Watkins Meegan, Presents Dealing with DCAA Audits
•Als PPTX, PDF herunterladen•
1 gefällt mir•1,077 views
Do you know what's on the DCAA radar screen? Read more to learn what Christine Williamson, Member Watkins Meegan and Karen Williams, Systems Consultant of WJ Technologies have to say about Dealing with DCAA Audits. Being unprepared for a DCAA audit can hit your back pocket and affect your future in government contracting. For more information contact Christine Williamson at Christine.Williamson@watkinsmeegan.com.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Mehr von Andrea Contres Moore, MBA
Mehr von Andrea Contres Moore, MBA (9)
KĂĽrzlich hochgeladen
KĂĽrzlich hochgeladen (20)
Watkins Meegan, Presents Dealing with DCAA Audits
- 1. Dealing with DCAA Audits - Are you prepared? Christine Williamson – Member, Watkins Meegan LLC Karen Williams – Senior Consultant, W J Technologies LLC May 25, 2010 Proprietary & Confidential
- 2. Agenda Changes within DCAA over past several years 5 Major Memorandums Audit Initiatives and Trends New Regulations – Travel, Prime Resp., Exec Comp, Pass-thru Costs, & Recapture Payments Specific DCAA Audits Proprietary & Confidential 2
- 3. DCAA ORG CHART Director Patrick Fitzgerald Deputy Director Frank Summers Executive Officer Joe Garcia General Counsel Defense Legal Service John Farenish Assistant Director, Integrity & Quality Assurance Don McKenzie Assistant Director, Resources Philip Anderson Assistant Director, Policy & Plans Ken Saccoccia Assistant Director, Operations Karen Cash Headquarters Regions Northeastern Region Ron Meldonian William Adie Western Region Chris Andrezze Susan Barajas Central Region Ed Nelson Tim Carr Eastern Region Paul Phillips Gary Spjut Mid-Atlantic Region David Eck Steve Hernandez Field Detachment Tom Peters Terry Schneider
- 4. DCAA’s NEW mission statement The DCAA, while serving the public interest as its primary customer, shall perform all necessary contract audits for the Department of Defense and provide accounting and financial advisory services regarding contracts and subcontracts to all DoD components responsible for procurement and contract administration. These services shall be provided in connection with negotiation, administration, and settlement of contracts and subcontracts to ensure taxpayer dollars are spent on fair and reasonable contract prices. DCAA shall provide contract audit services to other Federal agencies, as appropriate. Proprietary & Confidential 4
- 8. GAO Findings on DCAA First in July 2008; Second in September 2009 14 of 14 Audits failed to comply with GAGAS (Govt. Auditing Standards) 33 of 37 Internal Controls audits failed to comply with GAGAS; primarily inadequate substantive testing DCAA Management inexplicably dropped findings Reports were more favorable to contractors (influenced by contractors and contracting agencies) Proprietary & Confidential 8
- 9. Reaction/Response by DCAA Rescinding previously issued audit reports (for lack of sufficient audit testing) No reliance on outdated audit opinions e.g. internal control audit more than four years old—prior opinions on adequacy will be excluded from the report More aggressive audit strategies (to prove that DCAA is protecting the “Taxpayer”) 5 Major Memorandums all issued within a month of each other Proprietary & Confidential 9
- 10. DCAA says “It’s a Brave New World” 10
- 11. MEMORANDUMS ISSUED Three memo’s with sweeping changes issued on same day No more in part opinions, only wholly adequate or inadequate for system reviews Audit reports can not include suggestions for corrective action or improvement in internal controls Inadequate system audits require the auditor to recommend to the ACO that payments on affected contracts are suspended Proprietary & Confidential 11
- 12. #1 -Creation of Limited Scope Audits Memo 08-PAS-041®– December 19, 2008 – creates new requirement for “limited scope” audits of internal control deficiencies identified during the course of other audits the FAO should… issue a flash report to report the potential deficiencies establish a separate limited scope audit assignment Failure to accomplish a single control objective will render the overall internal control system inadequate [If this occurs the auditor will] recommend that the system and pursue suspension of progress payments or reimbursement of costs i.e. 10% withhold 12
- 13. #2 - Access to Records Memo 08-PAS-042 ® – December 19, 2008 – imposes new rules and procedures for reporting and resolving “access to records” disputes Memo is specifically about obtaining documentation to support on-going audits limited to “audit of contractor assertions” such as proposals, rate submissions, incurred cost submissions, etc. Memo extends prior guidance with respect to written requests to also cover all requests made “either verbally or in writing” Establishes “specific date, not to exceed one week” as the standard for compliance with requests for records the Agency may request a subpoena to enforce their request in an instance when the seven-day standard was not met the Agency may not negotiate either scope or date with a contractor once a request has been made 13
- 14. #3 - You Either Pass or Fail Memo 08-PAS-043 ®– December 19, 2008 – imposes new restrictions on audit findings and reports on Internal Control Reviews DCAA will NO LONGER issue reports with “inadequate in part” findings – all findings will be either “adequate” or “not adequate” DCAA will NO LONGER make recommendations for improvement in contractors’ systems When any part of a contractor’s internal control system is found to deficient, the entire system will be deemed inadequate for use When a system in deemed inadequate, the auditor is REQUIRED to recommend to the ACO that the system be disapproved for use and payments be suspended (in whole or in part) 14
- 15. #4 -Reconcile Public Vouchers Memo 08-PAS-044 ® – December 22, 2008 – requires additional reconciliation to contractors accounting records for all Public Voucher Reviews CAM 6-1008b has been revised to require auditors to reconcile billed costs to the contractor’s accounting records for the interim vouchers selected for review For non-major contractors, auditors may perform this step on the auditor’s next visit to the contractor For Time-and-Materials and Labor-Hour vouchers, auditors should ensure that labor hours and material cost reconcile to the contractor’s accounting records 15
- 16. #5 - No Review of Findings or Drafts EVM Memo 09-PPD-002® – January 22, 2009 – new procedures prohibiting participation in meetings to review draft findings or draft corrections to contractors system with regards to EVM Auditors should not participate in meetings or conferences with the contractor and DCMA where the purpose of the meeting is to discuss draft findings and draft corrections to the contractor’s EVM system Auditors should not share draft audit results with the EVMS review team Auditors report significant deficiencies/material weaknesses discovered during the audit even when the contractor corrects the deficiencies during the audit 16
- 17. DCAA Audit Trends Nancy Arasin Wood, Mid-Atlantic Regional Audit Manager – March 2010 GWSCPA Event “Incurred cost audits are not on our radar screen” Forward Pricing Audits Systems Audits Pilot Program for Billing Audits Proprietary & Confidential 17
- 18. DCAA FY 2009 Audit ResultsBy Audit Area Incurred Cost. Includes audits of historical costs, internal control systems, and final contract closings. Forward Pricing. Includes audits of price proposals, estimating systems, and forward pricing rate agreements. Special Audits. Includes audits of terminations proposals, other claims, progress payments, financial capability, and earned value management systems. Other. Includes Cost Accounting Standards, operations audits, and Truth-in-Negotiations (Defective Pricing Audits).
- 19. Major vs Non-Major Contractor Any contractor that had $90 million or more in annual auditable costs for the prior fiscal year. 19
- 20. Commission on Wartime Contracting Congressionally Mandated in 2008; Scope includes Iraq/Afghan contract administration; 8 members Interim Report in June 2009 “At What Cost”? Special Report issued in September 2009 DoD should have one voice to the Contractors Inadequate contractor business systems (internal controls) by contractors caused billions of dollars wasted (DCMA) DCAA needs to expand beyond pass/fail reporting Dysfunctional relationship: DCMA and DCAA Commission will sunset 60 days after final report is issued in 2010 (www.wartimecontracting.com) Proprietary & Confidential 20
- 21. Defining Internal Control Audits DCAAM 3-300 released 4/2/10 Definitions of Internal Controls are not contained in FAR New Terminology ICAPS = Internal Control Audit Planning Summary ICRS = Internal Control Review System database DCAA audits of internal controls come in two flavors: ICAPS audits broken into 10 systems cyclically applied to “major” contractors Post award accounting & billing system review Proprietary & Confidential 21
- 22. New - Prime Contractor Administration of Subcontractors Where: DCAA Memo PSP 730.5.1 dated 6/30/09 FAR 15.404-3/DCAM 9-104.2/DFARS 215.404-3/ DCAA expectation that prime contractor will audit subcontractor invoices (emulate DCAA) Prime contractor failure to audit = 100% disallowance & billing system inadequacy Primes are expected to show proof that subcontractors have adequate accounting and billing systems (i.e. DCAA expects primes to audit subcontractors) Proprietary & Confidential 22
- 23. New - FAR Rule on Travel Costs January 11, 2010, FAR 31.205-46 was amended to remove inconsistency on treatment of allowable airfare Before was either “lowest available to contractor” or “lowest available to public” (lowest standard offered) Cost of airfare is now limited to the “lowest priced airfare available to the Contractor” Implications Additional documentation of similar airfares Contractor negotiated rates with airlines Challenging to monitor due to the variability in airfares Proprietary & Confidential 23
- 24. New - Payment Recapture Push OMB Recovery Audit Guidance – March 2010, Executive Order to expand payment recapture audits and OMB to develop guidance within 90 days for departments and agencies to carry out the requirements. Uses tools / technology and compensation tied Misspent funds to uncover problems such as duplicate payments, payments for services not rendered, overpayments, etc. Proprietary & Confidential 24
- 25. New - Excessive Pass Through Costs FAR Clause 52.215-23, Limitations on Pass-Through Costs, requires Contractor to disclose what percentage of a contract’s work will be subcontracted If amount exceeds 70%, Contractor must state the indirect costs and/or fee which will be applied and the value-added by the Contractor to the subcontracted effort Contracting Officer may determine that pass through costs are excessive if Contractor is subcontracting large amount of effort without performing value-added functions Proprietary & Confidential 25
- 26. New – Executive Comp Cap is set annually Issued 4/23/10 CFY 2010 $693,951 from $684,181 in CFY 2009 FAR 31.205-6 Proprietary & Confidential 26
- 27. Most Common DCAA Audits Today Specific Audits Pre Award Survey/Accounting System Audit Financial Capability Audit Estimating System Audit Purchasing System Audit Billing System Audit Incurred Cost Audit CAS Audit Proprietary & Confidential 27
- 28. Specific DCAA Audits What is the purpose? What will the DCAA require? Focus Completion Proprietary & Confidential 28
- 29. Pre-Award Survey/Acctg System AuditWhat is the Purpose? Obtain an understanding of the accounting system Opine as to whether the design of the contractor’s system is acceptable for the award of a prospective Government contract A financial capability audit may be triggered as a result of the Pre-Award Survey Proprietary & Confidential 29
- 30. Pre-Award Survey/Acctg System Audit What will DCAA Require? DCAA will request an ICQ (Internal Controls Questionnaire) DCAA will review the accounting system with respect to the following: GAAP compliant Proper segregation of costs-Direct vs. Indirect and Job cost Allocation of indirect costs Accumulation of costs under General Ledger control Timekeeping System / Labor Distribution Proprietary & Confidential 30
- 31. Pre-Award Survey/Acctg System Audit What will DCAA Require? Interim Determination of Costs/Interim monitoring of rates Exclusion of Unallowable Costs Costs by Contract Line Item Procedures to ensure proper and adequate billings Adequate & Reliable / Is the accounting system in operation Proprietary & Confidential 31
- 32. Pre-Award Audit Focus Verification that the accounting system and related policies and procedures are in place to demonstrate and ensure compliance with the 15 key items contained in the DCAA Preaward Survey Audit Program Proprietary & Confidential 32
- 33. Pre-Award Survey/Acctg System Audit Completion DCAA will review the documentation and materials provided and prepare a draft audit report Contractor will respond to the draft DCAA will incorporate the contractor’s comments into the final report An adequate or inadequate opinion will be given by DCAA Proprietary & Confidential 33
- 34. Financial Capability AuditWhat is the Purpose? To determine if the contractor has adequate financial resources to perform on Government contracts in the near term. Proprietary & Confidential 34
- 35. Financial Capability AuditWhat will DCAA Require? 3 years financials, YTD FS for last Qtr available, and tax returns Explanation Off-balance sheet arrangements & Related party transactions Cash Flow Forecast Operating Budget Proprietary & Confidential 35
- 36. Financial Capability Audit Focus DCAA will Review FS Indicators: Profit/Loss Sales Working capital Net Worth Long-term Liabilities Accounts Payable Aging Loan Covenants Proprietary & Confidential 36
- 37. Financial Capability Audit Focus DCAA will Review Non FS Indicators: Timely Payment of Payroll Taxes Management of Subsidiary using Parents Cash Alert to: Non-Payment of Insurance premiums Borrowing from under-funded pension plans Poorly maintained infrastructure Proprietary & Confidential 37
- 38. Financial Capability AuditCompletion DCAA will prepare a draft audit report summarizing the results of the risk assessment and any deficiencies found DCAA will conduct an Exit Conference with Contractor and provide Contractor an opportunity to respond to findings DCAA will then draft its Final Report and update the ICRS database Proprietary & Confidential 38
- 39. Estimating System AuditWhat is the Purpose? Evaluate the adequacy of and the contractor’s compliance with the estimating system internal controls. Assess the adequacy of the contractor's policies and procedures, whether they have been implemented, and if they are working and being monitored effectively. Proprietary & Confidential 39
- 40. Estimating System AuditWhat will DCAA Require? Contractor’s written estimating system policies and procedures. Organization charts depicting the functional areas responsible for developing and processing estimating system related data. Estimating system flowcharts providing a pictorial overview of all manual and computerized processing steps. Information systems documentation Proprietary & Confidential 40
- 41. Estimating System Audit Focus DCAA will review the following: Control Environment (ICAPS) Risk Assessment Interview personnel Information and Communications Methods and records established to record, process and summarize contract data Monitoring/Internal Audit System Description and Training Proprietary & Confidential 41
- 42. Estimating System Audit Focus DCAA will review the following: Cost Estimate Development Summary of Total Cost by Element Cross-referenced to each line item Breakdown of Labor (FAR 15.408, Table 15-2 II.B.) Hours Rates and Costs by Appropriate Category Consolidated Priced Bill of Materials Types, Quantities, Cost FAR 15.408, Table 15-2 II.A. Certification Proprietary & Confidential 42
- 43. Estimating System AuditCompletion DCAA will prepare a draft audit report considering all five components of internal control: Control Environment Contractor Risk Assessment Information and Communications Monitoring Control Activities that relate to Control Objectives DCAA will conduct an Exit Conference with Contractor and provide Contractor an opportunity to respond to findings DCAA will then draft its Final Report and update the ICRS database Proprietary & Confidential 43
- 44. Purchasing System AuditWhat is the Purpose? Evaluate the adequacy of and the contractor’s compliance with the purchasing system internal controls. Assess the adequacy of the contractor’s policies and procedures, whether they have been implemented, and if they are working and being monitored effectively. Proprietary & Confidential 44
- 45. Purchasing System AuditWhat will DCAA Require? Contractor’s written purchasing policies and procedures Organization charts depicting the functional areas responsible for developing and processing purchasing related data. Purchasing charging and distribution system flowcharts providing a pictorial overview of all manual and computerized processing steps. Information systems documentation Proprietary & Confidential 45
- 46. Purchasing System Audit Focus Contractor Compliance, training, policies and procedures Purchase Orders and Subcontract Clauses Management of Purchasing Selecting Sources Pricing and Negotiation Subcontract award and Negotiation Proprietary & Confidential 46
- 47. Purchasing System Audit Completion DCAA will prepare a draft audit report to determine if the purchasing system is adequate to reasonably assure proper pricing, administration and settlement of Government contracts considering: Contractor Compliance Training Policies and Procedures Purchase Orders and Subcontract Clauses Management of Purchasing Selecting the Source Pricing and Negotiation Subcontract Award and Administration DCAA will then complete draft final audit and conduct and Exit Conference with Contractor Final Audit report will include Contractor’s response and audit rejoinder if applicable Proprietary & Confidential 47
- 48. Billing System AuditWhat is the Purpose? Evaluate the adequacy of and the contractor’s compliance with the billing system internal controls. Assess the adequacy of the contractor’s policies and procedures, whether they have been implemented, and if they are working and being monitored effectively. Proprietary & Confidential 48
- 49. Billing System AuditWhat will DCAA Require? Contractor’s written policies and procedures and billing system manual. Organization charts depicting the functional areas responsible for developing and processing billing related data. Billing system flowcharts providing a pictorial overview of all manual and computerized processing steps. Information systems documentation Proprietary & Confidential 49
- 50. DCAA Billing System Audit Focus Contractor’s system orientation briefing or a demonstration of the billing system transaction flow including data input, data processing, data output, and related internal controls Changes in the billing system process since the last examination Contractor’s Risk Assessment Process Contractor’s Monitoring Process to ensure that established manual and computerized controls are functioning as intended Contractor’s Billing System Procedures and internal controls that assure timely identification and resolution of contract overpayments. Proprietary & Confidential 50
- 51. Billing System AuditCompletion DCAA will draft a DCAA will prepare a draft audit report considering all five components of internal control: Control Environment Contractor Risk Assessment Information and Communications Monitoring Control Activities that relate to Control Objectives such as: Management Reviews Policies and Procedures Implementation of Policies and Procedures DCAA will conduct an Exit Conference with Contractor and provide Contractor an opportunity to respond to findings DCAA will then draft its Final Report and ensure the paying office and CO have notifies of any unresolved overpayments, contract administration adjustments, demand letters, and subcontract billings that are over 30 days old and any other improper offsets. Proprietary & Confidential 51
- 52. Incurred Cost AuditWhat is the Purpose? Establishes final indirect cost rates for a respective Calendar Year Audit determines whether costs charged to auditable Government contracts are allowable, allocable, and reasonable in accordance with the contract and applicable Government acquisition regulations ICS is due 6 months after the close of the fiscal year Proprietary & Confidential 52
- 53. Incurred Cost AuditWhat will DCAA Require? Incurred Cost Proposal in the following Format: Schedule A - F Rates and Allocation schedules Schedule G - H Reconciliation of Books of Account and Claimed Direct Costs by Project (Schedule H is time-consuming) Schedule I Schedule of Cumulative Direct and Indirect Costs Claimed and Billed Schedule J Subcontract Information Schedule K Summary of Hours and Amounts on T&M/Labor Hour Contracts Schedule L Reconciliation of Total Payroll to Total Labor Distribution Schedule M Listing of Decisions/Agreements/Approvals and Description of Accounting/Organizational Changes Schedule N Certificate of Final Indirect Costs Schedule O Contract Closing Information for Contracts Completed in this Fiscal Year Proprietary & Confidential 53
- 54. Incurred Cost Audit Focus Perform reconciliation and analysis by major cost element Test the reconciliation of book to billed cost Verify claimed labor cost to the 941’s Sample a set of contracts to test claimed hours, rates and qualifications Select a sample of material transactions for testing Select a sample of subcontract and ODC transactions Proprietary & Confidential 54
- 55. Incurred Cost Audit Focus Indirect Cost to include Executive Comp and sampling of indirect expenses Review of Unallowable Costs Evaluate the cost allocation basis Review FCCOM, if applicable Proprietary & Confidential 55
- 56. Incurred Cost AuditCompletion After completing the Audit, DCAA will discuss the results and provide a copy of the draft audit report to the Contractor Contractor is given the opportunity to respond to the draft report and the final audit will contain the Contractor’s comments If Contractor and DCAA cannot agree on Audit results, DCAA will forward audit report to the cognizant CO and issue a DCAA Form 1 to recover any reimbursement of unallowed costs. Contractor may appeal the Form 1 to the CO or file a claim under the contract Disputes Clause Proprietary & Confidential 56
- 57. CAS AuditWhat is the Purpose? To determine if the contractor's policies, procedures, and practices used to estimate, accumulate, and report costs on Government contracts and subcontracts comply with the requirements of CAS. Two types - Adequacy and Compliance Proprietary & Confidential 57
- 58. CAS AuditWhat will DCAA Require? Policies and Procedures Explanation of Contractor’s Internal Control Structure related to CAS Any changes since last Audit Contractor’s monitoring process for classifying costs Identified weaknesses that may have been reported and related follow up actions Proprietary & Confidential 58
- 59. CAS Audit Focus Internal Controls Review the ICQ or the ICAPS Any changes since last audit Adequacy audit Does your Disclosure Statement contain Current Accounting Practices; Accurate Accounting Method and all schedules are Complete and contain sufficient information Compliance audit What are the dates you became CAS covered What Standards apply Are you in Compliance Proprietary & Confidential 59
- 60. CAS AuditCompletion Initial Audit Summary will be discussed internally and only material non compliances will be reported Immaterial non-compliances are to be reported internally and to the Contractor at earliest possible date If Contractor does not correct immaterial non-compliance, Government may make appropriate contract adjustments DCAA will then complete draft final audit and conduct and Exit Conference with Contractor Final Audit report will include Contractor’s response and audit rejoinder if applicable Proprietary & Confidential 60
- 61. Conclusion Be prepared for your Audits! Have Policies, Procedures and Controls in Place Make Sure They are Being FOLLOWED! Sign up for WM Eblast L&L This Fall to Update DCAA Proprietary & Confidential 61
Hinweis der Redaktion
- Smaller box……lunch and learn date name
- September 2006 – DoD IG issued a “clean opinion” on DCAA peer review after finding numerous audits with “serious deficiencies in audit quality.” July 2008 – Government Accounting Office (GAO) issued a report that cited the DCAA for numerous audit failures.August 2009 – the GAO concludes that the DoD IG had clearly arrived at an erroneous conclusion and asks them to reconsider their clean opinion.The DoD IG agreed that it was not prudent to issue a clean opinion. The DCAA no longer has a peer review clean opinion nor a quality control system that meets professional standards.Audit reports disclose the lack of external opinion.DOD IG has not
- September 2006 – DoD IG issued a “clean opinion” on DCAA peer review after finding numerous audits with “serious deficiencies in audit quality.” July 2008 – Government Accounting Office (GAO) issued a report that cited the DCAA for numerous audit failures.August 2009 – the GAO concludes that the DoD IG had clearly arrived at an erroneous conclusion and asks them to reconsider their clean opinion.The DoD IG agreed that it was not prudent to issue a clean opinion. The DCAA no longer has a peer review clean opinion nor a quality control system that meets professional standards.Audit reports disclose the lack of external opinion.DOD IG has not
- September 2006 – DoD IG issued a “clean opinion” on DCAA peer review after finding numerous audits with “serious deficiencies in audit quality.” July 2008 – Government Accounting Office (GAO) issued a report that cited the DCAA for numerous audit failures.August 2009 – the GAO concludes that the DoD IG had clearly arrived at an erroneous conclusion and asks them to reconsider their clean opinion.The DoD IG agreed that it was not prudent to issue a clean opinion. The DCAA no longer has a peer review clean opinion nor a quality control system that meets professional standards.Audit reports disclose the lack of external opinion.DOD IG has not
- Internal controls now subject to more stringent compliance standardsIncurred cost audits may negate previous rate agreement letterDCAA is changing how it works with and relates to contractorsEverything about the changes will reduce communication with auditors and increase the adversarial nature of the relationshipLarge firms are subject to the new “pass/fail” audit guidanceEven the smallest firms will be impacted by the new requirement to trace invoices to the accounting system during invoice reviewsNew Administration is increasing scrutiny of Contracting Dollars Spent and the Federal Procurement Process as a Whole
- Memo 08-PAS-041® – creates new requirement for “limited scope” audits of internal control deficiencies identified during the course of other audits Memo 08-PAS-042®– imposes new rules and procedures for reporting and resolving “access to records” disputes Memo 08-PAS-043®– imposes new restrictions on audit findings and reports on Internal Control Reviews Memo 08-PAS-044®– requires additional reconciliation to contractors accounting records for all Public Voucher Reviews Memo 09-PPD-002®– new procedures prohibiting participation in meetings to review draft findings or draft corrections to contractors system
- DCAA Director, April Stephenson, addressed a meeting of the Professional Services Council on February 25th, 2009In her presentation, she stressed that DCAA auditors will be returning to the basics of GAGAS and that they…Need to understand what [they] are auditingShould use face-to-face communication with the contractor employeesShould ask questions, maintain auditor skepticismShould develop sound conclusionsIssue 20 a year and they issued 3 all on one day.
- Auditors can self initiate limited scope audits if an internal control deficiency is found during another review. Previously flash reports were issued and opinion remained unchanged until the next scheduled audit.
