DEFENSE CONTRACT AUDIT AGENCY

DEPARTMENT OF DEFENSE

8725 JOHN J. KINGMAN ROAD, SUITE 2135

FORT BELVOIR, VA 22060-6219

 

IN REPLY REFER TO

PQA 720.7.a.225.5 [D-2007-6-006] June 1, 2007

MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDIT POLICY AND

OVERSIGHT, OFFICE OF THE INSPECTOR GENERAL,

DEPARTMENT OF DEFENSE

SUBJECT: Response to Department of Defense Office of Inspector General (DoDIG) Final Report, Review of the Defense Contract Audit Agency Quality Control System, (Report No. D2007-6-006), dated May 1, 2007

This memorandum responds to the subject report issued on May 1, 2007. The report incorporates DCAA comments, dated April 12, 2007, to the DoDIG draft findings and recommendations. The DoDIG final report requests DCAA to reconsider its position on recommendations 6.(b), 7., 8.(a, b, c) and 9.(c). We have reconsidered our position and provide the following additional comments and planned actions.

DoDIG Report Appendix A, Comments, Observations, and Recommendations Recommendation 6.(b) – Page 8

a. DoDIG Draft and Final Report Recommendation: The Director, Defense Contract Audit Agency should revise the agreed-upon procedures pro forma report so that it complies with generally accepted government auditing standards and is easily distinguished from other standard audit report formats.

 

b. DCAA Response to Draft Report Recommendation: Nonconcur. DCAA believes that the AUP standard audit report (code 28000) appropriately differentiates between an examination and an Agreed-Upon Procedures report. DCAA has already made numerous changes to the report format to comply with AICPA Statements on Standards for Attestation Engagements (SSAE) 201.31, Agreed-Upon Procedures (AUP) Engagements Reporting Required Elements. Based on the changes DCAA already implemented, we do not understand what additional changes the DoDIG believes are required. We believe the AUPs pro forma report complies with GAGAS.

 

c. DoDIG Comments to DCAA Response to Draft Report: We still believe that DCAA should develop an AUP pro forma report that presents GAGAS requirements simply and clearly and is noticeably different from an examination report. This will preclude auditors from confusing AUP reporting and examination reporting requirements. We request DCAA reconsider its nonconcurrence with recommendation (b).

 

d. DCAA Comments on Final Report Recommendation: In our discussions with DoDIG representatives they clarified that the DCAA AUP pro forma report is in compliance with

PQA 720.7.a.225.5 [D-2007-6-006] June 1, 2007 SUBJECT: Response to Department of Defense Office of Inspector General (DoDIG) Final Report, Review of the Defense Contract Audit Agency Quality Control System, (Report No. D2007-6-006), dated May 1, 2007 2

 

GAGAS, but they believe DCAA auditor understanding would improve by development of a pro forma report that is noticeably different from an examination report. As stated in our response to the draft report, we have already made numerous changes to the report format to comply with SSAE 201.31, however, we agree to include a review of the pro forma report format as part of the comprehensive study of DCAA audit guidance related to AUPs that is in process. This action is scheduled for completion by September 2007.

 

DoDIG Report Appendix A, Comments, Observations, and Recommendations Recommendation 7. – Page 10

a. DoDIG Draft and Final Report Recommendation: The Director, Defense Contract Audit Agency should revise the Contract Audit Manual to require auditors to identify the specific criteria actually used in the performance of attestation examinations and reviews either on the planning document working paper or in the scope section of working papers.

 

b. DCAA Response to Draft Report Recommendation: Nonconcur. DCAA disagrees with the DoDIG report narrative statement that DCAA guidance on working paper documentation does not fully comply with the GAGAS. GAGAS does not provide specific requirements on the level of specificity of criteria. GAGAS 6.03 states “The AICPA general standard related to criteria states the following: The practitioner [auditor] shall perform an engagement only if he or she has reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users.” DCAA guidance already requires that the working papers document the authoritative criteria being used in the audit procedures when testing for compliance. DCAA believes a general reference to the applicable body of regulations (e.g., FAR, CAS) is sufficient, except where noncompliant practices or cost questioned are identified. In these cases, the specific FAR provision (e.g., FAR 31.205 33) should be cited in the working paper detail. We concur that the applicable non-DoD regulations should be referenced in the report and working papers in accordance with Agency policy. In reference to the FD reports applicable to the other Agency supplements, in December 2006, FD issued a policy requiring the documentation of the applicable agency supplement in the working papers.

