February 25, 2013

FY 2013 NDAA Provides DCAA With Greater Internal Audit Report Access: Is Your Company Prepared?

6 min

In February 2012, Venable’s Government Contracts Practice Group released an alert regarding then-recent initiatives to measure the Defense Contract Audit Agency’s (DCAA) access to contractor internal audit reports and the likely impact resulting from these initiatives.  As predicted, Congress has taken affirmative steps over the last year in an effort to broaden the statutory authority granting DCAA with the power to request, access and utilize contractor internal audit reports.  Indeed, on January 2, 2013, President Obama signed the Fiscal Year (FY) 2013 National Defense Authorization Act (NDAA), which includes Section 832, a noteworthy provision relating to DCAA’s access to contactor internal audit reports.

As outlined below, Section 832 provides DCAA with the statutory authority to access contractor internal audit reports and it establishes procedural frameworks that are intended to limit DCAA’s access to only those reports that are relevant to in-process audits.  While Section 832 does include safeguards and protections to avoid the potential for improper access, contractors should nonetheless be aware that DCAA is still entitled to invoke significant remedies in the event that a contractor denies DCAA access to its internal audit reports.  Consequently, contractors should be aware of the changing legislative landscape relating to DCAA’s access to their internal audit reports and modify their Policies and Procedures accordingly to ensure adequate protection of their company.


In 2011, the Government Accountability Office (GAO), in response to a request that it assess the role of contractors’ internal audit reports and DCAA’s examination and use of information within these reports, issued a report (GAO-12-88) in which it concluded that DCAA’s access to and use of contractors’ internal audit reports was limited.  According to the GAO, DCAA’s history of limited access and use of these reports was due to several factors, including: contractors’ various interpretations of court decisions concerning DCAA’s access to internal audit reports; differing policies and procedures among contractors with respect to DCAA’s access to and use of internal audit reports; and DCAA’s inability to identify internal audit reports relevant to their work, and overall uncertainty as to the usefulness of these reports.  Consequently, the GAO concluded that DCAA’s failure to routinely request access to contractor internal audit reports adversely affected its corresponding ability to effectively evaluate contactors’ internal controls.

As a result of the GAO’s report and recommendations, the DCAA issued its Internal Audit Guidance in August 2012.  These guidelines establish parameters DCAA Auditors and Supervisors will adhere to when requesting access to contractor internal audit reports.  These parameters include: the implementation of a formal tracking process to record requests and responses to contractor internal audit reports; limiting requests to only those reports deemed pertinent to the Auditor’s specific audit task; and seeking access to contractor working papers only if information within the internal audit reports was determined insufficient for performing an audit.

Recent Legislation

Efforts for DCAA’s increased access to internal audit reports also gained steam within Congress, with the Senate proposing draft legislation (S. 3254) for the FY 2013 NDAA that proposed to provide DCAA with broad statutory authority to access internal audit reports and impose statutory sanctions on those contractors who denied DCAA access to their reports.  In the end, however, the final legislation within Section 832 of the NDAA contains more restrictive grants of authority and includes critical internal safeguards to ensure that DCAA’s access to and use of contractor internal audit reports is proper.  Some of the key provisions within Section 832 require that DCAA:

  1. Document that its requests for access to internal audit reports are necessary to complete required evaluations of contractor Business Systems;
  2. Keep a record of contractor responses to requests for access to internal audit reports, including a contractor’s rationale if access to reports is denied;
  3. Implement and adhere to appropriate safeguards and protections to ensure that DCAA does not use internal audit reports and supporting material for purposes other than assessing risk and evaluating/testing efficacy of contractor internal controls and reliability of associated Business Systems; and
  4. Limit the consideration of a contractor’s internal audit reports as only a factor in determining whether a contractor’s Business Systems are sound; that is, internal audit reports may not be the sole basis for DCAA’s disapproval of a contractor’s Business Systems.

In turn, DCAA intends to implement this statutory authority through its utilization of the following processes and procedures.

  1. Contract Audit Coordinator (CAC) Offices and Field Audit Offices (FAO) at the major-contractor level will establish a Central Point of Contact (POC), as well as processes to request, access, and monitor the use of internal audit reports.  These processes will include a means by which DCAA will track its requests for access to internal audit reports and contractor responses to such requests.
  2. DCAA will establish roles and responsibilities for DCAA POCs and Auditors and Supervisors as they relate to DCAA’s request for access to internal audit reports.
  3. Limiting requests to only those which have an established nexus to an in-process audit.
  4. Requesting access to a contractor’s working papers only if the internal audit report does not contain sufficient information to conduct an audit.

Key Considerations and Best Practices

Although the final legislation within Section 832 of the NDAA certainly does not impose the significant sanctions originally proposed within the Senate’s draft legislation, contractors should nonetheless be aware that Section 832 still provides DCAA with significant remedies in the event that a contractor refuses to grant DCAA access to its internal audit reports.  These remedies include: the utilization of the DCAA Director’s subpoena authority to overrule access denials; adverse or qualified DCAA opinions; questioned costs under price proposals and progress payments; and perhaps most significantly, finding a significant deficiency or weakness, which might ultimately lead to a Business Systems failure determination and contractor withholds. 

While not necessarily apparent on its face, Section 832 provides DCAA far greater access to contractor internal audit reports than previously established in federal case law.  Extending beyond the limits set forth in Newport News, DCAA is no longer limited to accessing a contractor’s objective financial data, but may now access and evaluate the subjective opinions (and possibly working papers) of a contractor’s Internal Audit Group.  Thus, contractors should be mindful of the potential impact of Section 832’s passage.

For example, contractors will continue to see an increase in the number of requests from DCAA for access to contractor internal audit reports, which will also likely include access to electronic data.  Consequently, contractors should review their Policies and Procedures for granting DCAA access to internal audit reports and working papers to determine whether appropriate modifications are necessary to protect the company.  In addition, contractors should train their Internal Audit Group to confirm understanding of, and adherence to, their Policies and Procedures, especially if modified.  Contractors should also review their Policies and Procedures as they relate to the use of Internal Audit Groups to conduct investigations.  Moreover, if a contractor receives a request from DCAA to access its internal audit reports, the contractor should closely review the request to determine if it is proper, in compliance with the limitations established in Section 832, and provides enough time to adequately respond to the request.

As DCAA implements its new statutory authority, many questions will develop as to the propriety and scope of DCAA’s access to contractor internal audit reports.  Government contractors, with the assistance of counsel, will need to closely monitor these developments and continue to tailor their Policies and Procedures to effectively address future changes. 

For more information, please contact any of the attorneys in Venable’s Government Contracts Practice Group.