executive Action:
Agency and Third-Party Comments and Our Evaluation:
Appendix I: Scope and Methodology:
Appendix II: Comments from the Department of Defense:
Appendix III: Comments from Lockheed Martin Corporation:
Appendix IV: DCAA Access Authority and Associated Court Cases:
Appendix V: GAO Contact and Acknowledgments:
Tables:
Table 1: Internal Audit Staff Experience and Percent of Auditors with
Certifications for Six Companies:
Table 2: Internal Audit Reports Requested by DCAA for Seven Selected
Companies in 2008 and 2009:
Figures:
Figure 1: Adherence to Selected Institute Standards by Seven
Companies' Internal Audit Departments:
Figure 2: Business System Internal Audit Reports:
Abbreviations:
AICPA: American Institute of Certified Public Accountants:
CIA: Certified Internal Auditor:
CAE: Chief Audit Executive:
CPE: Continuing Professional Education:
CAC: Contract Audit Coordinator:
CAM: Contract Audit Manual:
COSO: Committee of Sponsoring Organizations of the Treadway Commission:
DCAA: Defense Contract Audit Agency:
DCMA: Defense Contract Management Agency:
DFARS: Defense Federal Acquisition Regulation Supplement:
DOD: Department of Defense:
FAR: Federal Acquisition Regulation:
GAGAS: Generally Accepted Government Auditing Standards:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
December 8, 2011:
The Honorable Carl Levin:
Chairman:
The Honorable John McCain:
Ranking Member:
Committee on Armed Services:
United States Senate:
The Department of Defense (DOD) relies extensively on private
companies to obtain billions of dollars of goods and services
annually. This reliance underscores the importance of overseeing
contractor operations and contract costs, particularly in an era of
constrained budgets. The Defense Contract Audit Agency (DCAA) plays a
critical role in helping to ensure that contract costs are reasonable.
As part of its efforts, DCAA performs audits of companies' overall
internal controls, which are intended to provide reasonable assurance
that company policies for safeguarding assets and complying with
contractual requirements are being carried out. In addition, major
defense companies have internal audit departments to monitor policies
and procedures established by their management to ensure the integrity
of their business systems, including those related to their government
contracts. Taken together, DCAA and the internal audit departments
measure company performance against quality and reliability standards
in support of government contracts as part of the overall internal
controls.
You requested that we assess the role of defense company internal
audit departments and their ability to provide DCAA with information
on company internal controls, business systems, and policies affecting
government contracts. In response, we assessed (1) the adherence of
selected major defense companies to internal auditing standards for
organizations and individual audits, (2) the extent to which the
internal audit reports of those companies address internal controls
for the management of defense contracts and associated business
systems, and (3) DCAA's ability to examine and use those reports in
carrying out its oversight responsibilities.
We used the following methodologies to address our objectives:
* To assess defense company adherence to internal audit standards, we
selected a nongeneralizable sample of seven major defense companies.
We selected major defense companies, based on DOD contract
obligations, that had over $1 billion in DOD contracts in 2009. These
include five companies with at least $15 billion in DOD contracts and
two smaller companies that still qualify as major defense companies.
For each company, we interviewed company executives and obtained
documents pertaining to the internal audit organizational structure,
policies, and procedures. We then assessed whether their
organizations, reports, and engagements conform to standards
established by the Institute of Internal Auditors.[Footnote 1]
* We obtained the titles, objectives, and scope of all internal audit
reports completed in 2008 and 2009--the latest audits completed when
we began our assessment--by the seven selected companies. We analyzed
the information and determined that 520 internal audits were related
to contracting with the federal government. We then asked to examine
all 520 reports. Six of the seven companies agreed to provide us their
audit reports. We reviewed 470 reports to determine the findings,
corrective actions, and any connection to a DCAA audit. We also
requested that each company provide us with workpaper sets from five
internal audits, which we selected based on a nongeneralizable random
sample. Five of the seven companies agreed to provide us access to
their workpaper sets. We examined the 25 sets of documents to verify
that the workpapers contained evidence for the findings and corrective
actions identified in the internal audit reports. The seven companies
we reviewed are listed in our full scope and methodology in appendix
I, together with details on the extent to which the companies provided
us with the information we requested. When materials were not provided
for our review, we obtained the company's rationale for documenting
purposes. These rationales include the limitations on access to
company internal documents discussed in two court cases and ownership
of the workpapers by a third party. We do not regard the company
decisions as a limitation of our scope since we were fully able to
address our audit objectives based on examination of the vast majority
of documents we requested.
* In evaluating DCAA's access to and use of internal audit reports, we
reviewed DCAA's statutory and regulatory authority to access
contractor records. We also reviewed DCAA's audit manual to determine
the agency's requirements for obtaining audit reports, as well as the
seven selected companies' policies and procedures for providing
internal audit information to DCAA. We requested data from DCAA and
the selected companies on the number of company internal audit reports
DCAA had requested in 2008 and 2009, the number of reports the
companies provided, and rationale for not providing requested reports.
We interviewed DCAA officials, including those who conduct audits at
the seven selected companies, and reviewed documentation to determine
how DCAA auditors ask for and track their requests and use of internal
audit information.
The results of our review cannot be generalized across major defense
companies. Instead, they provide insights into how the selected
companies have organized their internal audit function, conduct
internal audits, and interact with DCAA.
We conducted this performance audit from September 2010 through
December 2011 in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit
objectives.
Background:
Both DCAA and company internal auditors have the critical
responsibility of assessing the quality of company internal controls.
Broadly speaking, internal controls refer to management processes
designed to provide reasonable assurance about a company's ability to
provide reliable financial reporting, promote effective and efficient
operations, and comply with applicable laws, regulations, and contract
provisions. Internal controls encompass five areas.[Footnote 2] For
purposes of this report, we define the five areas as follows:
* Control environment--positive and supportive attitude toward
internal controls, conscientious management, and ethics standards.
* Risk assessment--identification and assessment of risks from
internal and external sources and establishment of controls to
mitigate them.
* Control activities--policies, procedures, techniques, and mechanisms
that ensure management's directives to mitigate risk are carried out.
* Information and communication systems--assurance that information is
recorded and communicated to management and others in a form and
within a time frame that enables them to carry out internal controls
and operational responsibilities.
* Monitoring--activities that assess the quality of performance over
time and ensure that audit and review findings are promptly resolved.
As part of their overall governance and control, many companies
establish internal audit departments to monitor adherence to
management policies and controls, report exceptions to policies and
procedures, and track corrective actions. One of the principal
authorities on the standards and practices of internal auditing is the
Institute of Internal Auditors (the Institute). The Institute is a
non-profit professional organization that provides guidance on assessing,
maintaining, and improving the quality of internal auditing within the
profession. Importantly, the Institute provides guidance for the
profession through its International Standards for the Professional
Practice of Internal Auditing.[Footnote 3] These standards include
requirements at the organizational level such as independence and
objectivity, as well as for conducting audits, including planning,
performing fieldwork, communicating results, and following up on
corrective actions. The Institute also conducts training and
administers the Certified Internal Auditor (CIA) testing and
certification program. The CIA certification is acknowledged by
auditing professionals as a standard by which individuals demonstrate
their competence in internal auditing.[Footnote 4]
In addition to a company's own internal audit department, companies
that provide goods and services to DOD may be audited by DCAA. As
required by the Federal Acquisition Regulation (FAR) and the Defense
Federal Acquisition Regulation Supplement (DFARS), DCAA's audits
examine internal controls, incurred costs, and business systems used
in the execution of government contracts. DCAA's contract audit
services are intended to be a key control that helps ensure that
prices paid by the government are fair and reasonable and that
companies are charging the government in accordance with applicable
laws, regulations, cost accounting standards, and contract terms. At
the completion of an audit, DCAA provides the contracting officer with
a report to assist in negotiations or in assessing contract costs, as
well as in determining compliance with regulations and contractual
requirements.
