DCAA Audit Procedures

There are two primary sources of audit guidance for DCAA auditors. The DCAA Contract Audit Manual (DCAM) provides technical audit guidance, audit techniques, audit standards, and technical policies and procedures for contract audits.[1] DCAA Audit Programs provide roadmaps that are specific to the type of contract audit and include detailed guidance regarding the documents to be reviewed, the questions to be asked, the procedures to be followed, and the analyses to be conducted at each step of the audit. This article focuses on the DCAM audit guidance that applies across most contract types.

The DCAM encourages open communication between the audit team and the contractor.[2] Most DCAA audits include an entrance conference, one or more interim conferences, and an exit conference.[3] The DCAM provides guidance regarding the types of issues the audit team should address with the contractor during each stage of the audit.[4]

The DCAM instructs auditors to conduct an entrance conference with the contractor’s designated representatives at the start of each audit assignment.[5] At minimum, the audit team should explain the purpose of the audit, the overall plan for its performance including the estimated duration, and the types of books, records, and other data the audit team plans to review.[6] At the entrance conference, or shortly thereafter, the audit team typically coordinates with the contractor regarding administrative matters, such as arrangements for any necessary workspace and administrative support and identification of the contractor’s primary and alternative points of contact for the audit.[7] It is also common for the audit team to obtain a briefing from the contractor to clarify any preliminary questions, to understand the basis for the contractor’s representations, and to learn the nature and location of supporting data.[8] The audit team may also request a separate “walkthrough” meeting to obtain a better understanding of the contractor’s assertion(s) being audited, to identify any obvious data omissions, and to determine whether there are any other proposal inadequacies or other issues that need to be addressed early in the audit process.[9]

The DCAM also encourages the audit team to conduct interim conferences with the contractor.[10] The audit team should disclose to the contractor any factual duplications, omissions, or other mistakes noted in the contractor’s assertion, records, or supporting data.[11] The audit team also should discuss preliminary audit findings with the contractor to ensure that conclusions are based on a complete understanding of all relevant facts.[12] In the interest of equity, the DCAM also instructs the audit team to inform the contractor of any significant cost understatements that result from obvious and unintentional oversight, bookkeeping, or mathematical errors.[13] The DCAM also encourages the audit team to communicate major audit problems to the contractor at the earliest possible time, before the final exit conference or the issuance of the audit report.[14] Examples of major audit problems include denial of access to records, significant deficiencies and material weaknesses, significant differences concerning the application of generally accepted accounting principles, conclusions regarding the reasonableness of estimates, and any other items that may affect the audit.[15]

At the conclusion of the audit, the DCAM instructs the audit team to hold an exit conference with the contractor’s designated representative to discuss the audit results and obtain the contractor’s views regarding the audit team’s findings, conclusions, and recommendations for inclusion in the audit report.[16] For audits other than those involving forecasted costs subject to negotiation (such as forward pricing audits), the contractor should receive a copy of the draft audit report, or at a minimum, the results of audit section of the draft audit report (including the opinion and any exhibits and notes, or statements of conditions and recommendations).[17] The contractor also should have an opportunity to submit comments on the draft audit report and those comments should be included in the final report.[18] The DCAM identifies additional information that should be disclosed to the contractor at or before the exit conference depending on the type of audit conducted.[19]

To satisfy Government reporting standards, there must be a written record of the results of each audit.[20] This ordinarily takes the form of a written audit report.[21] The DCAM includes detailed guidance for the style and substance of DCAA audit reports as well as a standard format for organization and contents.[22] The audit report should describe the purpose of the audit, the audit results (including findings, conclusions, and recommendations), and any material reservations (including noncompliances and scope limitations).[23]

The DCAM distinguishes between unqualified and modified opinions.[24] The audit team issues an unqualified opinion when it has obtained sufficient evidence to be reasonably sure the subject matter of the audit is free of material noncompliances and the audit team has applied all the procedures considered necessary for the audit.[25] The audit team issues a modified opinion when there is a material reservation.[26] A reservation occurs when the audit identifies material reservation(s) about the subject matter (noncompliance) and/or material reservation(s) about the engagement (scope limitations).[27]