- DCAA response to record requests due within 7 days or auditors report to the agency headquarters for issuance of a subpoena. (could result in a control deficiency)
- DCAA Audit Opinion is “adequate” or “inadequate” (pass or fail)“Inadequate” issued if one deficiency; a deficiency is virtually any failure to satisfy any one of DCAA’s internal control objectives
- Activity Code 11070 Control Environment and Overall Accounting System Controls Version 7.1, dated December 2009 B-1 Planning Considerations Purpose and Scope The major objectives of this audit are to:  Evaluate the adequacy of and the contractor’s compliance with the accounting system internal controls.  Obtain a sufficient understanding of the contractor’s control environment and overall accounting controls to plan related audit effort. This requires that the auditor assess the adequacy of the contractor’s accounting policies and procedures, whether they have been implemented, and if they are working and being monitored effectively.  Document the understanding of the control environment and the overall accounting controls in working papers and permanent files.  Assess control risk as a basis to identify factors relevant to the design of substantive tests. Report on the understanding of the accounting system internal control, assessment of control risk, and the adequacy of the system for performing on Government contracts. This audit is limited to the examination of the control environment and the overall accounting controls for major contractors, nonmajor contractors where the system is considered significant. Controls for interrelated audit concerns regarding the adequacy of the contractor’s major accounting subsystems (i.e., labor, MMAS, indirect & ODC, etc.) will be audited under separate assignments. While the controls for these areas are not part of this audit, the results of all audits of these interrelated controls must be considered in forming an overall audit conclusion of the overall accounting system. The results of this audit should also be commented on in reports on related audit areas. Before performing any examination of internal controls, the auditor should determine that the system contemplated for examination is material to the Government. Once it is determined that the system is material to the Government, the auditor should reassess the materiality of each section in the internal control audit before performing any audit steps in that section. The scope of any audit depends on individual circumstances. The auditor is expected to exercise professional judgment, considering vulnerability and materiality, in deciding the scope of audit to be performed. The use of computers of all kinds in a contractor’s accounting and management systems is so pervasive it is unlikely that any audit of them could be performed adequately without an examination of the internal controls over their automated aspects. Therefore, the auditor should become familiar with guidance contained in the Information Systems (IS) Auditing Knowledge 1 of 18 Master Document – Audit Program Base that is contained on DCAA’s Intranet, and CAM 5-1400, Audit of Information Technology Systems Application Internal Controls, prior to the beginning of this audit. In addition, in some instances, the assistance of IT specialists may be required to adequately evaluate the automated aspects of the internal controls. In these cases, auditors should coordinate, through their supervisory auditor, to contact their regional office to obtain the necessary expertise. The internal control matrix (see Internal Control Matrix – Control Environment and Overall Accounting Controls) showing the interrelationships among the control objectives, example control activities, and audit procedures used in this audit program. The control objectives and the audit procedures have been fully integrated into this audit; therefore, the matrix is not needed unless it is desirable to see the associated example control activities and the interrelationships in a matrix format. In cases where this examination covers internal control systems at multi-segment contractors, follow the guidance in CAM 5-103.2 and 5-110e. Auditing internal controls at multi-segment contractors requires effective coordination among cognizant auditors to identify the audit responsibilities at each location to ensure appropriate audit coverage when contractor locations share components of an internal control system, such as policies and procedures, common technologies (e.g., software) or common management. FAOs cognizant of segment locations should initiate assist audits from off-site locations as necessary. FAOs cognizant of off-site locations should not self-initiate audits of internal controls. References CAM 3-300, Internal Control Audit Planning Summary (ICAPS) CAM 5-100, Obtaining an Understanding of a Contractor’s Internal Controls and Assessing Control Risk CAM 5-300, Audit of Internal Controls – Control Environment and Overall Accounting Controls CAM 5-1400, Audit of Information Technology Systems Application Internal Controls CAM 10-400, Audit Reports on Operations and Internal Control (System Audits)
- B-1 Preliminary Steps W/P Reference Version 7.1, dated December 2009 1. Research and Planning a. Become familiar with applicable sections of CAM 5-300. Any recent relevant Headquarters guidance (i.e., MRDs, AGMs, and AMGMs) not incorporated in the CAM can be accessed from the Agency-Wide 2 of 18 Master Document – Audit Program Library available on the DCAA’s intranet home page. b. Perform the following steps using the permanent file: (1) Review prior accounting system audit working paper package. (2) Identify any accounting system deficiency reports issued (review ICRS database, as applicable). Document the results of (1) and (2) on W/P B-2. (3) Determine if there are any reported deficiencies in the other internal control system audits that impact the scope of this accounting system audit (review ICRS database, as applicable). Document on W/P B-2. The results of the IT Systems General Internal Controls examination, if any, should also be evaluated and documented in detail under Information and Communications, Section E-1, Step 1. (4) Identify the sources for the detailed policies, procedures, charts, etc., called for in steps (a) through (d) below. Document the sources of data by listing the data, its source, and any changes since the last system audit. (a) Contractor’s written policies and procedures and accounting system manual. (b) Organization charts depicting the functional areas responsible for developing and processing accounting related data. (c) Accounting system flowcharts providing a pictorial overview of all manual and computerized processing steps (including interfaces between the general accounting system and other systems). (d) Information systems documentation: (i) Pertinent record layouts of files created and/or used during the processing of accounting system related transactions. (ii) Database table definitions. (iii)Source documents. (iv) Information on the conversion of documents to computer media. (v) Subsidiary or master files affected by the system. (vi) Relevant reports, journals, and ledgers produced in the flow of information to the accounting system reports. (5) Review audit lead sheets. (6) Review other related audits, for example the impact of suspected irregular conduct (SIC) and CAS noncompliances, if applicable. 3 of 18 Master Document – Audit Program (7) Consider the impact of the contractor’s financial condition on the accounting system. (Refer to prior financial capability assessments or audits – 176XX). c. Discuss the planned evaluation of the Control Environment and the Overall Accounting Controls with the administrative contracting officer and the contractor’s major procuring activities to identify, understand, and document any concerns they may have of areas which should be evaluated. d. In planning and performing the examination, consider the fraud risk indicators specific to the audit. The principal sources for the applicable fraud risk indicators are:  Handbook on Fraud Indicators for Contract Auditors, Section II (IGDH 7600.3, APO March 31, 1993) located at http://www.dodig.mil/PUBS/igdh7600.doc (To access the handbook, copy and paste the web address shown above into the address block in Internet Explorer.)  CAM Figure 4-7-3. Document in working paper B any identified fraud risk indicators and your response/actions to the identified risks (either individually, or in combination). This should be done at the planning stage of the audit as well as during the audit if risk indicators are disclosed. If no risk indicators are identified, document this in working paper B. e. Obtain from the contractor a schedule of total dollars processed through the accounting system for the past twelve months (or most recently completed fiscal year) and summarize by total dollars and dollars by Government flexibly priced contracts and fixed price contracts in order to determine the materiality of the accounting system. Complete the Materiality section of the ICAPS form at W/P A. f. FAOs that have cognizance of contractors with significant classified contracts should coordinate with the Field Detachment to determine the DCAA office responsible for reviewing costs on classified contracts. This coordination should be documented in the working papers. FAOs should also coordinate with the Field Detachment on any significant accounting system issues. g. Close coordination is required at FAOs cognizant of a shared services location and the FAOs cognizant of the segments serviced by the shared services. Document the objectives and procedures to be performed at the shared services location and the segment level. Request assist audits, as applicable. h. Determine the extent and results of the contractor’s self-governance activities, internal and external audits, and coordinated audits related to 4 of 18 Master Document – Audit Program the accounting system. (1) Request the contractor provide a list of completed internal and external audits and determine if any are related to the accounting system. (2) If applicable, coordinate with the CAC or corporate office auditors to determine if any internal control weaknesses that might impact the accounting system were identified in management’s internal control report or the independent auditor’s attestation on management’s assertion included in the annual report filed with the SEC. i. Determine the need for technical assistance, if any, and document your consideration on working paper B-3. C-1 Control Environment W/P Reference Version 7.1, dated December 2009 The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The auditor should obtain a sufficient understanding of the control environment to determine the impact that it may have on the overall effectiveness of the contractor’s system of internal controls. (See Internal Control Matrix – Control Environment and Overall Accounting Controls, working paper 31.) The auditor should recognize those aspects of the contractor’s Control Environment and Overall Accounting Controls (either automated or manual) and should ensure that the related control activities adequately address those processes by performing the audit procedures set forth below. 1. Integrity and Ethical Values Management must convey the message that integrity and ethical values cannot be compromised, and employees must receive and understand that message through continuous demonstration of words, actions, and commitment to high ethical standards. a. Contractor Code of Business Ethics and Conduct - Perform procedures to address the requirements in FAR 52.203-13, 6 of 18 Master Document – Audit Program Contractor Code of Business Ethics and Conduct. (1) Verify the existence of a written code of conduct and review the contents to ensure it addresses ethical business practices, conflicts of interest, and expected standards of ethical and moral behavior. The code should cover dealings with customers, suppliers, employees, and other parties (See CAM 5-306.1). (FAR 52.203-13(b)(1)). (2) Obtain evidence that the code of conduct was made available to each employee (FAR 52.203-13(b)(1)). (3) Verify that written codes of conduct (a) are periodically communicated to all employees, (b) are formally acknowledged, and (c) cite consequences for violations. b. Business Ethics Awareness and Compliance Program - Perform procedures to address the requirements in FAR 52.203-13, Contractor Code of Business Ethics and Conduct, and FAR 52.203-14, Display of Hotline Poster(s). (1) Verify that the contractor’s policies and procedures provide for a business ethics awareness and compliance program (FAR 52.203-13(c)(1). (2) Verify that the business ethics awareness and compliance program includes an ethics training program for all principals and employees, and as appropriate, the contractor’s agents and subcontractors (see CAM 5-306.2). Selectively test this control by evaluating training program materials and training records of completion (FAR 52.203-13(c)(1). The training program should cover the contractor’s code of business ethics and conduct (see CAM 5-306.1). (3) Verify that the manager responsible for the ethics program reports to a high level official (e.g., vice president/CFO). (4) Contractors should not appoint, as a principal (e.g., officer, director, partner), an individual who previously engaged in conduct that conflicts with the contractor’s code of conduct (FAR 52.203-13(c)(2)(ii)(B)). Auditors should review the contractor’s policies and procedures and test the procedures to verify that they include steps for exercising due diligence in identifying such conduct (e.g., require background checks before appointing principals of the company) and that the steps have been taken when applicable. (5) Verify that the contractor performs periodic reviews (i.e., at least annually) of company business practices, procedures, and internal controls for compliance with the contractor’s code of business ethics and conduct and special requirements of 7 of 18 Master Document – Audit Program Government contracting, including the specific requirements in FAR 52.203-13(c)(2)(ii)(C). Review the results of the recent reviews and assess any impact on this audit. (6) Verify that the contractor has an internal reporting mechanism, such as a hotline, which allows for anonymity or confidentiality, by which employees may report suspected instances of improper conduct, and instructions that encourage employees to make such reports FAR 52.203-13(c)(2)(ii)(D)). (7) Verify that the contractor’s policies and procedures provide for appropriate disciplinary action for improper conduct, or failing to take reasonable steps to prevent or detect improper conduct (FAR 52.203-13(c)(2)(ii)(E)). Review the contractor’s assessment of whether disciplinary action was needed related to the incidences of improper conduct, and the action that was taken (if applicable) (see CAM 5-306.3). (8) Verify that the contractor’s policies and procedures provide for timely disclosure to the agency OIG, with a copy to the contracting officer, when there is credible evidence of a violation of Federal criminal law involving fraud, conflict of interest, bribery, or gratuity, or a violation of the civil False Claims Act in connection with Government contracts (see CAM 5-306.3) (FAR 52.203-13(c)(2)(ii)(F)). Request a copy of any disclosures made and verify that the contractor complied with their policies and procedures. If deficiencies are identified related to the requirements in FAR 52.203-13(c)(2)(ii)(F), the DCAA Justice Liaison Auditor (DCAAHQJLA@dcaa.mil) will be included on the distribution for the audit report. (9) Review any disclosures obtained in step 8 above. Ascertain if the contractor has taken the necessary corrective actions to protect the Government’s interests. If the contractor has not taken the appropriate corrective action, the auditor should report this as an internal control deficiency. (10) Verify that the contractor’s policies and procedures provide for cooperation with any Government agencies responsible for audits, investigations, or corrective actions (FAR 52.203-13(c)92)(ii)(G)). Confirm that there are no outstanding access to records issues or subpoenas that may indicate a lack of cooperation. (11) Verify that the contractor includes the substance of FAR 52.203-13 and 52.203-14, when appropriate, in its subcontracts (FAR 52.203-13(d)(1) and FAR 52.203-14(d)). Review a sample of subcontracts to determine if the FAR clause is 8 of 18 Master Document – Audit Program included in those subcontracts that should contain the clause. 2. External Auditor’s Report a. Obtain the external CPA’s report of material weaknesses of internal controls and/or management letter for the most recently audited year. For identified weaknesses of internal control, determine that corrective action has been taken to correct the item(s). b. Review the annual report for SEC registrants for an internal control report. This report includes an assessment of the effectiveness of the internal control structure and procedures for financial reporting, and the individual auditor must attest to and report on the contractor’s assessment. (1) Auditors located at segments or divisions of SEC Registrant companies will need to coordinate this effort with the CAC or Corporate auditors. (2) Determine whether corrective action has been taken in response to internal control weaknesses. c. Determine the reason for any recent changes in external auditors. Review the associated SEC filing by predecessor auditors for corroborating evidence. 3. Board of Directors/Audit Committee The Board of Directors and the Audit Committee should be sufficiently independent from management to constructively challenge managements’ decisions and act effectively on external audit communications and recommendations. The Board and Audit Committee should take an active role to ensure an appropriate upper managements’ commitment to ethical business practices and behavior. Auditors at contractor segments should request assist audits from the auditor cognizant of the corporate office to accomplish the applicable audit steps below. a. Obtain a list of Board of Director and Audit Committee members. Determine their relationship to the business and assess their independence. b. Evaluate the minutes of the Board of Directors' meeting and all communications with the Audit Committee or body of similar authority to determine if the Board is taking an active role in 9 of 18 Master Document – Audit Program significant management decisions. c. Evaluate the minutes of the Audit Committee meetings to determine if the committee (and/or Board of Directors) is acting effectively on all audit matters, including internal and external audit recommendations. d. Verify that the internal audit department is functionally and organizationally independent to achieve objectivity in the conduct of its audits. 4. Basic Structural Organization The organizational structure provides the overall framework for planning, directing, and controlling operations. This structure defines the form and nature of the organization, as well as the management functions and reporting relationships. Authority and areas of responsibility should be appropriately assigned. a. Complete or update the contractor's basic organizational structure questionnaire. (See Survey of Contractor’s Organization in “Other Audit Guidance” folder.) b. Review the current organization chart to determine whether it delineates clear lines of authority. 5. Assignment of Authority and Responsibility Management ensures that appropriate responsibility and delegation of authority is assigned to deal with goals and objectives, operating functions, regulatory requirements, information systems, and authorization for changes. The delegation of authority ensures a basis for accountability and control and sets forth individual respective roles. a. Verify that policies and procedures exist which specifically state the limitation or delegation of authority b. Verify that there is a clear assignment of responsibility and delegation of authority to deal with such matters as goals, objectives, operating functions, and regulatory requirements. 6. Financial Capability 10 of 18 Master Document – Audit Program Management must ensure the contractor has adequate financial resources to perform on Government contracts. a. Verify that management regularly conducts financial analyses and monitors contract cost performance. Observe that procedures are in place and appropriate management and the Board of Directors is being informed of adverse conditions. b. Evaluate notes to financial statements, management certifications, and SEC filings (including Management Discussion & Analysis) for any indication of potential adverse financial conditions and discuss these conditions with the controller or other financial managers. c. Consider the impact of any off-balance sheet arrangements disclosed (CAM 14-306). d. Consider the impact of severe financial distress on the ability of the contractor to perform on Government contracts. e. Determine that policies and procedures require the preparation of an accounts payable aging schedule and that results are elevated to appropriate levels of management. f. Evaluate procedures for analyzing the collectibility of receivables. g. Evaluate procedures and verify that the contractor monitors loan covenants and sets up payment schedules. h. Verify that the contractor periodically prepares and evaluates cash flow projections. D-1 Contractor Risk Assessment W/P Reference Version 7.1, dated December 2009 The auditor should develop a sufficient understanding of the risk assessment process currently employed by the contractor in terms of its identification, analysis, and management of risks relevant to the accumulation and recording of contract cost data. 1. Meet with responsible personnel to obtain an overview of the various risk factors considered by management. 2. Once the various risk factors are identified, obtain an understanding of how management identifies the risks, estimates the significance of risks, assesses the likelihood of their occurrence, and relates them to contract reporting. 3. If applicable, obtain an overview of any plans, programs, or actions management may initiate to address specific risks. Keep in mind that, 11 of 18 Master Document – Audit Program depending on the nature of specific risks, management may elect to accept a given risk due to costs or other considerations. 4. Document your overall understanding of the contractor’s risk assessment practices and the impact that it has on the nature and extent of testing of each control objective (W/Ps G and H). E-1 Information and Communications W/P Reference Version 7.1, dated December 2009 Information and communication processes consist of the methods and records established to record, process, summarize, and report contract cost data. The auditor should develop a sufficient understanding of the contractor’s information and communication processes (relevant to contract cost data) to identify significant classes of transactions and how they are initiated, processed, controlled, and reported. 1. Since the information system is an integral component of information and communication processes, evaluate the most recently completed ICAPS for the IT System General Internal Controls for the rationale behind any moderate or high-risk assessment ratings and determine the potential impact, if any, on the effectiveness of the contractor’s overall accounting system internal controls on information and communications. A necessary step in understanding the information and communication process is to trace selected transactions through the system (see Step 5 below). This will assist in validating the contractor’s demonstration of the system and identifying key controls requiring subsequent testing. 2. Evaluate relevant permanent files, prior audit working papers, and any prior contractor demonstrations of its overall accounting system information and communication processes. 3. Determine if the contractor has made changes to the information and communication processes in its accounting system since the last demonstration. Evaluate the changes. If no prior systems demonstration was performed, have the contractor provide one. Contractor representatives providing the demonstration should possess a detailed knowledge of the accounting system. The demonstration provides the auditor an opportunity to query contractor personnel regarding internal controls and how they are monitored. The auditor should ensure that the demonstration addresses the internal control objectives outlined in CAM 5-300. 4. The contractor should include appropriate manual and computerized controls in its information processing that check for accuracy, completeness, and proper authorization of transactions. Have the 12 of 18 Master Document – Audit Program contractor identify and demonstrate controls related to each of the areas listed in a. through e. below. Compare the contractor disclosed controls with the generic access control listing contained in the referenced CAM section and identify any controls not incorporated in the application. Verify the existence and adequacy of the contractor disclosed controls. Discuss any apparent deficiencies with the contractor. a. Access Controls (CAM 5-1406.1) b. Data Input Controls (CAM 5-1406.2) c. Processing Controls (CAM 5-1406.3) d. Error Correction and Submission (CAM 5-1406.4) e. Output Controls (CAM 5-1406.5) 5. Once the current accounting system information and communication processes are demonstrated by the contractor, selectively trace the processing of an accounting transaction through the accounting system starting from the initiation of the transaction (e.g., invoice payment) to validate your understanding of the accounting system. By tracing a transaction, the auditor should document the validity and operation of the key controls demonstrated by the contractor in steps 2-4 above (e.g., subsidiary ledgers reconcile to general ledger, adequate segregation of duties, proper approval of adjustments). Discrepancies between your understanding and the contractor’s demonstration should be noted and resolved prior to completing the remainder of this examination. 6. Document your confirmed understanding of the contractor’s accounting system information and communication processes and obtain a written confirmation from the contractor indicating that they agree with this understanding. This documentation will typically take the form of system flowcharts or narrative descriptions and can be prepared by the auditor or consist of documentation prepared by the contractor (see CAM 5-106). Based on your understanding of the contractor’s accounting system information and communication processes, document the impact that it will have on the nature and extent of testing of each control objective (W/Ps G and H). F-1 Monitoring W/P Reference Version 7.1, dated December 2009 13 of 18 Master Document – Audit Program Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The auditor should develop a sufficient understanding of the contractor’s ongoing monitoring activities and/or separate evaluations related to the accounting system internal controls. 1. Determine if ongoing monitoring procedures are incorporated into the normal recurring activities of the contractor’s organization. These procedures should include regular management and supervisory activities. 2. Where applicable, determine the extent of internal audit involvement in performing monitoring functions through separate evaluations. a. Consider whether the contractor has an adequate internal audit plan for conducting internal control and compliance reviews considering the contractor’s other monitoring activities b. Verify that there are effective follow-up procedures on internal audit recommendations. 3. Document your overall understanding of the monitoring activity being performed at the contractor’s location and the impact it will have on the nature and extent of testing of each control objective (W/Ps G and H). G-1 Accounting System and Controls W/P Reference Version 7.1, dated December 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Accounting system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control 14 of 18 Master Document – Audit Program objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications  Monitoring The auditor should ensure that the accounting system is well designed and is operating effectively to provide reliable accounting data and prevent misstatements that would otherwise occur. 2. Determine that the contractor maintains a current description of the accounting system, including books of original entry, general and subsidiary ledgers, and any statistical and/or supporting records which demonstrate the initiation of transactions, the flow of documents, and the identification of all points where correcting, adjusting or other cost transfers can be entered into the system. 3. Determine if the contractor maintains a chart of accounts which is updated in a timely manner. 4. Verify that adequate written policies and procedures exist for approving and documenting correcting, adjusting, closing, credit, and transfer entries. 5. Verify that adequate procedures exist for reconciling all subsidiary cost ledgers and cost objectives to the general ledger accounts. If this is a computerized function, the auditor should document how this is accomplished and selectively test to verify that it is occurring properly. 6. Verify that a trial balance is prepared on a regular basis and reconciles to the financial statements. 7. Verify that adequate procedures exist for controlling monthly accrual calculations and that an adequate approval process is used. 8. Verify that there is adequate segregation of duties and responsibilities in such areas as access to accounting records, check-signing authority, recording disbursements in cash journal, performance of bank reconciliations, etc. 9. Determine whether policies and procedures require identification of systemic problems or trends based on error reports. Verify that corrections are processed in a timely manner. 10. Evaluate management intervention and/or overrides: a. Determine whether policies and procedures address the situations and frequency of management intervention, require documentation and approval of intervention, and the strict prohibition of any 15 of 18 Master Document – Audit Program management overrides. b. If applicable, selectively evaluate documentation of management interventions or overrides for compliance with policies and procedures. 11. Determine if the contractor has disclosed the use of non-GAAP financial measures in the filed financial statements. If so, determine if reliance is placed on any of this information for this audit or any related audits. If so, determine the impact on the assessment of control risk (the contractor is required to disclose the most directly comparable GAAP financial measure and it’s reconciliation to the disclosed non-GAAP financial measure). H-1 Cost Allocations W/P Reference Version 7.1, dated December 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Accounting system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. The auditor should determine if management ensures that an item of cost or a group of items of cost are assigned to one or more cost objectives in accordance with rules and regulations and standards. Management ensures the proper allocation of both the direct assignment of cost and the reassignment of a share from an indirect cost pool. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications 16 of 18 Master Document – Audit Program  Monitoring 2. Determine that the contractor's disclosure statement is current and adequately describes its accounting practices. 3. Document, if applicable, any CAS noncompliances that may impact the internal control structure. 4. Verify that adequate written policies and procedures exist for the identification and exclusion of unallowable costs. Determine that the detail and depth of records required as backup support for proposals, billings, or claims are adequate to establish and maintain visibility of identified unallowable costs (CAS 405). 5. Verify that adequate written procedures exist to ensure that charge numbers are based on contractual requirements and are under management control and authorizations. 6. Verify that adequate written procedures exist for adjusting costs charged to the Government for any income, rebates, allowances, or miscellaneous credits and that appropriate approvals are required.
- B-1 Preliminary Steps W/P Reference Version 7.1, dated December 2009 1. Research and Planning a. Become familiar with applicable sections of CAM 5-300. Any recent relevant Headquarters guidance (i.e., MRDs, AGMs, and AMGMs) not incorporated in the CAM can be accessed from the Agency-Wide 2 of 18 Master Document – Audit Program Library available on the DCAA’s intranet home page. b. Perform the following steps using the permanent file: (1) Review prior accounting system audit working paper package. (2) Identify any accounting system deficiency reports issued (review ICRS database, as applicable). Document the results of (1) and (2) on W/P B-2. (3) Determine if there are any reported deficiencies in the other internal control system audits that impact the scope of this accounting system audit (review ICRS database, as applicable). Document on W/P B-2. The results of the IT Systems General Internal Controls examination, if any, should also be evaluated and documented in detail under Information and Communications, Section E-1, Step 1. (4) Identify the sources for the detailed policies, procedures, charts, etc., called for in steps (a) through (d) below. Document the sources of data by listing the data, its source, and any changes since the last system audit. (a) Contractor’s written policies and procedures and accounting system manual. (b) Organization charts depicting the functional areas responsible for developing and processing accounting related data. (c) Accounting system flowcharts providing a pictorial overview of all manual and computerized processing steps (including interfaces between the general accounting system and other systems). (d) Information systems documentation: (i) Pertinent record layouts of files created and/or used during the processing of accounting system related transactions. (ii) Database table definitions. (iii)Source documents. (iv) Information on the conversion of documents to computer media. (v) Subsidiary or master files affected by the system. (vi) Relevant reports, journals, and ledgers produced in the flow of information to the accounting system reports. (5) Review audit lead sheets. (6) Review other related audits, for example the impact of suspected irregular conduct (SIC) and CAS noncompliances, if applicable. 3 of 18 Master Document – Audit Program (7) Consider the impact of the contractor’s financial condition on the accounting system. (Refer to prior financial capability assessments or audits – 176XX). c. Discuss the planned evaluation of the Control Environment and the Overall Accounting Controls with the administrative contracting officer and the contractor’s major procuring activities to identify, understand, and document any concerns they may have of areas which should be evaluated. d. In planning and performing the examination, consider the fraud risk indicators specific to the audit. The principal sources for the applicable fraud risk indicators are:  Handbook on Fraud Indicators for Contract Auditors, Section II (IGDH 7600.3, APO March 31, 1993) located at http://www.dodig.mil/PUBS/igdh7600.doc (To access the handbook, copy and paste the web address shown above into the address block in Internet Explorer.)  CAM Figure 4-7-3. Document in working paper B any identified fraud risk indicators and your response/actions to the identified risks (either individually, or in combination). This should be done at the planning stage of the audit as well as during the audit if risk indicators are disclosed. If no risk indicators are identified, document this in working paper B. e. Obtain from the contractor a schedule of total dollars processed through the accounting system for the past twelve months (or most recently completed fiscal year) and summarize by total dollars and dollars by Government flexibly priced contracts and fixed price contracts in order to determine the materiality of the accounting system. Complete the Materiality section of the ICAPS form at W/P A. f. FAOs that have cognizance of contractors with significant classified contracts should coordinate with the Field Detachment to determine the DCAA office responsible for reviewing costs on classified contracts. This coordination should be documented in the working papers. FAOs should also coordinate with the Field Detachment on any significant accounting system issues. g. Close coordination is required at FAOs cognizant of a shared services location and the FAOs cognizant of the segments serviced by the shared services. Document the objectives and procedures to be performed at the shared services location and the segment level. Request assist audits, as applicable. h. Determine the extent and results of the contractor’s self-governance activities, internal and external audits, and coordinated audits related to 4 of 18 Master Document – Audit Program the accounting system. (1) Request the contractor provide a list of completed internal and external audits and determine if any are related to the accounting system. (2) If applicable, coordinate with the CAC or corporate office auditors to determine if any internal control weaknesses that might impact the accounting system were identified in management’s internal control report or the independent auditor’s attestation on management’s assertion included in the annual report filed with the SEC. i. Determine the need for technical assistance, if any, and document your consideration on working paper B-3. C-1 Control Environment W/P Reference Version 7.1, dated December 2009 The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The auditor should obtain a sufficient understanding of the control environment to determine the impact that it may have on the overall effectiveness of the contractor’s system of internal controls. (See Internal Control Matrix – Control Environment and Overall Accounting Controls, working paper 31.) The auditor should recognize those aspects of the contractor’s Control Environment and Overall Accounting Controls (either automated or manual) and should ensure that the related control activities adequately address those processes by performing the audit procedures set forth below. 1. Integrity and Ethical Values Management must convey the message that integrity and ethical values cannot be compromised, and employees must receive and understand that message through continuous demonstration of words, actions, and commitment to high ethical standards. a. Contractor Code of Business Ethics and Conduct - Perform procedures to address the requirements in FAR 52.203-13, 6 of 18 Master Document – Audit Program Contractor Code of Business Ethics and Conduct. (1) Verify the existence of a written code of conduct and review the contents to ensure it addresses ethical business practices, conflicts of interest, and expected standards of ethical and moral behavior. The code should cover dealings with customers, suppliers, employees, and other parties (See CAM 5-306.1). (FAR 52.203-13(b)(1)). (2) Obtain evidence that the code of conduct was made available to each employee (FAR 52.203-13(b)(1)). (3) Verify that written codes of conduct (a) are periodically communicated to all employees, (b) are formally acknowledged, and (c) cite consequences for violations. b. Business Ethics Awareness and Compliance Program - Perform procedures to address the requirements in FAR 52.203-13, Contractor Code of Business Ethics and Conduct, and FAR 52.203-14, Display of Hotline Poster(s). (1) Verify that the contractor’s policies and procedures provide for a business ethics awareness and compliance program (FAR 52.203-13(c)(1). (2) Verify that the business ethics awareness and compliance program includes an ethics training program for all principals and employees, and as appropriate, the contractor’s agents and subcontractors (see CAM 5-306.2). Selectively test this control by evaluating training program materials and training records of completion (FAR 52.203-13(c)(1). The training program should cover the contractor’s code of business ethics and conduct (see CAM 5-306.1). (3) Verify that the manager responsible for the ethics program reports to a high level official (e.g., vice president/CFO). (4) Contractors should not appoint, as a principal (e.g., officer, director, partner), an individual who previously engaged in conduct that conflicts with the contractor’s code of conduct (FAR 52.203-13(c)(2)(ii)(B)). Auditors should review the contractor’s policies and procedures and test the procedures to verify that they include steps for exercising due diligence in identifying such conduct (e.g., require background checks before appointing principals of the company) and that the steps have been taken when applicable. (5) Verify that the contractor performs periodic reviews (i.e., at least annually) of company business practices, procedures, and internal controls for compliance with the contractor’s code of business ethics and conduct and special requirements of 7 of 18 Master Document – Audit Program Government contracting, including the specific requirements in FAR 52.203-13(c)(2)(ii)(C). Review the results of the recent reviews and assess any impact on this audit. (6) Verify that the contractor has an internal reporting mechanism, such as a hotline, which allows for anonymity or confidentiality, by which employees may report suspected instances of improper conduct, and instructions that encourage employees to make such reports FAR 52.203-13(c)(2)(ii)(D)). (7) Verify that the contractor’s policies and procedures provide for appropriate disciplinary action for improper conduct, or failing to take reasonable steps to prevent or detect improper conduct (FAR 52.203-13(c)(2)(ii)(E)). Review the contractor’s assessment of whether disciplinary action was needed related to the incidences of improper conduct, and the action that was taken (if applicable) (see CAM 5-306.3). (8) Verify that the contractor’s policies and procedures provide for timely disclosure to the agency OIG, with a copy to the contracting officer, when there is credible evidence of a violation of Federal criminal law involving fraud, conflict of interest, bribery, or gratuity, or a violation of the civil False Claims Act in connection with Government contracts (see CAM 5-306.3) (FAR 52.203-13(c)(2)(ii)(F)). Request a copy of any disclosures made and verify that the contractor complied with their policies and procedures. If deficiencies are identified related to the requirements in FAR 52.203-13(c)(2)(ii)(F), the DCAA Justice Liaison Auditor (DCAAHQJLA@dcaa.mil) will be included on the distribution for the audit report. (9) Review any disclosures obtained in step 8 above. Ascertain if the contractor has taken the necessary corrective actions to protect the Government’s interests. If the contractor has not taken the appropriate corrective action, the auditor should report this as an internal control deficiency. (10) Verify that the contractor’s policies and procedures provide for cooperation with any Government agencies responsible for audits, investigations, or corrective actions (FAR 52.203-13(c)92)(ii)(G)). Confirm that there are no outstanding access to records issues or subpoenas that may indicate a lack of cooperation. (11) Verify that the contractor includes the substance of FAR 52.203-13 and 52.203-14, when appropriate, in its subcontracts (FAR 52.203-13(d)(1) and FAR 52.203-14(d)). Review a sample of subcontracts to determine if the FAR clause is 8 of 18 Master Document – Audit Program included in those subcontracts that should contain the clause. 