DCAA, which employs approximately 4,000 auditors, consists of a
headquarters office at Ft. Belvoir, Virginia and six major
organizational components--five regional offices across the United
States that direct and administer audits for assigned geographical
areas and a field detachment office that audits classified contracting
activity. The five regional offices manage about 300 field audit
offices. Field audit offices can be categorized as branch offices,
resident offices, or suboffices.
* Branch offices are located within each region and have
responsibility for all contract audit services within the assigned
geographical area.
* Resident offices are established at company locations where the
audit workload justifies assignment of a permanent staff of auditors.
* Suboffices are established by regional directors as extensions of
branch or resident offices when required to furnish audit services. A
suboffice depends on its parent field office for release of reports.
For larger companies with operations at multiple locations, DCAA
assigns a Contract Audit Coordinator (CAC) who serves as a central
point of communication between DCAA auditors and company
representatives.
DCAA audits are governed by generally accepted government auditing
standards (GAGAS). These standards require evaluation and testing of
the overall internal controls including the work of the contractor's
internal audit activity, specific controls, and business systems.
These standards and associated principles govern the audit planning
and evidence required to conduct a GAGAS-compliant audit. DCAA's
procedures for adhering to GAGAS in conducting different types of
audits, such as audits of internal controls or company business
systems, are contained in its Contract Audit Manual (CAM). According
to the CAM, DCAA is required periodically to examine the contractor's
internal controls, as well as contractor policies and procedures. It
also states that in the process of planning an audit, auditors should
consider the company's self governance programs when assessing the
adequacy of the internal controls to determine the scope of their
audit. Further, the CAM states that audits of individual business
systems are to include an evaluation of the internal control
activities applicable to that system.[Footnote 5] Lastly, DCAA
guidance for audit procedures states that auditors should consider a
company's internal audit activities to determine the adequacy of its
internal controls when performing an audit of the company's control
environment and accounting system.
To conduct its audits, DCAA relies on the examination of contractor
financial, accounting, and other data. DCAA's authority to access and
audit contractor records in support of DOD contracting and contract
payment functions is described in sections 2313 and 2306a of title 10
of the United States Code (U.S.C.) and in the FAR. DCAA's use of its
authority has been addressed in two court decisions involving Newport
News Shipbuilding and Dry Dock Company. The decisions are generally
known as Newport News I and Newport News II, both decided in 1988. In
the first case (Newport News I), the court held that DCAA's statutory
subpoena power could not be used to access internal audits not tied to
a specific contract or proposal.[Footnote 6] In the second case
(Newport News II), the court held that DCAA could subpoena company tax
returns and other materials, which were directly relevant to an audit
and would allow DCAA to corroborate the company's computation of
direct and indirect costs.[Footnote 7] For additional information on
DCAA's access authorities and the Newport News cases, see appendix IV.
Internal Audit Departments We Reviewed Generally Adhered to Institute
Standards:
All of the companies we reviewed generally followed the Institute's
standards for organizing their internal audit departments. These
organizational standards include maintaining independence and
objectivity, constructing a risk-based audit plan, employing and
maintaining a skilled, professional audit staff, and completing an
external assessment. Similarly, based on our examination of internal
audit reports and audit documentation (generally referred to as
workpapers), we found that the majority of companies followed the
standards for performing individual audits.[Footnote 8] These
standards include assessing risks during audit planning, including the
risk of fraud, obtaining evidence for findings to include testing and
documenting evidence, and following up on audit issues. However, some
companies did not provide sufficient information on how they conduct
individual audits for us to determine if the standards for performance
were met. Figure 1 shows the applicable Institute standards and the
number of companies in our review that followed them.
Figure 1: Adherence to Selected Institute Standards by Seven
Companies' Internal Audit Departments:
[Refer to PDF for image: illustrated table]
Organizational characteristics:
Institute standard: Independence and objectivity;
Number of companies that adhere to standard: 7.
Institute standard: Risk-based audit plan;
Number of companies that adhere to standard: 7.
Institute standard: Proficiency;
Number of companies that adhere to standard: 7.
Institute standard: Continuing professional education;
Number of companies that adhere to standard: 7.
Institute standard: External quality assurance review;
Number of companies that adhere to standard: 5;
Number of companies that do not adhere to standard: 2.
Standards for individual audits:
Institute standard: Planning the engagement;
Number of companies that adhere to standard: 5;
GAO did not assess if the company adheres to the standard because the
company did not provide the information needed: 2.
Institute standard: Conducting fieldwork including testing;
Number of companies that adhere to standard: 5;
GAO did not assess if the company adheres to the standard because the
company did not provide the information needed: 2.
Institute standard: Reporting findings;
Number of companies that adhere to standard: 6;
GAO did not assess if the company adheres to the standard because the
company did not provide the information needed: 1.
Institute standard: Tracking corrective actions;
Number of companies that adhere to standard: 5;
Number of companies that do not adhere to standard: 1;
GAO did not assess if the company adheres to the standard because the
company did not provide the information needed: 1.
Source: GAO analysis of the Institute of Internal Auditors' standards
and information from seven internal audit departments.
[End of figure]
Organizational Characteristics of Internal Audit Departments We
Reviewed Generally Conformed to Institute Standards:
Our analysis indicates that five of the seven companies we evaluated
generally conformed to five Institute standards for internal audit
organizations. The remaining two companies did not provide for an
external quality assurance review as required under the Institute's
standards. The five standards are:
* Independence and objectivity--According to the organizational charts
of the seven selected companies, their Vice Presidents of Internal
Audit, also called the Chief Audit Executives (CAE), report directly
to the Audit Committees of the Board of Directors for matters related
to internal audits. For administrative matters such as payroll and
office space, the internal audit departments can be linked to the
Chief Financial Officer or another department. This organizational
feature allows the internal audit activity to be independent of
company management, as called for under the Institute's standards. To
further ensure independence and objectivity, most audit executives we
met with stated that they encourage an attitude of objectivity in
their staff. For example, one CAE said that if staff from other
divisions of the company are assigned to the internal audit
department, those staff do not audit their former division's
activities to mitigate conflict of interest risks.
* Risk-based audit plan--All seven companies we reviewed developed
audit plans using risk-based assessments consistent with the
Institute's standards. Audit plans are used by companies' internal
audit departments to schedule their audits throughout the year so that
the highest risk issues the company is facing are covered. According
to the Institute's standards, internal audit departments should base
audit plans on an annual evaluation of multiple risk factors,
prioritized to ensure coverage of the highest risk areas. In reviewing
how the companies develop their audit plans, we found that they
receive input from management and the board of directors and consider
a variety of factors such as changes in government regulations, review
of high-risk areas identified in previous risk assessments, the
potential for financial misstatement, and external factors facing the
company. Once the information is compiled, the seven internal audit
departments plan specific audits across company businesses and product
lines, taking into account the likelihood of the risk materializing
and the damage to the company should the risk materialize. Sometimes
companies conduct a follow-up audit for high-risk issues highlighted
in a previous year. Follow-up audits allow the internal audit
department to track high-risk findings to ensure they are corrected.
* Proficiency--The Institute's standards require that internal
auditors have sufficient expertise. We found that although internal
audit departments' staff varies in number, the staff are comparable in
professional qualifications. Six of the company internal audit
departments are staffed by company employees, while the seventh
company contracts with an accounting firm to conduct its audits. Based
on information provided by the companies, we found that the staff from
six companies have a wide range of professional credentials including
certified public accountants, certified fraud examiners, certified
internal auditors, and certified information systems auditors. In
addition, more than half of the staff members have advanced degrees,
such as a master of business administration. Table 1 shows the audit
staff experience and the average number of auditors with
certifications for six companies.
Table 1: Internal Audit Staff Experience and Percent of Auditors with
Certifications for Six Companies:
Average;
Number of auditors, including vice president, for internal audits: 61;
Years of staff auditing experience: 7.8;
Number of auditors that hold an advanced degree (percent)[A]: 36 (59%);
Number of auditors that hold at least one certification (percent): 29 (48%).
