Originally published in Law360, New York (July 03, 2012, 12:31 PM ET)
The Defense Contract Audit Agency is facing considerable pressure to improve audit efficiency in light of significant criticisms of its auditing procedures. As demonstrated by the DCAA's recent request that Congress grant it authority to demand access to internal audit materials, one way that the DCAA is expected to respond to this pressure is by shifting more audit responsibilities onto contractors.
Thus, it is increasingly important that contractors be prepared to properly manage DCAA audits. Contractors that are not aware of their rights and obligations during an audit may incur increased compliance costs associated with defective audit procedures and findings that could result in penalties, cost disallowances, contract payment withholdings, and False Claims Act allegations.
Types of Audits
The DCAA performs a wide variety of audits including financial capability, incurred cost, systems review (e.g., accounting systems, budget systems), and Cost Accounting Standards compliance audits, as well as pre-award surveys of prospective contractors. Contractors that engage in cost contracting and have a significant volume of government sales are generally subject to all types of DCAA audits. By contrast, contractors that focus more on fixed-price contracts and have a smaller volume of sales to the government may be exempt from certain DCAA audits.
Audit Rights and Authority
The DCAA has authority under Federal Acquisition Regulation 52.215.2 to examine and audit contractors' books, records, documents and other evidence, as well as accounting procedures and practices, for the purpose of evaluating accuracy, completeness, and currency of cost or pricing data. However, the DCAA's authority is limited to records that are kept in the ordinary course of business. Thus, the DCAA does not have authority to demand preparation of any records that the contractor does not already have.
The scope of the DCAA's authority has been the center of much controversy. The DCAA regularly claims that it has the authority to access internal audits and materials that may be subject to the attorney-client or other privileges, as well as to conduct employee interviews. But, the DCAA has no clear statutory, regulatory or contractual authority to support this position. For example, other than commercial items, time and materials, or labor hour contracts under FAR 52.212-4, there is no authority granting the DCAA the power to interview employees, yet the DCAA consistently asserts its right to do so.
Nonetheless, there may be practical reasons for complying with some DCAA requests, even where the DCAA's authority is in question. For example, a contractor may determine that the risk of allowing the DCAA to interview some employees and access certain audit materials is an acceptable trade-off for the cost savings resulting from a more efficient audit or to avoid the potential implications of an assertion by DCAA that the contractor has denied access to relevant information. Under these circumstances, contractors should ask that such requests be put in writing and should not hesitate to press the DCAA to narrow or clarify requests that are unclear or overbroad. Contractors are always entitled to a reasonable time in which to respond.
Contractors should be proactive in addressing overreaching DCAA requests. For instance, the DCAA may request access to attorney-client or other privileged materials. However, disclosing such materials may waive the contractor's ability to later claim privilege against any party that could expose the contractor to significant risk.
Before any DCAA audit begins, contractors should insist on an entrance conference with the DCAA to set the specific audit objectives. The contractor's objectives should include: (1) determining the purpose of the audit; (2) agreeing on the scope and plan for performance; (3) determining the types of records and data the auditor intends to review; (4) pressing for specificity so that an internal plan for compliance with audit requests can be developed; (5) identifying and preparing key personnel; and (6) evaluating the the DCAA's level of access to documents, information and personnel.
During an audit, contractors should also seek interim conferences with the auditor. Interim conferences allow the auditor and contractor to efficiently address any perceived deficiencies or mistakes in the contractor's data, and to identify and remedy any significant issues before DCAA issues a final report.
An exit conference should be held at the conclusion of the audit. Exit conferences provide the contractor with an opportunity to discuss the audit findings with the auditor and to prepare for any negative determinations. Contractors should also use exit conferences as an opportunity to ensure that the auditor's findings are accurate and should work with the auditor to revise any findings that are not sufficiently supported by objective evidence.
Requests for Data
DCAA auditors are only entitled to access the specific records that are required to adequately assess costs. The DCAA must follow Generally Accepted Government Auditing Standards to determine what records are relevant. Thus, prior to responding to a DCAA request, contractors should ensure that they fully understand the request so that they disclose only responsive documents. All documents should be reviewed and logged before they are provided to the DCAA.
Although the DCAA is not obligated to provide all requests for data in writing, when practical, contractors should ask DCAA for written requests. Written requests will help the contractor evaluate, track, and prioritize DCAA document requests.