Reservations about the subject matter of the audit occur when the audit team discloses a material noncompliance.[28] This type of reservation will result in a qualified or an adverse opinion depending on materiality and pervasiveness.[29] The audit team issues a qualified opinion when it has identified noncompliances that are material but not pervasive and an adverse opinion when it has identified noncompliances that are both material and pervasive.[30] In this context, a noncompliance is pervasive if it affects a substantial portion of the subject matter under audit and is generally not confined to specific cost elements.[31]

Reservations about the engagement occur when the audit team is unable to obtain sufficient evidence due to time constraints, denial of access to contractor records, or other circumstances.[32] This type of reservation will result in a qualified opinion or the disclaimer of an opinion.[33] The audit team issues a qualified opinion when it is unable to obtain sufficient appropriate audit evidence (i.e., could not complete all planned audit procedures) and the potential effects of the reservation are material but not pervasive.[34] The audit team disclaims an opinion when it is unable to obtain sufficient appropriate audit evidence (i.e., could complete all planned audit procedures) and the potential effects of the reservation are both material and pervasive.[35] In this context, a noncompliance is pervasive if the possible impact of the audit procedures not performed can affect a substantial portion of the subject matter under audit and is not confined to specific cost elements.[36] Before making a determination to disclaim an opinion, the DCAM instructs auditors to make every effort to complete all planned procedures and to attempt to perform alternate procedures if possible.[37]

DCAA routinely provides contractors copies of draft reports for all audits other than those dealing with the negotiation of forecasted costs or costs potentially under litigation.[38] In fact, the DCAM instructs auditors to provide the contractor a copy of the draft report, or at minimum, the audit opinion and any exhibits and notes, or statement of conditions and recommendations, at the exit conference.[39] The contractor should be afforded reasonable time to analyze the audit results and to submit its reaction for incorporation into the final report.[40] The DCAM advises the audit team not to disclose or discuss draft or final reports that are of a privileged or sensitive nature, including those that address unsatisfactory conditions and those that make reference to suspected irregular conduct or referral for investigation.[41]

Denial of Access to Contractor Records

The DCAM provides detailed guidance for auditors who are unable to obtain the records deemed necessary to conduct a contract audit. The DCAM identifies seven conditions as constituting denial of access to contractor records:

a. Contractor refusal to provide access to any requested record…

b. Unreasonable delays by contractor representatives in permitting the audit commencement or in providing access to needed data or personnel

c. Restrictions on reproduction of necessary supporting evidential matter

d. Partial or complete denial of access to internal audit data or other management reports on contractor operations

e. Denial of access to the contractor’s data base

f. Chronic failure of contractor personnel to comply with agreed-to dates for furnishing data

g. Assertion of attorney-client privilege or attorney-work product doctrine.[42]

When DCAA determines that a contractor has denied access to records, its policy is to escalate the issue within the contractor and make reasonable efforts to resolve the issue quickly at the lowest possible DCAA and contractor management level.[43] If access is denied, the auditor should formally request access via letter and potentially inform the contractor of a formal denial.[44] If the issue is still unresolved, DCAA may consider the issuance of a subpoena.[45]

These are reasonable strategies for seeking records to which DCAA believes it is entitled (even if that belief is mistaken). However, the DCAM goes much further by instructing auditors to: (1) question any costs affected by the denial of records under price proposals and on progress payments and (2) pursue suspension or disapproval of any costs affected by the denial of records under cost reimbursement contracts.[46] The DCAM does not advise auditors to limit these draconian steps to cases in which access to the denied record is essential to the audit. Rather, the DCAM seems to suggest that denial of access to contractor records, standing alone, warrants these punitive measures.