 

c. DoDIG Comments to DCAA Response to Draft Report: DCAA needs to reconsider its position on this recommendation. GAGAS requires auditors to state the criteria to provide a context for evaluating evidence and understanding the findings. Without the criteria, supervisors, internal quality assurance reviewers, and external reviewers are unable to verify the specific criteria an auditor used to assess the work performed, even if there are no noncompliance practices or costs questioned.

 

d. DCAA Comments on Final Report Recommendation: DCAA continues to disagree with the DoDIG recommendation. As stated in our previous response, GAGAS does not provide requirements on the level of specificity of criteria. The intent of the GAGAS

PQA 720.7.a.225.5 [D-2007-6-006] June 1, 2007 SUBJECT: Response to Department of Defense Office of Inspector General (DoDIG) Final Report, Review of the Defense Contract Audit Agency Quality Control System, (Report No. D2007-6-006), dated May 1, 2007 3

 

requirement for criteria is that in order for a practitioner to perform an examination, there must be criteria that are available to users of the report and suitable for the engagement. DCAA auditors fulfill this requirement by referencing the applicable body of regulations which the auditor uses to evaluate the subject matter (FAR, CAS, DoD FAR Supplement, non-DoD FAR Supplement). As stated by the IG, GAGAS requires auditors to state the criteria to provide a context for evaluating evidence and understanding the findings. DCAA believes that listing criteria that is too specific, such as sections of a cost principle, incorrectly limits the auditor’s scope of review and provides incomplete criteria. It is expected that a DCAA auditor inherently consider all applicable FAR and CAS in examining transactions and therefore, it is only appropriate to state the general FAR and/or CAS requirements in the assignment documentation, as opposed to specific cost principles.

 

In response to DCAA’s draft report comments, the DoDIG stated that without the detailed criteria, supervisors, internal quality assurance reviewers, and external reviewers are unable to verify the specific criteria an auditor used in assessing the work performed. The GAGAS attestation documentation standard states that working papers should contain sufficient information to enable an experienced auditor who has had no previous connection with the audit to determine the evidence that supports the auditor’s conclusions. DCAA believes that an experienced auditor (e.g., supervisor, internal and external reviewer) possesses sufficient knowledge of the applicable regulations to allow them to appropriately understand the work performed and conclusions reached when a general reference to the appropriate regulations (e.g., FAR and CAS) is provided for an audit of certain transactions. In addition, as stated previously, there are generally many FAR cost principles and CAS provisions applicable to an audit of certain transactions. To require an auditor to list every potentially applicable FAR cost principle and CAS standard on every working paper would be unduly burdensome. This unreasonable expectation would be time consuming, resulting in extraneous working papers, and a waste of our limited audit resources.

DCAA guidance requires the auditor to identify the criteria in the assignment planning documentation and detailed working papers. The description of what is included in the scope section of the detailed working papers is “Scope of analysis – provide a detailed description of the scope of the audit work performed to create the working paper. Include appropriate explanations when the scope has been limited or unusually expanded. It should also include the criteria (e.g., FAR, CAS) used to make the judgments and conclusions.” (CAM 4-403.g.(4)) By requiring a detailed description of the scope of audit work performed and a reference to the body of regulations against which the subject matter is being evaluated, DCAA complies with GAGAS. PQA 720.7.a.225.5 [D-2007-6-006] June 1, 2007 SUBJECT: Response to Department of Defense Office of Inspector General (DoDIG) Final Report, Review of the Defense Contract Audit Agency Quality Control System, (Report No. D2007-6-006), dated May 1, 2007 4

DoDIG Report Appendix A, Comments, Observations, and Recommendations Recommendation 8.(a,b,c) – Page 11

a. DoDIG Draft and Final Report Recommendation: The Director, Defense Contract Audit Agency should:

1. issue a memorandum to all field audit offices reminding them of the requirement to ask appropriate contractor representatives about their knowledge of fraud risk,

2. revise the Annual Planning Document to include a reminder of the requirement, and

3. require the Regional Directors and Director, Field Detachment to establish a monitoring process to verify that the requirement is properly implemented.

b. DCAA Response to Draft Report Recommendation: Nonconcur. DCAA disagrees with all three recommendations and also disagrees with the report narrative characterization that the planning meeting inquiry regarding the risk of fraud is a required step in the proper planning of examinations under GAGAS. In every DCAA examination the auditor is required to assess the risk for fraud, as required by the GAGAS. In addition to this requirement, although not required by GAGAS, DCAA implemented a policy for auditors to make inquiries of management on their knowledge of fraud risks during its annual planning meeting with its major contractors. Since this requirement applies only to financial statement audits and duplicates other effort performed by the auditor, we have re-assessed this policy and have eliminated this requirement.

