United States: How To Survive A DCAA Audit
Last Updated: July 17 2012
Article by David M Nadler, Christian N. Curran and Ryan P. McGovern

Originally published in Law360, New York (July 03, 2012, 12:31 PM ET)

The Defense Contract Audit Agency is facing considerable pressure to improve audit efficiency in light of significant criticisms of its auditing procedures. As demonstrated by the DCAA's recent request that Congress grant it authority to demand access to internal audit materials, one way that the DCAA is expected to respond to this pressure is by shifting more audit responsibilities onto contractors.

Thus, it is increasingly important that contractors be prepared to properly manage DCAA audits. Contractors that are not aware of their rights and obligations during an audit may incur increased compliance costs associated with defective audit procedures and findings that could result in penalties, cost disallowances, contract payment withholdings, and False Claims Act allegations.

Types of Audits

The DCAA performs a wide variety of audits including financial capability, incurred cost, systems review (e.g., accounting systems, budget systems), and Cost Accounting Standards compliance audits, as well as pre-award surveys of prospective contractors. Contractors that engage in cost contracting and have a significant volume of government sales are generally subject to all types of DCAA audits. By contrast, contractors that focus more on fixed-price contracts and have a smaller volume of sales to the government may be exempt from certain DCAA audits.

Audit Rights and Authority

The DCAA has authority under Federal Acquisition Regulation 52.215.2 to examine and audit contractors' books, records, documents and other evidence, as well as accounting procedures and practices, for the purpose of evaluating accuracy, completeness, and currency of cost or pricing data. However, the DCAA's authority is limited to records that are kept in the ordinary course of business. Thus, the DCAA does not have authority to demand preparation of any records that the contractor does not already have.

The scope of the DCAA's authority has been the center of much controversy. The DCAA regularly claims that it has the authority to access internal audits and materials that may be subject to the attorney-client or other privileges, as well as to conduct employee interviews. But, the DCAA has no clear statutory, regulatory or contractual authority to support this position. For example, other than commercial items, time and materials, or labor hour contracts under FAR 52.212-4, there is no authority granting the DCAA the power to interview employees, yet the DCAA consistently asserts its right to do so.

Nonetheless, there may be practical reasons for complying with some DCAA requests, even where the DCAA's authority is in question. For example, a contractor may determine that the risk of allowing the DCAA to interview some employees and access certain audit materials is an acceptable trade-off for the cost savings resulting from a more efficient audit or to avoid the potential implications of an assertion by DCAA that the contractor has denied access to relevant information. Under these circumstances, contractors should ask that such requests be put in writing and should not hesitate to press the DCAA to narrow or clarify requests that are unclear or overbroad. Contractors are always entitled to a reasonable time in which to respond.

Contractors should be proactive in addressing overreaching DCAA requests. For instance, the DCAA may request access to attorney-client or other privileged materials. However, disclosing such materials may waive the contractor's ability to later claim privilege against any party that could expose the contractor to significant risk.

Status Conferences

Before any DCAA audit begins, contractors should insist on an entrance conference with the DCAA to set the specific audit objectives. The contractor's objectives should include: (1) determining the purpose of the audit; (2) agreeing on the scope and plan for performance; (3) determining the types of records and data the auditor intends to review; (4) pressing for specificity so that an internal plan for compliance with audit requests can be developed; (5) identifying and preparing key personnel; and (6) evaluating the the DCAA's level of access to documents, information and personnel.

During an audit, contractors should also seek interim conferences with the auditor. Interim conferences allow the auditor and contractor to efficiently address any perceived deficiencies or mistakes in the contractor's data, and to identify and remedy any significant issues before DCAA issues a final report.

An exit conference should be held at the conclusion of the audit. Exit conferences provide the contractor with an opportunity to discuss the audit findings with the auditor and to prepare for any negative determinations. Contractors should also use exit conferences as an opportunity to ensure that the auditor's findings are accurate and should work with the auditor to revise any findings that are not sufficiently supported by objective evidence.

Requests for Data

DCAA auditors are only entitled to access the specific records that are required to adequately assess costs. The DCAA must follow Generally Accepted Government Auditing Standards to determine what records are relevant. Thus, prior to responding to a DCAA request, contractors should ensure that they fully understand the request so that they disclose only responsive documents. All documents should be reviewed and logged before they are provided to the DCAA.

Although the DCAA is not obligated to provide all requests for data in writing, when practical, contractors should ask DCAA for written requests. Written requests will help the contractor evaluate, track, and prioritize DCAA document requests.

Contractors should also control the auditor's access to physical documents through their own records manager. The auditor should not be allowed to have free run of the contractor's facility or unsupervised access to files and personnel. Instead, the records manager should bring relevant documents to the auditor. If possible, the auditor should be assigned a designated work room. By controlling physical access to documents, a contractor can reduce the risk of the auditor losing or tampering with documents.

Access to Office Space

Under the FAR, a contractor is required to make records available "at its office." The DCAA has taken this to mean that contractors are obligated to provide the DCAA with office space if the audit work to be performed is substantial. The DCAA continues to be increasingly aggressive in its demands for office space and has gone as far as demanding that contractors modify existing facilities to suit DCAA needs. Despite the DCAA's assertion that FAR 52.215-2 entitles it to permanent office space, there is no basis for this in the language of the clause.

Indeed, requests for permanent alteration of office space are totally unsupported. If an auditor proposes a plan that is disruptive to the business, the contractor should raise its concerns with the auditor's supervisor and negotiate a more reasonable solution.