Fraud or Other Unlawful Activity and Unsatisfactory Conditions

The DCAM also includes specific guidance for addressing “fraud or other unlawful activity.”[47] The DCAM defines this phrase to include “any willful or conscious wrongdoing, including, but not limited to, acts of cheating or dishonestly which contribute to a loss or injury to the Government.”[48] Examples of fraud or other unlawful activity identified in the DCAM include falsification of documents, charging personal expenses to Government contracts, submitting false claims for services not performed or materials not delivered, intentionally mischarging or misallocating costs, bribery, corrupt payments in violation of the Foreign Corrupt Practices Act, theft, a Government employee acquiring a financial interest in or seeking employment with a contractor over whom the employee exercises oversight, kickbacks, any unlawful or fraudulent acts resulting from accounting classification practices designed to conceal the true nature of expenses, product substitution or false certification that tests were performed, and when the contractor is invoicing costs but is delinquent in paying accrued costs in the ordinary course of business.[49]

The detection of fraud or other unlawful activity is not the primary function of contract audit.[50] However, the DCAM provides that auditors should design engagements to detect instances of fraud that may have a material effect on the subject matter of the audit.[51] When the audit team obtains information that raises a reasonable suspicion of fraud, corruption, or other unlawful activity, they are required to issue an investigative referral rather than conducting an investigation.[52] The DCAM directs auditors to complete a Suspected Irregular Conduct Referral Form (DCAAF 2000) as soon as the suspected irregular conduct is identified.[53] All referrals are reported to the relevant Inspector General.[54] DCAA will continue audit activities outside the area of investigative interest, including continuing to follow up on fraud indicators, unless directed otherwise by the investigative agency.[55] The DCAM instructs the audit team to refrain from informing contractors that they are subject to investigation.[56]

Suspected irregular conduct or other unlawful activity may be so serious as to prevent the issuance of an unqualified audit report or lead to a recommendation that contract payments be halted pending resolution.[57] The auditor must coordinate with the DCAA Justice Liaison Auditor (JLA) before potentially notifying the contracting officer regarding the fraud referral.[58] Likewise, the auditor must coordinate with the JLA before issuing an audit report on any part of a representation containing suspected irregular conduct.[59] The DCAM directs that the audit report should not reference any suspected irregular conduct or a referral for investigation.[60]

The DCAM includes additional guidance tailored to specific types of suspected fraud or other unlawful conduct, including improper gifts and gratuities,[61] kickbacks,[62] anticompetitive procurement practices,[63] illegal political contributions,[64] and qui tam actions under the False Claims Act.[65] It also addresses DCAA’s responsibilities relating to the receipt and processing of contractor disclosures pursuant to FAR 52.203-13, Contractor Code of Business Ethics and Conduct, including the provision of audit support to the contracting officer, the DoD OIG, and the Defense Criminal Investigative Organizations (DCIOs).[66]

The DCAM also includes guidance and procedures for reporting requirements relating to unsatisfactory conditions that fall short of “Suspected Irregularities.”[67] These include repeated and significant deficiencies in accounting or estimating practices, mismanagement or negligence, and serious failure to comply with acquisition regulations.[68] The DCAM directs the audit team to discuss serious weaknesses causing major audit problems with the contractor and the principal cognizant Administrative Contracting Officer (ACO) and to elevate such conditions within DCAA as necessary.[69]

Best Practices for Dealing with DCAA Audits

DCAA audits can be stressful and time consuming for contractors. The best practices below can help to streamline the process and manage audit risk.

Obtain as much information as possible from the auditor. Contact the auditor as soon as you receive notice that DCAA will be conducting an audit. Ask the auditor to identify the purpose of the audit, the date of the entrance conference, the audit plan including the estimated duration, and the types of books, records, and other data the auditor intends to request. If the auditor declines to provide this information or refuses to provide an entrance conference, remind the auditor of his or her obligations under the DCAM. Contact the auditor’s supervisor if necessary.

Know what to expect from the audit. DCAA’s published audit guidance can be extraordinarily useful in determining what to expect from the audit process. Review the DCAM sections relevant to the type of audit being conducted. Determine whether there are any more recent DCAA Memoranda for Regional Directors (MRDs)[70] that are relevant to the audit. Carefully review the published Audit Program for the type of audit being conducted. If the auditor conducts any aspect of the audit in a manner inconsistent with DCAA’s audit guidance, point out the inconsistency to the auditor and, if necessary, reach out to the auditor’s supervisor.