c. DoDIG Comments to DCAA Response to Draft Report: We are disappointed that DCAA chooses to eliminate their requirement. The DCAA guidance showed a proactive position regarding fraud awareness and the identification of fraud indicators and detection. We believe that the knowledge gained from the discussions with contractor management regarding fraud risks enhanced auditors’ ability to design specific programs for assignments. DCAA should reconsider their decision to eliminate this guidance and instead enforce the implementation of the guidance fully as recommended.

d. DCAA Comments on Final Report Recommendation: DCAA continues to disagree with the IG’s position. In planning examination-level contract audits, GAGAS requires auditors to design the audit to provide reasonable assurance of detecting fraud, illegal acts, or violations of compliance with laws and regulations. DCAA guidance on fraud standards for examination level engagements discussed in CAM 2-305 requires auditors to specifically assess the risk of material misstatement due to fraud and consider that assessment in designing the audit procedures to be performed. These requirements are required to be contained in the planning steps for each examination level engagement performed by DCAA.PQA 720.7.a.225.5 [D-2007-6-006] June 1, 2007 SUBJECT: Response to Department of Defense Office of Inspector General (DoDIG) Final Report, Review of the Defense Contract Audit Agency Quality Control System, (Report No. D2007-6-006), dated May 1, 2007 5

In addition, many aspects of a DCAA auditor’s responsibilities require constant alertness to the possibility of fraudulent activities. This alertness, combined with a contractor’s internal controls and the auditor’s normally programmed tests of procedures and transactions, provides a reasonable degree of assurance for disclosing fraud or other unlawful activity. The assessment of the risk of material misstatement due to fraud is a continual and cumulative process within DCAA’s total audit concept that includes a consideration of risk factors individually and in combination, and is ongoing throughout the total audit process. CAM 4 702.3 states that auditors should be familiar with specific fraud indicators and references publications issued by the DoDIG which contain these fraud indicators.

As stated in our initial response, DCAA implemented a policy for auditors to make inquiries of management on their knowledge of fraud risks during the annual planning meeting with major contractors. However, this requirement was based on SAS 99 which applies only to financial statement audits; and, after further review, we believe it duplicates other activities and methods used by auditors to obtain information from the contractor on their knowledge of fraud risks. Therefore, we do not believe this step is necessary to comply with GAGAS and have eliminated this requirement.

DoDIG Report Appendix A, Comments, Observations, and Recommendations Recommendation 9.(c) – Page 12

a. DoDIG Draft and Final Report Recommendation: The Director, Defense Contract Audit Agency should require all Regions and Field Detachment management to monitor use and documentation of judgmental and statistical sampling in audit assignments.

 

b. DCAA Response to Draft Report Recommendation: Nonconcur. DCAA disagrees with the recommendation to require all regions and Field Detachment to monitor the use of sampling. We do not believe the significant effort that would be required would be a prudent use of Government and audit resources. We believe this effort is a fundamental responsibility of a supervisory auditor as part of their responsibility to review the audit assignment for compliance with GAGAS and Agency policy.

 

c. DoDIG Comments to DCAA Response to Draft Report: The DCAA position that supervisors are fundamentally responsible for ensuring assignments comply with GAGAS and Agency policies, ignores the number of deficiencies identified and the need to take additional action to supplement the supervisory reviews. DCAA should reconsider its position on recommendation 9.(c).

 

d. DCAA Comments on Final Report Recommendation: DCAA continues to disagree with the recommendation to require all regional management to monitor the use and documentation of judgmental and statistical sampling in audit assignments as stated

PQA 720.7.a.225.5 [D-2007-6-006] June 1, 2007 SUBJECT: Response to Department of Defense Office of Inspector General (DoDIG) Final Report, Review of the Defense Contract Audit Agency Quality Control System, (Report No. D2007-6-006), dated May 1, 2007 6

 

above. As discussed in our response to the DoDIG draft report, we are in the process of reviewing the guidance related to sampling with the intention of clarifying the guidance. By December 2007, training will be provided on any substantive changes to the current guidance. However, to address the IG’s concerns, DCAA agrees that once the review of guidance and any necessary training have been completed, the Regional Quality Assurance Divisions will perform a review to determine compliance with Agency guidance on the use and documentation of sampling in audit assignments.

 

Questions regarding this memorandum should be directed to Ms. Mary L. Silva, Chief, Quality Assurance Division, at (703) 767-2298.

/signed/

Kenneth J Saccoccia

Assistant Director

Policy and Plans

Advertisements