Range (low-high);
Number of auditors, including vice president, for internal audits: 18-134;
Years of staff auditing experience: 3.5-18;
Number of auditors that hold an advanced degree (percent)[A]: 10-90;
Number of auditors that hold at least one certification (percent): 15-55.
Source: GAO analysis of data from six internal audit departments.
[A] Master's degree or higher.
[End of table]
For the seventh company that retains an outside accounting firm to
perform its internal audits, the audit directors and the staff of the
accounting firm combined have a range of professional certifications
and advanced degrees comparable to the other companies. Company
officials informed us that their practice enhances the audit
function's independence since the audit staff is not employed by the
company and ensures the availability of specialists, if needed.
Another company in our review previously outsourced its internal audit
function but stopped doing so, according to a senior internal audit
official, to save money, provide an in-house talent pool, and enhance
the connection between the auditors and the company.
* Continuing professional development--The Institute's standards
require certified internal auditors to complete 80 hours of continuing
professional education (CPE) every 2 years to ensure that they
maintain and update their knowledge and skills. We found that the
companies take a variety of measures to enhance auditors' knowledge
and skills. For example, one company provides 100 hours of annual
training, covers the cost of professional certifications, provides
financial incentives for their completion, and expects auditors to
obtain an additional 100 hours of training on their own. In addition
to CPE requirements and professional certifications, officials at
three companies stated they have training programs that allow staff
from other departments or business units to rotate through the
internal audit department for a limited time.
* External assessments--Institute standards require that internal
audit departments must be subjected to external assessments at least
once every 5 years. Five of the selected companies have had external
quality assurance reviews of their organization and audit performance
within the previous 5 years. These assessments review a company's
conformity with the Institute's standards and provide comments on the
performance of the internal audit function. All five companies
received the highest possible rating of "generally conforms."
Officials from the other two companies in our review stated that they
do not have an external assessment of their internal audit departments.
Internal Audits We Reviewed Followed Institute Standards:
Our analysis found that five of the companies met the standards for
individual audits (see figure 1), including engagement planning,
conducting fieldwork and testing, reporting findings, and tracking
corrective actions. We were unable to completely assess two companies'
compliance with the standards because the companies did not provide
the information needed to do so. Specifically, we found that the 470
audit reports provided by six companies and 25 sets of supporting
workpapers provided by five companies followed the Institute's
standards.
* Planning the audit including assessing the risk of fraud--Workpapers
we examined from the five companies that provided them contained
documents showing planning steps for each objective consistent with
the Institute's standards. Some companies completed an additional step
by noting in the workpapers the evidence associated with each planning
step. We also found that some workpapers contained assessments of the
fraud risks specific to the audit's scope. For example, one workpaper
set we reviewed reported that the audit team met with the legal
department about fraud risks and ethics considerations for that
particular audit. Another set of workpapers showed that a risk
assessment chart was used to identify areas to be included in the
audit's scope along with a rationale for its inclusion.
* Conducting fieldwork including testing--The Institute's standards
require internal auditors to conduct sufficient analysis and document
information to support the audit. The workpapers we reviewed contained
extensive documentation of the fieldwork, such as interviews with
company officials, and testing, such as comparing company actions to
policies and procedures to determine the extent of compliance. The
audit reports we reviewed from the six companies showed evidence of
substantive testing and provided analysis of the testing showing the
level of compliance with company policies, procedures, business
systems, and defense contracts. When testing was conducted, it was
cited in the reports as support for reportable issues. Some testing
relied on judgmental samples, but for certain audits, such as audits
of purchase card transactions, all of the transactions were examined.
In addition, we traced identified findings through the workpapers to
track the testing and the inclusion of the work in the audit planning.
By tracing the findings back to their origin in the audit objectives,
we verified that the findings reported were supported by sufficient
audit work.
* Reporting findings--The audit reports we reviewed followed the
Institute's standards for reporting results of the audit work by
providing reports to upper management and the audited party. The audit
reports provided the objectives and scope of the audit work and the
findings or issues discovered through the audit work. While the
companies do not follow GAGAS standards, the reports, although brief,
contained a clear explanation of the findings often citing criteria,
condition, cause, and effect as defined in GAGAS.[Footnote 9] Audit
officials at one company stated that they include only those findings
they consider to be the most important in their reports because that
is what company management has indicated has the most value to them.
Officials said that highlighting the most important issues allows them
to prioritize their resources and take appropriate actions to correct
them. In contrast, some companies include nearly every finding
discovered during the audit work. Illustrative of these different
approaches, the company that only reports on the highest risk issues
routinely had 2 to 4 findings per report, while other companies had
multiple reports with more than 10 findings per report.
* Tracking corrective actions--The Institute's standards require that
the CAE establish a process for the internal audit department to track
corrective actions to ensure they have been implemented or that
management has accepted the risk of not taking the corrective action.
We found that five companies documented the corrective actions they
had taken or intended to take to fix the problems identified in the
audit reports. Usually, the responsibility and accountability for
implementing the corrective actions were assigned to specific
individuals and were generally required to be implemented within a
certain time period. According to officials at one company, if
corrective actions are not taken or completed in a timely manner,
internal audit management and company management are notified. In
addition to findings that require corrective actions, some companies'
audit reports include suggestions for process enhancements for
improving operations, comments that are notable business practices,
and observed areas of excellence that are exceptional practices that
would benefit other business units within the company.
Internal Audit Reports Contain Information Relevant to DCAA Audits:
The internal audits conducted by the seven selected defense companies
cover a broad spectrum of policies, business systems, and programs.
The seven companies conducted 1,125 internal audits from January 1,
2008, through December 31, 2009, with 520--slightly less than half--of
these audits relevant to the internal control for defense contracts.
[Footnote 10] The defense-related internal audit reports fell into one
or more of the following categories:
* All 520 audits examined some aspect of the companies' overall
control environment.
* 338 audits related to one or more of the six business systems that
DOD audits.
* 97 audits pertained to a specific DOD program and could include
reviews of an entire business system, such as the earned value
management system, or one component of a business system, such as
purchasing.
* 96 audits were associated with a company's compliance with federal
laws and regulations, or company policies related to its management
and oversight of its defense contracts.
Of the 338 audits related to the business systems audited by DOD, we
found that most concerned some aspect of the company's accounting
system. In addition, the audits reviewed a wide range of subjects,
including purchase cards or earned value management systems to
determine if they are compliant with FAR and DFARS standards, and
internal controls over accounts payable. For example, an audit from
one company assessed a division's purchase card program and found
several issues of non-compliance with policies and procedures and
identified control weaknesses related to the administration of the
purchase card program. Another company's audit reviewed the general
controls, including the accounting system, for a division within a
company and found that controls were not operating effectively to
ensure consistent classification of accounting transactions. Figure 2
shows the distribution of internal audits among the six business
systems.
Figure 2: Business System Internal Audit Reports:
[Refer to PDF for image: pie-chart]
Accounting system: 62.4%;
Estimating system: 13.3%;
Purchasing system: 11.2%;
Material management and accounting system: 6.5%;
Earned value management system: 4.1%;
Property management system: 2.4%.
Source: GAO analysis of data from seven internal audit departments.
[End of figure]
DCAA's Access to and Use of Company Internal Audits Are Limited:
DCAA's access to and use of internal audit information were generally
limited at the companies we reviewed. Company policies on providing
DCAA access to such information varied at the seven companies--from
allowing full access on a case-by-case basis to denying access. The
extent to which DCAA has requested or been denied access to internal
audits is difficult to determine because DCAA does not track its
requests or denials. Based on information provided to us by the seven
companies, we estimate that DCAA requested access to 115 of the 520
audits we identified as being relevant to internal controls and
oversight of defense contracting. We identified a number of factors
that affect how frequently DCAA auditors request internal audits,
including interpretations of prior legal decisions on DCAA's access
and the limited details DCAA receives from the companies about the
contents of the internal audit reports. However, GAGAS and DCAA's
audit manual require an evaluation of internal control, which includes
internal audits, to provide a basis for efficiently and effectively
planning an audit.