2. External Auditor’s Report a. Obtain the external CPA’s report of material weaknesses of internal controls and/or management letter for the most recently audited year. For identified weaknesses of internal control, determine that corrective action has been taken to correct the item(s). b. Review the annual report for SEC registrants for an internal control report. This report includes an assessment of the effectiveness of the internal control structure and procedures for financial reporting, and the individual auditor must attest to and report on the contractor’s assessment. (1) Auditors located at segments or divisions of SEC Registrant companies will need to coordinate this effort with the CAC or Corporate auditors. (2) Determine whether corrective action has been taken in response to internal control weaknesses. c. Determine the reason for any recent changes in external auditors. Review the associated SEC filing by predecessor auditors for corroborating evidence. 3. Board of Directors/Audit Committee The Board of Directors and the Audit Committee should be sufficiently independent from management to constructively challenge managements’ decisions and act effectively on external audit communications and recommendations. The Board and Audit Committee should take an active role to ensure an appropriate upper managements’ commitment to ethical business practices and behavior. Auditors at contractor segments should request assist audits from the auditor cognizant of the corporate office to accomplish the applicable audit steps below. a. Obtain a list of Board of Director and Audit Committee members. Determine their relationship to the business and assess their independence. b. Evaluate the minutes of the Board of Directors' meeting and all communications with the Audit Committee or body of similar authority to determine if the Board is taking an active role in 9 of 18 Master Document – Audit Program significant management decisions. c. Evaluate the minutes of the Audit Committee meetings to determine if the committee (and/or Board of Directors) is acting effectively on all audit matters, including internal and external audit recommendations. d. Verify that the internal audit department is functionally and organizationally independent to achieve objectivity in the conduct of its audits. 4. Basic Structural Organization The organizational structure provides the overall framework for planning, directing, and controlling operations. This structure defines the form and nature of the organization, as well as the management functions and reporting relationships. Authority and areas of responsibility should be appropriately assigned. a. Complete or update the contractor's basic organizational structure questionnaire. (See Survey of Contractor’s Organization in “Other Audit Guidance” folder.) b. Review the current organization chart to determine whether it delineates clear lines of authority. 5. Assignment of Authority and Responsibility Management ensures that appropriate responsibility and delegation of authority is assigned to deal with goals and objectives, operating functions, regulatory requirements, information systems, and authorization for changes. The delegation of authority ensures a basis for accountability and control and sets forth individual respective roles. a. Verify that policies and procedures exist which specifically state the limitation or delegation of authority b. Verify that there is a clear assignment of responsibility and delegation of authority to deal with such matters as goals, objectives, operating functions, and regulatory requirements. 6. Financial Capability 10 of 18 Master Document – Audit Program Management must ensure the contractor has adequate financial resources to perform on Government contracts. a. Verify that management regularly conducts financial analyses and monitors contract cost performance. Observe that procedures are in place and appropriate management and the Board of Directors is being informed of adverse conditions. b. Evaluate notes to financial statements, management certifications, and SEC filings (including Management Discussion & Analysis) for any indication of potential adverse financial conditions and discuss these conditions with the controller or other financial managers. c. Consider the impact of any off-balance sheet arrangements disclosed (CAM 14-306). d. Consider the impact of severe financial distress on the ability of the contractor to perform on Government contracts. e. Determine that policies and procedures require the preparation of an accounts payable aging schedule and that results are elevated to appropriate levels of management. f. Evaluate procedures for analyzing the collectibility of receivables. g. Evaluate procedures and verify that the contractor monitors loan covenants and sets up payment schedules. h. Verify that the contractor periodically prepares and evaluates cash flow projections. D-1 Contractor Risk Assessment W/P Reference Version 7.1, dated December 2009 The auditor should develop a sufficient understanding of the risk assessment process currently employed by the contractor in terms of its identification, analysis, and management of risks relevant to the accumulation and recording of contract cost data. 1. Meet with responsible personnel to obtain an overview of the various risk factors considered by management. 2. Once the various risk factors are identified, obtain an understanding of how management identifies the risks, estimates the significance of risks, assesses the likelihood of their occurrence, and relates them to contract reporting. 3. If applicable, obtain an overview of any plans, programs, or actions management may initiate to address specific risks. Keep in mind that, 11 of 18 Master Document – Audit Program depending on the nature of specific risks, management may elect to accept a given risk due to costs or other considerations. 4. Document your overall understanding of the contractor’s risk assessment practices and the impact that it has on the nature and extent of testing of each control objective (W/Ps G and H). E-1 Information and Communications W/P Reference Version 7.1, dated December 2009 Information and communication processes consist of the methods and records established to record, process, summarize, and report contract cost data. The auditor should develop a sufficient understanding of the contractor’s information and communication processes (relevant to contract cost data) to identify significant classes of transactions and how they are initiated, processed, controlled, and reported. 1. Since the information system is an integral component of information and communication processes, evaluate the most recently completed ICAPS for the IT System General Internal Controls for the rationale behind any moderate or high-risk assessment ratings and determine the potential impact, if any, on the effectiveness of the contractor’s overall accounting system internal controls on information and communications. A necessary step in understanding the information and communication process is to trace selected transactions through the system (see Step 5 below). This will assist in validating the contractor’s demonstration of the system and identifying key controls requiring subsequent testing. 2. Evaluate relevant permanent files, prior audit working papers, and any prior contractor demonstrations of its overall accounting system information and communication processes. 3. Determine if the contractor has made changes to the information and communication processes in its accounting system since the last demonstration. Evaluate the changes. If no prior systems demonstration was performed, have the contractor provide one. Contractor representatives providing the demonstration should possess a detailed knowledge of the accounting system. The demonstration provides the auditor an opportunity to query contractor personnel regarding internal controls and how they are monitored. The auditor should ensure that the demonstration addresses the internal control objectives outlined in CAM 5-300. 4. The contractor should include appropriate manual and computerized controls in its information processing that check for accuracy, completeness, and proper authorization of transactions. Have the 12 of 18 Master Document – Audit Program contractor identify and demonstrate controls related to each of the areas listed in a. through e. below. Compare the contractor disclosed controls with the generic access control listing contained in the referenced CAM section and identify any controls not incorporated in the application. Verify the existence and adequacy of the contractor disclosed controls. Discuss any apparent deficiencies with the contractor. a. Access Controls (CAM 5-1406.1) b. Data Input Controls (CAM 5-1406.2) c. Processing Controls (CAM 5-1406.3) d. Error Correction and Submission (CAM 5-1406.4) e. Output Controls (CAM 5-1406.5) 5. Once the current accounting system information and communication processes are demonstrated by the contractor, selectively trace the processing of an accounting transaction through the accounting system starting from the initiation of the transaction (e.g., invoice payment) to validate your understanding of the accounting system. By tracing a transaction, the auditor should document the validity and operation of the key controls demonstrated by the contractor in steps 2-4 above (e.g., subsidiary ledgers reconcile to general ledger, adequate segregation of duties, proper approval of adjustments). Discrepancies between your understanding and the contractor’s demonstration should be noted and resolved prior to completing the remainder of this examination. 6. Document your confirmed understanding of the contractor’s accounting system information and communication processes and obtain a written confirmation from the contractor indicating that they agree with this understanding. This documentation will typically take the form of system flowcharts or narrative descriptions and can be prepared by the auditor or consist of documentation prepared by the contractor (see CAM 5-106). Based on your understanding of the contractor’s accounting system information and communication processes, document the impact that it will have on the nature and extent of testing of each control objective (W/Ps G and H). F-1 Monitoring W/P Reference Version 7.1, dated December 2009 13 of 18 Master Document – Audit Program Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The auditor should develop a sufficient understanding of the contractor’s ongoing monitoring activities and/or separate evaluations related to the accounting system internal controls. 1. Determine if ongoing monitoring procedures are incorporated into the normal recurring activities of the contractor’s organization. These procedures should include regular management and supervisory activities. 2. Where applicable, determine the extent of internal audit involvement in performing monitoring functions through separate evaluations. a. Consider whether the contractor has an adequate internal audit plan for conducting internal control and compliance reviews considering the contractor’s other monitoring activities b. Verify that there are effective follow-up procedures on internal audit recommendations. 3. Document your overall understanding of the monitoring activity being performed at the contractor’s location and the impact it will have on the nature and extent of testing of each control objective (W/Ps G and H). G-1 Accounting System and Controls W/P Reference Version 7.1, dated December 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Accounting system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control 14 of 18 Master Document – Audit Program objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications  Monitoring The auditor should ensure that the accounting system is well designed and is operating effectively to provide reliable accounting data and prevent misstatements that would otherwise occur. 2. Determine that the contractor maintains a current description of the accounting system, including books of original entry, general and subsidiary ledgers, and any statistical and/or supporting records which demonstrate the initiation of transactions, the flow of documents, and the identification of all points where correcting, adjusting or other cost transfers can be entered into the system. 3. Determine if the contractor maintains a chart of accounts which is updated in a timely manner. 4. Verify that adequate written policies and procedures exist for approving and documenting correcting, adjusting, closing, credit, and transfer entries. 5. Verify that adequate procedures exist for reconciling all subsidiary cost ledgers and cost objectives to the general ledger accounts. If this is a computerized function, the auditor should document how this is accomplished and selectively test to verify that it is occurring properly. 6. Verify that a trial balance is prepared on a regular basis and reconciles to the financial statements. 7. Verify that adequate procedures exist for controlling monthly accrual calculations and that an adequate approval process is used. 8. Verify that there is adequate segregation of duties and responsibilities in such areas as access to accounting records, check-signing authority, recording disbursements in cash journal, performance of bank reconciliations, etc. 9. Determine whether policies and procedures require identification of systemic problems or trends based on error reports. Verify that corrections are processed in a timely manner. 10. Evaluate management intervention and/or overrides: a. Determine whether policies and procedures address the situations and frequency of management intervention, require documentation and approval of intervention, and the strict prohibition of any 15 of 18 Master Document – Audit Program management overrides. b. If applicable, selectively evaluate documentation of management interventions or overrides for compliance with policies and procedures. 11. Determine if the contractor has disclosed the use of non-GAAP financial measures in the filed financial statements. If so, determine if reliance is placed on any of this information for this audit or any related audits. If so, determine the impact on the assessment of control risk (the contractor is required to disclose the most directly comparable GAAP financial measure and it’s reconciliation to the disclosed non-GAAP financial measure). H-1 Cost Allocations W/P Reference Version 7.1, dated December 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Accounting system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. The auditor should determine if management ensures that an item of cost or a group of items of cost are assigned to one or more cost objectives in accordance with rules and regulations and standards. Management ensures the proper allocation of both the direct assignment of cost and the reassignment of a share from an indirect cost pool. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications 16 of 18 Master Document – Audit Program  Monitoring 2. Determine that the contractor's disclosure statement is current and adequately describes its accounting practices. 3. Document, if applicable, any CAS noncompliances that may impact the internal control structure. 4. Verify that adequate written policies and procedures exist for the identification and exclusion of unallowable costs. Determine that the detail and depth of records required as backup support for proposals, billings, or claims are adequate to establish and maintain visibility of identified unallowable costs (CAS 405). 5. Verify that adequate written procedures exist to ensure that charge numbers are based on contractual requirements and are under management control and authorizations. 6. Verify that adequate written procedures exist for adjusting costs charged to the Government for any income, rebates, allowances, or miscellaneous credits and that appropriate approvals are required.
- 2. Entrance Conference and Preparation a. Prepare a written memorandum to the contractor to arrange for an entrance conference, covering the areas highlighted in CAM 4-302 and any specific data or pertinent information not yet provided. b. Conduct an entrance conference as outlined in CAM 4-302, with particular emphasis on: (1) Requesting the contractor to provide, if applicable, a system orientation briefing or a demonstration of the overall accounting system transaction flow including data input, data processing, data output, and related internal controls. Document under Information and Communications, Section E-1, Step 3. (2) Determining any changes in the accounting system process since the last examination. (3) Discussing the contractor's risk assessment process. Overall understanding of contractor’s processes will be documented under Contractor Risk Assessment, Section D-1. (4) Discussing the contractor’s monitoring process to ensure that established manual and computerized controls are functioning as intended. Document under Monitoring, Section F-1. (5) Discussing any identified weaknesses which may have been previously reported and related follow-up actions taken. 3. Other Preliminary Steps 5 of 18 Master Document – Audit Program Perform a high level cursory assessment to determine if the following exist: a. A functional accounting organization with defined organizational responsibilities. b. A written description of the work flow in the accounting process. c. Policies and procedures for effectively controlling the process.
- A-1 Concluding Steps W/P Reference Version 7.1, dated December 2009 1. Assessment of Control Risk a. Considering all five components of internal control (control environment, contractor risk assessment, information and communications, monitoring, and control activities that relate to control objectives), assess control risk for each of the relevant control objectives (accounting system and controls and cost allocations). For each of the objectives, summarize the characteristics which support the assessed level of control risk and specifically identify any internal control weaknesses or system deficiencies. b. Determine if the accounting system is adequate to reasonably assure proper pricing, administration, and settlement of Government contracts in accordance with applicable laws and regulations. c. Based on the assessments above, determine the impact on the scope of other audits. d. Complete the ICAPS form at W/P A(see CAM 3-305). 17 of 18 Master Document – Audit Program 18 of 18 e. Coordinate the results of audit with the supervisor. The supervisor and the FAO manager should review and initial the ICAPS form at W/P A before the exit conference is performed. If it is determined that additional audit steps are needed, any additional planned audit effort should be accomplished as part of this examination or immediately thereafter. Any delays in completing this audit effort should be documented and approved by management. 2. Summary Steps a. Prepare a draft audit report in accordance with CAM 10-400. If applicable, prepare a separate CAS noncompliance report. b. Conduct an exit conference with the contractor in accordance with CAM 4-304. c. Finalize the audit report incorporating the contractor's response and audit rejoinder. d. If the contractor has EVMS covered contracts, provide comments in the audit report on whether any findings are likely to impact the contractor's EVMS (10-1204.5b). Discuss findings and recommendations relating to the EVMS with the Contract Administration Office EVMS Monitor prior to issuance of the report. Immediately evaluate the impact of these findings on specific EVMS covered contracts and provide the details in flash EVMS surveillance reports (11-203.5.b). e. Update the permanent file in accordance with CAM 4-405.b (MAAR 3). Retain a copy of the approved W/P A ICAPS form. After the audit report is issued, update the ICRS database using the information on the approved W/P A ICAPS form and file the approved W/P A ICAPS form in the Electronic Contractor Permanent File (ECPF). (The control risk assessment (Section II) and overall system opinion (Section III) in the ICAPS may not be updated until the system report supporting the change is issued (CAM 3-306a).)
- Activity Code 17600 Financial Capability Audit Version 8.2, dated May 2008 B-1 Planning Considerations Purpose and Scope The purpose of the detailed financial condition risk assessment is to determine if there are significant indicators of any financial distress that would warrant the performance of a financial capability audit. The purpose of a financial capability audit is to determine if the contractor has adequate financial resources to perform on Government contracts in the near term. This audit program contains steps for performing a detailed risk assessment of the contractor’s financial condition as required by CAM 14-303. Detailed risk assessments should be performed at contractors with Government sales greater than $15 million every three years, unless increased risk exists. Modified risk assessments should be performed in the years when the detailed risk assessments are not performed. A separate audit program, entitled Financial Capability, Modified Financial Condition Risk Assessment (DMIS code 17610), is available for performing modified risk assessments. FAOs should also consider circumstances where performance of a financial condition risk assessment may not be applicable, such as, contractors that are no longer performing on Government contracts (refer to CAM 14-303e for additional examples). References 1. FAR 9.104-1, General Standards 2. DFARS 232.072, Financial Responsibility of Contractors 3. SAS 59, The Entity's Ability to Continue as a Going Concern 4. CAM 14-300, Contractor Financial Capability Audits and Reporting 5. FASB 95, Statement of Cash Flows
- Activity Code 17600 Financial Capability Audit Version 8.2, dated May 2008 B-1 Planning Considerations Purpose and Scope The purpose of the detailed financial condition risk assessment is to determine if there are significant indicators of any financial distress that would warrant the performance of a financial capability audit. The purpose of a financial capability audit is to determine if the contractor has adequate financial resources to perform on Government contracts in the near term. This audit program contains steps for performing a detailed risk assessment of the contractor’s financial condition as required by CAM 14-303. Detailed risk assessments should be performed at contractors with Government sales greater than $15 million every three years, unless increased risk exists. Modified risk assessments should be performed in the years when the detailed risk assessments are not performed. A separate audit program, entitled Financial Capability, Modified Financial Condition Risk Assessment (DMIS code 17610), is available for performing modified risk assessments. FAOs should also consider circumstances where performance of a financial condition risk assessment may not be applicable, such as, contractors that are no longer performing on Government contracts (refer to CAM 14-303e for additional examples). References 1. FAR 9.104-1, General Standards 2. DFARS 232.072, Financial Responsibility of Contractors 3. SAS 59, The Entity's Ability to Continue as a Going Concern 4. CAM 14-300, Contractor Financial Capability Audits and Reporting 5. FASB 95, Statement of Cash Flows
- B-1 Preliminary Steps Version 8.2, dated May 2008 W/P Reference 1. Research and Planning a. Financial condition risk assessments/financial capability audits are generally performed at the parent company. If this is a risk assessment/audit of a contractor segment, ensure that an exception for performing the audit at the segment level applies (CAM 14- 1 of 17 Master Document 302). b. If this is a requested audit, review the audit request for matters of particular interest to acquisition officials. Contact the requestor or contact the administrative office to discuss any specific areas of concern. Proceed with the risk assessment and/or audit tailoring this program to satisfy the customer’s need and prepare an acknowledgment letter. c. If the detailed risk assessment/audit is being performed at the parent company (as determined in Step 1a above): (1) Auditors at the parent location should identify all Government subsidiaries with significant Government contracts and cognizant DCAA offices. (2) If the parent “sweeps cash” through a cash management plan, request a copy of that plan to include any policies and procedures related to how transfers of cash surpluses or coverage of subsidiary cash deficits are accounted for (i.e., inter/intra accounts receivables established and related liabilities, bank accounts used, identified transactions between the parent and the Government subsidiary(ies)) detailing the net cash transferred to the parent or the net cash transferred to the subsidiary(ies) over the past three years. d. Review permanent files. (1) Review the results of prior accounting system surveys and results of related audits. (2) Obtain financial statements for the last three years. (3) Review the most recent financial condition risk assessment or financial capability audit. (4) Review any audit leads, including the results of any internal/external audit work in this area, and any audit leads of financial problems. Auditors at parent offices with multiple subsidiaries may survey auditors at all Government locations to identify any unfavorable or adverse events if deemed necessary. (5) Obtain the mix of Government and commercial business. e. If the contractor is classified as non-major (where ICAPS have not been completed) and if the evidential matter to be obtained during the audit is highly dependent on computerized information systems, document on working paper (W/P) B-2 the audit work performed that supports reliance on the computer-based evidential matter. Specifically, document or reference one or more of the following in W/P B-2: 2 of 17 Master Document (1) the audit assignment(s) where the reliability of the data was sufficiently established in other DCAA audits, (2) the procedures/tests that will be performed in this audit to evaluate the incurred costs that will also support reliance on the evidential matter, and/or (3) the tests that will be performed in this audit that will be specifically designed to test the reliability of the computer-based data. When sufficient work is not performed to determine reliability (i.e., reduce audit risk to an acceptable level), qualify the audit report in accordance with CAM 10-210.4a and 10-1204.4. f. In planning and performing the examination, review the fraud risk indicators specific to the audit. The principal sources for the applicable fraud risk indicators are: • Listing of Fraud Risk Indicators, Financial Capability Audits (See APPS Other Audit Guidance (OAG) folder for FINCAP-Listing of Fraud Indicators.doc) Document in W/P B any identified fraud risk indicators and your response/actions to the identified risks (either individually, or in combination). This should be done at the planning stage of the audit as well as during the audit if risk indicators are disclosed. If no risk indicators are identified, document this in W/P B. g. If the company is not publicly held, request the contractor to provide written confirmation that the financial statements provided during the financial condition risk assessment disclose all off-balance sheet arrangements and related party transactions. A proforma letter requesting contractor confirmation on the financial statements is included in the Administrative section of the APPS, entitled 31 - Confirmation Letter - Financial Statements. h. If the company is not publicly held, and the contractor states that all off-balance sheet arrangements and related party transactions are not reflected in the financial statements and/or cash flow forecasts, request the contractor to provide a schedule separately showing (1) the maximum liability included in the financial statements and cash flow forecast and (2) the maximum liability not reflected in the financial statements and cash flow forecast, for off-balance sheet arrangements and related party transactions. i. Publicly held companies are required to disclose details regarding off-balance sheet arrangements under a separately captioned subsection of the “Management’s Discussion and Analysis” section of the quarterly and annual U.S. Securities and Exchange Commission (SEC) filings. Review the appropriate section of the 3 of 17 Master Document SEC filings. j. The contractor should be requested to provide: (1) Any inquiries from their independent public accountant (IPA) related to off-balance sheet arrangements and related party transactions and their responses. (2) The results and reports of any internal audits, reviews or other analyses of off-balance sheet arrangements and related party transactions. k. When performing a detailed risk assessment, request preliminary data from the contractor. If performing an audit, prepare a list of data required for the audit and provide to the contractor when establishing the entrance conference date. Conduct an entrance conference with the contractor in accordance with CAM 4-302. Key company executives should be invited to attend the conference. l. During the entrance conference, ask the contractor if there are any significant events that have occurred or may occur in the near future (sale of a division, loss of a contract, large layoff, new contract, buying larger plant, etc.). m. Document any significant or unfavorable events that would impact the contractor’s financial status (loss of a contract, major layoff, sale of a division, etc.). The existence of this type of information may be contained within the permanent files, audit lead sheets, ICAPS/ICQ, local newspaper articles, or obtained through discussions with the contractor, supervisor, or auditor that normally works at the contractor location. 2. Risk Assessment a. Obtain preliminary data and information: Based on the circumstances, tailor the following audit steps to perform the assessment. (1) Gather the information needed to perform or update the risk assessment. If not already in the permanent files obtain: (a) annual financial statements and/or annual reports for the last three years, plus year-to-date financial information for the last quarter available; (b) current Form 10K and 10Q (required SEC annual and quarterly filings for publicly traded companies); (c) tax returns for non-publicly traded companies to validate unaudited financial statements; and 4 of 17 Master Document (d) external credit ratings. (2) Request the contractor to provide any analyses it has performed to assess its current and future financial condition. Ask the contractor to provide details on prior, current, and forecasted events that have had or are forecasted to have a favorable or unfavorable impact on its financial condition. b. Internal Controls. The auditor should consider the contractor's internal control structure relating to financial planning and monitoring and its cash management plan. Review the ICAPS (or the ICQ for non-majors) to determine if any internal control deficiencies have been identified that impact this risk assessment or audit. Some of the key controls are: (1) written policies and procedures that require evaluation of current financial conditions in order to anticipate and avoid unfavorable or adverse conditions; (2) periodic assessments of accounts payable and receivable, including analysis of accounts payable aging and the collectibility of accounts receivable; (3) periodic assessments to ensure compliance with any loan covenants and debt payment schedules; (4) preparation of cash flow forecasts, including reasonable and supported assumptions; (5) monitoring, analyzing and managing its cash flow; and (6) periodic assessments of contract cost performance. c. Trend Analysis of Key Financial Ratios. (1) Use the contractor's financial statements to compute the ratios for the most recently completed fiscal year and the previous two fiscal years. An electronic workbook that calculates financial ratios is included in the OAG section of the APPS entitled Financial Capability Workbook. If compelling reasons exist to question the financial statements, or the statements are unaudited, then the auditor should consider additional steps to verify the financial information prior to computing the ratios, (e.g., compare key financial statement amounts (total assets, total liabilities, etc.) to the general ledger or tax returns to validate data in the unaudited financial statements). If performing an audit, the audit report should be qualified if the financial statements are unaudited. (2) Request from the contractor any additional ratios that the contractor believes may be a better indicator of its financial 5 of 17 Master Document condition. Consider using such ratios. (3) Review the trends of the contractor's key ratios. If consistent unfavorable or adverse trends are noted for the most recent three year period, obtain from the contractor an explanation for the unfavorable or adverse trends and any actions being taken to improve the conditions. Sometimes a change in accounting practice, or an unusual accounting method such as an inventory valuation method, will explain the variance. d. Trend Analysis of Key Financial Statement Elements. (1) Review the trends of the following financial statement elements for the most recently completed fiscal year and the previous two fiscal years. If consistent unfavorable or adverse trends are noted, obtain and verify any explanation from the contractor and any actions being taken to improve the condition (CAM 14-304f). • Profit/Loss • Sales • Cash Flow from o Operating activities o Investing activities o Financing activities • Working Capital (Current assets minus current liabilities) • Net Worth (Total assets minus total liabilities) • Long-term Liabilities (2) The notes to the financial statements and/or the SEC filings (10K and 10Q) should be reviewed for any conditions or statements that may indicate financial risk requiring further inquiry/review. Determine if there is a going concern comment in the most recent financial statements. If so, this is a high risk indicator that requires further analysis. e. Off-Balance Sheet Arrangements and Related Party Transactions. The auditor should review the information provided by the contractor, as well as information contained in the quarterly and annual SEC filings (if a publicly traded company), to determine if the financial statements disclose the maximum liability of off-balance sheet arrangements and related party transactions. A list of indicators that identifies the existence of related parties, entitled Potential Related Party Indicators, is included in the OAG section of the APPS and should be used to assist in identifying situations 6 of 17 Master Document that would indicate related party arrangements. Any lead should be followed-up with the contractor. (1) Review for audit leads any inquiries from the contractor’s IPA related to off-balance sheet arrangements and related party transactions and the contractor’s response to these inquiries. (2) Compare for consistency the contractor’s response to IPA inquiries concerning off-balance sheet arrangements and related party transactions to the contractor’s disclosures in the confirmation letter. Follow-up any inconsistencies with the contractor. (3) Review for any audit leads the results and reports of any internal audits, reviews, or other analyses of off-balance sheet arrangements and related party transactions. (4) Verify that the contractor-prepared schedule (for nonpublicly held companies) identifying the maximum possible liability for each disclosed off-balance sheet arrangements and related party transactions is based on sufficient, competent, evidential matter, which should be reconciled to the contractor’s supporting documentation for each liability. f. Timely Payment of Payroll Taxes. Determine if the contractor is paying its payroll taxes on a timely basis (CAM 14-304h). [Note: Contractor delays or the nonpayment of payroll taxes may affect the allowability of claimed and billed costs and should be promptly discussed with the Supervisory Auditor.] g. Analysis of Parent Company’s Management of Subsidiary’s Cash. (1) Review and assess the parent’s administration of its cash management plan. This includes reviewing the contractor’s processes, controls, procedures and management reporting mechanisms used for ensuring that the cash needs of any subsidiary with Government contracts are being met. In situations where the parent has not guaranteed the performance of the subsidiaries, perform additional analysis of the corporation’s cash management plan and assess the following: (a) whether a subsidiary with Government contracts is a consistent generator or user of cash to/from the parent; (b) how often subsidiary needs cash from the parent; (c) the significance of the funds being used by the subsidiary; (d) how such funds are being accounted for, e.g., liabilities, reduction of equity; and 7 of 17 Master Document (e) parent actions taken or planned (based on its cash management plan) to support the financial needs of the subsidiary that is consistently using cash from the parent. (2) If analysis of the cash management plan and/or data discloses financial distress at a subsidiary with Government contracts (and the contractor has not guaranteed or taken other actions to financially support the subsidiary’s performance), determine whether assistance from the subsidiary FAO is considered necessary. Consider requesting data from the subsidiary auditors which may not be available at the parent location, e.g., accounts payable aging, identification of loss contracts, local ACO inquiries, knowledge of other financial distress indicators. h. Analysis of Parent Data by Subsidiary Auditors. These risk assessment steps should be performed when the risk assessment/audit is being performed at a subsidiary. (1) If the parent is a public company, the subsidiary auditor should use the financial data under Filings & Forms (EDGAR) presented on the SEC website at www.sec.gov. The auditor will rely upon this published contractor financial data to determine if there are indicators of financial distress at the parent location. (a) Note the type of audit opinion being rendered on the financial statements by the IPA; (b) other comments/notes contained in the published financial statements; and (c) any going concern comment (SAS 59) made by the IPA. (2) If the parent is a nonpublic company, the auditor should normally not pursue access to the financial records of the parent company unless (1) total Government dollars at the subsidiary location(s) are significant, (2) the parent sweeps cash or guarantees the subsidiary’s performance, and (3) the auditor has indicators of potential financial distress of the parent. Unless all three of these key elements exist, auditors will only perform a risk assessment and/or audit at the subsidiary location. i. Other Indicators. (1) Low bond/debt ratings or declining trends may signal problems for the company in obtaining cash outside of normal operations. Where a conflict exists between external bond/debt ratings (especially high bond/debt ratings) and other risk assessments, the auditor should ascertain and evaluate the reason for the conflict. Bond/debt ratings may not be indicative of a company's ability to perform on contracts, and may not 8 of 17 Master Document consider all information available to the auditor. (2) Discuss any plans the contractor may have to enter into significant leases, make significant capital expenditures, liquidate assets, borrow significant cash or restructure existing debt, reduce or delay expenditures, and increase ownership equity. (3) Identify and analyze any unusual compensation packages used to retain employees or outstanding loans to other company operations or company officers that would drain financial resources from an operating unit with Government contracts. (4) Be alert to any other potential considerations that may warrant more analysis in the risk assessment or expansion to an audit. These items may be identified by the customer, company employees, other auditor or other sources. These may include: • Borrowing from or under-funded pension plans, • Non-payment of insurance premiums or under-insurance, and • Poorly maintained infrastructure (i.e., facilities, accounting software, etc.). j. If the detailed risk assessment does not disclose significant indicators of financial distress, discuss the results with the ACO. Proceed to Concluding Steps (Section A-1). If a financial capability audit is warranted, proceed to the audit steps beginning with Cash Flow Projections (Section C-1). k. For customer requested assignments, where no significant indicators of financial distress were disclosed, coordinate the results with the requestor and the ACO. If the requestor agrees that further audit work is not necessary, confirm the coordination with the requester in a memorandum. If the customer requests an audit, proceed to the audit steps beginning with Cash Flow Projections (Section C-1). l. If the contractor (for nonpublicly held companies) has not provided the written confirmation letter (requested under Section B-1, Step 1.g), begin performance of a financial capability audit.
