In a recent DCAA audit policy, DCAA makes note of the 2013 NDAA (National Defense Authorization Act), which requires DCAA to track requests and contractor responses for internal audits and to ensure that DCAA does not use contractor internal audit reports for any purpose other than evaluating and testing the efficacy of contractor internal controls and the reliability of associated contractor business systems. The reason the NDAA mentions this “limited use” is to defuse contractor concerns and allegations that DCAA will misuse access to internal audits for so-called fishing expeditions.
DCAA’s audit policy first focuses on auditor control of internal audits in the same context as all other contractor proprietary information. After disingenuously discussing contractor internal audits in the context of public disclosures, DCAA then gets to the meat of its policy in terms of the “limited use” component of the NDAA. As we have grown to expect, DCAA concludes that its auditors have access to all contractor internal audits:
“The NDAA states that DCAA can use the internal audit reports for evaluating and testing the efficacy of contractor internal controls and the reliability of associated contractor business systems. Therefore, the law not only allows us to use the internal audits to assess the contractor’s business systems; it allows us to use the internal audits to understand the efficiency of the contractor’s internal controls, which we do as part of our risk assessment in every audit.” (with the exception of the “and” in the first sentence, the emphasis has been added).
If DCAA’s objective were to rely on the contractor internal audits, DCAA would home in on those with specific relevance to specific audits. Conversely, if DCAA’s objective is a “fishing expedition”, it would want access to every internal audit in search of audit leads or “what went wrong when”. DCAA’s recent audit policy speaks for itself in terms of DCAA’s objectives.