DCAA Obtains Limited Access to Internal Audit Reports and Workpapers:
The seven companies that we reviewed do not have uniform policies
about providing DCAA with access to internal audit reports and
workpapers. Of the seven companies:
* Six companies have policies that provide for DCAA access to at least
some internal audit reports upon request. Four of the six, however,
provide that access on a "view-only" or "read-only" basis, meaning
that DCAA auditors may not have physical or electronic copies of the
reports but may view them and take notes in the presence of company
staff. Company officials explained to us that they adopted this policy
because the reports are sensitive and proprietary.[Footnote 11] One
company provides copies only of the sections of the reports and
workpapers that company officials consider relevant to DCAA's work.
* Of those six, four companies have policies that provide for DCAA
access to the supporting workpapers for their internal audits upon
request. Again, one company's policy is to provide only workpapers for
the sections of internal audit reports the company deems relevant to
DCAA's work. The other two companies have policies to not provide DCAA
with access to supporting workpapers.
* One company adopted a policy of not providing DCAA with access to
its internal audits or workpapers.
Each of the six companies that have policies for providing access to
their internal audit reports requires approval for specific requests
for access on a case-by-case basis, and most require that the
requested internal audit information directly relate to a DCAA audit
of a specific contract or proposal. When companies have determined
that such a request is not relevant, they have denied DCAA's
requests. For example, one company denied DCAA access to two requested
audits because company officials determined that the audits were
related to commercial or other activities the company believed were
not subject to DCAA's review. Another company official said that the
company would not provide DCAA with access to internal audits related
to internal controls for information technology due to the potential
threat of unauthorized individuals getting access to networks,
critical applications, and confidential company or client data.
For the company with the policy of not providing DCAA with access to
internal audit reports, DCAA has cited the lack of access as
preventing it from obtaining an understanding of the company's
internal controls and reported this as a deficiency in the audit of
the company's overall accounting system. DCAA concluded that without
access to the company's internal audit reports, DCAA could not
determine if the company's monitoring function was operating
effectively and whether deficiencies were corrected. The company's
response cited the Newport News I decision to support its position
that contractors are not required to provide DCAA with access to
internal audit reports that are not tied to a specific DCAA audit.
[Footnote 12] While the company provided DCAA with lists of planned
audits as requested by DCAA and a summary of the three requested
audits, DCAA noted in its 2010 report that this was not enough
information to establish that the company's internal controls were
effective.[Footnote 13]
In another instance, DCAA reported a deficiency in another company's
control environment, citing the company's policy of limiting access to
sections of internal audit reports the company deemed relevant to
contract oversight and not providing adequate and timely disclosure of
audit reports that identified unallowable costs. The company changed
its policy and agreed to provide DCAA with access to all audit reports
the company determines to include findings related to government
costs. However, auditors at one DCAA office who have requested
internal audit reports from the company said that the company has not
adhered to the revised policy and has continued to deny DCAA access to
reports.
Another company we reviewed also changed its policy in recent years in
response to discussions with DCAA officials or as the result of DCAA
reporting the lack of access as contributing to a control environment
deficiency. The company previously had a policy of providing DCAA with
no access to internal audit reports, citing the Newport News I court
case as support for restricting DCAA's access. After the CAC sent a
letter in 2009 challenging this access policy and discussed the access
issue with company officials, the company changed its policy to
provide DCAA with read-only access to internal audit reports.
DCAA Does Not Generally Track Requests and Company Responses Related
to Internal Audits:
DCAA audit teams generally do not coordinate their requests for audit
reports among their field audit offices, which limits DCAA's insight
into the extent to which audit teams are requesting or are being
denied access to internal audit reports. Within DCAA, one of the
responsibilities of the CAC assigned to a company is to serve as a
contact point for discussions related to access to contractor
information, such as internal audit reports. However, we found only
one DCAA audit team that has implemented a system in which the CAC
serves as a focal point for all internal audit report requests by all
the field offices. For the other companies, the corporate and field
offices submit requests directly to the company. As a result, the CAC
does not necessarily know how frequently or what type of internal
audit information field audit offices are requesting. One of these
CACs noted that the CAC is informed when DCAA teams are denied access,
but otherwise the CAC does not track requests or company responses. In
the case of the one company that has multiple locations but does not
have a CAC, the DCAA audit team does not coordinate internal audit
requests to the company. As a result, the audit team does not know how
many requests for internal audit information are made to the company, what
type of information is being requested, or whether the requests are
fulfilled or denied.
Although DCAA does not generally track requests or denials for
internal audit reports and, therefore, cannot say how many audit
reports it asks for or receives, the companies we reviewed maintain
such information with varying degrees of specificity. Based primarily
on information from these companies, we determined that for the most
part, DCAA audit teams request a small number of company internal
audits, even though a significant number of internal audits pertain to
internal controls and systems that are subject to DCAA audits. The
companies provided us with estimates or specific counts of how many
internal audits were requested by DCAA since 2008. In most cases, the
number of reports requested was significantly fewer than the number of
reports we determined were related to DOD contract oversight. The
companies estimated that DCAA requested 115 audit reports over the
2-year period while we determined that 520 audit reports were related to
some aspect of oversight of DOD contracts. Information on the number
of reports requested from each of the companies and the number of
reports we determined to be related to oversight of government
contracts is summarized in table 2.
Table 2: Internal Audit Reports Requested by DCAA for Seven Selected
Companies in 2008 and 2009:
Company: A;
Company count of the number of 2008-2009 internal audit reports
requested by DCAA related to contract oversight: 1;
Description: According to a company official, DCAA requested one
internal audit report released in 2008 and made no requests in 2009;
Number of 2008-2009 internal audit reports selected for review by GAO
related to DOD contract oversight: 28.
Company: B;
Company count of the number of 2008-2009 internal audit reports
requested by DCAA related to contract oversight: 7;
Description: The company recorded 7 requests from DCAA auditors for
internal audit reports that were issued in 2008 and 2009. DCAA also
requested 14 additional reports issued in previous years;
Number of 2008-2009 internal audit reports selected for review by GAO
related to DOD contract oversight: 75.
Company: C;
Company count of the number of 2008-2009 internal audit reports
requested by DCAA related to contract oversight: 23;
Description: According to a company official, DCAA requested
approximately 23 of the company's internal audit reports since 2008;
Number of 2008-2009 internal audit reports selected for review by GAO
related to DOD contract oversight: 148.
Company: D;
Company count of the number of 2008-2009 internal audit reports
requested by DCAA related to contract oversight: 34;
Description: The company recorded 34 internal audit report requests
from DCAA that were issued in 2008 and 2009, and 35 additional reports
issued in previous years;
Number of 2008-2009 internal audit reports selected for review by GAO
related to DOD contract oversight: 139.
Company: E;
Company count of the number of 2008-2009 internal audit reports
requested by DCAA related to contract oversight: 44;
Description: One DCAA audit team requested to review all of the
company's 107 internal audit reports issued in 2008 and 2009, which
included all 44 related to DOD contract oversight as well as those
related to the company's commercial activities. Also, various DCAA
field audit offices made 85 requests for additional internal audit
information in 2008 and 2009, according to the company;
Number of 2008-2009 internal audit reports selected for review by GAO
related to DOD contract oversight: 44.
Company: F;
Company count of the number of 2008-2009 internal audit reports
requested by DCAA related to contract oversight: 3;
Description: A company official estimated that DCAA requested three
internal audit reports that were issued by the company in 2008 from
the company and eight additional reports issued in previous years;
Number of 2008-2009 internal audit reports selected for review by GAO
related to DOD contract oversight: 44.