- C-1 Cash Flow Projections Version 8.2, dated May 2008 W/P Reference 1. Obtain Data and Other Information. 9 of 17 Master Document This section of the audit program focuses on financial capability and includes an evaluation of the forecasted cash flows and related information. Obtain the following information from the contractor to proceed with the audit: a. A cash flow forecast with supporting rationale covering at a minimum a one year period. [Note: the FAO’s audit opinion must reflect a cash flow forecast of no less than six months from the date of the audit report.] b. The current fiscal year operating budget, including each contractor division. c. The capital acquisitions budget for the next three years. d. Accounts payable aging schedules for more than one period. e. Accounts receivable aging schedules for more than one period. f. Copies of any loan covenants/agreements. g. Status of any outstanding lines of credit. h. Debt/Bond payment schedules. i. Pending/potential claims and the status of any legal proceedings, investigations or any potential recoveries of losses. j. Current Board of Directors minutes. k. Current sales backlog and new contract awards. l. Corporate guaranties, if applicable. m. Subordination agreement, if applicable. n. Any updates to status of any unfavorable or adverse conditions noted during the risk assessment. o. Written Confirmation Letter and Other Information. Request the contractor to provide written confirmation that the cash flow forecast includes liabilities associated with off-balance sheet arrangements and related party transactions. A proforma letter requesting contractor confirmation on the cash flow forecast is included in the Administrative section of the APPS entitled 31 - Confirmation Letter – Cash Flow Forecast. In addition to the written confirmation, the contractor should also be requested to provide: (1) A schedule separately showing (i) the maximum liability included in the financial statements and cash flow forecast and (ii) the maximum liability not reflected in the financial statements and cash flow forecast when the contractor states that the maximum liability for off-balance sheet arrangements 10 of 17 Master Document and related party transactions is not reflected in the financial statements and/or cash flow forecast. (2) Any inquiries from their IPA related to off-balance sheet arrangements and related party transactions, associated with these statements, and their responses to these inquiries. (3) The results and reports of any internal audits, reviews or other analyses of off-balance sheet arrangements and related party transactions related to these statements. 2. Review of Cash Flow Projections The cash flow forecast should be evaluated by the auditor for reasonableness. The contractor’s IPA may have performed a cash flow projection review during their annual audit. Determine if this occurred and if it is possible to review their audit efforts. The evaluation of the cash flow forecast will form the basic framework for the auditor’s opinion on the contractor’s financial capability. The auditor needs to have a reasonable basis to assure that the contractor will have sufficient sources of cash to perform on Government contracts. a. If the contractor does not prepare a cash flow forecast as part of normal financial management, request that the contractor prepare a cash flow forecast for the audit. It may be necessary to explain in detail what we need in this regard and provide an example at some contractor locations. If the contractor fails to do so, ask the ACO for assistance in obtaining a cash flow forecast and in determining the appropriate period for the cash flow (DFARS 232.072-3). b. An audit opinion cannot be rendered for a major contractor without a cash flow forecast. The auditor should report this absence of normal financial management and budgetary controls as a significant internal control weakness. Actions to deny access should be elevated to the ACO for assistance. If the problem continues, it should be reported as an access to records problem (see CAM 1-504). c. If a non-major contractor fails to prepare a cash flow forecast, and other detailed audit steps indicate the contractor is experiencing financial distress, the auditor can issue an unfavorable or adverse audit opinion on the contractor’s financial capability which should be qualified due to the lack of the cash flow projection. If a non-major contractor fails to provide a cash flow forecast and detailed audit steps did not indicate financial distress, a report disclaiming an opinion should be issued. Refer to CAM 14-305.2e and 14.307a(4). d. Evaluate the contractor’s cash flow forecast. 11 of 17 Master Document (1) If the forecast is presented in the form of a statement of cash flows, verify the key amounts to the forecasted income statement and balance sheet. (2) Compare significant cash flow line items to actual historical balances. Determine if sales or production forecasts and related operating costs are consistent with recent financial statement trends, and evaluate supporting assumptions. (3) Verify that projected sales agree with the contractor's annual financial plan and indirect rate forecasts. A list of projected sales or sources of cash, by contract, should be reviewed by the auditor and verified to contract data on a sample basis. Any contracts in a loss position should be carefully reviewed to determine the extent to which any additional billings might be made. Assist audits may be required at organizations with multiple divisions or subsidiaries. (4) Other significant sources of cash should be identified by the contractor and verified by the auditor. Any projected collection of outstanding claims or unliquidated contract balances should be verified with the appropriate agency. If a significant projected source of cash is due to a planned liquidation of accounts receivable, confirmations may be required to the extent they were not audited by independent auditors. Contact the ACO prior to confirming accounts receivable balances outside the Government. If the ACO requests that receivables not be confirmed, qualify the report accordingly. Only the difference between the beginning and ending balance represents a source of cash. (5) Determine if the contractor's ability to achieve its cash flow forecast is dependent on the favorable outcome of one or a few key event(s). If so, the circumstances and chance of occurrence should be reviewed. (6) Verify projected uses of cash to the contractor's annual financial plan and forecasted indirect rate submission. Review the contractor's production schedule to determine if the variable uses of cash, such as material purchases and payroll (headcount), are adequate to support performance assumptions. (7) Verify that all interest and principal payments on any debt, loans, or lines of credit are considered in the forecast. (8) Determine if the cash flow forecast considers any unfavorable or adverse conditions that have already been identified in the auditor’s review of existing financial conditions. (9) Compare previous cash flow forecasts with actual statements 12 of 17 Master Document of cash flows to determine the reliability of past forecasts. (10) Determine whether the contractor has the financial means to meet ongoing costs of operations in the near term. (a) Routine borrowings against a line of credit that do not consume most of the line of credit are not a condition that should be considered financial distress. However, a projected shortfall in meeting short term obligations may require obtaining cash from outside the normal course of operations by means of extraordinary management actions (such as liquidation of assets, significant loans, or sale of stock) which is considered financial distress. (b) If a significant shortfall is not projected, but cash flows are dependent on significant conditions or events for which there is significant doubt (such as optimistic sales of a new product, anticipated contract awards, or a negative cash flow due to a pending contingent liability), the contractor would also be considered to be in a condition of financial distress. (11) Using the contractor-prepared schedule identifying the maximum possible liability for off-balance sheet arrangements and related party transactions, inquire of the contractor if any of the liabilities will become due in the near term (one year or less). If any are, verify that these cash outflows are reflected in the contractor’s cash flow forecast. D-1 Liquidation Of Accounts Payable Version 8.2, dated May 2008 W/P Reference The auditor should determine if the contractor is liquidating accounts payable on a timely basis by reviewing the contractor's accounts payable aging schedule. Obtain a copy of the contractor's policy regarding liquidating accounts payable. For a multidivisional corporation with a decentralized accounts payable function, the auditor may need to request assist audits of segments/divisions with significant accounts payable balances. 1. Verify the accounts payable aging schedule for more than one period to supporting accounting records (e.g., general ledger). Contractors may have the ability to manage accounts payable through various computer sort programs. When account balances are significant and the contractor does not prepare an aging schedule or similar analysis, the contractor should be asked to perform such analysis. If the contractor refuses, the auditor should 13 of 17 Master Document report this absence of normal financial management and budgetary controls as a significant internal control weakness. The auditor will then consider evaluating liquidation of accounts payable by such audit procedures as statistical sampling and use of the IT retrieval software (e.g., SAS and FOCUS). 2. Compare debt cancellation dates with cancelled checks on a sample basis to determine if any checks are being held. 3. Evaluate the number of days outstanding. Any significant deviation from the contractor's policy should be explained. Significant payables over 90 days should also be explained by the contractor. Determine if the reason for slow liquidation of payables is due to inadequate available cash. E-1 Loan Covenants Version 8.2, dated May 2008 W/P Reference Review the contractor's loan agreements and covenants to determine if the contractor is complying with all of the conditions of the loan such as maintaining established ratios. 1. Request the contractor to provide a historical analysis of the established ratios. Verify calculations. If the ratios are not being monitored by the contractor, the auditor should report this as a material internal control weakness. 2. If the loan covenants or financial ratios are not being met, determine if they have been waived by the financial institution. 3. Review the debt payments schedules. Verify that historical payments have been made on a timely basis. Note future payment requirements for verification during the contractor's cash flow forecast. 4. Verify that the contractor properly classifies any lines of credit as short/long-term since the improper classification would affect the calculation of some financial ratios. 5. Review the interest rate charged by the lending institution. An increase in the rate charged significantly above the prime rate could be attributable to perceived contractor financial distress. 6. Review loan/line of credit to determine if they are secured by collateral. If the contractor receives progress payments, and collateral includes inventory/work-in-process, determine if a subordination agreement is necessary. 14 of 17 Master Document F-1 Bankruptcy Version 8.2, dated May 2008 W/P Reference Determine if the contractor has filed a petition for reorganization with the Bankruptcy Court or if any legal proceedings have been initiated by vendors for payment. [This condition gives rise to significant uncertainty as to the contractor's ability to adequately perform on Government contracts.] If the contractor has filed for bankruptcy: 1. Determine if the ACO has been notified of any petition for bankruptcy. If not, provide written notification to the ACO immediately, and provide copies to the Regional Special Programs Office and Headquarters, Attention PPD. 2. Determine what legal provisions exist and obtain the required financial information to ascertain the company's continuing financial capability. 3. Consider qualifying the audit report regarding the bankruptcy proceedings. G-1 Other Potential Conditions Version 8.2, dated May 2008 W/P Reference Other potential conditions that must be considered include: • Litigation • Unusual agreements with the Internal Revenue Service • Vendor requirements for Cash or Delivery payments • Production delays • Contract overruns • Labor disputes, etc. H-1 Financial Flexibility Version 8.2, dated May 2008 W/P Reference If the above steps do not disclose financial distress, completion of this section is not required.: 1. Determine if the contractor has any plans to minimize the effects of a forecasted insufficient cash flow. Such extraordinary management 15 of 17 Master Document actions may involve any or all of the following: • Company reorganization/downsizing • Restructuring of debt • Liquidation of assets • Additional borrowings • Reduced or delayed expenditures • Increased ownership equity • Reduced dividends • Sale of a portion of the company 2. Review the following indicators in order to determine the extent of the contractor's ability to obtain additional cash: a. Net worth (Assets - Liabilities). Companies with no or little net worth have a difficult time attracting additional investment. Lines of credit or additional borrowings are often guaranteed by officers’ and/or shareholders’ personal assets. b. Current Outside Ratings. Companies with high debt/bond/stock ratings may be able to raise additional cash through the issuance of additional debt, bonds, or stock. However, it should be noted that such ratings are only for existing debt, bonds, and stock. The company's ability to meet new interest, principal and/or dividends must be evaluated. c. Liquidation of Assets. In order to raise cash, a company may sell existing assets. It is important to determine that such assets are not secured and are not pertinent to the continued operations of the company. Determine any direct or indirect effects of any planned disposition on Government contracts. The sale of assets that are secured often does not provide additional cash. However, it may favorably impact the debt to equity ratio, the cash flow to debt ratio, and reduce debt service costs. d. Bank Line of Credit/Loan covenants. Covenants should be reviewed to determine if the contractor is in compliance with the terms of the agreement, including maintenance of established minimum account balances and ratios. Determine if the credit line is guaranteed by another individual or corporation. If operating losses continue, such guarantees may be withdrawn, thereby eliminating existing lines of credit. Also, determine the amount of credit currently outstanding, amounts available, and terms of repayment on current balances. A-1 Concluding Steps Version 8.2, dated May 2008 W/P Reference 1. Summarize the results. a. Select and use an opinion paragraph verbatim from CAM 14-307a. Following the opinion, it may be appropriate to include additional detail that addresses the specific contractor situation. For example, there may be improving or worsening conditions. There also may be mitigating circumstances, such as the lack of progress payments. Prepare and submit a draft audit report for review, based upon the format in CAM 10-1200. b. When an audit is not performed based on the results of the risk assessment, prepare a memorandum for the record. 2. Obtain, as necessary, regional approval of the draft report. 3. Report separately, in flash report format, any internal control deficiency found during the audit. 4. After supervisory review, coordinate preliminary results with the ACO and or requestor. If the issues warrant, invite the ACO to attend the exit conference. 5. Hold the exit conference with contractor and, if applicable, provide a draft copy of the audit results for contractor written comment. Significant issues should have already been discussed with the contractor during the audit. Allow a reasonable time for the contractor's written response. Top level contractor management should be involved in the exit conference if sensitive issues are going to be discussed or the draft report states there is some doubt regarding the contractor's ability to perform on Government contracts. 6. Prepare final report incorporating the contractor's response. 7. If the risk assessment or audit is performed at a parent or corporate office, address the report or memorandum to the CACO or ACO responsible for the parent and distribute a copy of the audit report or memorandum to all cognizant DCAA offices. Also provide copies of the reports to FLAs, as appropriate. Include a transmittal letter advising that the report contains sensitive information and should not be released outside of DCAA. 8. Update permanent files and ICAPS (MAARs #1, #3 and #4 (if applicable)).
- C-1 Cash Flow Projections Version 8.2, dated May 2008 W/P Reference 1. Obtain Data and Other Information. 9 of 17 Master Document This section of the audit program focuses on financial capability and includes an evaluation of the forecasted cash flows and related information. Obtain the following information from the contractor to proceed with the audit: a. A cash flow forecast with supporting rationale covering at a minimum a one year period. [Note: the FAO’s audit opinion must reflect a cash flow forecast of no less than six months from the date of the audit report.] b. The current fiscal year operating budget, including each contractor division. c. The capital acquisitions budget for the next three years. d. Accounts payable aging schedules for more than one period. e. Accounts receivable aging schedules for more than one period. f. Copies of any loan covenants/agreements. g. Status of any outstanding lines of credit. h. Debt/Bond payment schedules. i. Pending/potential claims and the status of any legal proceedings, investigations or any potential recoveries of losses. j. Current Board of Directors minutes. k. Current sales backlog and new contract awards. l. Corporate guaranties, if applicable. m. Subordination agreement, if applicable. n. Any updates to status of any unfavorable or adverse conditions noted during the risk assessment. o. Written Confirmation Letter and Other Information. Request the contractor to provide written confirmation that the cash flow forecast includes liabilities associated with off-balance sheet arrangements and related party transactions. A proforma letter requesting contractor confirmation on the cash flow forecast is included in the Administrative section of the APPS entitled 31 - Confirmation Letter – Cash Flow Forecast. In addition to the written confirmation, the contractor should also be requested to provide: (1) A schedule separately showing (i) the maximum liability included in the financial statements and cash flow forecast and (ii) the maximum liability not reflected in the financial statements and cash flow forecast when the contractor states that the maximum liability for off-balance sheet arrangements 10 of 17 Master Document and related party transactions is not reflected in the financial statements and/or cash flow forecast. (2) Any inquiries from their IPA related to off-balance sheet arrangements and related party transactions, associated with these statements, and their responses to these inquiries. (3) The results and reports of any internal audits, reviews or other analyses of off-balance sheet arrangements and related party transactions related to these statements. 2. Review of Cash Flow Projections The cash flow forecast should be evaluated by the auditor for reasonableness. The contractor’s IPA may have performed a cash flow projection review during their annual audit. Determine if this occurred and if it is possible to review their audit efforts. The evaluation of the cash flow forecast will form the basic framework for the auditor’s opinion on the contractor’s financial capability. The auditor needs to have a reasonable basis to assure that the contractor will have sufficient sources of cash to perform on Government contracts. a. If the contractor does not prepare a cash flow forecast as part of normal financial management, request that the contractor prepare a cash flow forecast for the audit. It may be necessary to explain in detail what we need in this regard and provide an example at some contractor locations. If the contractor fails to do so, ask the ACO for assistance in obtaining a cash flow forecast and in determining the appropriate period for the cash flow (DFARS 232.072-3). b. An audit opinion cannot be rendered for a major contractor without a cash flow forecast. The auditor should report this absence of normal financial management and budgetary controls as a significant internal control weakness. Actions to deny access should be elevated to the ACO for assistance. If the problem continues, it should be reported as an access to records problem (see CAM 1-504). c. If a non-major contractor fails to prepare a cash flow forecast, and other detailed audit steps indicate the contractor is experiencing financial distress, the auditor can issue an unfavorable or adverse audit opinion on the contractor’s financial capability which should be qualified due to the lack of the cash flow projection. If a non-major contractor fails to provide a cash flow forecast and detailed audit steps did not indicate financial distress, a report disclaiming an opinion should be issued. Refer to CAM 14-305.2e and 14.307a(4). d. Evaluate the contractor’s cash flow forecast. 11 of 17 Master Document (1) If the forecast is presented in the form of a statement of cash flows, verify the key amounts to the forecasted income statement and balance sheet. (2) Compare significant cash flow line items to actual historical balances. Determine if sales or production forecasts and related operating costs are consistent with recent financial statement trends, and evaluate supporting assumptions. (3) Verify that projected sales agree with the contractor's annual financial plan and indirect rate forecasts. A list of projected sales or sources of cash, by contract, should be reviewed by the auditor and verified to contract data on a sample basis. Any contracts in a loss position should be carefully reviewed to determine the extent to which any additional billings might be made. Assist audits may be required at organizations with multiple divisions or subsidiaries. (4) Other significant sources of cash should be identified by the contractor and verified by the auditor. Any projected collection of outstanding claims or unliquidated contract balances should be verified with the appropriate agency. If a significant projected source of cash is due to a planned liquidation of accounts receivable, confirmations may be required to the extent they were not audited by independent auditors. Contact the ACO prior to confirming accounts receivable balances outside the Government. If the ACO requests that receivables not be confirmed, qualify the report accordingly. Only the difference between the beginning and ending balance represents a source of cash. (5) Determine if the contractor's ability to achieve its cash flow forecast is dependent on the favorable outcome of one or a few key event(s). If so, the circumstances and chance of occurrence should be reviewed. (6) Verify projected uses of cash to the contractor's annual financial plan and forecasted indirect rate submission. Review the contractor's production schedule to determine if the variable uses of cash, such as material purchases and payroll (headcount), are adequate to support performance assumptions. (7) Verify that all interest and principal payments on any debt, loans, or lines of credit are considered in the forecast. (8) Determine if the cash flow forecast considers any unfavorable or adverse conditions that have already been identified in the auditor’s review of existing financial conditions. (9) Compare previous cash flow forecasts with actual statements 12 of 17 Master Document of cash flows to determine the reliability of past forecasts. (10) Determine whether the contractor has the financial means to meet ongoing costs of operations in the near term. (a) Routine borrowings against a line of credit that do not consume most of the line of credit are not a condition that should be considered financial distress. However, a projected shortfall in meeting short term obligations may require obtaining cash from outside the normal course of operations by means of extraordinary management actions (such as liquidation of assets, significant loans, or sale of stock) which is considered financial distress. (b) If a significant shortfall is not projected, but cash flows are dependent on significant conditions or events for which there is significant doubt (such as optimistic sales of a new product, anticipated contract awards, or a negative cash flow due to a pending contingent liability), the contractor would also be considered to be in a condition of financial distress. (11) Using the contractor-prepared schedule identifying the maximum possible liability for off-balance sheet arrangements and related party transactions, inquire of the contractor if any of the liabilities will become due in the near term (one year or less). If any are, verify that these cash outflows are reflected in the contractor’s cash flow forecast. D-1 Liquidation Of Accounts Payable Version 8.2, dated May 2008 W/P Reference The auditor should determine if the contractor is liquidating accounts payable on a timely basis by reviewing the contractor's accounts payable aging schedule. Obtain a copy of the contractor's policy regarding liquidating accounts payable. For a multidivisional corporation with a decentralized accounts payable function, the auditor may need to request assist audits of segments/divisions with significant accounts payable balances. 1. Verify the accounts payable aging schedule for more than one period to supporting accounting records (e.g., general ledger). Contractors may have the ability to manage accounts payable through various computer sort programs. When account balances are significant and the contractor does not prepare an aging schedule or similar analysis, the contractor should be asked to perform such analysis. If the contractor refuses, the auditor should 13 of 17 Master Document report this absence of normal financial management and budgetary controls as a significant internal control weakness. The auditor will then consider evaluating liquidation of accounts payable by such audit procedures as statistical sampling and use of the IT retrieval software (e.g., SAS and FOCUS). 2. Compare debt cancellation dates with cancelled checks on a sample basis to determine if any checks are being held. 3. Evaluate the number of days outstanding. Any significant deviation from the contractor's policy should be explained. Significant payables over 90 days should also be explained by the contractor. Determine if the reason for slow liquidation of payables is due to inadequate available cash. E-1 Loan Covenants Version 8.2, dated May 2008 W/P Reference Review the contractor's loan agreements and covenants to determine if the contractor is complying with all of the conditions of the loan such as maintaining established ratios. 1. Request the contractor to provide a historical analysis of the established ratios. Verify calculations. If the ratios are not being monitored by the contractor, the auditor should report this as a material internal control weakness. 2. If the loan covenants or financial ratios are not being met, determine if they have been waived by the financial institution. 3. Review the debt payments schedules. Verify that historical payments have been made on a timely basis. Note future payment requirements for verification during the contractor's cash flow forecast. 4. Verify that the contractor properly classifies any lines of credit as short/long-term since the improper classification would affect the calculation of some financial ratios. 5. Review the interest rate charged by the lending institution. An increase in the rate charged significantly above the prime rate could be attributable to perceived contractor financial distress. 6. Review loan/line of credit to determine if they are secured by collateral. If the contractor receives progress payments, and collateral includes inventory/work-in-process, determine if a subordination agreement is necessary. 14 of 17 Master Document F-1 Bankruptcy Version 8.2, dated May 2008 W/P Reference Determine if the contractor has filed a petition for reorganization with the Bankruptcy Court or if any legal proceedings have been initiated by vendors for payment. [This condition gives rise to significant uncertainty as to the contractor's ability to adequately perform on Government contracts.] If the contractor has filed for bankruptcy: 1. Determine if the ACO has been notified of any petition for bankruptcy. If not, provide written notification to the ACO immediately, and provide copies to the Regional Special Programs Office and Headquarters, Attention PPD. 2. Determine what legal provisions exist and obtain the required financial information to ascertain the company's continuing financial capability. 3. Consider qualifying the audit report regarding the bankruptcy proceedings. G-1 Other Potential Conditions Version 8.2, dated May 2008 W/P Reference Other potential conditions that must be considered include: • Litigation • Unusual agreements with the Internal Revenue Service • Vendor requirements for Cash or Delivery payments • Production delays • Contract overruns • Labor disputes, etc. H-1 Financial Flexibility Version 8.2, dated May 2008 W/P Reference If the above steps do not disclose financial distress, completion of this section is not required.: 1. Determine if the contractor has any plans to minimize the effects of a forecasted insufficient cash flow. Such extraordinary management 15 of 17 Master Document actions may involve any or all of the following: • Company reorganization/downsizing • Restructuring of debt • Liquidation of assets • Additional borrowings • Reduced or delayed expenditures • Increased ownership equity • Reduced dividends • Sale of a portion of the company 2. Review the following indicators in order to determine the extent of the contractor's ability to obtain additional cash: a. Net worth (Assets - Liabilities). Companies with no or little net worth have a difficult time attracting additional investment. Lines of credit or additional borrowings are often guaranteed by officers’ and/or shareholders’ personal assets. b. Current Outside Ratings. Companies with high debt/bond/stock ratings may be able to raise additional cash through the issuance of additional debt, bonds, or stock. However, it should be noted that such ratings are only for existing debt, bonds, and stock. The company's ability to meet new interest, principal and/or dividends must be evaluated. c. Liquidation of Assets. In order to raise cash, a company may sell existing assets. It is important to determine that such assets are not secured and are not pertinent to the continued operations of the company. Determine any direct or indirect effects of any planned disposition on Government contracts. The sale of assets that are secured often does not provide additional cash. However, it may favorably impact the debt to equity ratio, the cash flow to debt ratio, and reduce debt service costs. d. Bank Line of Credit/Loan covenants. Covenants should be reviewed to determine if the contractor is in compliance with the terms of the agreement, including maintenance of established minimum account balances and ratios. Determine if the credit line is guaranteed by another individual or corporation. If operating losses continue, such guarantees may be withdrawn, thereby eliminating existing lines of credit. Also, determine the amount of credit currently outstanding, amounts available, and terms of repayment on current balances. A-1 Concluding Steps Version 8.2, dated May 2008 W/P Reference 1. Summarize the results. a. Select and use an opinion paragraph verbatim from CAM 14-307a. Following the opinion, it may be appropriate to include additional detail that addresses the specific contractor situation. For example, there may be improving or worsening conditions. There also may be mitigating circumstances, such as the lack of progress payments. Prepare and submit a draft audit report for review, based upon the format in CAM 10-1200. b. When an audit is not performed based on the results of the risk assessment, prepare a memorandum for the record. 2. Obtain, as necessary, regional approval of the draft report. 3. Report separately, in flash report format, any internal control deficiency found during the audit. 4. After supervisory review, coordinate preliminary results with the ACO and or requestor. If the issues warrant, invite the ACO to attend the exit conference. 5. Hold the exit conference with contractor and, if applicable, provide a draft copy of the audit results for contractor written comment. Significant issues should have already been discussed with the contractor during the audit. Allow a reasonable time for the contractor's written response. Top level contractor management should be involved in the exit conference if sensitive issues are going to be discussed or the draft report states there is some doubt regarding the contractor's ability to perform on Government contracts. 6. Prepare final report incorporating the contractor's response. 7. If the risk assessment or audit is performed at a parent or corporate office, address the report or memorandum to the CACO or ACO responsible for the parent and distribute a copy of the audit report or memorandum to all cognizant DCAA offices. Also provide copies of the reports to FLAs, as appropriate. Include a transmittal letter advising that the report contains sensitive information and should not be released outside of DCAA. 8. Update permanent files and ICAPS (MAARs #1, #3 and #4 (if applicable)).