Records Retention

Contractors should develop a written record retention policy consistent with FAR Part 4.7 and periodically verify that the policy complies with applicable statutes and contract provisions. Generally, contractors must maintain records until three years after final payment under a contract. However, this requirement can be lengthened or shortened by statute or contract (e.g., the FAR requires that certain financial and cost accounting records be kept for four years). When in doubt as to the applicable retention period, contractors should keep the record for the maximum time required.

Contractors are required to maintain an indexing system so that records can be found easily and promptly. Contractors also may keep records in duplicate or electronic form unless the electronic record is missing information shown in the original copy. When records are kept in electronic form, original records must still be kept for one year after imaging in order to permit validation of imaging systems.

A contractor's record retention system should at a minimum include the following: (1) an up-to-date index of records; (2) a log of the location and movement of records; (3) read-only access to auditors so that records cannot be tampered with; and (4) quick access to records.

Denial of Access

According to the DCAA Contract Audit Manual ("CAM") a contractor "denial of access" can occur if the DCAA determines that a contractor has: (1) refused to provide access to requested records; (2) caused unreasonable delays in providing access to required contractor data or personnel; (3) caused a partial or complete denial of access to internal audit data; or (4) asserted the attorney-client privilege or attorney work-product rule. A denial of access finding could subject a contractor to suspension or withholding of payments, criminal sanctions and document subpoenas.

The CAM, however, is not binding on contractors, and it is unlikely that at least several of the denial of access conditions listed in the CAM would ultimately result in a denial of access judgment because the DCAA's statutory authority on personnel, internal audit data, and privileged material is unclear at best. As a practical matter, however, contractors should cooperate and work with the DCAA to resolve any conflicts over requests for access before they escalate to a denial of access.

The DCAA's authority to penalize a contractor for denial of access is further limited by U.S. v. Newport News Shipbuilding & Dry Dock Co., 837 F.2d 162 (4th Cir. 1988) and 862 F.2d 464 (4th Cir. 1988), which held that the DCAA may subpoena the objective data underlying an audit, but not subjective internal audit materials. In March 2012, the DCAA requested expanded authority from Congress to require contractors to disclose subjective internal audit materials, but Congress has not yet acted on the request.

Audit Reports

At the close of each audit, the DCAA generally satisfies its government reporting standards by issuing an audit report. Audit reports typically include: (1) a statement that identifies the scope and objectives of the report, including the area, system, or proposal being audited; (2) findings that are presented in an objective manner; (3) adequate objective support for all conclusions; (4) a description of any issues that adversely affected the audit; and (5) a summary of the audit results, including the auditor's conclusions, recommendations for effecting compliance with applicable requirements, and overall opinions.

For most audits, the DCAA is required to submit a draft audit report to the contractor prior to issuing its final report. Contractors should diligently review the draft report and use the opportunity to challenge any concerns with the DCAA's findings before the final report is issued. The DCAA must then modify its audit report if, in response to the draft report, a contractor raises legitimate flaws in the auditor's findings.

Surviving the Audit

Given the increased risk that contractors face from overbroad and aggressive requests from the DCAA, contractors should ensure that current policies are in place to effectively manage DCAA audits. Those policies should include processes regarding records access, employee interviews, audit requests, commenting on audit reports, and interacting with the DCAA during the audit. These policies should clearly delineate a chain of command and ensure that all employees likely to be involved in the audit process are aware of their roles and responsibilities. Contractors who do not have current and clear policies in place run the risk of a negative audit report and the costs associated with disapproval of systems that can result in contract withholdings.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

More Popular Related Articles on Accounting and Audit from USA
A discussion on the Accounting Standards Update 2013-07, "Liquidation Basis of Accounting", which clarifies the guidance on how and when to use the liquidation basis of accounting.
The IFRS Interpretations Committee has issued the March 2013 "IFRIC Update", which summarizes the deliberations during its meeting in London on March 12-13, 2013.
A summary on the FASB’s Exposure Draft on the impairment of financial instruments.
The Financial Accounting Foundation, which oversees the FASB, recently announced that current Board member Russ Golden will succeed Leslie Seidman as FASB Chairman.
A discussion on the highlights of the IASB March 2013 meeting.
The following summarizes US GAAP pronouncements that must be applied, if applicable, for the first time by a calendar year-end entity that prepares financial statements in accordance with US GAAP.
The SEC recently issued for comment a proposed roadmap for initially allowing and eventually requiring U.S. issuers to report financial results in accordance with International Financial Reporting Standards ("IFRS") as issued by the International Accounting Standards Board ("IASB") rather than generally accepted accounting principles in the United States ("U.S. GAAP").
Determining the locus of ownership of intangible property related to the development of new products and services is one of the principal challenges that tax managers in multinational enterprises (MNEs) face on an ongoing basis. Tax managers must balance non-tax corporate objectives, tax efficiency, tax risk management, and financial reporting considerations.
 
In association with
Recently viewed items tracks each article you read and gives you a quick link back to that article if you need to review it again.
To activate recently viewed, you just need to login or register with us above.
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
Free News Alert
 
News Alert|Login|Register
Register for Access and our Free Biweekly Alert
Close Me
Email Address
Company Name
Password
Confirm Password
Mondaq Topics -- Select your Interests
Accounting and Audit
Anti-trust/Competition Law
Consumer Protection
Corporate/Commercial Law
Criminal Law
Employment and HR
Energy and Natural Resources
Environment
Family and Matrimonial
Finance and Banking
Food, Drugs, Healthcare, Life Sciences
Government, Public Sector
Immigration
Insolvency/Bankruptcy, Re-structuring
Insurance
Intellectual Property
International Law
Litigation, Mediation & Arbitration
Media, Telecoms, IT, Entertainment
Privacy
Real Estate and Construction
Strategy
Tax
Transport
Wealth Management
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.