Work with the auditor to narrow document requests. Auditors frequently lack the information necessary to tailor their document requests. Resist the urge to respond to overly broad document requests with a nastygram but instead set up a friendly call with the auditor. Explain why you believe particular requests are overly broad or unduly burdensome, including the level of effort required to respond to the request. Work with the auditor to narrow the requests or identify alternative sources of information that may meet the auditor’s needs.

Understand the limits of the auditor’s authority. Auditors frequently request documents that are beyond the scope of the applicable audit rights clauses. You may have a valid basis to object to requests for documents such as internal audits and board minutes as well as employee interviews. However, it is important to balance the potential benefits of withholding the requests against the potential consequences of a denial of access to contractor records finding.

Designate an individual to lead the audit response. Designate a point of contact for DCAA who has the internal authority to manage the audit, request documents, manage interviews, and who has the appropriate bandwidth to timely respond to inquiries. Ensure your designated representative has the time, know-how, and internal authority to respond to DCAA’s inquiries. This individual will manage all communications with DCAA and must ensure that other employees are not independently responding to DCAA. They should approve any emails and be copied on any communications with DCAA.

Make an internal audit plan. Have that designated individual assemble an internal team with the right people from pricing, contracts, and legal. Create an internal audit plan to collect documents, appropriately protect any attorney client privileged documents, and mark proprietary and confidential/Trade Secrets Act material with legends as necessary. Identify people with relevant knowledge, interview them internally, and prepare them for any DCAA interviews.

Communicate and cooperate with DCAA. DCAA wants and needs to work with you to conduct the audit. If collecting information is taking longer than expected, communicate that promptly to DCAA. Avoid any appearance that you are obfuscating or obstructing the audit. Build a rapport with DCAA and establish a positive working relationship, if possible. Establishing credibility and trust with the auditor are critical. Expressing animosity to DCAA will not make the audit faster or easier. Request interim conferences to ensure you are aware of DCAA’s findings on an ongoing basis.

Identify and get ahead of potential issues. If you are the target of an audit, conduct an internal review to identify any potential issues. Analyze data and documents to determine what conclusions DCAA may draw before providing those data and documents to DCAA. If you identify any information that could be misconstrued or that may be problematic, develop a plan for how best to communicate the issue and provide context to DCAA. Determine how you will explain the information before disclosure.

Document, document, document. Make sure that all communications with DCAA are promptly summarized in writing for the file. To the extent you make any oral agreements with DCAA during the audit, send an email to DCAA confirming those agreements. Identify any documents the auditors review or copy while at your facilities. After interviews, draft a written memo to file summarizing the interview and any requests for additional information. 

Prepare a detailed written response, with exhibits, to any issues identified in the draft audit report. Confirm that you will have an opportunity to respond in writing to the draft audit report. Use that written response to provide details and exhibits explaining potential issues and request that your responses be included in the final audit report. When appropriate, cite relevant regulations, case law, and Government guidance to support your positions.

Get the contracting officer on your side. If the audit report has negative findings, remember that the contracting officer – not DCAA – makes the final decision, notwithstanding any recommendation from DCAA. Build a positive working relationship with your contracting officer and be prepared to explain adverse audit findings with evidence to support your response. If the audit identifies a concern, be prepared to explain how you have resolved the issue and the steps you have taken to ensure a similar error will not reoccur (such as implementing additional internal controls, etc.).

Conclusion

This concludes our overview of DCAA and its audit functions. Our next article will take a closer look at DCAA’s Audit Program for defective pricing audits. Until then, we hope you enjoy the rest of your summer.

FOOTNOTES

[1] DCAM ¶ 0-002.a (Nov. 2021).

[2] See, e.g., DCAM ¶ 4-102 (July 2023).

[3] DCAM ¶ 4-300 (July 2023).

[4] DCAM ¶ 4-300 (July 2023).

[5] DCAM ¶ 4-302.1.a (July 2023).

[6] DCAM ¶ 4-302.1.b (July 2023).

[7] DCAM ¶ 4-302.1.b (July 2023).

[8] DCAM ¶ 4-302.1.b (July 2023).

[9] DCAM ¶ 4-302.1.c (July 2023).

[10] DCAM ¶ 4-303.1.a (July 2023).