- Activity Code 24010 Estimating System Survey (ICR) Version 8.4, dated November 2009 B-1 Planning Considerations Purpose and Scope The major objectives of this audit are to:  Evaluate the adequacy of and the contractor’s compliance with the estimating system internal controls.  Obtain a sufficient understanding of the contractor's estimating system and related internal control (including both manual and computerized activities) to plan the related audit effort. This requires that the auditor assess the adequacy of the contractor's policies and procedures, whether they have been implemented, and if they are working and being monitored effectively.  Document the understanding of the estimating system internal controls in working papers and permanent files.   Assess control risk as a basis to identify factors relevant to the design of substantive tests.  Report on the understanding of the estimating system internal controls and assessment of control risk and the adequacy of the system for Government contracts. This audit is limited to the estimating system and related internal controls for major contractors, nonmajor contractors where the system is considered significant, and other contractors with substantial firm-fixed price contracts. Only those controls directly related to the contractor's estimating system, as defined below, will be audited under this assignment. Controls for interrelated audit concerns regarding the adequacy of the contractor's other major systems (i.e., labor, budget and planning, etc.) will be audited under separate assignments. While the controls for these areas are not part of this audit, the results of all audits of these interrelated controls must be considered in forming an overall audit conclusion on the estimating system internal controls. The results of this audit should be commented on in reports on related audit areas. When performing an update or follow-up examination, the audit steps should be adjusted and tailored accordingly. To the extent possible, prior audit effort should be used as a basis for validating the contractor's internal controls. Before beginning this examination, the auditor should be alert for internal control evaluations performed by the contractor or its external auditors relating to this audit area. In those cases where internal control evaluations have been performed, the auditor should 1 of 20 Master Document – Audit Program follow the guidance contained in CAM 4-1000, Relying Upon the Work of Others. Before performing any examination of internal controls, the auditor should determine that the system contemplated for examination is material to the Government. Once it is determined that the system is material to the Government, the auditor should reassess the materiality of each section in the internal controls audit before performing any audit steps in that section. The scope of any audit depends on individual circumstances. The auditor is expected to exercise professional judgment, considering vulnerability and materiality, in deciding the scope of audit to be performed. The use of computers of all kinds in a contractor’s accounting and management systems is so pervasive it is unlikely that any audit of them could be performed adequately without an examination of the internal controls over their automated aspects. Therefore, the auditor should become familiar with guidance contained in the Information System (IS) Auditing Knowledge Base that is found on DCAA’s Intranet, prior to the beginning of this audit. In addition, in some instances, the assistance of IT specialists may be required to adequately evaluate the automated aspects of the internal controls. In these cases, auditors should coordinate, through their supervisory auditor, to contact their regional offices to obtain the necessary expertise. The internal control matrix (see Internal Control Matrix - Estimating System and Related Internal Controls) shows the interrelationships among the control objectives, example control activities, and audit procedures used in this audit program. The control objectives and the audit procedures have been fully integrated into this audit; therefore, the matrix is not needed unless it is desirable to see the associated example control activities and the interrelationships in a matrix format. In cases where this examination covers internal control systems at multi-segment contractors, follow the guidance in CAM 5-103.2 and 5-110e. Auditing internal controls at multi-segment contractors requires effective coordination among cognizant auditors to identify the audit responsibilities at each location to ensure appropriate audit coverage when contractor locations share components of an internal control system, such as policies and procedures, common technologies (e.g., software) or common management. FAOs cognizant of segment locations should initiate assist audits from off-site locations as necessary. FAOs cognizant of off-site locations should not self-initiate audits of internal controls. The following “Other Audit Guidance” documents are available in APPS under “Administrative Working Papers” to assist the auditor in preparing the risk assessment, working papers, and letters, required for this audit. They should be tailored to fit the circumstances.  EST - Announcement Ltr. to Contractor  EST - Experience Info Worksheet - Bid Proposals  EST - Experience Info Worksheet - Other  EST - Interview Questionnaire  EST - Notification Memo to ACO 2 of 20 Master Document – Audit Program  EST - Notification Memo to PCO References 1. CAM 3-300, Internal Control Audit Planning Summary (ICAPS) 2. CAM 5-1200, Audit of Estimating System Internal Controls 3. CAM 9-303, Contractor Estimating Methods and Procedures-Cost Estimates 4. CAM 10-400, Audit Reports on Operations and Internal Control (System Audits) 5. DFARS 215.407-5, Estimating Systems
- Pertinent record layouts of files created and/or used during the processing of estimating system related transactions. Database table definitions. Source documents. Information on the conversion of documents to computer media. Subsidiary or master files affected by the system. Relevant reports, journals, and ledgers produced in the flow of information to the estimating system reports. B-1 Preliminary Steps W/P Reference Version 8.4, dated November 2009 1. Research and Planning a. Become familiar with applicable sections of CAM 5-1200. Any recent relevant Headquarters guidance (i.e., MRDs, AGMs, and AMGMs) not incorporated in the CAM can be accessed from the Agency-Wide Library available on the DCAA’s intranet home page. b. Perform the following steps using the permanent file: (1) Review prior estimating system audit working paper package. (2) Identify any flash estimating system reports issued (review ICRS database, as applicable). Document the results of (1) and (2) on W/P B-2. (3) Determine if there are any reported deficiencies in the other internal control system audits that impact the scope of this estimating system audit (review the ICRS database, as applicable). Document on W/P B-2. The results of the Control Environment and Overall Accounting Controls examination, if any, should also be evaluated and documented, in detail, under Control Environment, Section C-1, Step 1, of the W/Ps and under Information and Communications, Section E-1, Step 1. The results of the IT Systems General Internal Controls examination, if any, should also be evaluated and documented in detail under Information and Communications, Section E-1, Step 1. 3 of 20 Master Document – Audit Program (4) Identify the sources for the detailed policies, procedures, charts, etc., called for in steps (a) through (d) below. Document the sources of data by listing the data, its source, and any changes since the last system audit. (a) Contractor’s written estimating system policies and procedures. (b) Organization charts depicting the functional areas responsible for developing and processing estimating system related data. (c) Estimating system flowcharts providing a pictorial overview of all manual and computerized processing steps. (d) Information systems documentation: (i) Pertinent record layouts of files created and/or used during the processing of estimating system related transactions. (ii) Database table definitions. (iii)Source documents. (iv) Information on the conversion of documents to computer media. (v) Subsidiary or master files affected by the system. (vi) Relevant reports, journals, and ledgers produced in the flow of information to the estimating system reports. (5) Review audit lead sheets. (6) Review other related audits, for example: (a) Review bid proposals (or comparable assignment log) and summarize the findings in pricing proposal activity. Complete EST - Experience Info Worksheet – Bid Proposals, if applicable. (b) Review and summarize the impact of noted defective pricing, suspected irregular conduct (SIC), and related CAS noncompliances. Complete EST - Experience Info Worksheet – Other, if applicable. (c) Review files containing telephone requests for specific information and determine if there were any inconsistent estimating practices noted that impact the scope of this audit. 4 of 20 Master Document – Audit Program (7) Consider the impact of the contractor’s financial condition on the estimating system. (Refer to prior financial capability risk assessment or audits – Code 176XX). c. In planning and performing the examination, consider the fraud risk indicators specific to the audit. The principal sources for the applicable fraud risk indicators are:  Handbook on Fraud Indicators for Contract Auditors, Section II.4 (IGDH 7600.3, APO March 31, 1993) located at http://www.dodig.mil/PUBS/igdh7600.doc (To access the handbook, copy and paste the web address shown above into the address block in Internet Explorer.)  CAM Figure 4-7-3. Document in working paper B any identified fraud risk indicators and your response/actions to the identified risks (either individually or in combination). This should be done at the planning stage of the audit, as well as during the audit, if risk indicators are disclosed. If no risk indicators are identified, document this in working paper B. d. Obtain from the contractor its listing of proposals for the past twelve months (or most recently completed fiscal year) and summarize by customer, contract type, and dollar volume in order to determine the materiality of the estimating system. Complete the Materiality section of the ICAPS form at W/P A. e. Discuss the planned evaluation of the estimating system internal controls with the administrative contracting officer (ACO) and the contractor’s major procurement activities to identify, understand, and document any concerns they may have of areas which should be evaluated. f. Coordinate with other DCAA offices (including FD if there are significant classified contracts) cognizant of other contractor segments to determine if any estimating-related system deficiencies should be considered in this audit. Also, coordinate and request any necessary assist audits at locations that perform effort affecting the estimating system. Document your need for assist audits on W/P B-3. g. Close coordination is required at FAOs cognizant of a shared services location and the FAOs cognizant of the segments serviced by the shared services. Document the objectives and procedures to be performed at the shared services location and the segment level. Request assist audits, as applicable. 5 of 20 Master Document – Audit Program h. Determine the extent and results of the contractor’s self-governance activities, internal and external audits, and coordinated audits related to the estimating system. (1) Request the contractor provide a list of completed internal and external audits and determine if any are related to the estimating system. (2) If applicable, coordinate with the CAC or corporate office auditors to determine if any internal control weaknesses that might impact the estimating system were identified in management’s internal control report or the independent auditor’s attestation on management’s assertion included in the annual report filed with the SEC. (3) In those cases where internal or external audits have been performed, the auditor should follow the guidance contained in CAM 4-1000, Relying Upon the Work of Others. Document your preliminary evaluation and its impact on the scope of this examination. The evaluation of internal audit working papers is documented in detail in Section G-1, Step 2. i. Determine the need for technical specialist assistance and document your consideration on W/P B-3.
- 2. Entrance Conference and Preparation a. Prepare a written memorandum to the contractor to arrange for an entrance conference covering the areas highlighted in CAM 4-302, and any specific data or pertinent information not yet provided. b. Conduct an entrance conference as outlined in CAM 4-302, with particular emphasis on: (1) Requesting the contractor to provide, if applicable, a system orientation briefing or a demonstration of the estimating system transaction flow, including data input, data processing, data output, and related internal controls. Document under Information and Communications, Section E-1, Step 3. (2) Determining any changes in the estimating process since the last examination. (3) Discussing the contractor’s risk assessment process. Overall understanding of contractor’s processes will be documented under Contractor Risk Assessment, Section D-1. 6 of 20 Master Document – Audit Program (4) Discussing the contractor’s monitoring process to ensure that established manual and computerized controls are functioning as intended. Document under Monitoring, Section F-1. (5) Discussing any identified weaknesses which may have been previously reported and related follow-up actions taken. 3. Other Preliminary Steps a. Determine the degree a computerized system is used in the estimating process. b. Perform a high level cursory assessment to determine if the following exist: (1) A functional estimating organization with defined organizational responsibilities. (2) A written description of the work flow in the estimating process. (3) Policies and procedures for effectively controlling the estimating process. 4. Initial Risk Assessment Using the information obtained in steps 1, 2, and 3, prepare an initial risk assessment (W/P B) to determine the initial scope of the examination. C-1 Control Environment W/P Reference Version 8.4, dated November 2009 The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The auditor should obtain a sufficient understanding of the control environment to determine the impact that it may have on the overall effectiveness of the estimating system internal controls. 1. Evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls for the rationale behind any moderate or high-risk assessment ratings and determine the impact, if any, on the effectiveness of the estimating system internal controls. .. 7 of 20 Master Document – Audit Program 2. If an examination of the control environment has not been recently performed, evaluate all documented prior audit experience with the contractor, including permanent files, relevant audit reports and working papers, suspected irregular conduct (SIC) referrals and discussions with prior auditors. Obtain an understanding of the following factors: a. Integrity and ethical values. b. Commitment to competence. c. Board of directors and/or audit committee participation. d. Management’s philosophy and operating style. e. Organizational structure. f. Assignment of authority and responsibility. g. Human resource policies and procedures. h. Financial capability. 3. Document your overall assessment of the control environment and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K). D-1 Contractor’s Risk Assessment W/P Reference Version 8.4, dated November 2009 The auditor should develop a sufficient understanding of the risk assessment process currently employed by the contractor in terms of its identification, analysis, and management of risks relevant to the preparation of contract cost data. 1. Meet with responsible personnel to obtain an overview of the various risk factors considered by management. 2. Once the various risk factors are identified, obtain an understanding of how management identifies the risks, estimates the significance of risks, assesses the likelihood of their occurrence, and relates them to contract reporting. 3. If applicable, obtain an overview of any plans, programs, or actions management may initiate to address specific risks. Keep in mind that, depending on the nature of specific risks, management may elect to accept a given risk due to costs or other considerations. 4. Document your overall understanding of the contractor’s risk assessment practices and the impact that it has on the nature and 8 of 20 Master Document – Audit Program extent of testing of each control objective (W/Ps G, H, I, J and K). E-1 Information and Communications W/P Reference Version 8.4, dated November 2009 Information and communication processes consist of the methods and records established to record, process, summarize, and report contract cost data. The auditor should develop a sufficient understanding of the contractor’s information and communication processes (relevant to contract cost data) to identify significant classes of transactions and how they are initiated, processed, controlled, and reported. A necessary step in understanding the information and communication process is to trace selected transactions through the system (see Step 5 below). This will assist in validating the contractor’s demonstration of the system and identifying key controls requiring subsequent testing. 1. Since the accounting and information systems are integral components of information and communication processes, evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls and the IT Systems General Internal Controls for the rationale behind any moderate or high-risk assessment ratings and determine the potential impact, if any, on the effectiveness of the estimating system internal controls on information and communications. 2. Evaluate relevant permanent files, prior audit working papers, and any prior contractor demonstrations of its estimating system information and communication processes. 3. Determine if the contractor has made changes to the information and communication processes in its estimating system since the last demonstration. Evaluate the changes. If no prior systems demonstration was performed, have the contractor provide one. Contractor representatives providing the demonstration should possess a detailed knowledge of the estimating system. The demonstration provides the auditor an opportunity to query contractor personnel regarding internal controls and how they are monitored. The auditor should ensure that the demonstration addresses the internal control objectives outlined in CAM 5-1200. 4. The contractor should include appropriate manual and computerized controls in its information processing that check for accuracy, completeness, and proper authorization of estimating related transactions. Have the contractor identify and demonstrate controls related to each of the areas listed in a. through e. below. Compare the contractor disclosed controls with the generic access control 9 of 20 Master Document – Audit Program listing contained in the referenced CAM section and identify any controls not incorporated in the application. Verify the existence and adequacy of the contractor disclosed controls. Discuss any apparent deficiencies with the contractor. a. Access Controls (CAM 5-1406.1) b. Data Input Controls (CAM 5-1406.2) c. Processing Controls (CAM 5-1406.3) d. Error Correction and Submission (CAM 5-1406.4) e. Output Controls (CAM 5-1406.5) 5. Once the current estimating system information and communication processes are demonstrated by the contractor, selectively trace the development of a contractor’s proposal through the estimating system, starting from the initiation of the proposal development process (e.g., response to RFP) to validate your understanding of the estimating system. By tracing a transaction, the auditor should document the validity and operation of the key controls demonstrated by the contractor in steps 2-4 above (e.g., estimates based on most current, accurate and completed data; cost or price analysis performed on subcontract proposals; proposal properly certified). Discrepancies between your understanding and the contractor’s demonstration should be resolved prior to completing the remainder of this examination. 6. Document your confirmed understanding of the estimating system information and communication processes and obtain a written confirmation from the contractor indicating that they agree with this understanding. This documentation will typically take the form of system flowcharts or narrative descriptions, and can be prepared by the auditor or consist of documentation prepared by the contractor (see CAM 5-106). Based on your understanding of the contractor’s estimating system information and communication processes, document the impact that it will have on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K). F-1 Monitoring W/P Reference Version 8.4, dated November 2009 Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The auditor should develop a sufficient understanding of the contractor’s ongoing monitoring activities and/or separate evaluations related to the 10 of 20 Master Document – Audit Program estimating system internal controls. 1. Determine if ongoing monitoring procedures are incorporated into the normal recurring activities of the contractor’s organization. These procedures should include regular management and supervisory activities. 2. Where applicable, determine the extent of internal audit involvement in performing monitoring functions through separate evaluations. 3. Determine and document the extent of monitoring activities being performed by external parties. 4. Document your overall understanding of the monitoring activity being performed at the contractor’s location, and determine the impact it will have on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K). G-1 Internal Audits W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control environment  Contractor risk assessment  Information and communications  Monitoring 2. Verify that periodic reviews of contractor’s policies and procedures 11 of 20 Master Document – Audit Program are conducted to ensure that: a. Policies and procedures are compliant with applicable Federal regulations. b. Policies and procedures have been implemented and are working effectively. c. Follow-up actions are taken on recommendations resulting from management reviews. 3. Evaluate the contractor's record of completed internal audits and its current internal audit plan to determine if the estimating system is being subjected to periodic reviews in accordance with established policies and procedures. 4. Identify and selectively evaluate documentary evidence and the frequency of the contractor’s management reviews to determine whether the scope of such reviews are appropriate, the conclusions sound, and appropriate follow-up actions were taken. 5. Identify any reviews which may have an impact on this examination, and evaluate the reports and supporting working papers to determine if any system deficiencies were noted, and the extent to which we can rely on the work performed (see CAM 4-1000). H-1 System Description W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows: 12 of 20 Master Document – Audit Program  Control environment  Contractor risk assessment  Information and communications  Monitoring 2. Contractors should establish and maintain an estimating system description, including policies, procedures, and operating instructions compliant with FAR and DFARS. a. Organization/Assignment of Responsibilities (1) Obtain organization charts and written policies, procedures, and directives describing the organizational structure, and responsibilities of the estimating group(s) and contributing departments. (2) Obtain flowcharts showing the flow of work in the estimating process and integration of data prepared by personnel responsible for various functions, such as accounting, cost control, budgeting, planning, purchasing, production control, engineering, estimating, and sales. Key decision and review points, and the time frame for the entire process, should be identified by the contractor. (3) Determine if the following characteristics of an adequate system exist: (a) Lines of authority, duties, and responsibilities are clearly defined. (b) Coordination among the various segments of the organization responsible for different parts of the estimate. (c) Designation of individuals authorized to approve requests for preparing estimates. (4) Interview selected employees involved in the proposal preparation process to determine if the actual responsibility for preparing, reviewing, and approving cost estimates is consistent with established policies and procedures. b. Policies and Procedures (1) Determine if written policies are established at a high enough organizational level to allow for proper implementation. (2) Determine if procedures are in writing and compatible with underlying policies. (3) Determine if: (a) Policies, procedures, and other written instructions are 13 of 20 Master Document – Audit Program disseminated to all employees responsible for putting the estimates together. (b) Revisions to policies, procedures, and instructions are timely, as changes occur in the estimating system. (4) Throughout the remainder of this examination, be alert for any areas in which established estimating policies and procedures are either inadequate or incomplete. c. Integration with Other Management Systems (1) Evaluate the contractor's policies and procedures to determine if they provide for the integration of information from other management systems, as appropriate. (2) Selectively evaluate recent pricing proposals or other cost estimates to determine if information from other management systems was appropriately integrated into the cost estimates. I-1 Training W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control environment  Contractor risk assessment  Information and communications  Monitoring 14 of 20 Master Document – Audit Program 2. Policies and procedures should be established and implemented to assure that assigned personnel have sufficient training, experience, and guidance to perform estimating tasks in accordance with established procedures. a. Evaluate the contractor's policies and procedures to determine if they require periodic training of all employees involved in the estimating process, including, when appropriate, the use of statistical aids and advanced estimating techniques. b. Evaluate records of completed training or other evidence indicating that appropriate employees have been trained in accordance with the policies and procedures. J-1 Cost Estimate Development W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows::  Control environment  Contractor risk assessment  Information and communications  Monitoring 2. Policies and procedures should be established and implemented to ensure that cost estimates are developed using acceptable estimating methods and rationale, and that supporting data is current, accurate, 15 of 20 Master Document – Audit Program and complete. a. Evaluate the adequacy and appropriateness of the methods employed in preparing cost estimates for each proposal type. Consider the following: (1) The nature of the products or services procured. (2) The degree of firmness of specifications. (3) The contractor's experience with the same or similar products or services. (4) The extent detailed cost data can be derived from the accounting system, adjunct statistical records, etc. (5) The relative dollar amount of the estimates. (6) Cost and time restrictions on the preparation of the estimates. b. Evaluate the extent to which the contractor has identified the estimating practices for sensitive cost areas. c. Determine if the contractor has procedures in place to ensure that practices used to estimate costs are consistent with accounting practices used in accumulating costs (CAS 401/FAR 31.201 and 31.203(d)), and to ensure that estimated costs are consistently classified between direct and indirect (CAS 402/FAR 31-202 and 31.203(a)). d. Evaluate the extent to which estimating methods make use of historical data relating to entire products and individual tasks; and indirect cost ratios and percentage factors applicable to a common base. e. Determine if cost estimates based upon prior cost experience consider: (1) Differences in complexity, quantity, rate of production, state of development, etc., between items previously produced and those for which estimates are being developed. (2) Applicability of preproduction engineering, special tooling, plant rearrangement, and other nonrecurring costs. (3) Anticipated changes in production methods, material usage, prices, wage rates, labor efficiency, production volume, plant capacity and make-or-buy structure. f. Evaluate the applicability of historical standard cost variance factors. (Where standards have been revised to represent expected actual cost, historical cost variances are not applicable). g. Evaluate the appropriateness of escalation factors proposed, and 16 of 20 Master Document – Audit Program the methods used to apply them to the cost elements. h. Evaluate the availability and use of incurred cost records in developing estimates if the contractor is given the authorization to proceed before a contract price is negotiated. i. Evaluate the propriety of using company-wide forward pricing factors for preparing cost estimates. Are such factors current, based upon reliable cost data and procedures, and correctly applied? j. Evaluate the reasonableness of formula pricing methods for spare parts to ensure that individual elements of cost are not duplicated in both base costs and loading factors. k. If used by the contractor, evaluate the adequacy of catalog pricing and prepriced listing methods for developing reasonable prices for spare parts proposals. l. Evaluate the adequacy of the contractor's methods for developing cost estimates for contract changes. (1) Do the estimates properly reflect the nature and scope of the change and the status of the work in process at the time the change is issued? (2) Are the contractor's procedures for pricing deleted work correct? (Work deleted, but not yet performed, should be priced at estimated current cost). m. Determine if proposals are submitted on the appropriate forms, and if related supporting data contains enough detail to permit an adequate evaluation of cost estimates. Is the basis for each cost element disclosed? n. When a certificate of current cost or pricing data is required, does the contractor adequately identify the cost or pricing data submitted? o. Evaluate the contractor's policies and procedures to determine if they establish responsibility for the review and analysis of subcontracts. p. Selectively evaluate recent pricing proposals or other cost estimates to determine if cost/price analysis of subcontracts was performed, as required by the policies and procedures. q. Determine if controls are in place to ensure: (1) Timely submission of data at all phases of the proposal preparation process. (2) Uniformity of approach, detection of errors, and prevention of 17 of 20 Master Document – Audit Program cost duplication. r. Determine if the following characteristics of an adequate system exist: (1) Adequate supervision in each area, and at each level of the estimating process. (2) Managerial reviews at interim points, and upon completion of the estimating process. (3) Management reviews covering soundness of judgmental estimates, adherence to established procedures, and compliance with pertinent regulations. (4) Estimators who summarize and document the conditions, assumptions, contingencies, qualifications, risks, etc., taken into consideration in developing estimates. s. Determine whether proposed direct labor rates reflect the total hours employees are expected to work during the year as covered in CAM 9-505b, “Evaluation of Estimated Direct Labor Rates.” K-1 Contract Certification W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control environment  Contractor risk assessment 18 of 20 Master Document – Audit Program  Information and communications  Monitoring 2. Policies and procedures should be established and implemented to ensure that all cost or pricing data is current, accurate, and complete as of the date of agreement on price. a. Evaluate the contractor's policies and procedures to determine if they adequately provide for updating of cost or pricing data up to the point of agreement on price. b. Selectively evaluate recent post-award audits to determine if they indicate that the contractor is not updating cost or pricing data, as provided for in the policies and procedures.
- 2. Entrance Conference and Preparation a. Prepare a written memorandum to the contractor to arrange for an entrance conference covering the areas highlighted in CAM 4-302, and any specific data or pertinent information not yet provided. b. Conduct an entrance conference as outlined in CAM 4-302, with particular emphasis on: (1) Requesting the contractor to provide, if applicable, a system orientation briefing or a demonstration of the estimating system transaction flow, including data input, data processing, data output, and related internal controls. Document under Information and Communications, Section E-1, Step 3. (2) Determining any changes in the estimating process since the last examination. (3) Discussing the contractor’s risk assessment process. Overall understanding of contractor’s processes will be documented under Contractor Risk Assessment, Section D-1. 6 of 20 Master Document – Audit Program (4) Discussing the contractor’s monitoring process to ensure that established manual and computerized controls are functioning as intended. Document under Monitoring, Section F-1. (5) Discussing any identified weaknesses which may have been previously reported and related follow-up actions taken. 3. Other Preliminary Steps a. Determine the degree a computerized system is used in the estimating process. b. Perform a high level cursory assessment to determine if the following exist: (1) A functional estimating organization with defined organizational responsibilities. (2) A written description of the work flow in the estimating process. (3) Policies and procedures for effectively controlling the estimating process. 4. Initial Risk Assessment Using the information obtained in steps 1, 2, and 3, prepare an initial risk assessment (W/P B) to determine the initial scope of the examination. C-1 Control Environment W/P Reference Version 8.4, dated November 2009 The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The auditor should obtain a sufficient understanding of the control environment to determine the impact that it may have on the overall effectiveness of the estimating system internal controls. 1. Evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls for the rationale behind any moderate or high-risk assessment ratings and determine the impact, if any, on the effectiveness of the estimating system internal controls. .. 7 of 20 Master Document – Audit Program 2. If an examination of the control environment has not been recently performed, evaluate all documented prior audit experience with the contractor, including permanent files, relevant audit reports and working papers, suspected irregular conduct (SIC) referrals and discussions with prior auditors. Obtain an understanding of the following factors: a. Integrity and ethical values. b. Commitment to competence. c. Board of directors and/or audit committee participation. d. Management’s philosophy and operating style. e. Organizational structure. f. Assignment of authority and responsibility. g. Human resource policies and procedures. h. Financial capability. 3. Document your overall assessment of the control environment and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K). D-1 Contractor’s Risk Assessment W/P Reference Version 8.4, dated November 2009 The auditor should develop a sufficient understanding of the risk assessment process currently employed by the contractor in terms of its identification, analysis, and management of risks relevant to the preparation of contract cost data. 1. Meet with responsible personnel to obtain an overview of the various risk factors considered by management. 2. Once the various risk factors are identified, obtain an understanding of how management identifies the risks, estimates the significance of risks, assesses the likelihood of their occurrence, and relates them to contract reporting. 3. If applicable, obtain an overview of any plans, programs, or actions management may initiate to address specific risks. Keep in mind that, depending on the nature of specific risks, management may elect to accept a given risk due to costs or other considerations. 4. Document your overall understanding of the contractor’s risk assessment practices and the impact that it has on the nature and 8 of 20 Master Document – Audit Program extent of testing of each control objective (W/Ps G, H, I, J and K). E-1 Information and Communications W/P Reference Version 8.4, dated November 2009 Information and communication processes consist of the methods and records established to record, process, summarize, and report contract cost data. The auditor should develop a sufficient understanding of the contractor’s information and communication processes (relevant to contract cost data) to identify significant classes of transactions and how they are initiated, processed, controlled, and reported. A necessary step in understanding the information and communication process is to trace selected transactions through the system (see Step 5 below). This will assist in validating the contractor’s demonstration of the system and identifying key controls requiring subsequent testing. 1. Since the accounting and information systems are integral components of information and communication processes, evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls and the IT Systems General Internal Controls for the rationale behind any moderate or high-risk assessment ratings and determine the potential impact, if any, on the effectiveness of the estimating system internal controls on information and communications. 2. Evaluate relevant permanent files, prior audit working papers, and any prior contractor demonstrations of its estimating system information and communication processes. 3. Determine if the contractor has made changes to the information and communication processes in its estimating system since the last demonstration. Evaluate the changes. If no prior systems demonstration was performed, have the contractor provide one. Contractor representatives providing the demonstration should possess a detailed knowledge of the estimating system. The demonstration provides the auditor an opportunity to query contractor personnel regarding internal controls and how they are monitored. The auditor should ensure that the demonstration addresses the internal control objectives outlined in CAM 5-1200. 4. The contractor should include appropriate manual and computerized controls in its information processing that check for accuracy, completeness, and proper authorization of estimating related transactions. Have the contractor identify and demonstrate controls related to each of the areas listed in a. through e. below. Compare the contractor disclosed controls with the generic access control 9 of 20 Master Document – Audit Program listing contained in the referenced CAM section and identify any controls not incorporated in the application. Verify the existence and adequacy of the contractor disclosed controls. Discuss any apparent deficiencies with the contractor. a. Access Controls (CAM 5-1406.1) b. Data Input Controls (CAM 5-1406.2) c. Processing Controls (CAM 5-1406.3) d. Error Correction and Submission (CAM 5-1406.4) e. Output Controls (CAM 5-1406.5) 5. Once the current estimating system information and communication processes are demonstrated by the contractor, selectively trace the development of a contractor’s proposal through the estimating system, starting from the initiation of the proposal development process (e.g., response to RFP) to validate your understanding of the estimating system. By tracing a transaction, the auditor should document the validity and operation of the key controls demonstrated by the contractor in steps 2-4 above (e.g., estimates based on most current, accurate and completed data; cost or price analysis performed on subcontract proposals; proposal properly certified). Discrepancies between your understanding and the contractor’s demonstration should be resolved prior to completing the remainder of this examination. 6. Document your confirmed understanding of the estimating system information and communication processes and obtain a written confirmation from the contractor indicating that they agree with this understanding. This documentation will typically take the form of system flowcharts or narrative descriptions, and can be prepared by the auditor or consist of documentation prepared by the contractor (see CAM 5-106). Based on your understanding of the contractor’s estimating system information and communication processes, document the impact that it will have on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K). F-1 Monitoring W/P Reference Version 8.4, dated November 2009 Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The auditor should develop a sufficient understanding of the contractor’s ongoing monitoring activities and/or separate evaluations related to the 10 of 20 Master Document – Audit Program estimating system internal controls. 1. Determine if ongoing monitoring procedures are incorporated into the normal recurring activities of the contractor’s organization. These procedures should include regular management and supervisory activities. 2. Where applicable, determine the extent of internal audit involvement in performing monitoring functions through separate evaluations. 3. Determine and document the extent of monitoring activities being performed by external parties. 4. Document your overall understanding of the monitoring activity being performed at the contractor’s location, and determine the impact it will have on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K). G-1 Internal Audits W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control environment  Contractor risk assessment  Information and communications  Monitoring 2. Verify that periodic reviews of contractor’s policies and procedures 11 of 20 Master Document – Audit Program are conducted to ensure that: a. Policies and procedures are compliant with applicable Federal regulations. b. Policies and procedures have been implemented and are working effectively. c. Follow-up actions are taken on recommendations resulting from management reviews. 3. Evaluate the contractor's record of completed internal audits and its current internal audit plan to determine if the estimating system is being subjected to periodic reviews in accordance with established policies and procedures. 4. Identify and selectively evaluate documentary evidence and the frequency of the contractor’s management reviews to determine whether the scope of such reviews are appropriate, the conclusions sound, and appropriate follow-up actions were taken. 5. Identify any reviews which may have an impact on this examination, and evaluate the reports and supporting working papers to determine if any system deficiencies were noted, and the extent to which we can rely on the work performed (see CAM 4-1000). H-1 System Description W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows: 12 of 20 Master Document – Audit Program  Control environment  Contractor risk assessment  Information and communications  Monitoring 2. Contractors should establish and maintain an estimating system description, including policies, procedures, and operating instructions compliant with FAR and DFARS. a. Organization/Assignment of Responsibilities (1) Obtain organization charts and written policies, procedures, and directives describing the organizational structure, and responsibilities of the estimating group(s) and contributing departments. (2) Obtain flowcharts showing the flow of work in the estimating process and integration of data prepared by personnel responsible for various functions, such as accounting, cost control, budgeting, planning, purchasing, production control, engineering, estimating, and sales. Key decision and review points, and the time frame for the entire process, should be identified by the contractor. (3) Determine if the following characteristics of an adequate system exist: (a) Lines of authority, duties, and responsibilities are clearly defined. (b) Coordination among the various segments of the organization responsible for different parts of the estimate. (c) Designation of individuals authorized to approve requests for preparing estimates. (4) Interview selected employees involved in the proposal preparation process to determine if the actual responsibility for preparing, reviewing, and approving cost estimates is consistent with established policies and procedures. b. Policies and Procedures (1) Determine if written policies are established at a high enough organizational level to allow for proper implementation. (2) Determine if procedures are in writing and compatible with underlying policies. (3) Determine if: (a) Policies, procedures, and other written instructions are 13 of 20 Master Document – Audit Program disseminated to all employees responsible for putting the estimates together. (b) Revisions to policies, procedures, and instructions are timely, as changes occur in the estimating system. (4) Throughout the remainder of this examination, be alert for any areas in which established estimating policies and procedures are either inadequate or incomplete. c. Integration with Other Management Systems (1) Evaluate the contractor's policies and procedures to determine if they provide for the integration of information from other management systems, as appropriate. (2) Selectively evaluate recent pricing proposals or other cost estimates to determine if information from other management systems was appropriately integrated into the cost estimates. I-1 Training W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control environment  Contractor risk assessment  Information and communications  Monitoring 14 of 20 Master Document – Audit Program 2. Policies and procedures should be established and implemented to assure that assigned personnel have sufficient training, experience, and guidance to perform estimating tasks in accordance with established procedures. a. Evaluate the contractor's policies and procedures to determine if they require periodic training of all employees involved in the estimating process, including, when appropriate, the use of statistical aids and advanced estimating techniques. b. Evaluate records of completed training or other evidence indicating that appropriate employees have been trained in accordance with the policies and procedures. J-1 Cost Estimate Development W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows::  Control environment  Contractor risk assessment  Information and communications  Monitoring 2. Policies and procedures should be established and implemented to ensure that cost estimates are developed using acceptable estimating methods and rationale, and that supporting data is current, accurate, 15 of 20 Master Document – Audit Program and complete. a. Evaluate the adequacy and appropriateness of the methods employed in preparing cost estimates for each proposal type. Consider the following: (1) The nature of the products or services procured. (2) The degree of firmness of specifications. (3) The contractor's experience with the same or similar products or services. (4) The extent detailed cost data can be derived from the accounting system, adjunct statistical records, etc. (5) The relative dollar amount of the estimates. (6) Cost and time restrictions on the preparation of the estimates. b. Evaluate the extent to which the contractor has identified the estimating practices for sensitive cost areas. c. Determine if the contractor has procedures in place to ensure that practices used to estimate costs are consistent with accounting practices used in accumulating costs (CAS 401/FAR 31.201 and 31.203(d)), and to ensure that estimated costs are consistently classified between direct and indirect (CAS 402/FAR 31-202 and 31.203(a)). d. Evaluate the extent to which estimating methods make use of historical data relating to entire products and individual tasks; and indirect cost ratios and percentage factors applicable to a common base. e. Determine if cost estimates based upon prior cost experience consider: (1) Differences in complexity, quantity, rate of production, state of development, etc., between items previously produced and those for which estimates are being developed. (2) Applicability of preproduction engineering, special tooling, plant rearrangement, and other nonrecurring costs. (3) Anticipated changes in production methods, material usage, prices, wage rates, labor efficiency, production volume, plant capacity and make-or-buy structure. f. Evaluate the applicability of historical standard cost variance factors. (Where standards have been revised to represent expected actual cost, historical cost variances are not applicable). g. Evaluate the appropriateness of escalation factors proposed, and 16 of 20 Master Document – Audit Program the methods used to apply them to the cost elements. h. Evaluate the availability and use of incurred cost records in developing estimates if the contractor is given the authorization to proceed before a contract price is negotiated. i. Evaluate the propriety of using company-wide forward pricing factors for preparing cost estimates. Are such factors current, based upon reliable cost data and procedures, and correctly applied? j. Evaluate the reasonableness of formula pricing methods for spare parts to ensure that individual elements of cost are not duplicated in both base costs and loading factors. k. If used by the contractor, evaluate the adequacy of catalog pricing and prepriced listing methods for developing reasonable prices for spare parts proposals. l. Evaluate the adequacy of the contractor's methods for developing cost estimates for contract changes. (1) Do the estimates properly reflect the nature and scope of the change and the status of the work in process at the time the change is issued? (2) Are the contractor's procedures for pricing deleted work correct? (Work deleted, but not yet performed, should be priced at estimated current cost). m. Determine if proposals are submitted on the appropriate forms, and if related supporting data contains enough detail to permit an adequate evaluation of cost estimates. Is the basis for each cost element disclosed? n. When a certificate of current cost or pricing data is required, does the contractor adequately identify the cost or pricing data submitted? o. Evaluate the contractor's policies and procedures to determine if they establish responsibility for the review and analysis of subcontracts. p. Selectively evaluate recent pricing proposals or other cost estimates to determine if cost/price analysis of subcontracts was performed, as required by the policies and procedures. q. Determine if controls are in place to ensure: (1) Timely submission of data at all phases of the proposal preparation process. (2) Uniformity of approach, detection of errors, and prevention of 17 of 20 Master Document – Audit Program cost duplication. r. Determine if the following characteristics of an adequate system exist: (1) Adequate supervision in each area, and at each level of the estimating process. (2) Managerial reviews at interim points, and upon completion of the estimating process. (3) Management reviews covering soundness of judgmental estimates, adherence to established procedures, and compliance with pertinent regulations. (4) Estimators who summarize and document the conditions, assumptions, contingencies, qualifications, risks, etc., taken into consideration in developing estimates. s. Determine whether proposed direct labor rates reflect the total hours employees are expected to work during the year as covered in CAM 9-505b, “Evaluation of Estimated Direct Labor Rates.” K-1 Contract Certification W/P Reference Version 8.4, dated November 2009 The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control environment  Contractor risk assessment 18 of 20 Master Document – Audit Program  Information and communications  Monitoring 2. Policies and procedures should be established and implemented to ensure that all cost or pricing data is current, accurate, and complete as of the date of agreement on price. a. Evaluate the contractor's policies and procedures to determine if they adequately provide for updating of cost or pricing data up to the point of agreement on price. b. Selectively evaluate recent post-award audits to determine if they indicate that the contractor is not updating cost or pricing data, as provided for in the policies and procedures.