Company: G;
Company count of the number of 2008-2009 internal audit reports
requested by DCAA related to contract oversight: 3;
Description: DCAA requested three internal audit reports from the
company in 2009;
Number of 2008-2009 internal audit reports selected for review by GAO
related to DOD contract oversight: 42.
Source: GAO analysis of data from seven companies and DCAA.
[End of table]
DCAA auditors we spoke with identified several factors that could
affect the number of internal audits they request.
* Auditors from four DCAA audit teams told us they have difficulty
determining which internal audit reports are relevant to their own
audit work because descriptions of internal audits they receive from
the companies are often too brief to assess the relevancy to ongoing
or planned DCAA audits. Our review of the lists of audits provided to
DCAA confirmed that five of the companies provide only brief titles of
audits, while two provide more detailed summaries that included the
purpose, potential risks, and scope.
* DCAA auditors stated that when they request an internal audit report, the
company usually requires them to justify their request by linking it
to a planned or ongoing DCAA audit of a particular contract or
proposal. As a result, DCAA auditors believe they are limited to
requesting only those reports related to a specific planned or ongoing
DCAA audit, even if the company has other internal audit reports
related to another system or program that DCAA is responsible for
auditing.
* Auditors from three DCAA audit teams stated that they did not
believe that access to contractor internal audit information is
critical to their own audit work and that the internal audit reports
do not have enough detail to be helpful. They also stated that they
are restricted by auditing standards in relying on the work of others.
However, auditing standards do not restrict auditors from relying on
the work of other auditors, including internal audit functions. While
not reducing the level of work to be performed by DCAA auditors,
consideration of relevant internal audit reports in planning related
DCAA audits and performing risk assessments can provide useful
information for planning DCAA's scope of work and audit procedures.
* DCAA has issued significantly fewer audit reports since 2008. The
annual number of DCAA audits of the seven companies selected for this
review decreased by almost 50 percent from 2008 to 2010. The number of
internal control audits DCAA performed on the companies decreased from
128 to 62 in the same period. A DCAA policy official noted that DCAA
decreased its number of control environment audits because it was
waiting for a regulatory change that would redefine critical business
systems for contractors.[Footnote 14] As a result of this decrease,
the number of internal audits necessary to supplement DCAA's audit
work also decreased during this time period.
Auditors from the DCAA audit teams we spoke with confirmed that while
they request relatively few internal audits, when they are provided
access to the audit reports, they use them primarily to help assess
the companies' internal controls and to determine whether companies
took corrective action to address reported issues. Other uses of
internal audits that DCAA auditors identified included:
* assessing the risk associated with a given DCAA audit,
* identifying the amount of testing needed for a given area, and
* determining whether company audit report findings identify
unallowable costs that affect government contracts.
DCAA officials have acknowledged that getting access to internal audit
information has been an issue with some of the major defense
contractors and, at best, they have access on a case-by-case basis.
They also acknowledge that they have not used their subpoena authority
to get access to internal audits or other company documents since the
Newport News decisions were issued in 1988 in part because the Fourth
Circuit Court of Appeals held that the language in the statutes did
not generally include internal audit reports unrelated to a specific
contract or proposal.[Footnote 15] They also stated that the court's
decisions may have resulted in some DCAA auditors limiting their
requests for internal audit information. A DCAA official noted that
they have implemented a pilot program with one major defense
contractor that could be a model for how the agency disseminates and
coordinates internal information. The pilot program consolidates
authority and communication among various field offices throughout the
country that are responsible for auditing the contractor into one
regional audit team. DCAA auditors and company representatives told us
that the pilot provided enhanced communications and efficiency between
DCAA and the company. While the pilot does not specifically address
requests for internal audits, a senior DCAA official suggested that
the model could be applied to the process of requesting and
distributing company internal audit information as well.
Conclusions:
The internal audits conducted by the seven companies we reviewed
generally were conducted in accordance with recognized professional
organizational standards. For individual company audits, the audit
reports and workpapers from five companies demonstrate that they
likewise adhere to recognized professional standards. The audit
reports assess the controls and systems for managing defense contracts
that DCAA is charged with auditing and contain information and
analysis that DCAA could find useful as it conducts its own work.
However, DCAA is not making full use of internal audits to help
accomplish its critical oversight role. This is attributable, in part,
to company limits on access to internal audit information based on
their interpretations of DCAA's access authority and related court
cases. While the courts have held that DCAA does not have unlimited
power to demand access to all internal company materials, the courts
have also made it clear that DCAA may demand access to materials that
are relevant to carrying out its audit responsibilities.[Footnote 16]
There are other issues that also account for DCAA's limited use of
internal audit reports. Specifically, DCAA auditors do not routinely
request access to the reports due to limited visibility into the scope
and objectives of internal audits and uncertainty as to how relevant
internal audits can be used. DCAA management lacks insight into the
limited access and use of internal audits because DCAA does not
centrally track requests and denials for access to documents that
could improve its ability to carry out its mission.
When companies do not provide DCAA with access to internal audits or
DCAA auditors do not request them, DCAA auditors do not have
information that may be relevant for audit planning and risk
assessment. Conversely, greater access to internal audit information
could improve DCAA's efficiency. DCAA auditors could either conduct a
full audit of all components of internal control, or in instances in
which internal auditors have conducted related work, DCAA auditors
could examine the audit reports and workpapers, if needed, and adjust
their planning accordingly. Moreover, we believe that by not routinely
obtaining access to relevant company internal audits that can inform
their audits of the companies' control environments, as well as audits
of specific business systems and contracts, DCAA auditors are hindered
in their ability to meet the GAGAS requirement for assessing internal
controls. The work of the internal auditors by no means replaces the
work of DCAA auditors, but it could provide DCAA auditors with a basis
for making a judgment about a company's internal controls and help
inform their audit planning, thereby making more effective and
efficient use of DCAA audits.
Recommendations for Executive Action:
To increase DCAA's access to and use of internal audits, we recommend
that the Secretary of Defense direct that the Director of DCAA take
the following three actions:
* Ensure that DCAA's central point of contact for each company
coordinates issues pertaining to internal audits. For some companies,
this would be the Contract Audit Coordinator. For companies without a
Contract Audit Coordinator, a point of contact would need to be
designated except when DCAA officials have determined that a company
does not have an internal audit function that produces reports that
may be relevant to DCAA's audit responsibilities. Coordination
responsibilities should include:
- obtaining sufficient information from the companies on their
internal audit reports so DCAA auditors can better identify and
request relevant audit reports and workpapers, and
- tracking DCAA auditors' requests for access to internal audit
reports and workpapers and the companies' disposition of those
requests.
* Periodically assess information compiled by the central points of
contact regarding the number of requests for internal audits and their
disposition to determine whether additional actions are needed. Such
additional actions could include senior level engagement with company
officials to change company access policies or, as warranted, the
issuance of subpoenas.
* Reaffirm with DCAA staff through guidance and training how and under
what circumstances company internal audit reports can be accessed and
used to improve the efficiency of audit planning and execution.
Agency and Third-Party Comments and Our Evaluation:
We requested comments on a draft of this report from DOD. In its
written comments, reproduced in appendix II, DOD concurred with two of
the recommendations and partially concurred with the recommendation
regarding DCAA central points of contact for issues pertaining to
internal audits. In its partial concurrence, DOD explained that DCAA
would implement the recommendation to establish central points of
contact for larger companies to attempt to obtain internal audit
information from them and establish processes for tracking auditors'
requests for internal audit reports and workpapers. DOD stated,
however, that doing so for smaller companies may not be feasible or
beneficial, as some smaller contractors may not have sophisticated
internal audit functions. DOD further expressed skepticism that
implementing the recommended actions alone would fully ensure that
DCAA would have complete and full access to contractor internal
audits, citing the limits that companies have placed on DCAA's access
to internal audits and prior legal precedence.
