The new DFARS business system rule requires audits by CPA’s, with DCAA approving the risk assessment and the audit program and reviewing the working papers afterwards.
The obvious reason for this proposal is that DCAA is unable to perform the audits themselves. At least not on a timely basis. When DCAA was performing the audits, it was taking over 2 years to perform 1 system audit. This rule requires it to be done within 6 months after the close of the contractor’s fiscal year. In contrast, DCAA was not completing the risk assessment in that length of time.
So now let’s take CPA firms that are used to performing financial statement reviews in a timely manner and handcuff them to DCAA, an Agency that is notorious for missing due dates.
And THEN let that same Agency, in essence, audit the audit. And furthermore, there are no provisions to limit DCAA to a reasonable time frame for approval of the risk assessment and audit program.
This is a planning nightmare for both the CPA firm and DCAA. DCAA would not know when the risk assessments or audit programs would arrive. Since the majority of companies are on a calendar year as their fiscal year, most of audits would be required to be completed by June 30. This makes it likely that DCAA would be swamped with risk assessments and audit programs to review during January, leaving few, if any, resources to perform forward pricing audits.
The CPA firm would be waiting for DCAA to “approve” the risk assessments and audit programs, with no real indication of when this approval would come. This would also be during the timeframe the CPA firms would be performing financial statement audits to meet their requirements for those.
Then comes the real problem: What if the CPA firm and DCAA disagree on the risk assessment and/or the audit program??? Then they continue down the road, stumbling from one side to the other, shackled together and each trying to pull the other to their side of the road.