- A-1 Concluding Steps W/P Reference Version 8.4, dated November 2009 1. Assessment Of Control Risk a. Considering all five components of internal control (control environment, contractor risk assessment, information and communications, monitoring, and control activities that relate to control objectives), assess control risk for each of the relevant control objectives (internal audits, system description, training, cost estimate development, and contract certification). For each of the objectives, summarize the characteristics which support the assessed level of control risk and specifically identify any internal control weaknesses or system deficiencies. b. Determine if the estimating system is adequate to reasonably assure proper pricing, administration, and settlement of Government contracts in accordance with applicable laws and regulations. c. Based on the assessments above, determine the impact on the scope of other audits. d. Complete the ICAPS form at W/P A (see CAM 3-305). e. Coordinate the results of audit with the supervisor. The supervisor and the FAO manager should review and initial the ICAPS form at W/P A before the exit conference is performed. If it is determined that additional audit steps are needed, any additional planned audit effort should be accomplished as part of this examination or immediately thereafter. Any delays in completion of this audit effort should be documented and approved by management. 19 of 20 Master Document – Audit Program 20 of 20 2. Summary Steps a. Prepare a draft audit report in accordance with CAM 10-400. b. Conduct an exit conference with the contractor in accordance with CAM 4-304. c. Finalize the audit report incorporating the contractor's response and audit rejoinder. d. If the contractor has EVMS covered contracts, provide comments in the audit report on whether any findings are likely to impact the contractor's EVMS (10-1204.5b). Discuss findings and recommendations relating to the EVMS with the Contract Administration Office EVMS Monitor prior to issuance of the report. Immediately evaluate the impact of these findings on specific EVMS covered contracts and provide the details in flash EVMS surveillance reports (11-203.5.b). e. Update the permanent file in accordance with CAM 4-405.b (MAAR #3). Retain a copy of the approved W/P A ICAPS form. After the audit report is issued, update the ICRS database using the information on the approved W/P A ICAPS form and file the approved W/P A ICAPS form in the Electronic Contractor Permanent File (ECPF). (The control risk assessment (Section II) and overall system opinion (Section III) in the ICAPS may not be updated until the system report supporting the change is issued (CAM 3-306a).)
- Activity Code 12030 Purchasing System Internal Controls Version 7.5, dated November 2009 B-1 Planning Considerations Purpose and Scope The major objectives of this audit are to:  Evaluate the adequacy of and the contractor’s compliance with the purchasing system internal controls.  Obtain a sufficient understanding of the contractor’s purchasing system and related internal controls (including manual and computerized activities) to plan related audit effort. This requires that the auditor assess the adequacy of the contractor’s policies and procedures, whether they have been implemented, and if they are working and being monitored effectively.  Document the understanding of the purchasing system internal controls in working papers and permanent files.  Assess control risk as a basis to identify factors relevant to the design of substantive tests. Report on the understanding of the purchasing system internal controls and assessment of control risk, and the adequacy of the system for Government contracts. This audit program is limited to the examination of the purchasing system and related internal controls for major contractors, non-major contractors where the system is considered significant, and other contractors with substantial firm-fixed price contracts. Only those controls directly related to the contractor’s purchasing system, as defined below, will be audited under this assignment. Controls for interrelated audit concerns regarding the adequacy of the contractor’s other major systems (i.e., MMAS, Indirect & ODC, etc.) will be audited under separate assignments. While the controls for these areas are not part of this audit, the results of all audits of these interrelated controls must be considered in forming an overall audit conclusion on the purchasing system internal controls. The results of this audit should be commented on in reports on related audit areas. When performing an update or follow-up examination, the steps should be adjusted and tailored accordingly. To the extent possible, prior audit effort should be used as a basis for validating the contractor’s internal controls. Before beginning this examination, the auditor should be alert for internal control evaluations performed by the contractor or its external auditors relating to this area. In those cases where internal control evaluations have been performed, the auditor should follow guidance contained in CAM 4-1000, Relying Upon the Work of Others. Before performing any examination of internal controls, the auditor should determine that the 1 of 19 Master Document – Audit Program system contemplated for examination is material to the Government. Once it is determined that the system is material to the Government, the auditor should reassess the materiality of each section in the internal control audit before performing any audit steps in that section. The scope of any audit depends on individual circumstances. The auditor is expected to exercise professional judgment, considering vulnerability and materiality, in deciding the scope of audit to be performed. The use of computers of all kinds in a contractor’s accounting and management systems is so pervasive it is unlikely that any audit of them could be performed adequately without an examination of the internal controls over their automated aspects. Therefore, prior to the beginning of this audit, the auditor should become familiar with guidance contained in the Information System (IS) Auditing Knowledge Base that is found on DCAA’s Intranet. In addition, in some instances, the assistance of IT specialists may be required to adequately evaluate the automated aspects of the internal controls. In these cases, auditors should coordinate, through their supervisory auditor, to contact their regional offices to obtain the necessary expertise. The internal control matrix (see Internal Control Matrix – CPSR/Purchasing System Audit), shows the interrelationships among the control objectives, example control activities, and audit procedures used in this audit program. The control objectives and the audit procedures have been fully integrated into this audit; therefore, the matrix is not needed unless it is desirable to see the associated example control activities and the interrelationships in a matrix format. In cases where this examination covers internal control systems at multi-segment contractors, follow the guidance in CAM 5-103.2 and 5-110e. Auditing internal controls at multi-segment contractors requires effective coordination among cognizant auditors to identify the audit responsibilities at each location to ensure appropriate audit coverage when contractor locations share components of an internal control system, such as policies and procedures, common technologies (e.g., software) or common management. FAOs cognizant of segment locations should initiate assist audits from off-site locations as necessary. FAOs cognizant of off-site locations should not self-initiate audits of internal controls. References  CAM 3-300, Internal Control Audit Planning Summary (ICAPS)  CAM 5-100, Obtaining an Understanding of a Contractor’s Internal Controls and Assessing Control Risk  CAM 5-600, Audit of Purchasing System Internal Controls  CAM 5-1300, Participation on Joint Team Reviews
- Pertinent record layouts of files created and/or used during the processing of purchasing related transactions. Database table definitions. Source documents. Information on the conversion of documents to computer media. Subsidiary or master files affected by the system. Relevant reports, journals, and ledgers produced in the flow of information to the purchasing system reports. 1. Research and Planning a. Become familiar with applicable sections of CAM 5-600. Any recent relevant Headquarters guidance (i.e., MRDs, AGMs, and AMGMs) not incorporated in the CAM can be accessed from the Agency-Wide Library available on the DCAA’s intranet home page. b. Coordinate with the contracting officer: (1) The DCMA CPSR normally covers many DCAA concerns regarding internal control objectives, but not always all of them. Therefore, it is extremely important that, prior to commencing any audit of the contractor’s purchasing system, the auditor coordinate with the contracting officer (see CAM 5-1302 and FAR Part 44 for discussion of DCAA’s participation on joint CPSR reviews). If a CPSR is planned, the DCAA auditor should be a member of the CPSR team and the scope of the review should be discussed. There should be mutual agreement in the planning stage on what additional audit steps will be necessary to address any DCAA concerns. (2) In order to enhance coordination and planning of CPSRs, DCMA has committed to meet with the cognizant DCAA office a month before the scheduled CPSR, when appropriate, 3 of 19 Master Document – Audit Program to discuss the scope of the CPSR. This meeting will provide the auditor an opportunity to share the DCAA audit program for purchasing system internal controls with the DCMA purchasing analyst, discuss other relevant audits the FAO has performed (e.g., evaluations of estimating system and material management and accounting system internal controls), and discuss any concerns DCAA may have relative to the contractor’s purchasing system. FAOs should adequately document this coordination in the audit working papers. (3) During the CPSR, it is not the auditor’s responsibility to review the quality of the CPSR team’s work. However, the auditor should understand the scope of the work being performed in order to assess whether additional steps are required to satisfy any DCAA concerns. The auditor will make maximum use of the work performed and conclusions reached during these reviews in establishing the extent of any separate coverage and audit tests to be undertaken in the area (see Appendix D-300). c. Perform the following steps using the permanent file: (1) Review prior purchasing system audit working paper package. (2) Identify any purchasing system deficiency reports issued (review ICRS database, as applicable). Document the results of (1) and (2) on W/P B-2. (3) Determine if there are any reported deficiencies in the other internal control system audits that impact the scope of this purchasing system audit (review ICRS database, as applicable). Document on W/P B-2. The results of the Control Environment and Overall Accounting Controls examination, if any, should also be evaluated and documented, in detail, under Control Environment, Section C-1, Step 1, of the W/Ps, and under Information and Communications, Sections E-1, Step 1. The results of the IT Systems General Internal Controls examination, if any, should also be evaluated and documented in detail under Information and Communications, Section E-1, Step 1. (4) Identify the sources for the detailed policies, procedures, charts, etc., called for in steps (a) through (d) below. Document the sources of data by listing the data, its source, and any changes since the last system audit. (a) Contractor’s written purchasing policies and procedures. (b) Organization charts depicting the functional areas responsible for developing and processing purchasing 4 of 19 Master Document – Audit Program related data. (c) Purchasing charging and distribution system flowcharts providing a pictorial overview of all manual and computerized processing steps. (d) Information systems documentation: (i) Pertinent record layouts of files created and/or used during the processing of purchasing related transactions. (ii) Database table definitions. (iii)Source documents. (iv) Information on the conversion of documents to computer media. (v) Subsidiary or master files affected by the system. (vi) Relevant reports, journals, and ledgers produced in the flow of information to the purchasing system reports. (5) Review audit lead sheets. (6) Review other related audits (e.g., 10100-Incurred Cost and 21000-Price Proposal). d. In planning and performing the examination, consider the fraud risk indicators specific to the audit. The principal sources for the applicable fraud risk indicators are:  Handbook on Fraud Indicators for Contract Auditors, Sections II.2., IV.4., and IV.5., (IGDH 7600.3, APO March 31, 1993) located at http://www.dodig.mil/PUBS/igdh7600.doc (To access the handbook, copy and paste the web address shown above into the address block in Internet Explorer.)  CAM Figure 4-7-3 and CAM 6-305. Document in working paper B any identified fraud risk indicators and your response/actions to the identified risks (either individually, or in combination). This should be done at the planning stage of the audit, as well as during the audit, if risk indicators are disclosed. If no risk indicators are identified, document this in working paper B. e. Obtain from the contractor a schedule of total dollars processed through the purchasing system for the past twelve months (or most recent completed fiscal year) and summarize by total dollars and dollars by Government flexibly priced contracts and fixed price 5 of 19 Master Document – Audit Program contracts in order to determine the materiality of the purchasing system. Complete the Materiality section of the ICAPS form at W/P A (MAAR #1). f. Discuss the planned examination of the purchasing system internal controls with the administrative contracting officer (ACO) and, if appropriate, other customers to identify, understand, and document any concerns they may have of areas which should be evaluated. g. FAOs that have cognizance of contractors with significant classified contracts should coordinate with the Field Detachment to determine the DCAA office responsible for identifying and reviewing purchased costs on classified contracts. This coordination should be documented in the working papers. FAOs should also coordinate with the Field Detachment on any significant purchasing system or other purchasing related system issues. h. Close coordination is required at FAOs cognizant of a shared services location and the FAOs cognizant of the segments serviced by the shared services. Document the objectives and procedures to be performed at the shared services location and the segment level. Request assist audits, as applicable. i. Determine the extent and results of the contractor’s self-governance activities, internal and external audits, and coordinated audits, etc., related to the purchasing system. (1) Request the contractor provide a list of completed internal and external audits and determine if any are related to the purchasing system. (2) If applicable, coordinate with the CAC or corporate office auditors to determine if any internal control weaknesses that might impact the purchasing system were identified in management’s internal control report or the independent auditor’s attestation on management’s assertion included in the annual report filed with the SEC. (3) In those cases where internal or external audits have been performed, the auditor should follow the guidance contained in CAM 4-1000, Relying Upon the Work of Others. Document your preliminary evaluation and its impact on the scope of this examination. The evaluation of internal audit working papers is documented in detail under Contractor Compliance, Training, Policies and Procedures in Section G-1, Step 4. j. Determine the need for technical assistance, if any, and document your consideration on working paper B-3.
- 2. Entrance Conference and Preparation a. Prepare a written memorandum to the contractor to arrange for an entrance conference, covering the areas highlighted in CAM 4-302 and any specific data or pertinent information not yet provided. b. Conduct an entrance conference as outlined in CAM 4-302, with particular emphasis on: (1) Requesting the contractor to provide, if applicable, a system orientation briefing or a demonstration of the purchasing system transaction flow including data input, data processing, data output, and related internal controls. Document under Information and Communications, Section E-1, Step 3. (2) Determining any changes in the purchasing processing job stream since the last examination. (3) Discussing the contractor’s risk assessment process. The overall understanding of the contractor’s process will be documented under Contractor Risk Assessment, Section D-1. (4) Discussing the contractor’s monitoring process to ensure that established manual and computerized controls are functioning as intended. Document under Monitoring, Section F-1. (5) Discussing any identified weaknesses which may have been previously reported and related follow-up actions taken. 3. Other Preliminary Steps a. Determine the degree a computerized system is used in the purchasing system process. b. Perform a high level cursory assessment to determine if the following exist: (1) A functional purchasing organization with defined organizational responsibilities. (2) A written description of the work flow in the purchasing process. (3) Policies and procedures for effectively controlling the process. 4. Initial Risk Assessment Using the information obtained in steps 1, 2, and 3, prepare an initial risk assessment to determine the initial scope of the examination (W/P 7 of 19 Master Document – Audit Program B). C-1 Control Environment W/P Reference Version 7.5, dated November 2009 The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The auditor should obtain a sufficient understanding of the control environment to determine the impact that it may have on the overall effectiveness of the purchasing system internal controls. 1. Evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls for the rationale behind any moderate or high-risk assessment ratings and determine the impact, if any, on the effectiveness of the purchasing system internal controls on the control environment. 2. If an examination of the control environment has not been recently performed, evaluate all documented prior audit experience with the contractor, including permanent files, relevant audit reports and working papers, suspected irregular conduct (SIC) referrals, and discussions with prior auditors. Obtain an understanding of the following factors: a. Integrity and ethical values. b. Commitment to competence. c. Board of directors and/or audit committee participation. d. Management’s philosophy and operating style. e. Organizational structure. f. Assignment of authority and responsibility. g. Human resource policies and procedures. h. Financial capability. 3. Document your overall understanding of the control environment and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H, I, J, K, and L). 8 of 19 Master Document – Audit Program D-1 Contractor Risk Assessment W/P Reference Version 7.5, dated November 2009 The auditor should develop a sufficient understanding of the risk assessment process currently employed by the contractor in terms of its identification, analysis, and management of risks relevant to the preparation of contract cost data. 1. Meet with responsible personnel to obtain an overview of the various risk factors considered by management. 2. Once the various risk factors are identified, obtain an understanding of how management identifies the risks, estimates the significance of risks, assesses the likelihood of their occurrence, and relates them to contract reporting. 3. If applicable, obtain an overview of any plans, programs, or actions management may initiate to address specific risks. Keep in mind that, depending on the nature of specific risks, management may elect to accept a given risk due to costs or other considerations. 4. Document your overall understanding of the contractor’s risk assessment practices and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H, I, J, K, and L). E-1 Information and Communications W/P Reference Version 7.5, dated November 2009 Information and communication processes consist of the methods and records established to record, process, summarize, and report contract cost data. The auditor should develop a sufficient understanding of the contractor’s information and communication processes (relevant to contract cost data) to identify significant classes of transactions and how they are initiated, processed, controlled, and reported. A necessary step in understanding the information and communication process is to trace selected transactions through the system (see Step 5 below). This will assist in validating the contractor’s demonstration of the system and identifying key controls requiring subsequent testing. 1. Since the accounting and information systems are integral components of information and communication processes, evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls and the IT Systems General Internal Controls for the rationale behind any moderate or high-risk assessment ratings and determine the potential impact, if any, on the effectiveness of the purchasing system internal controls on information and 9 of 19 Master Document – Audit Program communications. 2. Evaluate relevant permanent files, prior audit working papers, and any prior contractor demonstrations of its purchasing system information and communication processes. 3. Determine if the contractor has made changes to the information and communication processes in its purchasing system since the last demonstration. Evaluate the changes. If no prior systems demonstration was performed, have the contractor provide one. Contractor representatives providing the demonstration should possess a detailed knowledge of the purchasing system. The demonstration provides the auditor an opportunity to query contractor personnel regarding internal controls and how they are monitored. The auditor should ensure that the demonstration addresses the internal control objectives outlined in CAM 5-600. 4. The contractor should include appropriate manual and computerized controls in its information processing that check for accuracy, completeness, and proper authorization of purchasing related transactions. Have the contractor identify and demonstrate controls related to each of the areas listed in a. through e. below. Compare the contractor disclosed controls with the generic access control listing contained in the referenced CAM section and identify any controls not incorporated in the application. Verify the existence and adequacy of the contractor disclosed controls. Discuss any apparent deficiencies with the contractor. a. Access Controls (CAM 5-1406.1) b. Data Input Controls (CAM 5-1406.2) c. Processing Controls (CAM 5-1406.3) d. Error Correction and Submission (CAM 5-1406.4) e. Output Controls (CAM 5-1406.5) 5. Once the current purchasing system information and communication processes are demonstrated by the contractor, trace the processing of a purchase order/subcontract through the purchasing system starting from the initiation of the transaction (e.g., purchase requisition) to validate your understanding of the purchasing system. By tracing a transaction, the auditor should document the validity and operation of the key controls demonstrated by the contractor in steps 2-4 above (e.g., purchasing department’s organizational independence, required cost/price analysis performed, adequate source selection evaluation, purchasing file documentation requirements). Discrepancies between your understanding and the contractor’s demonstration should be resolved prior to completing the remainder of this examination. 10 of 19 Master Document – Audit Program 6. Document your confirmed understanding of the purchasing system information and communication processes and obtain a written confirmation from the contractor indicating that they agree with this understanding. This documentation will typically take the form of system flowcharts or narrative descriptions and can be prepared by the auditor or consist of documentation prepared by the contractor (see CAM 5-106). Based on your understanding of the contractor’s purchasing system information and communication processes, document the impact that it will have on the nature and extent of testing of each control objective (W/Ps G, H, I, J, K and L). F-1 Monitoring W/P Reference Version 7.5, dated November 2009 Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The auditor should develop a sufficient understanding of the contractor’s ongoing monitoring activities and/or separate evaluations related to the purchasing system internal controls. 1. Determine if ongoing monitoring procedures are incorporated into the normal recurring activities of the contractor’s organization. These procedures should include regular management and supervisory activities. 2. Where applicable, determine the extent of internal audit involvement in performing monitoring functions through separate evaluations. 3. Determine and document the extent of monitoring activities being performed by external parties. 4. Document your overall understanding of the monitoring activity being performed at the contractor’s location and the impact it will have on the nature and extent of testing of each of the control objectives (W/Ps G, H, I, J, K, and L). G-1 Contractor Compliance, Training, Policies, and Procedures W/P Reference Version 7.5, dated November 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of control activities is essential to the assessment of control risk. Purchasing system primary control objectives, as they relate to U.S. Government contracts, 11 of 19 Master Document – Audit Program and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications  Monitoring 2. Determine whether any internal audits or management reviews of the Purchasing Department have been performed. Evaluate the results and note any deficiencies. 3. Determine if any required follow-up actions were taken related to reported findings or recommendations, or why no actions were taken. 4. Adjust the scope of this audit based on the results of the internal audits or management reviews. 5. Obtain the contractor's purchasing policies and procedures. Verify that they include the items set forth in the audit steps for the following control objectives:  Purchase Orders and Subcontract Clauses  Management of Purchasing  Selecting the Source  Pricing and Negotiation  Subcontract Award and Administration 6. Obtain a list of training provided to purchasing personnel. Evaluate the training materials to verify that the training covers Government purchasing regulations and contractor procedures. 12 of 19 Master Document – Audit Program H-1 Purchase Orders and Subcontract Clauses W/P Reference Version 7.5, dated November 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of control activities is essential to the assessment of control risk. Purchasing system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications  Monitoring 2. Verify that the contractor ensures flow down of applicable prime contract terms and conditions in purchase orders and subcontracts (e.g., either the Government or contractor has access to the subcontractor's/intercompany books and records for audit, that billings include only allowable costs [see CAM 6-802.2c.]). I-1 Management of Purchasing W/P Reference Version 7.5, dated November 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of control activities is essential to the assessment of control risk. Purchasing system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see (W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that 13 of 19 Master Document – Audit Program relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications  Monitoring 2. Determine whether the purchasing department is organizationally independent in order to allow it to operate at maximum effectiveness and make objective decisions. 3. Verify that the contractor requires the following purchasing file data to be maintained: a. The purchase order. b. The purchase requisition. c. The request for quotation (RFQ). d. Copies of the vendors' quotes. e. A bid tabulation sheet that summarizes and compares vendor quotations. f. Certificates for the rent-free use of Government facilities. g. Vendor surveys or facilities capabilities reports. h. Source selection explanation. i. Price or cost analysis data. j. Negotiation summary. k. Basis for selection of contract type. l. Copies of technical data. m. Price redetermination or termination data. n. Correspondence between the purchasing department and the bidders. o. Evidence of Small and Disadvantaged Business enterprise 14 of 19 Master Document – Audit Program consideration. p. Information concerning the use of special terms and conditions and approval thereof. q. Departmental and management approvals, if required. r. Administrative Contracting Officer notification and consent. s. Certificate of Current Cost or Pricing Data, if a procurement meets the requirements. 4. Verify that the contractor follows its make-or-buy program. Ensure that procedures are followed and decisions are documented. 5. Verify that the contractor has a system of reports and controls that reflect performance and provides the means through which the purchasing department reports its performance to company management. J-1 Selecting the Source W/P Reference Version 7.5, dated November 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of control activities is essential to the assessment of control risk. Purchasing system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications  Monitoring 15 of 19 Master Document – Audit Program 2. Evaluate the following as an indication of the contractor's commitment to promote competition: a. Reports to top management. b. Existence and usefulness of the historical records on parts and vendors. c. Extent of market survey efforts. 3. Verify the implementation of a current vendor performance rating system. 4. Selectively test procurement files to ensure compliance with FAR 52.244-5, Competition in Subcontracting. K-1 Pricing and Negotiation W/P Reference Version 7.5, dated November 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of control activities is essential to the assessment of control risk. Purchasing system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications  Monitoring 2. Determine if the purchasing file contains appropriate cost/price analysis and technical evaluation (see “Management of Purchasing” – Section I-1). 16 of 19 Master Document – Audit Program 3. Verify that the contractor has a system to negotiate and take advantage of quantity and prompt payment discounts. Selectively evaluate payments to determine that the system is working. 4. Verify that guidelines are in place and being followed for determining that cost effective methods are used for processing the high volume of low dollar value orders and calls against blanket orders and open-ended subcontracts. Include consideration of corporate wide purchase agreements, where appropriate. L-1 Subcontract Award and Administration W/P Reference Version 7.5, dated November 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of control activities is essential to the assessment of control risk. Purchasing system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control Environment  Contractor Risk Assessment  Information and Communications  Monitoring 2. Verify that guidelines are in place and being followed for determining the types of subcontracts awarded (MAAR #12) and under what circumstances. 3. Determine that the contractor notifies the Government upon award of an auditable subcontract (MAAR #12)or intercompany order (see CAM 6-802.2b). 17 of 19 Master Document – Audit Program 4. Verify that the contractor obtains annual incurred cost proposals for auditable subcontracts/intercompany orders (MAAR #12), assures the proposals are audited, and incorporates the audit results into billings and proposals to the Government. 5. Determine that the contractor adequately monitors financial and technical performance.