We agree that for companies without internal audit functions that
produce reports that may be relevant to DCAA's audit responsibilities,
designated coordinators would not be necessary. We, therefore, revised
our original recommendation to provide for such an exception. We agree
that implementing these recommendations alone may not be sufficient to
provide DCAA with full and complete access to internal audit reports
in all instances. However, implementation of the recommendations is a
necessary step for DCAA to obtain the information needed to determine
the extent to which DCAA is or is not getting access and how that is
affecting DCAA's ability to fulfill efficiently its oversight
responsibilities. After taking such steps, DOD may be in a better
position to identify and pursue other remedies for ensuring DCAA's
access to internal audit reports.
We also provided a draft of the report to the Chief Audit Executives
of the seven selected companies for their review and comment. In its
written comments on the draft, which are reproduced in appendix III,
Lockheed Martin Corporation expressed support for providing DCAA with
internal audit reports to the extent they can be used by DCAA to
satisfy internal control reviews. Lockheed Martin also noted, with
regard to the recommendation for DCAA central points of contact, that
all DCAA audit requests are already centrally coordinated through the
DCAA CAC, which has allowed the company to be responsive to DCAA
requests for internal audit reports. The other six companies declined
to provide official comments, but two provided technical comments,
which we incorporated into the final report as appropriate.
We are sending copies of this report to the Secretary of Defense, the
Director of the Defense Contract Audit Agency, the Director of the
Office of Management and Budget, appropriate congressional committees,
and other interested parties. We will make this report available to
the public at no charge on the GAO website at [hyperlink,
http://www.gao.gov].
If you or your staff have any questions about this report, please
contact me at (202) 512-4841 or at woodsw@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. Key contributors to this report are
listed in appendix V.
Signed by:
William T. Woods:
Director:
Acquisition and Sourcing Management:
[End of section]
Appendix I: Scope and Methodology:
In response to a congressional request to assess the role of defense
companies' internal audit departments and their ability to provide the
Defense Contract Audit Agency (DCAA) with information on their control
environments, business systems, and policies affecting government
contracts, we examined (1) the adherence of selected major defense
companies to internal auditing standards for organizations and
individual audits, (2) the extent to which the internal audit reports
of those companies address internal controls for the management of
defense contracts and associated business systems, and (3) DCAA's
ability to examine and use those reports in carrying out its oversight
responsibilities.
Our review focused on seven selected major defense companies. For
purposes of our review we defined a major defense company as having at
least $500 million in contracts with the Department of Defense (DOD)
and at least $100 million in cost reimbursable contracts.[Footnote 17]
The companies we selected had at least $1 billion in DOD contracts and
derived at least 25 percent of their revenue from DOD contracts in
fiscal year 2009. We selected the top five major defense companies
based on fiscal year 2009 DOD contract obligations--The Boeing
Company, Lockheed Martin Corporation, Raytheon Company, Northrop
Grumman Corporation, and General Dynamics Corporation. We then
judgmentally selected URS Corporation and KBR, Incorporated to obtain
insights on how smaller major defense companies carry out their
internal audit functions. Collectively these seven companies represent
about $106.7 billion (57 percent) of the value of all contracts
awarded by DOD to all major defense companies in fiscal year 2009. The
results of our review cannot be generalized across major defense
companies; instead, they provide insights into how companies have
organized their internal audit function, conduct audits, and interact
with DCAA.
To provide a framework for our assessment of the seven companies'
internal audit organization and engagement performance, we interviewed
officials with the Institute of Internal Auditors and reviewed
standards promulgated by the Institute for characteristics used in
their peer review assessment of internal audit organizations as well
as the standards for engagement performance. We also interviewed
officials and reviewed documentation pertaining to the Institute's
Certified Internal Auditor examination and its training programs and
conferences available to the auditing profession.
To develop information on companies' organizational characteristics,
we reviewed documents related to the organization and reporting
structure of companies' internal audit departments. We conducted an
initial interview and obtained documents from officials from all seven
companies to determine the internal audit department's organizational
standards, including its reporting structure, qualifications of staff,
and whether the company participated in a peer review of its
organization and engagement performance. We compared company policies,
standards, and practices to standards set by the Institute regarding
the organization and activities of company internal audit departments
and to the standards for engagements.
Our work in examining the audit reports was conducted in two phases.
First, we requested a list of all audit reports completed by the
companies from January 1, 2008, through December 31, 2009--the latest
audits completed when we began our assessment. We asked that the lists
contain the titles, objectives, and scope of the audits. In total, the
seven companies provided information on 1,125 audits. Second, we
analyzed the information provided on the 1,125 audits and identified
reports that pertained to the oversight of government contracts. We
categorized the report as defense-related if the audit report's scope
and objectives identified one or more of the following aspects of
company operations that are related to execution of government
contracts:
* The audit's scope and objectives included review of some aspect of
the overall internal control system.
* The audit's scope and objectives included review of one of the six
business systems DOD is charged with reviewing--accounting system,
earned value management system, estimating system, purchasing system,
material management and accounting system, and property management
system.
* The audit's scope and objectives covered one or more DOD programs.
* The audit's scope and objectives covered some aspect of the Federal
Acquisition Regulation (FAR), Defense Federal Acquisition Regulation
Supplement (DFARS), or company policies related to defense contract
oversight.
In total, we identified 520 audit reports as defense-related and
requested those reports from the companies. We also selected a
nongeneralizable random sample of five sets of workpapers from each
company's audit reports in order to assess how individual audits
adhere to the Institute's standards for conducting audits.
The companies provided us with 470 audit reports and 25 sets of
workpapers. Lockheed Martin Corporation, Northrop Grumman Corporation,
The Boeing Company, Raytheon Company, and URS Corporation provided us
with both audit reports and workpapers for review. General Dynamics
Corporation provided only audit reports for review. KBR, Incorporated
did not provide audit reports or workpapers for our review. When
companies did not provide us with requested audit reports or
workpapers, we obtained the rationale for not providing the materials
from company officials for documentation purposes. These rationales
included the limitations on access to company internal documents
discussed in two court cases and ownership of the workpapers by a
third party. We do not regard the company decisions as a limitation of
our scope since we examined the vast majority of the documents we
requested and were fully able to address our audit objectives.
To assess how internal auditors applied the standards in conducting
their audits, we reviewed 470 audit reports and 25 sets of workpapers.
For the audit reports, we determined the issues raised by the auditors
and the distribution of audit findings, as well as evidence in the
reports of testing conducted and follow-up of corrective actions. For our
examination of the workpapers, we looked for evidence of planning for
the engagement, risk assessments to include the risk of fraud, testing
of company policies and procedures to determine if they are being
followed, and whether the work performed supported the findings. For
the workpaper reviews, we traced a finding from the conclusion back
through the evidentiary materials including testing to the planning
and risk evaluation to ascertain whether the finding was supported by
the audit evidence and planning. To determine whether the audit
finding was followed until it was corrected, we examined documentation
in the audit workpapers to identify the person responsible for taking
the action, what action was taken, and the date corrective action was
completed.
To assess DCAA's access to and use of company internal audits, we
reviewed DCAA's audit manual and its audit programs for control
environment audits as well as for audits of business systems and
incurred costs. We interviewed DCAA officials responsible for audit
policy. At the seven companies we selected, we also interviewed the
DCAA audit staff to determine their experience in examining internal
audit reports. We obtained DCAA documents requesting audit reports and
copies of material provided by the companies in response to requests.
We discussed actions taken by DCAA to gain material requested and
reviewed reports of internal control deficiencies citing a lack of
access to company audit reports. We interviewed staff to review their
rationale for requesting company audit reports as well as the
materiality of those reports to DCAA's work.
We reviewed sections 2313 and 2306a of title 10 of the United States
Code concerning DCAA access to records and FAR and DFARS provisions
governing DCAA's responsibilities. We also reviewed two key court
decisions regarding DCAA's ability to enforce a subpoena for company
records including internal audits.[Footnote 18]
We conducted this performance audit from September 2010 through
December 2011 in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit
objectives.