Contractors should also control the auditor's access to physical documents through their own records manager. The auditor should not be allowed to have free run of the contractor's facility or unsupervised access to files and personnel. Instead, the records manager should bring relevant documents to the auditor. If possible, the auditor should be assigned a designated work room. By controlling physical access to documents, a contractor can reduce the risk of the auditor losing or tampering with documents.
Access to Office Space
Under the FAR, a contractor is required to make records available "at its office." The DCAA has taken this to mean that contractors are obligated to provide the DCAA with office space if the audit work to be performed is substantial. The DCAA continues to be increasingly aggressive in its demands for office space and has gone as far as demanding that contractors modify existing facilities to suit DCAA needs. Despite the DCAA's assertion that FAR 52.215-2 entitles it to permanent office space, there is no basis for this in the language of the clause.
Indeed, requests for permanent alteration of office space are totally unsupported. If an auditor proposes a plan that is disruptive to the business, the contractor should raise its concerns with the auditor's supervisor and negotiate a more reasonable solution.
Contractors should develop a written record retention policy consistent with FAR Part 4.7 and periodically verify that the policy complies with applicable statutes and contract provisions. Generally, contractors must maintain records until three years after final payment under a contract. However, this requirement can be lengthened or shortened by statute or contract (e.g., the FAR requires that certain financial and cost accounting records be kept for four years). When in doubt as to the applicable retention period, contractors should keep the record for the maximum time required.
Contractors are required to maintain an indexing system so that records can be found easily and promptly. Contractors also may keep records in duplicate or electronic form unless the electronic record is missing information shown in the original copy. When records are kept in electronic form, original records must still be kept for one year after imaging in order to permit validation of imaging systems.
A contractor's record retention system should at a minimum include the following: (1) an up-to-date index of records; (2) a log of the location and movement of records; (3) read-only access to auditors so that records cannot be tampered with; and (4) quick access to records.
Denial of Access
According to the DCAA Contract Audit Manual ("CAM") a contractor "denial of access" can occur if the DCAA determines that a contractor has: (1) refused to provide access to requested records; (2) caused unreasonable delays in providing access to required contractor data or personnel; (3) caused a partial or complete denial of access to internal audit data; or (4) asserted the attorney-client privilege or attorney work-product rule. A denial of access finding could subject a contractor to suspension or withholding of payments, criminal sanctions and document subpoenas.
The CAM, however, is not binding on contractors, and it is unlikely that at least several of the denial of access conditions listed in the CAM would ultimately result in a denial of access judgment because the DCAA's statutory authority on personnel, internal audit data, and privileged material is unclear at best. As a practical matter, however, contractors should cooperate and work with the DCAA to resolve any conflicts over requests for access before they escalate to a denial of access.
The DCAA's authority to penalize a contractor for denial of access is further limited by U.S. v. Newport News Shipbuilding & Dry Dock Co., 837 F.2d 162 (4th Cir. 1988) and 862 F.2d 464 (4th Cir. 1988), which held that the DCAA may subpoena the objective data underlying an audit, but not subjective internal audit materials. In March 2012, the DCAA requested expanded authority from Congress to require contractors to disclose subjective internal audit materials, but Congress has not yet acted on the request.
At the close of each audit, the DCAA generally satisfies its government reporting standards by issuing an audit report. Audit reports typically include: (1) a statement that identifies the scope and objectives of the report, including the area, system, or proposal being audited; (2) findings that are presented in an objective manner; (3) adequate objective support for all conclusions; (4) a description of any issues that adversely affected the audit; and (5) a summary of the audit results, including the auditor's conclusions, recommendations for effecting compliance with applicable requirements, and overall opinions.
For most audits, the DCAA is required to submit a draft audit report to the contractor prior to issuing its final report. Contractors should diligently review the draft report and use the opportunity to challenge any concerns with the DCAA's findings before the final report is issued. The DCAA must then modify its audit report if, in response to the draft report, a contractor raises legitimate flaws in the auditor's findings.
Surviving the Audit
Given the increased risk that contractors face from overbroad and aggressive requests from the DCAA, contractors should ensure that current policies are in place to effectively manage DCAA audits. Those policies should include processes regarding records access, employee interviews, audit requests, commenting on audit reports, and interacting with the DCAA during the audit. These policies should clearly delineate a chain of command and ensure that all employees likely to be involved in the audit process are aware of their roles and responsibilities. Contractors who do not have current and clear policies in place run the risk of a negative audit report and the costs associated with disapproval of systems that can result in contract withholdings.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.