- A-1 Concluding Steps W/P Reference Version 7.5, dated November 2009 1. Assessment of Control Risk a. Considering all five components of internal control (control environment, contractor risk assessment, information and communications, monitoring and control activities that relate to control objectives), assess control risk for each of the relevant control objectives (contractor compliance, training, policies, and procedures; purchase orders and subcontract clauses; management of purchasing; selecting the source; pricing and negotiation; and subcontract award and administration). For each of the objectives, summarize the characteristics which support the assessed level of control risk and specifically identify any internal control weaknesses or system deficiencies. b. Determine if the purchasing system is adequate to reasonably assure proper pricing, administration, and settlement of Government contracts in accordance with applicable laws and regulations. c. Based on the assessments above, determine the impact on the scope of other audits. d. Complete the ICAPS form at W/P A (see CAM 3-305) (MAAR #1). e. Coordinate the results of audit with the supervisor. The supervisor and the FAO manager should review and initial the ICAPS form at W/P A before the exit conference is performed. If it is determined that additional audit steps are needed, any additional planned audit effort should be accomplished as part of this examination or immediately thereafter. Any delays in completion of this audit effort should be documented and approved by management. 2. Summary Steps 18 of 19 Master Document – Audit Program 19 of 19 a. Prepare a draft audit report in accordance with CAM 10-400. b. Conduct an exit conference with the contractor in accordance with CAM 4-304. c. Finalize the audit report incorporating the contractor's response and audit rejoinder. d. If the contractor has EVMS covered contracts, provide comments in the audit report on whether any findings are likely to impact the contractor's EVMS (10-1204.5b). Discuss findings and recommendations relating to the EVMS with the Contract Administration Office EVMS Monitor prior to issuance of the report. Immediately evaluate the impact of these findings on specific EVMS covered contracts and provide the details in flash EVMS surveillance reports (11-203.5.b). e. Update the permanent file in accordance with CAM 4-405.1.b (MAAR #3). Retain a copy of the approved W/P A ICAPS form. After the audit report is issued, update the ICRS database using the information on the approved W/P A ICAPS form and file the approved W/P A ICAPS form in the Electronic Contractor Permanent File (ECPF). (The control risk assessment (Section II) and overall system opinion (Section III) in the ICAPS may not be updated until the system report supporting the change is issued (CAM 3-306a).)
- Activity Code 11010 Billing System Version 10.9, dated November 2009 B-1 Planning Considerations Purpose and Scope 1. The major objectives of this audit are to:  Evaluate the adequacy of and the contractor’s compliance with the billing system internal controls.  Obtain a sufficient understanding of the contractor’s billing system and related internal controls (including both manual and computerized activities) to plan related audit effort. This requires that the auditor assess the adequacy of the contractor’s policies and procedures, whether they have been implemented, and if they are working and being monitored effectively.  Document the understanding of the billing system internal controls in working papers and permanent files.  Assess control risk as a basis to identify factors relevant to the design of substantive tests. Report on the understanding of the billing system internal controls and assessment of control risk and the adequacy of the system for Government contracts. 2. This audit is limited to the examination of the billing system and related internal controls for major contractors, non-major contractors where the system is considered significant, and other contractors with substantial firm-fixed price contracts. Only those controls directly related to the contractor’s billing system, as defined below, will be audited under this assignment. Controls for interrelated audit concerns regarding the adequacy of the contractor’s other major systems (i.e., budget and planning, estimating, etc.) will be audited under separate assignments. While the controls for these areas are not part of this audit, the results of all audits of these interrelated controls must be considered in forming an overall audit conclusion on the billing system internal controls. The results of this audit should be commented on in reports on related audit areas. 3. When performing an update or follow-up examination, the steps below should be adjusted and tailored accordingly. To the extent possible, prior audit effort should be used as a basis for validating the contractor’s internal controls. 4. Before beginning this examination, the auditor should be alert for internal control evaluations performed by the contractor or its external auditors relating to this audit area. In those cases where internal control evaluations have been performed, the auditor should follow guidance contained in CAM 4-1000, Relying Upon the Work of Others. 5. Before performing any examination of internal controls, the auditor should determine that the system contemplated for examination is material to the Government. Once it is determined that the system is material to the Government, the auditor should reassess the materiality of 1 of 27 Master Document – Audit Program each section in the internal control audit before performing any audit steps in that section. The scope of any audit depends on individual circumstances. The auditor is expected to exercise professional judgment, considering vulnerability and materiality, in deciding the scope of audit to be performed. 6. The use of computers of all kinds in a contractor’s accounting and management systems is so pervasive it is unlikely that any audit of them could be performed adequately without an examination of the internal controls over their automated aspects. Therefore, the auditor should become familiar with guidance contained in the Information System (IS) Auditing Knowledge Base that is found on DCAA’s Intranet, prior to the beginning of this audit. In addition, in some instances, the assistance of IT specialists may be required to adequately evaluate the automated aspects of the internal controls. In these cases, auditors should coordinate, through their supervisory auditor, to contact their regional office to obtain the necessary expertise. 7. The internal control matrix (see Internal Control Matrix – Billing System and Related Internal Controls), showing the interrelationships among the control objectives, example control activities, and audit procedures used in this audit program. The control objectives and the audit procedures have been fully integrated into this audit; therefore, the matrix is not needed unless it is desirable to see the associated example control activities and the interrelationships in a matrix format. 8. This examination incorporates the steps of the Annual Testing of Contractor’s Eligibility for Direct Bill Program (Code 11015). Thus, a separate Code 11015 assignment is not required to be performed in the same contractor fiscal year that a billing system audit is being performed. 9. In cases where this examination covers internal control systems at multi-segment contractors, follow the guidance in CAM 5-103.2 and 5-110e. Auditing internal controls at multi-segment contractors requires effective coordination among cognizant auditors to identify the audit responsibilities at each location to ensure appropriate audit coverage when contractor locations share components of an internal control system, such as policies and procedures, common technologies (e.g., software) or common management. FAOs cognizant of segment locations should initiate assist audits from off-site locations as necessary. FAOs cognizant of off-site locations should not self-initiate audits of internal controls. 10. The following documents are available in APPS under “Other Audit Guidance” to assist the auditor in preparing the vulnerability assessment, working papers, and letters required for this audit. They should be tailored to fit the circumstances.  Direct Billing Letters.doc  Proforma Notification to Payment Office.doc  Proforma Request for Assist Audit Definitions  Contract Overpayments. Overpayments are payments that the contractor receives that are in excess of billed amounts. Overpayments may also result from differences between 2 of 27 Master Document – Audit Program recorded and billed costs. Major causes of overpayments include: (i) weaknesses in contractor internal controls; (ii) contract administration adjustments; and (iii) paying office errors.  Accounting for Progress Payment Liquidations. The Government liquidates (recoups) progress payment amounts previously provided to contractors by deducting these amounts from the payment requested on the appropriate contractor delivery invoice. Consequently, the contractor should have procedures for recording, in its accounting records, the net delivery invoice amount that reflects the reduction of the delivery invoice amount by any prior progress payments requested by the contractor and paid by the Government.  Contract Administration Adjustments. Contract administration adjustments include payments the contractor received in accordance with contract provisions, which need to be reduced because of subsequent events or actions. Contract administration adjustments may result from contract administration related actions, such as:  progress payment adjustments due to a contract loss position;  changes in contract billing prices, liquidation rates, and foreign exchange rates;  quarterly limitation of payment adjustments;  Government withholds as a result of contract performance problems; and  settlement of final indirect rates, Cost Accounting Standard noncompliances, or postaward audits.  Demand Letters. Letters issued by the paying office or contracting officer demanding payment of specified amounts by the contractor. The demand letter notifies the contractor that amounts not paid within 30 days of the demand letter shall bear interest.  Offsets. An offset is a reduction applied to an invoice submitted to the paying office as a means of resolving payment issues such as overpayments, contract administration adjustments, and paying office/contractor errors.  Refunds. Checks submitted to the Government during a specific time period. References 1. CAM 3-300 Internal Control Audit Planning Summary (ICAPS) 2. CAM 5-100 Obtaining an Understanding of a Contractor’s Internal Controls and Assessing Control Risk 3. CAM 5-1100 Audit of Billing System Internal Controls 4. CAM 6-203 Credits and Refunds on Cost-Type Contracts 5. CAM 6-705 Interim Cost-Reimbursable Billings 6. CAM 6-900, Notice of Cost Suspensions and Disapprovals Under Cost Reimbursable Contracts 3 of 27 Master Document – Audit Program 7. CAM 6-1000, Responsibilities for Processing and Approval of Interim and Completion Cost-Reimbursable Vouchers 8. CAM 14-200, Audit of Progress Payments
- Pertinent record layouts of files created and/or used during the processing of billing system related transactions. Database table definitions. Source documents. Information on the conversion of documents to computer media. Subsidiary or master files affected by the system. Relevant reports, journals, and ledgers produced in the flow of information to the billing system reports. Contractor’s written policies and procedures and billing system manual. (b) Organization charts depicting the functional areas responsible for developing and processing billing related data. 4 of 27 Master Document – Audit Program (c) Billing system flowcharts providing a pictorial overview of all manual and computerized processing steps. (d) Information systems documentation: (i) Pertinent record layouts of files created and/or used during the processing of billing system related transactions. (ii) Database table definitions. (iii) Source documents. (iv) Information on the conversion of documents to computer media. (v) Subsidiary or master files affected by the system. (vi) Relevant reports, journals, and ledgers produced in the flow of information to the billing system reports. (5) Review audit lead sheets. (6) Review other related audits, for example: (a) Review results of prior annual testing of contractor’s eligibility for direct bill program assignment (11015). (b) Review results of prior examinations of progress payments (175XX). (c) Review results of prior examinations of contract overpayments (17310). (d) Review results of prior examination of contractor compliance with billing instructions (17390). (e) Review and summarize the impact of suspected irregular conduct (SIC), and CAS noncompliances, if applicable. (7) Consider the impact of the contractor’s financial condition on the billing system. (Refer to prior financial capability assessments or audits – 176XX). 5 of 27 Master Document – Audit Program c. In planning and performing the examination, consider the fraud risk indicators specific to the audit. The principal sources for the applicable fraud risk indicators are:  Handbook on Fraud Indicators for Contract Auditors, Section II.4 (IGDH 7600.3, APO March 31, 1993) located at http://www.dodig.mil/PUBS/igdh7600.doc (To access the handbook, copy and paste the web address shown above into the address block in Internet Explorer.)  CAM Figure 4-7-3. Document in working paper B any identified fraud risk indicators and your response/actions to the identified risks (either individually, or in combination). This should be done at the planning stage of the audit, as well as during the audit, if risk indicators are disclosed. If no risk indicators are identified, document this in working paper B. d. Obtain from the contractor a schedule of total dollars processed through the billing system for the past twelve months (or most recently completed fiscal year) and summarize by total dollars and dollars by Government flexibly priced contracts and fixed price contracts in order to determine the materiality of the billing system. Complete the Materiality section of the ICAPS form at W/P A. e. Discuss the planned evaluation of the billing system internal controls with the administrative contracting officer (ACO) and the contractor's major procurement activities to identify, understand, and document any concerns they may have of areas which should be evaluated. The auditor should reassure the ACO and procurement activities that DCAA billing system audits can satisfy customer requirements and eliminate the need for submittal of excessive contractor documentation with interim vouchers. In addition, determine if the ACO wants us to perform specific audit services to support the ACO’s responsibilities under FAR 32.503-5, Administration of Progress Payments, or other guidance. f. FAOs that have cognizance of contractors with significant classified contracts should coordinate with the Field Detachment to determine the DCAA office responsible for identifying and reviewing billings and overpayments on classified contracts. This coordination should be documented in the working papers. FAOs should also coordinate with the Field Detachment on any significant billing system issues, including overpayments found on classified contracts during prior period reviews. g. Close coordination is required at FAOs cognizant of a shared 6 of 27 Master Document – Audit Program services location and the FAOs cognizant of the segments serviced by the shared services. Document the objectives and procedures to be performed at the shared services location and the segment level. Request assist audits, as applicable. h. Determine the extent and results of the contractor’s self-governance activities, internal and external audits, and coordinated audits related to the billing system. (1) Request the contractor provide a list of completed internal and external audits and determine if any are related to the billing system. (2) If applicable, coordinate with the CAC or corporate office auditors to determine if any internal control weaknesses that might impact the billing system were identified in management’s internal control report or the independent auditor’s attestation on management’s assertion included in the annual report filed with the SEC. (3) In those cases where internal or external audits have been performed, the auditor should follow the guidance contained in CAM 4-1000, Relying Upon the Work of Others. Document your preliminary evaluation and its impact on the scope of this examination. The evaluation of internal audit working papers is documented in detail under Management Reviews in Section G-1, step 3. i. Determine the need for technical assistance, if any, and document your consideration on working paper B-3. C-1 Control Environment W/P Reference Version 10.9, dated November 2009 The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The auditor should obtain a sufficient understanding of the control environment to determine the impact that it may have on the overall effectiveness of the billing system internal controls. 1. Evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls for the rationale behind any moderate or high-risk assessment ratings and determine the impact, if any, on the effectiveness of the billing system internal controls on the control environment. 2. If an examination of the control environment has not been recently performed, evaluate all documented prior audit experience with the contractor, including permanent files, relevant audit reports and working papers, suspected irregular conduct (SIC) referrals and discussions with prior auditors. Obtain an understanding of the following factors: a. Integrity and ethical values. b. Commitment to competence. c. Board of directors and/or audit committee participation. d. Management’s philosophy and operating style. e. Organizational structure. f. Assignment of authority and responsibility. g. Human resource policies and procedures. h. Financial capability. 10 of 27 Master Document – Audit Program 3. Document your overall understanding of the control environment and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H and I). D-1 Contractor Risk Assessment W/P Reference Version 10.9, dated November 2009 The auditor should develop a sufficient understanding of the risk assessment process currently employed by the contractor in terms of its identification, analysis, and management of risks relevant to the preparation of contract cost data and the generation of contract billings. 1. Meet with responsible personnel to obtain an overview of the various risk factors considered by management. 2. Once the various risk factors are identified, obtain an understanding of how management identifies the risks, estimates the significance of risks, assesses the likelihood of their occurrence, and relates them to contract reporting. 3. If applicable, obtain an overview of any plans, programs, or actions management may initiate to address specific risks. Keep in mind that, depending on the nature of specific risks, management may elect to accept a given risk due to costs or other considerations. 4. Document your overall understanding of the contractor’s risk assessment practices and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H and I). E-1 Information and Communications W/P Reference Version 10.9, dated November 2009 Information and communication processes consist of the methods and records established to record, process, summarize, and report contract cost data. The auditor should develop a sufficient understanding of the contractor’s information and communication processes (relevant to contract cost data) to identify significant classes of transactions and how they are initiated, processed, controlled, and reported. A necessary step in understanding the information and communication process is to trace selected transactions through the system (see Step 5 below). This will assist in validating the contractor’s demonstration of the system and identifying key controls requiring subsequent testing. 1. Since the accounting and information systems are integral components 11 of 27 Master Document – Audit Program of information and communication processes, review the most recently completed ICAPS for the Control Environment and Overall Accounting Controls and the IT Systems General Internal Controls for the rationale behind any moderate or high-risk assessment ratings and determine the potential impact, if any, on the effectiveness of the billing system internal controls on information and communications. 2. Evaluate relevant permanent files, prior audit working papers, and any prior contractor demonstrations of its billing system information and communication processes. 3. Determine if the contractor has made changes to the information and communication processes in its billing system since the last demonstration. Evaluate the changes. If no prior systems demonstration was performed, have the contractor provide one. Contractor representatives providing the demonstration should possess a detailed knowledge of the billing system. The demonstration provides the auditor an opportunity to query contractor personnel regarding internal controls and how they are monitored. The auditor should ensure that the demonstration addresses the internal control objectives outlined in CAM 5-1100. 4. The contractor should include appropriate manual and computerized controls in its information processing that check for accuracy, completeness, and proper authorization of billing related transactions. Have the contractor identify and demonstrate controls related to each of the areas listed in a through e below. Compare the contractor disclosed controls with the generic access control listing contained in the referenced CAM section and identify any controls not incorporated in the application. Verify the existence and adequacy of the contractor disclosed controls. Discuss any apparent deficiencies with the contractor. a. Access Controls (CAM 5-1406.1) b. Data Input Controls (CAM 5-1406.2) c. Processing Controls (CAM 5-1406.3) d. Error Correction and Submission (CAM 5-1406.4) e. Output Controls (CAM 5-1406.5) 5. Once the current billing system information and communication processes are demonstrated by the contractor, trace the processing of a public voucher and/or progress payment through the billing system starting from the initiation of the transaction (e.g., authorization to prepare a billing) to validate your understanding of the billing system. By tracing a transaction, the auditor should document the validity and operation of the key controls demonstrated by the contractor in steps 2-4 above (e.g., billed amounts are compliant with contract provisions, 12 of 27 Master Document – Audit Program reconcile to the job cost ledger, reflect only allowable costs). Discrepancies between your understanding and the contractor’s demonstration should be resolved prior to completing the remainder of this examination. 6. Document your confirmed understanding of the contractor’s billing system information and communication processes and obtain a written confirmation from the contractor indicating that they agree with this understanding. This documentation will typically take the form of system flowcharts or narrative descriptions and can be prepared by the auditor or consist of documentation prepared by the contractor (see CAM 5-106). Based on your understanding of the contractor’s billing system information and communication processes, document the impact that it will have on the nature and extent of testing of each control objective (W/Ps G, H and I). F-1 Monitoring W/P Reference Version 10.9, dated November 2009 Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The auditor should develop a sufficient understanding of the contractor’s ongoing monitoring activities and/or separate evaluations related to the billing system internal controls. 1. Determine if ongoing monitoring procedures are incorporated into the normal recurring activities of the contractor’s organization. These procedures should include regular management and supervisory activities. 2. Where applicable, determine the extent of internal audit involvement in performing monitoring functions through separate evaluations. 3. Determine and document the extent of monitoring activities being performed by external parties. 4. Document your overall understanding of the monitoring activity being performed at the contractor’s location and the impact it will have on the nature and extent of testing of each control objective (W/Ps G, H and I). 13 of 27 Master Document – Audit Program G-1 Management Reviews W/P Reference Version 10.9, dated November 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Billing system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control environment  Contractor risk assessment  Information and communications  Monitoring 2. Verify that periodic reviews of contractor’s policies and procedures are conducted to ensure that: a. Policies and procedures are compliant with applicable Federal regulations and contract terms. b. Policies and procedures have been implemented and are working effectively. c. Follow-up actions are taken on recommendations resulting from management reviews. 3. Evaluate the contractor’s record of completed internal audits and its current internal audit plan to determine if the billing system is being subjected to periodic reviews in accordance with established policies and procedures. 4. Identify and selectively evaluate documentary evidence and the frequency of the contractor's management reviews to determine whether the scope of such reviews are appropriate, the conclusions sound, and appropriate follow-up actions were taken. 14 of 27 Master Document – Audit Program 5. Identify any reviews which may have an impact on this examination, and evaluate the reports and supporting working papers to determine if any system deficiencies were noted, and the extent to which we can rely on the work performed (see CAM 4-1000). H-1 Policies and Procedures W/P Reference Version 10.9, dated November 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of control activities is essential to the assessment of control risk. Billing system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control environment  Contractor risk assessment  Information and communications  Monitoring 2. Evaluate the contractor's written policies and procedures and assess their adequacy in the following areas: a. Training of employees involved in the preparation of billing requests. Verify that: (1) Policies, procedures, and course materials are updated to comply with revisions to company policies, and Government rules and regulations. (2) Training includes relevant topics, such as billing procedures, briefing of contracts, applicable FAR and contract 15 of 27 Master Document – Audit Program requirements, etc. b. Briefing of contracts, including responsibility, frequency and adequacy of briefing, to identify and document billing requirements, including all contract modifications, withholds, special provisions, etc. and update of the briefs accordingly. c. Management review of billings prior to submission. d. Evaluating the adequacy of subcontractors' accounting and billing systems prior to providing the subcontractors with interim financing. e. Monitoring the adequacy of subcontractors’ accounting and billing systems and identifying and resolving subcontractor overpayments/underpayments, contract administration adjustments, offsets, and refunds. Ensure that contractor procedures: (1) Provide for obtaining documentation on the adequacy of the subcontractor accounting and billing systems, including obtaining documentation that the subcontractors provide timely notification to the prime contractor of any overpayments/underpayments, (2) Provide for obtaining, on a periodic basis, the subcontractors’ reconciliation of billed and paid amounts on the subcontract, (3) Require the contractor to immediately notify the subcontractor(s) of any contract administration adjustment impacting the subcontractor(s’) billings and that refunds or offsets are processed within 30 days, and (4) Require the prime contractor to timely adjust its billings or submit refunds to the Government for identified subcontractor overpayments that have been included in billings to the Government, contract administration adjustments, offsets, and refunds. f. Processing timely contract administration adjustments. Ensure that the contractor: (1) Maintains a schedule of contract administration adjustments, (2) Computes adjustments accurately, and (3) Reflects the impact of contract administration adjustments in billings or refunds within 30 days of the date of the administration adjustment. g. Processing Government demand letters for payment. Ensure that procedures: 16 of 27 Master Document – Audit Program (1) Appropriately identify demand letters, (2) Require refunds or offsets to be submitted within 30 days of the date of the demand letter, and (3) Require submission of documentation to the paying office within 30 days of the date of the demand letter if the amount in the demand letter is disputed. h. Assessing the adequacy for processing timely offsets. Ensure that the contractor’s procedures: (1) Require significant offsets of overpayments and contract administration adjustments to be made only after notification to, and instruction from, the contracting officer and paying office (and the contractor maintains adequate documentation of this coordination), (2) Require processing of approved offsets on a timely basis, usually within 30 days of identification of the overpayment or contract administration adjustment, (3) Require processing of offsets only on the same contract where the overpayment or contract administration adjustment occurred, (4) Allow processing of offsets only on valid invoices submitted to the paying office, (5) Do not allow the contract to remain in an overpaid status after the offset is processed, and (6) Require adequate accounting records to be maintained to show all offsets at the invoice level and the overpayment/underpayment status for all in-process and physically completed contracts. i. Reconciliation of billing system data to the cost accounting records. If applicable, ensure that practices used to accumulate and bill costs are consistent with practices used to estimate contract costs (CAS 401/FAR 31.201-1 and 31.203(d)) and that costs accumulated and billed are allowable in accordance with FAR 31. j. Reconciliation of recorded costs to billed costs and submitting timely credit billings and refunds where billed costs exceed incurred costs due to subsequent cost reductions to the contract. Ensure that the contractor: (1) Reconciles recorded and billed costs on a periodic basis for both in-process and physically complete (but not closed) contracts, and 17 of 27 Master Document – Audit Program (2) Submits credit billings and refunds timely when billed costs exceed recorded costs. k. Adjustment of billings to reflect appropriate interim, year-end and final indirect rates and direct costs including an evaluation of subcontractors' billings to determine if they are also making interim, year-end, and final billing rate adjustments. l. Exclusion of the following nonbillable items from billings: (1) Accrued costs of direct materials and subcontract costs that the contractor (i) did not pay in accordance with the terms and conditions of the subcontract or invoice and (ii) ordinarily will not be paid within 30 days of the contractor's payment request to the Government. (2) Accrued costs that the contractor is delinquent in paying in the ordinary course of business. (3) Accrued costs of pensions, post retirement benefits, and profit-sharing or employee stock-ownership plans that have not been paid at least quarterly (within 30 days after the end of the quarter). (4) Costs of progress payments made to subcontractors on terms less favorable to the Government than the progress payment clause contained in the prime contract. In cases where the costs of subcontract progress payments are included in billings to the U.S. Government, ensure that the contractor has procedures to protect against overpayment and losses. These procedures should include the monitoring of performance and expected profitability of the subcontractors and reducing or suspending subcontractor progress payments as necessary. m. Estimates of costs attributed to items delivered/invoiced. n. Prompt notification to the Government that adjustments of billings may be required for potential loss contracts for that portion of the costs attributable to the loss. o. Title to Government assets whose costs are billed to the U.S. Government. p. Use of the most current estimate to complete to prepare the billings. q. All changes to the billing system and related software are validated and briefed to the Government prior to implementation. r. Maintenance of cumulative allowable cost records required for the accurate and timely preparation of interim and final vouchers. s. Monitoring the timely preparation and submittal of final vouchers. 18 of 27 Master Document – Audit Program t. Comparisons of amounts received to amounts billed for each invoice and follow-up with the paying office if amounts differ. If amounts received are greater than amounts billed, the difference should be immediately remitted to the paying office [FAR 52.232-25(d), -26(c), -27(l)]. Verify procedures to identify and document the contractor’s process for resolving overpayments within 30 days after the overpayment is made. u. Ensure that on contracts with progress payments, the appropriate progress payment liquidation rate is applied when the delivery invoice is recorded in the contractor’s accounting records. Contractors should have procedures to: (1) Brief the contract to identify the appropriate liquidation rate, (2) Apply the appropriate liquidation rate against the delivery invoices and record the net amount in the accounts receivable records (for comparison to amounts received), (3) Identify payment variances as a result of differences in application of liquidation rates between the paying office and the contractor, (4) Research payment variances to determine if overpayments exist, and (5) Immediately refund overpayments due to liquidation errors and coordinate with paying office and resolve within 30 to 60 days (refund or offset on next billing) if overpayments are due to timing differences. v. Reduction of billed amounts on delivery invoices for previously received progress payments. w. Withholding of fixed fees for cost reimbursement and T & M/labor hour contracts in accordance with contract terms, if applicable. I-1 Implementation of Policies and Procedures W/P Reference Version 10.9, dated November 2009 The auditor should obtain an understanding of the contractor's control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Billing system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor 19 of 27 Master Document – Audit Program determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. 1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:  Control environment  Contractor risk assessment  Information and communications  Monitoring 2. The auditor should ensure that policies and procedures are executed to assure only billable costs/prices/fees applicable to U.S. Government contracts are included in billings in accordance with applicable regulations and contract terms, by performing the following steps: a. Interview billing personnel to determine whether they are familiar with, have access to, and actually refer to the written policies and procedures. b. Test to determine if the policies and procedures are being followed by: (1) Observation of the billing process, and (2) Inspection of selected billing records and documentation. c. Selectively evaluate evidence that employees responsible for preparing billing requests have been trained in applicable billing policies and procedures. For example, check training records, course materials, and attendance sheets; interview employees; etc. d. Selectively compare the contractor's contract briefings to the applicable contracts and billings to determine if the contracts were adequately briefed and that they reflect unique contract requirements in their billing. e. Selectively evaluate evidence that management reviewed and approved billings. For example, verify management approval signatures, etc. f. Selectively verify that the adequacy of subcontractors’ accounting and billing systems are assessed prior to providing the subcontractors with interim financing. g. Select 3 to 5 significant subcontracts to ensure that the prime 20 of 27 Master Document – Audit Program contractor is verifying its subcontractor’s procedures for identifying and resolving overpayments, contract administration adjustments, offsets and refunds are being complied with. If these procedures are not being addressed by the prime contractor, request assist audits from the cognizant FAOs (MAAR 12). (1) Assist audits are generally required on subcontracts where the prime contractor does not have visibility over payment variances in the subcontractor accounting records. Assist audit requests should identify the subcontractor name and provide information on the subcontracts to be included in the request, e.g., subcontract number, period of performance, subcontract price, and subcontract type. Use pro forma request for assist audit in APPS. (2) Immediately notify the paying office, with a copy to the contracting officer, of any subcontractor overpayment, contract administration adjustment, offset or refund that the contractor has not reflected in billings or refunds to the paying office. Use the pro forma notification to payment office memo located in APPS. h. Verify that the contractor’s schedule of contract administration adjustments is complete by performing the following processes: (1) Selectively review contract briefings on major contracts to identify required contract administration adjustments, such as, quarterly limitation of payments, (2) Review contract modifications on major contracts for prior 12 months to identify contract administration adjustments and verify that they were included on the schedule, and (3) Obtain the contracting officer’s comments on the completeness and accuracy of the schedule for major contracts selected in Step h(1) above. i. Select and review a sample of significant contract administration adjustments administered by the contractor to determine: (1) The reason(s) for the adjustment, (2) If the adjustment was accurately recorded, and (3) That a refund or offset was processed within 30 days of the date of the adjustment. Notify the paying office, with a copy to the contracting officer, of any outstanding contract administration adjustment over 30 days old where a refund or offset has not been processed. Use the pro forma notification to payment office memo located in APPS. 21 of 27 Master Document – Audit Program j. Test completeness of the contractor’s list of demand letters. Coordinate with the regional Task Force member to obtain a listing of demand letters for the contractor (the request should include contractor CAGE code). k. Select and review a sample of significant demand letters issued during the last 12 months to determine: (1) the reason(s) for the demand letter, (2) that the contractor has processed a refund or offset or disputed the debt in a timely manner (within 30 to 60 days), and (3) that the contractor maintains adequate documentation for its position on any disputed debt. Immediately notify the paying office, with a copy to the contracting officer, of any demand letter that is over 30 days and has not been properly refunded, offset, or disputed. Also notify the paying office, with a copy to the contracting officer of any disputed debt not supported by the contractor or where documentation has not been submitted to the paying office. Use the pro forma notification to the payment office in APPS. l. Review a sample of significant offsets to determine if they meet the criteria for allowable offsets discussed in H-1, step h above. m. The offsets should have already been identified during the review of billed and paid amounts, reconciliation of recorded and billed costs, contract administration adjustments, demand letters, and subcontract billings. If additional items are found during the review of offsets, request the contractor to explain why the items were not included in the data provided under Preliminary Audit Section B-1, Step 2b(5)(f) for each of the areas and perform additional audit work, if necessary. Immediately notify the paying office, with a copy to the contracting officer, of any offsets that do not meet the above criteria, using the pro forma notification to the payment office in APPS. n. Verify the completeness of the list of refunds (obtained in Preliminary Audit Section B-1, Step 2b(5)(g)) to the Government for the last 12 months by selectively comparing the list to copies of checks issued to the Government. o. Select a sample of significant refunds to: (1) determine the reason(s) for the refund(s) and the adequacy of the documentation related to the refund, and (2) determine whether the refunds were processed in a timely manner, i.e., 30-60 days after the overpayment occurred. p. The refunds should have already been identified during the review 22 of 27 Master Document – Audit Program of billed and paid amounts, reconciliation of recorded and billed costs, contract administration adjustments, demand letters, and subcontract billings. If additional items are found during the review of refunds, request the contractor to explain why the items were not included in the data provided for the applicable area and perform additional audit work, if necessary, to verify that the data discussed in Schedule I-1, Steps h through n above are complete. q. Selectively evaluate billing system and related software changes to determine if they were validated and briefed to the Government prior to implementation. r. Selectively evaluate contractor comparisons of amounts received to amounts billed for each invoice and determine, when the amount differs, if appropriate notifications were made to the paying office for overpayments or underpayments. Determine if the paying office’s requested actions were complied with. s. Selectively compare contractor reconciliations of billing system data to the cost accounting records. If applicable, ensure that practices used to accumulate and bill costs are consistent with practices used to estimate contract costs (CAS 401 and FAR 31.201-1 and 31.203(d)) and that the costs accumulated and billed are allowable in accordance with FAR 31. t. Review the contractor’s reconciliation of recorded to billed costs to verify it includes all significant contracts (including all open physically completed contracts with no recent billing activity). Compare the contracts included in the contractor’s reconciliation schedule to a verified listing of in-process and physically complete contracts. Determine that the calculation of recorded costs (for this comparison purpose) is based on acceptable indirect rates (see CAM 6-705.1). For any contract where billed costs exceed recorded costs, request the contractor to process credit billings and refunds. If the contractor does not make adjustment to billings to reflect allowable recorded costs, consider issuing a DCAA Form 1. For other than cost type contracts (or if Form 1 is not feasible), notify the contracting officer and paying office of the overpayment using the proforma notification to payment office memo located in APPS. u. Verify that the contractor promptly adjusts billings to reflect appropriate interim revisions, year-end and final indirect rates and directs costs. Ensure that subcontractors make comparable adjustments in their billings. v. Review the accuracy and completeness of the contractor’s listing of outstanding overpayments, if any. (1) Selectively review the contractor’s comparisons of amounts 23 of 27 Master Document – Audit Program received to amounts billed and other contractor documentation to determine if the list of payment variances is accurate and complete. (2) Review outstanding amounts on the aged accounts receivable and accounts payable listings to ensure these amounts are appropriately included on the list of outstanding overpayments. (3) Determine if the contractor’s listing of overpayments includes all payment variances as a result of delivery invoice liquidation differences between the contractor and paying office. Review the contractor’s accounting procedures for progress payment liquidations to verify that all outstanding variances have been identified. If liquidation differences are not identified, develop audit steps to identify the differences. w. Select a sample of significant outstanding overpayments to: (1) Obtain information on the overpayment; e.g., a copy of the invoice, copies of payment records showing invoice amount and date, payment amount and date, (2) Document the reason for the overpayment, and (3) Obtain the contractor’s rationale for not returning the overpayment; and the contractor’s documented significant actions taken to resolve differences. (4) Immediately notify applicable paying office via memorandum if a significant overpayment ($50 thousand on a single issue or $50 thousand on an individual contract) is disclosed during the audit and (1) the contractor has not notified the Government, or (2) the overpayment is over 30 days and has not been returned. Use the pro forma notification to payment office memo located in APPS to make this notification. x. Selectively evaluate delivery invoices and determine that the amounts billed are reduced for previously received progress payment amounts. y. Selectively evaluate interim and final closing vouchers submitted by the contractor and determine if the amounts billed are reconcilable to the cumulative allowable cost records used to prepare interim and final vouchers. Test for the following: (1) Cumulative amounts billed on interim vouchers do not exceed the total estimated ceiling costs on the contract and/or the current contract maximum funding levels. (2) Amounts claimed on the final voucher reconcile to the annual incurred cost audit or the cumulative allowable cost worksheet (CACWS); 24 of 27 Master Document – Audit Program (3) Assist audits have been received on all significant subcontract costs prior to the closing of applicable contracts; (4) Subcontract assist audit cost results reconcile with claimed costs on the final voucher; (5) Refunds, rebates, credits, or similar amounts have been received, if any, and accounted for in the final voucher. z. Validate that final vouchers are monitored and timely prepared and submitted. Coordinate with Contracting Administrative Offices for a schedule of completed contracts awaiting closure.