[End of section]
Appendix II: Comments from the Department of Defense:
Office Of The Under Secretary Of Defense:
Comptroller:
1100 Defense Pentagon:
Washington, DC 20301-1100:
December 6, 2011:
Mr. William T. Woods:
Director, Acquisition Sourcing Management:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Woods:
This is the Department of Defense response to the Government
Accountability Office (GAO) draft report GAO-12-88, "Defense Contract
Audits: Actions Needed to Improve DCAA's Access to and Use of Defense
Company Internal Audit Reports." Thank you for the opportunity to
respond.
The Department concurs with two of the GAO recommendations, and
partially concurs with one. Our detailed responses are included in the
enclosure. The Department is skeptical that fully implementing the GAO
recommendations will ensure the Defense Contract Audit Agency (DCAA)
has full access to and use of contractor internal audits. As GAO found
during the audit, companies currently place limits on access to
internal audit information based on interpretations of DCAA's access
authority and related court cases. Additionally, based on prior legal
precedence, the success of a DCAA subpoena in obtaining the
appropriate access is questionable.
My point of contact on this matter is Mr. M. Wayne Goff. He can be
reached at wayne.goff@osd.mil or at 703-602-0374.
Sincerely,
Signed by:
Mark E. Easton:
Deputy Chief Financial Officer:
Enclosure: As stated.
cc: Director, DCAA.
[End of letter]
GAO Draft Report Dated November 4, 2011:
GAO-12-88 (GAO Code 120932):
"Defense Contract Audits: Actions Needed To Improve DCAA's Access To
And Use Of Defense Company Internal Audit Reports"
Department Of Defense Comments To The GAO Recommendations:
Recommendation 1: To increase DCAA's access to and use of internal
audits, we recommend that the Secretary of Defense direct that the
Director of DCAA ensure that DCAA's central point of contact for each
company coordinates issues pertaining to internal audits. For some
companies, this would be the Contract Audit Coordinator, but for
companies without a Contract Audit Coordinator, a point of contact
would need to be designated. Coordination responsibilities should
include:
* obtaining sufficient information from the companies on their
internal audit reports so DCAA auditors can better identify and
request relevant audit reports and workpapers and;
* tracking DCAA auditors' requests for access to internal audit
reports and workpapers, and the companies' disposition of those
requests.
DoD Response: Partially concur. The Defense Contract Audit Agency
(DCAA) will establish a central point of contact for the larger
contractor locations and attempt to obtain internal audit information
from those contractors. The DCAA will also establish processes for
tracking auditors' requests for internal audit reports and working
papers. The DCAA will implement this process at the larger contractor
locations, as it may not be feasible or beneficial to implement these
processes at smaller contractor locations. The DCAA's audit work
covers over 13,000 active contractors. Several of the smaller
contractors may not have sophisticated internal audit functions where
it would be beneficial to establish points of contact or a detailed
tracking system. The DCAA will issue guidance, as discussed in
Recommendation 3, to implement these actions by June 30, 2012.
However, despite implementing the Government Accountability Office
(GAO) recommended actions, DCAA remains skeptical that these actions
alone will fully ensure DCAA will have complete and full access to
contractor internal audits. As GAO states in the report, companies
place limits on access to internal audit information based on their
interpretations of DCAA's access authority and related court cases.
Recommendation 2: To increase DCAA's access to and use of internal
audits, we recommend that the Secretary of Defense direct that the
Director of DCAA periodically assess information compiled by the
central points of contact regarding the number of requests for
internal audits and their disposition to determine whether additional
actions are needed. Such additional actions could include senior level
engagement with company officials to change company access policies,
or, as warranted, the issuance of subpoenas.
DoD Response: Concur. The DCAA will periodically assess information
compiled by the points of contact, and if sufficient access is not
obtained, DCAA will pursue sufficient access through its subpoena
authority. We will issue guidance, as discussed in Recommendation 3,
to implement these actions by June 30, 2012. However, based on prior
legal precedence, the success of the subpoena in obtaining the
appropriate access is questionable.
Recommendation 3: To increase DCAA's access to and use of internal
audits, we recommend that the Secretary of Defense direct that the
Director of DCAA reaffirm with DCAA staff through guidance and
training how, and under what circumstances, company internal audit
reports can be accessed and used to improve the efficiency of audit
planning and execution.
DoD Response: Concur. DCAA will issue guidance and appropriate
training to reiterate how, and under what circumstances, company
internal audit reports should be accessed and used. This guidance will
also emphasize the importance of pursuing access to records, and
ultimately issuing a subpoena if the contractor denies access to
necessary internal audits. Additionally, the guidance will contain
instructions on the responsibilities of the designated points of
contact, as discussed under Recommendations 1 and 2 above. The
guidance and training will be issued by June 30, 2012.
[End of section]
Appendix III: Comments from Lockheed Martin Corporation:
Lockheed Martin Corporation:
6801 Rockledge Drive:
Bethesda, MD 20817:
Telephone 301-807-6772:
Facsimile 301-897-6980:
E-mail, stephanie.c.hill@lmco.com:
Stephanie C. Hill:
Vice President, Corporate Internal Audit:
November 30, 2011:
William T. Woods:
Director, Acquisition & Sourcing Management:
U.S. General Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
RE: Draft GAO 12-88, Defense Contract Audits: Actions Needed to
Improve Defense Contract Audit Agency's (DCAA) Access to and Use of
Defense Company Internal Audit Reports.
Dear Mr. Woods:
Thank you for the opportunity to review and respond to the draft
report GAO 12-88, Defense Contract Audits: Actions Needed to Improve
DCAA's Access to and Use of Defense Company Internal Audit Reports.
We appreciated the opportunity to demonstrate the maturity of Lockheed
Martin's Corporate Internal Audit function and our adherence to
professional auditing standards. To the extent that our risk-based
auditing can be utilized by DCAA to satisfy reviews of internal
control, we support providing DCAA with our internal audit reports.
With regard to the Report's Recommendations for Executive Action which
include the need for greater centralization of the process by which
internal audit reports are requested and provided, we would like to
take the opportunity to highlight that Lockheed Martin already has a
process by which all DCAA audit report requests are centrally
coordinated through our corporate offices and the DCAA Contract Audit
Coordinator office located in our Bethesda, MD headquarters.
This process has allowed Lockheed Martin to be responsive to DCAA
requests for internal audit reports.
Thank you for the opportunity to respond.
Signed by:
Stephanie C. Hill
[End of section]
Appendix IV: DCAA Access Authority and Associated Court Cases:
The Defense Contract Audit Agency's (DCAA) authority to access and
audit contractor records in support of Department of Defense (DOD)
contracting and contract payment functions is described in sections
2313 and 2306a of title 10 of the United States Code (U.S. Code) and
in the Federal Acquisition Regulation (FAR).
* Section 2313 of title 10 of the U.S. Code gives the head of an
agency, acting through DCAA as its authorized representative, the
authority to inspect the plant and audit the records of a contractor
performing a cost-reimbursement, incentive, time and materials, labor
hour, or price redeterminable contract for the agency. Records are defined
as including both documents and data (among other things) whether
written or in electronic form. The statute also provides that records
may be subpoenaed if not provided by the contractor.
* Section 2313(i) of title 10 of the U.S. Code defines records to
include books, documents, accounting procedures and practices, and
other data, regardless of type and regardless of whether such items
are in written form, in the form of computer data, or in any other
form.
* Section 2306a of title 10 of the U.S. Code gives the head of an
agency, acting through the contracting officer, the authority to
require offerors, contractors, and subcontractors to make available
cost or pricing data to the government. It also provides the head of
an agency, acting through the contracting officer and DCAA, with the
authority to review the records provided by the offerors, contractors,
and subcontractors for the purpose of evaluating its accuracy,
completeness, and currency.