[11] DCAM ¶ 4-303.1.a (July 2023).

[12] DCAM ¶ 4-303.1.b (July 2023).

[13] DCAM ¶ 4-303.1.d (July 2023).

[14] DCAM ¶ 4-303.1.h (July 2023).

[15] DCAM ¶ 4-303.1.h (July2023).

[16] DCAM ¶ 4-304.1.a (July 2023).

[17] DCAM ¶ 4-304.1.e (July 2023).

[18] DCAM ¶ 4-304.1.d (July 2023).

[19] DCAM ¶ 4-304.2 – 4-304.6 (July 2023).

[20] DCAM ¶ 10-202 (July 2022).

[21] DCAM ¶ 10-202 (July 2022).

[22] DCAM ¶ 10-200 (July 2022).

[23] DCAM ¶¶ 10-103.2, 10-208 (July 2022).

[24] DCAM ¶¶ 10-208.4, 10-208.5 (July 2022).

[25] DCAM ¶ 10-208.5.a (July 2022).

[26] DCAM ¶ 10-208.4.a (July 2022).

[27] DCAM ¶ 10-208.4.a (July 2022).

[28] DCAM ¶ 10-208.5.a (July 2022).

[29] DCAM ¶ 10-208.5.a (July 2022).

[30] DCAM ¶ 10-208.5.a (July 2022).

[31] DCAM ¶ 10-208.5.b (July 2022).

[32] DCAM ¶ 10-208.5.a (July 2022).

[33] DCAM ¶ 10-208.5.a (July 2022).

[34] DCAM ¶ 10-208.5.a (July 2022).

[35] DCAM ¶ 10-208.5.a (July 2022).

[36] DCAM ¶ 10-208.5.b (July 2022).

[37] DCAM ¶ 10-208.7.a (July 2022).

[38] DCAM ¶ 10-210.3.a (July 2022).

[39] DCAM ¶ 10-210.3.b (July 2022).

[40] DCAM ¶ 10-210.3.b (July 2022).

[41] DCAM ¶ 10-210.3.d (July 2022).

[42] DCAM ¶ 1-504.4.g (Apr. 2023).

[43] DCAM ¶ 1-504.5.a (Apr. 2023).

[44] DCAM ¶ 1-504.5.b (Apr. 2023).

[45] DCAM ¶ 1-504.5.c (Apr. 2023).

[46] DCAM ¶ 1-504.6.a (Apr. 2023).

[47] DCAM ¶ 4-702.1 (July 2023).

[48] DCAM ¶ 4-702.1.b (July 2023).

[49] DCAM ¶ 4-702.1.b (July 2023).

[50] DCAM ¶ 1-102.c (Apr. 2023).

[51] DCAM ¶ 1-102.c (Apr. 2023); DCAM ¶ 4-702.2.a (July 2023).

[52] DCAM ¶ 4-702.2.d (July 2023).

[53] DCAM ¶ 4-702.4.a.1 (July 2023).

[54] DCAM ¶ 4-702.4.a.3 (July 2023).

[55] DCAM ¶ 4-702.5.a (July 2023).

[56] DCAM ¶ 4-702.6.c (July 2023).

[57] DCAM ¶ 4-702.5.c (July 2023).

[58] DCAM ¶ 4-702.5.a (July 2023).

[59] DCAM ¶ 4-702.5.e (July 2023).

[60] DCAM ¶ 4-702.5.e (July 2023).

[61] DCAM ¶ 4-703 (July 2023).

[62] DCAM ¶ 4-704 (July 2023).

[63] DCAM ¶ 4-705 (July 2023).

[64] DCAM ¶ 4-706 (July 2023).

[65] DCAM ¶ 4-709 (July 2023).

[66] DCAM ¶ 4-707 (July 2023).

[67] DCAM ¶ 4-800 (July 2023).

[68] DCAM ¶ 4-803.1.a (July 2023).

[69] See DCAM ¶¶ 4-803.3, 4-803.4 (July 2023).

[70] See https://www.dcaa.mil/Guidance/MRDS-Audit-Guidance-Memos/(last visited Jul. 19, 2023).