The FAR describes the auditor's contract audit responsibilities such
as submitting information and advice to the requesting activity based
on the auditor's analysis of contractor's financial and accounting
records or other related data as to the acceptability of the
contractor's incurred and estimated costs. In addition, the auditor is
responsible for reviewing the financial and accounting aspects of
contractor cost control systems and performing other analyses and
reviews that require access to contractor financial and accounting
records supporting proposed and incurred costs. The FAR also provides
specific language regarding DCAA's role as the responsible government
audit agency.[Footnote 19]
DCAA's use of its access authority has been addressed in at least two
court decisions, generally known as Newport News I and Newport News
II, both decided in 1988. In both cases, DCAA sought to enforce
subpoenas for access to internal documents of Newport News
Shipbuilding and Dry Dock Company. In the first case (Newport News I),
Newport News challenged the scope of DCAA's subpoena power as it
related to Newport News' internal audits.[Footnote 20] The court held
that the statutory subpoena power of DCAA extends to cost information
related to government contracts but that DCAA does not have unlimited
power to demand access to all internal corporate materials of
companies performing cost type contracts for the government. Because
the materials sought by DCAA were not within the scope of its
statutory authority, the court affirmed the district court's order
denying enforcement of the subpoena.
In the second case (Newport News II), DCAA subpoenaed the company's
tax returns, financial statements, and supporting schedules.[Footnote
21] The court decided to uphold enforcement of the subpoena,
concluding that the requested material was relevant to an audit and
provided evidence of the consistency of costing methods and the
reconciliation of costs claimed for tax purposes. Further, the court
decided that access to the documents would allow DCAA to corroborate
the company's computation of direct and indirect costs. The court
contrasted the two cases, stating that the subpoena at issue in the
first case did not extend to internal audits, which contain the
subjective assessments of Newport News' internal audit staff. In the
second case, DCAA requested production of objective financial and cost
data and summaries, not the subjective work product of Newport News'
internal auditors. To the extent that the materials subpoenaed would
assist DCAA in verifying and evaluating the cost claims of the
contractor, the court determined they were within DCAA's statutory
subpoena authority.
[End of section]
Appendix V: GAO Contact and Acknowledgments:
GAO Contact:
William T. Woods, (202) 512-4841 or woodsw@gao.gov:
Acknowledgments:
Principal contributors to this report were Johana R. Ayers, Assistant
Director; James Ashley; Lisa M. Brownson; John W. Crawford; Gayle L.
Fischer; Laura S. Greifner; Carolyn R. Kirby; John Krump; Jean L.
McSween; Carol T. Mebane; John Needham; Matthew M. Shaffer; Robert A.
Sharpe; and Roxanna T. Sun.
[End of section]
Footnotes:
[1] The Institute of Internal Auditors is an international association
of more than 170,000 members and is recognized as the internal audit
profession's leader in certification, education, research and
technical guidance. The Institute publishes the International
Standards for the Professional Practice of Internal Auditing,
(Altamonte Springs, Fla: 2011).
[2] Internal controls are defined by both private and government
sector organizations. For the purposes of this report, we used
definitions developed by the Committee of Sponsoring Organizations of
the Treadway Commission (COSO) and GAO. COSO is a joint initiative of
the American Accounting Association, the American Institute of
Certified Public Accountants, Financial Executives International, the
Association for Accountants and Financial Professionals in Business,
and the Institute of Internal Auditors. COSO develops frameworks and
guidance on enterprise risk management, internal control, and fraud
deterrence. GAO publishes Government Auditing Standards (the Yellow
Book). The Yellow Book contains standards for audits of government
organizations and activities and for other nongovernment organizations
such as contractors. These standards, referred to as generally
accepted government auditing standards (GAGAS), are to be followed by
auditors when required by law, contract, or regulation.
[3] The Institute has developed additional guidance for internal
auditors including the code of ethics, practice advisories, position
papers, and practice guides.
[4] Examples of other certifications include the Certified Information
Systems Auditor offered by ISACA and the Certified Fraud Examiner
offered by the Association of Certified Fraud Examiners.
[5] Officials at DCAA and the Defense Contract Management Agency
(DCMA) informed GAO during interviews that they had divided their DOD
audit responsibilities between the two agencies. DCAA has primary
responsibility for reviewing the internal controls of three business
systems--accounting, estimating, and material management and
accounting. DCMA has primary responsibility for reviewing the internal
controls of the earned value management, property management, and
purchasing systems. For additional information on DCMA, see GAO,
Defense Contract Management Agency: Amid Ongoing Efforts to Rebuild
Capacity, Several Factors Present Challenges in Meeting Its Missions,
[hyperlink, http://www.gao.gov/products/GAO-12-83] (Washington, D.C.:
Nov. 3, 2011).
[6] United States v Newport News Shipbuilding and Dry Dock Company,
837 F.2d 162 (Fed. Cir. 1988).
[7] United States v Newport News Shipbuilding and Dry Dock Company,
862 F.2d 464 (Fed. Cir. 1988).
[8] Workpapers document the work and analysis of the audit team and
give evidence that substantive work is behind the audit report.
[9] The definitions of criteria, condition, cause, and effect are
based on a discussion contained in GAO, Government Auditing Standards,
[hyperlink, http://www.gao.gov/products/GAO-07-731G] (Washington,
D.C.: July 2007). Criteria are the laws, regulations, contracts, grant
agreements, standards, measures, expected performance, defined
business practices, and benchmarks against which performance is
compared or evaluated. Condition is a situation that exists. Cause
identifies the reason or explanation for the condition or the
factor(s) responsible for the difference between the situation that
exists (condition) and the required or desired state (criteria), which
may also serve as a basis for recommendations for corrective actions.
Effect is a clear, logical link to establish the impact or potential
impact of the difference between the situation that exists (condition)
and the required or desired state (criteria). The effect or potential
[10] The audit reports that were not related to defense contracts
included reviews of executives' travel, payroll, environmental health
and safety, and international operations.
[11] GAO's Government Auditing Standards [hyperlink,
http://www.gao.gov/products/GAO-07-731G] require auditors to properly
handle sensitive information.
[12] United States v Newport News Shipbuilding and Dry Dock Company,
837 F.2d 162 (Fed. Cir. 1988).
[13] DCAA Audit Report No. 3321-2007K11070001.
[14] DFARS interim rule 252.242-7005, Contractor Business Systems
issued on May 18, 2011.
[15] United States v Newport News Shipbuilding and Dry Dock Company,
837 F.2d 162 (Fed. Cir. 1988) and United States v Newport News
Shipbuilding and Dry Dock Company, 862 F.2d 464 (Fed. Cir. 1988).
[16] United States v Newport News Shipbuilding and Dry Dock Company,
837 F.2d 162 (Fed. Cir. 1988) and United States v Newport News
Shipbuilding and Dry Dock Company, 862 F.2d 464 (Fed. Cir. 1988).
[17] The definition of major defense contractor is based on a
combination of language contained in the John Warner National Defense
Authorization Act for Fiscal Year 2007, Pub. L. No. 109-364 §851 (2007)
and DCAA's definition of a major defense contractor provided to GAO
during interviews with DCAA officials. The act describes major defense
contractors as those contractors that have $500 million in defense
contracts in a year. DCAA defines its major defense contractors as
those that have $100 million in cost reimbursable contracts.
[18] United States v Newport News Shipbuilding and Dry Dock Company,
837 F.2d 162 (Fed. Cir. 1988) and United States v Newport News
Shipbuilding and Dry Dock Company, 862 F.2d 464 (Fed. Cir. 1988).
[19] FAR §§ 42.101 (a) and (b).
[20] United States v Newport News Shipbuilding and Dry Dock Company,
837 F.2d 162 (Fed. Cir. 1988).
[21] United States v Newport News Shipbuilding and Dry Dock Company,
862 F.2d 464 (Fed. Cir. 1988).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the
performance and accountability of the federal government for the
American people. GAO examines the use of public funds; evaluates
federal programs and policies; and provides analyses, recommendations,
and other assistance to help Congress make informed oversight, policy,
and funding decisions. GAO's commitment to good government is
reflected in its core values of accountability, integrity, and
reliability.
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548.
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548.