- 2. Entrance Conference and Preparation a. Prepare a written memorandum to the contractor to arrange for an entrance conference, covering the areas highlighted in CAM 4-302 and any specific data or pertinent information not yet provided. b. Conduct an entrance conference as outlined in CAM 4-302, with particular emphasis on: (1) Requesting the contractor to provide, if applicable, a system orientation briefing or a demonstration of the billing system transaction flow including data input, data processing, data output, and related internal controls. Document under Information and Communications, Section E-1, Step 3. (2) Determining any changes in the billing process since the last examination. (3) Discussing the contractor's risk assessment process. Overall understanding of contractor’s processes will be documented under Contractor Risk Assessment Section D-1. 7 of 27 Master Document – Audit Program (4) Discussing the contractor’s monitoring process to ensure that established manual and computerized controls are functioning as intended. Document under Monitoring, Section F-1. (5) Identifying the contractor’s billing system procedures and internal controls that assure timely identification and resolution of contract overpayments including the following: (a) Comparison of Billed and Paid Amounts Received. Request the contractor to provide copies of and explanations, as needed, of the following: (i) its procedures for comparing amounts billed to amounts received at the invoice level, its accounting procedures for applying progress payment liquidations on delivery invoices and for recording the net delivery invoice amount in the accounts receivable records for comparison to amounts received, and the process for resolving payment variances (including notifying the Government or prime contractor, if applicable, when overpayments are identified and returning the overpayments); (ii) a listing of all current outstanding payment variances on prime contracts and subcontracts (including variances due to liquidation differences); and (iii) the current accounts receivable and accounts payable aging reports. (b) Reconciliation of Recorded to Billed Costs. Request the contractor to provide a copy of such a reconciliation and the following: (i) its procedures for performing the periodic reconciliation of recorded to billed costs; (ii) a schedule of the reconciliation of recorded and billed costs for all significant contracts and subcontracts (including physically complete contracts awaiting closeout with no recent billing activity); and (iii) a listing of all physically complete contracts awaiting closeout. (c) Contract Administration Adjustments. Request a listing of contract administration adjustments processed over the last 12 months. Request the contractor to explain its procedures for processing contract administration 8 of 27 Master Document – Audit Program adjustments impacting billings. (d) Demand Letters. Request the contractor to provide a listing of demand letters processed over the last 12 months. Request the contractor to explain its procedures for processing Government demand letters for payments. (e) Subcontractor Billings. Request the contractor to explain its procedures for monitoring subcontractor billings and to provide a list of the top 3-5 subcontracts, including subcontract values. Based on the contractor’s explanation and a review of the subcontractor listing, determine if assist audits are required. See Step I-1, 2.g. (f) Offsets. Request a listing of all offsets processed over the last 12 months. Request the contractor to explain its procedures for processing offsets. (g) Refunds. Request the contractor to provide a listing of all refunds processed over the last 12 months. Request the contractor to explain its procedures for processing refunds to the Government. (6) Discussing any identified weaknesses which may have been previously reported and related follow-up actions taken. (7) Identifying any contracts with requirements to submit excessive documentation with interim vouchers such as: travel/ODC reports, labor detail, time cards, or receipts for travel/ODC. 3. Other Preliminary Steps a. Determine the degree a computerized system is used in the billing system process. b. Perform a high level cursory assessment to determine if the following exist: (1) A functional billing organization with defined organizational responsibilities. (2) A written description of the work flow in the billing process. (3) Policies and procedures for effectively controlling the billing process. c. Verify and document that the contractor meets the following direct billing program criteria: (1) Submits final year-end indirect incurred cost proposals in accordance with FAR 52.216-7(d)(2)(i) (within 6 months after the expiration of the contractor’s fiscal year). Reasonable extensions may be granted, in writing, by the contracting 9 of 27 Master Document – Audit Program officer. (2) Submits final vouchers in accordance with FAR 52.216-7(d)(5) (within 120 days after settlement of the final annual incurred cost rates for all years of a physically complete contract). 4. Initial Risk Assessment Using the information obtained in steps 1, 2, and 3, prepare an initial risk assessment (W/P B) to determine the initial scope of the examination.
- A-1 Concluding Steps W/P Reference Version 10.9, dated November 2009 1. Assessment of Control Risk a. Considering all five components of internal control (control environment, contractor risk assessment, information and communications, monitoring, and control activities that relate to control objectives), assess control risk for each of the relevant control objectives (management reviews, policies and procedures, and implementation of policies and procedures). For each of the objectives, summarize the characteristics which support the assessed level of control risk and specifically identify any internal control weaknesses or system deficiencies. b. Determine if the billing system is adequate to reasonably assure proper pricing, administration, and settlement of Government contracts in accordance with applicable laws and regulations. c. Based on the assessments above, determine the impact on the scope of other audits. d. Complete the ICAPS form at W/P A (MAAR 1)(see CAM 3-305). e. Coordinate the results of audit with the supervisor. The supervisor and the FAO manager should review and initial the ICAPS form at W/P A before the exit conference is performed. If it is determined that additional audit steps are needed, any additional planned audit effort should be accomplished as part of this examination or immediately thereafter. Any delays in completion of this audit effort should be documented and approved by management. 2. Direct Bill Authorization Document the FAO’s decision to: 25 of 27 Master Document – Audit Program a. Allow the contractor to participate or to continue to participate in the direct billing program (CAM 6-1007); or b. Follow audit guidance in CAM 6-1007.7 for rescinding the contractor’s authority to direct bill; or c. Document the rationale for denying the contractor’s participation in the direct billing program. 3. Summary Steps a. Prepare a draft audit report in accordance with CAM 10-400. b. If any potentially reportable conditions relate to specific contract overpayment issues, discuss the results of audit with the regional DFAS Task Force member prior to the exit conference. c. Conduct an exit conference with the contractor in accordance with CAM 4-304. d. Finalize the audit report incorporating the contractor's response and audit rejoinder. e. Coordinate with supervisor to verify DMIS accuracy. In the contractor tables in DMIS verify the accuracy of entries for: (1) Direct billing initiative (2) CAGE code(s) f. Copies of the final report should be provided to the regional Task Force member if reported conditions relate to overpayment issues. g. Ensure that the paying office and contracting officer have been notified of any unresolved overpayments, contract administration adjustments, demand letters, and subcontract billings that are over 30 days old; and of any improper offsets. The pro forma notification to the payment office should be addressed to the paying office and if the paying office is DFAS, sent to the DCAA DFAS Financial Liaison Advisor to be hand delivered/emailed to DFAS. A copy should also be provided to the ACO and the regional Task Force member or representative. h. If the contractor has EVMS covered contracts, provide comments in the audit report on whether any findings are likely to impact the contractor's EVMS (10-1204.5b). Discuss findings and recommendations relating to the EVMS with the Contract Administration Office EVMS Monitor prior to issuance of the report. Immediately evaluate the impact of these findings on specific EVMS covered contracts and provide the details in flash EVMS surveillance reports (11-203.5.b). i. Update the permanent file in accordance with CAM 4-405.b (MAAR 3). Retain a copy of the approved W/P A ICAPS form. 26 of 27 Master Document – Audit Program 27 of 27 After the audit report is issued, update the ICRS database using the information on the approved W/P A ICAPS form and file the approved W/P A ICAPS form in the Electronic Contractor Permanent File (ECPF). (The control risk assessment (Section II) and overall system opinion (Section III) in the ICAPS may not be updated until the system report supporting the change is issued (CAM 3-306a).) j. Contact customers who require excessive documentation with vouchers explaining:  How contract provisions require contractor to submit excessive documentation.  How DCAA’s ongoing presence and system examinations at the contractor can satisfy any customer billing requirements.  That DCAA would like an opportunity to explain our process and discuss whether it satisfies their needs.
- 6-201 Contractor Proposal a. Contractors may have both DoD and non-DoD contracts. Audits of incurred costs applicable to non-DoD Federal agencies are performed by DCAA on a reimbursable basis and only upon request of the cognizant agency. Some agencies do not request audits from DCAA for various reasons including funding considerations and the materiality of small dollar contracts. It is the contracting agency’s responsibility to audit contract costs or otherwise close the contracts. DCAA is available to assist the contractor in coordinating with other agencies. b. The Allowable Cost And Payment clause (FAR 52.216-7) requires that the contractor submit an adequate final incurred cost proposal together with supporting data, within 6 months after the end of its fiscal year. An illustration of a Model Incurred Cost Proposal is included in section 6-801 of this pamphlet. The receipt of a proposal by the audit office starts the audit process. This proposal should include a signed "Certificate of Indirect Costs" in accordance with FAR 42.703-2. A copy of this certificate may be found at FAR 52.242-4. (See Schedule N of the model incurred cost proposal under section 6-801.) An adequate proposal should reduce the time required to perform the audit because numerous preliminary steps can be performed before the auditor arrives at the contractor location. c. Failure to comply with the Allowable Cost and Payment clause requirement to provide a submission will result in a DCAA recommendation for the contracting officer to make a unilateral determination. The DCAA auditor will send several reminder letters to the contractor, but when the submission becomes 6 months overdue (one year after the end of the Information for Contractors January 2005 6-2 6-202 fiscal year) and no extension has been granted, the auditor will provide the contracting officer with a unilateral recommendation. The unilateral recommendation will be based on either a decrement factor applied to indirect rates using relevant contractor historical data or an Agency-wide decrement factor based on questioned costs at high risk contractors applied to total contract costs, if no relevant historical data exists. Relevant historical data exists when all of the following criteria are met: The prior fiscal year has been audited. All contractor submissions received have been audited and settled. The indirect cost pool and base data for the overdue fiscal year is readily available in the contractor’s books and records. There have been no significant changes in the contractor’s business base between the last audited fiscal year and the overdue fiscal year. There has been no significant reorganization of the contractor between the last audited fiscal year and the overdue fiscal year. There have been no changes in the indirect cost rate structure between the last audited fiscal year and the overdue fiscal year. The recommendation will apply to active contracts as well as physically complete contracts for the overdue fiscal year. FAR 42.703-2(c)(1) and FAR 42.705(c)(1) provide the contracting officer with the authority to unilaterally establish indirect cost rates or total contract costs. 6-202 Penalties for Mischarging The manipulation of charges to a contract may be subject to criminal penalties under 18 United States Code (U.S.C.) 1001, which reads as follows: “Whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States knowingly and willfully (1) falsifies, conceals or covers up by any trick, scheme, or device a material fact; (2) makes any materially false, fictitious or fraudulent statement or representation; or (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious or fraudulent statement or entry; shall be fined under this title or imprisoned not more than five years, or both.” Penalties may be assessed against contractors who include expressly unallowable costs, or costs previously determined to be unallowable for that contractor, in a final indirect cost rate proposal pursuant to 10 U.S.C. 2324 (a) through (d) and 41 U.S.C. 256 (a) through (d). Information for Contractors January 2005 6-3 6-301 Implementing guidance for these statutes is provided in FAR 42.709 and was effective for all contracts on October 1, 1995. B-1 Preliminary Steps W/P Reference Version 4.5, dated January 2010 1. Preliminary Risk Assessment a. Evaluate relevant information from the FAO program plan files to document the decision to perform a concurrent incurred cost audit. b. Coordinate with the contracting officer. Notify the contracting officer of the commencement of the audit and expected completion date (CAM 4-103). Discuss any concerns that the contracting officer might have and the planned audit steps that address the concerns, if applicable. Analyze any applicable advance agreements. c. The auditor should combine steps for planned internal control audits and CAS audits with the incurred cost audit steps to be performed during the contractor’s fiscal year, when feasible. The document “Audit Areas Matrixed to the MAARS” (located in “Other Audit Guidance” under code 10100 – Concurrent Auditing) should be used to identify where audit steps may be consolidated. (1) Check the FAO program plan files for planned internal control audits or other system audits. Prepare a schedule for planned audits and where practical, plan the performance of the audit 3 of 21 Master Document - Audit Program steps of those assignments in conjunction with the auditing procedures of this audit program. (2) If the contractor is classified as non-major (where ICAPS have not been completed) and if the evidential matter to be obtained during the audit is highly dependent on computerized information systems, document on W/P B-2 the audit work performed that supports reliance on the computer-based evidential matter. Specifically, document or reference one or more of the following in W/P B-2: (a) the audit assignment(s) where the reliability of the data was sufficiently established in other DCAA audits, (b) the procedures/tests that will be performed in this audit to evaluate the incurred costs that will also support reliance on the evidential matter, and/or (c) the tests that will be performed in this audit that will be specifically designed to test the reliability of the computer-based data. When sufficient work is not performed to determine reliability (i.e., reduce audit risk to an acceptable level), qualify the audit report in accordance with CAM 10-210.4a and 10-504.4. (3) For contractors with CAS covered contracts, check the permanent file to ensure all significant CAS have been identified. Compliance with certain CAS 412 and 413 provisions/FAR 31.205-6(j) related to defined benefit pension plans must be tested annually even if there are no pension costs incurred. Applicable steps are provided in Section J-1, Intermediate Procedures. d. Identify areas of increased risk and reduced risk by evaluating the prior incurred cost audit files, CAS audits, and ICAPS. e. Evaluate audit leads from other audit assignments. f. Evaluate audit leads obtained from evaluating the contractor’s website, if any, employee publications, press releases, perambulations, etc. g. In planning the audit, consider the impact of any external restructuring activities (CAM 7-1914): (1.)Obtain data to support the amortized restructuring costs claimed (e.g., amortization schedules for deferred restructuring costs and detailed schedules of the incurred restructuring costs by fiscal year, project and cost element). The support should be at a level of detail sufficient to allow the auditor to determine the allowability of incurred restructuring costs. 4 of 21 Master Document - Audit Program (2.)Determine if the incurred restructuring costs are near or in excess of the negotiated ceiling. (3.)Based on the level of risk, develop appropriate detailed steps (transaction testing) to assure the contractor is properly classifying restructuring activities in accordance with established agreements and DFARS 231.205-70, if applicable. h. In planning and performing the examination, consider the fraud risk indicators specific to the audit. The principal sources for the applicable fraud risk indicators are:  Handbook on Fraud Indicators for Contract Auditors, Section II (IGDH 7600.3, APO March 31, 1993) located at http://www.dodig.mil/PUBS/igdh7600.doc (To access the handbook, copy and paste the web address shown above into the address block in Internet Explorer.)  CAM Figure 4-7-3 Document in W/P B any identified fraud risk indicators and your response/actions to the identified risks (either individually or in combination). This should be done at the planning stage of the audit, as well as during the audit, if risk indicators are disclosed. If no risk indicators are identified, document this in W/P B. i. In planning the audit, consider the impact of SAS 70, Reports on the Processing of Transactions by Service Organizations, as amended by SAS 88, Service Organizations and Reporting on Consistency, on audit scope by performing the following steps: Note: The Incurred Pension Cost and CAS 412 & 413 Compliance program (assignment code 19412) and the Incurred Insurance Cost and CAS 416 and FAR Compliance program (assignment code 19416) also include the SAS 70 steps. If pension cost and insurance cost are selected for testing, the SAS 70 steps for service organizations related to those costs should be completed as part of those supplemental audit packages. (1) Determine if the contractor (user organization) uses any service organizations. (2) If service organizations are used, determine if the transactions processed by the service organization are material. (3) If transactions are material, determine if the service organization is part of the user organization's information system. (4) If so, determine the degree of interaction between the service organization and the user organization. If high (as in the case 5 of 21 Master Document - Audit Program of payroll processing, where the service organization receives time and attendance information from the user organization, prepares the payroll, writes the checks, etc., and then the user organization performs tests of the processed payroll for accuracy), there is no need to obtain an understanding of the service organization's controls. If low (as when a trustee manages pension assets): (a) Obtain and evaluate the service agreement (contract). (b) Obtain and evaluate the service auditor's report (if any), referring to the guidance in CAM 4-1000, Relying Upon the Work of Others. (c) If necessary, obtain and evaluate other information available at the user organization including user manuals, system descriptions, technical manuals, and other policies and procedures. (d) If necessary, obtain and evaluate (see CAM 4-1000) any reports prepared by the user or service organizations' internal auditors relating to internal controls over transactions and processes. (e) If necessary and with appropriate permission, visit the service organization and perform procedures or request an assist audit. (5) Summarize effects of evaluation of service organizations on scope of current audit. 2. Coordination with Other DCAA Offices a. Request assist audits of contractor records maintained at other locations, including corporate or home office locations and Washington D.C. area offices (CAM 6-804, 805, and 806). The cognizant DCAA assist audit offices should be identified and contacted as early as possible so concurrent auditing procedures can be considered at these locations. b. The FAO and cognizant Field Detachment office should coordinate the performance of applicable concurrent steps (e.g., floor checks) to insure complete audit coverage of the contractor’s fiscal year. 3. Entrance Conference a. Obtain a list of planned audits/reviews to be performed by the contractor’s internal and external audit staffs. If reliance can be placed on the work of others, the file should contain, at a minimum, the following documentation: 6 of 21 Master Document - Audit Program (1) A copy of the report and/or written confirmation of the work performed. (2) The period of costs covered. (3) A summary of the result(s) of the audit(s)/review(s). (4) A statement of the degree of reliance placed on the work of others (a statement of the audit scope covered by this reliance). b. Confirm prior discussions with the contractor regarding the support to be provided throughout the audit. This includes the availability of personnel and supporting documentation. The auditor and contractor should agree on a date to receive the certified proposal. c. Discuss with the contractor the audit program steps that can be performed prior to the end of its fiscal year, including other audit assignment steps (e.g., internal control audits); to be performed after the close of the fiscal year; and those steps that must be performed after receipt of the certified proposal. 4. Tailored Steps a. Tailor the detailed steps using information obtained during the current planning process, recent audit experiences, the results of preliminary steps, especially new areas of risk and sources of reliance, and discussions with the contractor. Any significant changes in the planned scope of audit, including the addition or elimination of a step, must be fully documented. b. Transaction testing plans should be developed based on the risk assessment and documented for both direct and indirect costs. Supplemental audit program steps should be approved by the supervisor. The areas where transaction testing will be performed should be discussed with the contractor. Throughout the contractor’s fiscal year, results should be discussed with the contractor. Significant unresolved issues should also be discussed with the ACO. In developing transaction tests, consider steps that can be consolidated with steps required under current Internal Control audits. (1) During the transaction testing, ensure that the contractor follows consistent practices in identifying all costs incurred for the same purpose, in like circumstances, as either direct or indirect only. Document any noncompliances. (CAS 402/FAR 31.202 and 31.203(a)) (2) If during the current audit procedures, it is discovered that the contractor is not identifying and separating significant amounts of expressly unallowable costs in one or more accounts, stop the concurrent audit effort on those accounts until the 7 of 21 Master Document - Audit Program deficiency is appropriately addressed/corrected by the contractor. C-1 Background Information W/P Reference Version 4.5, dated January 2010 1. MAAR 3: Determine if the current organization charts are contained in the permanent file. If applicable, study any updated charts to identify any changes in the organizational structure. Update the following information in the permanent file for the year being audited. If the information is not in the permanent files, obtain it during this audit. a. Number of direct and indirect employees. b. Plant layouts and floor space utilization. c. Services performed by outside auditors. d. Outside auditors’ plans for internal control examinations. e. Listing of financial and managerial reports. f. Policies and procedures for employee awareness training. (CAM 5-907) 2. Periodically assess the contractor's overall operation and update the permanent file if applicable. a. Determine whether any major changes have occurred or are expected to occur in the volume of business or through the modernization of manufacturing facilities. b. Determine whether these changes (if any) have had, or should have had, an impact on the contractor's direct/indirect charging practices, allocation bases, contract mix, etc. c. Determine if the contractor underwent or is planning a business combination which was/will be accounted for by the purchase method of accounting. If so, determine that the write-up (or write-down) of the asset values has been properly accounted for and claimed by the contractor. (CAM 7-1705.3) d. Evaluate any revisions to the CAS Disclosure Statement. 3. Evaluate the Board of Directors' minutes and audit committee minutes. These minutes may document major decisions that affect the contractor's organization and operations for the year being audited. (CAM 3-104.16) 8 of 21 Master Document - Audit Program D-1 Contract Provisions W/P Reference Version 4.5, dated January 2010 1. Evaluate the contractor’s contract briefings. Ensure that all auditable contracts awarded during the year have been briefed (CAM 3-200). If the contractor has not briefed all applicable contracts, the auditor should consider citing the contractor for a billing system deficiency. Any contracts that the contractor has not briefed should be briefed as part of this audit. Evaluate contract briefings for special contract provisions affecting costs. (Coordinate this step with effort performed in a recent billing system examination, if applicable.) Look at contract briefs and other applicable contract information (CAM 3-202) maintained by the FAO, if available. Identify any non-DoD contracts subject to audit and verify the audit effort is reimbursable (i.e., approval to bill our audit effort has been obtained from the customer where necessary). If not, adjust the audit scope and auditable dollars accordingly (CAM 15-102.2) 2. MAAR 7: Look for rate ceilings or cost categories which may not be billed directly on larger new contracts. Note for comparison to any unexplained changes in charging patterns identified. (CAM 6-604.1) 3. Note completed contracts for closeout. E-1 Periodic Reconciliations W/P Reference Version 4.5, dated January 2010 Most reconciliations are more efficiently performed at year-end or after the submission is received. However, if the contractor’s system supports performing periodic reconciliations efficiently throughout the year, the auditor may perform them periodically. (Coordinate these steps with effort performed in the Indirect and ODC and/or the Budget and Planning System and other related Internal Controls audits, if applicable.) 1. MAAR 15: Periodically compare the interim base and pool totals to the amounts for the same period of the prior year. Compare current actuals to budgetary amounts for the current period. Identify any significant variations that require further audit analysis and/or explanation. Determine if the indirect rate structure to accumulate actual costs are consistent with the indirect rate structure used to prepare forward pricing indirect rates for the same year. (CAS 401/FAR 31.201-1 and 31.203(d)) 9 of 21 Master Document - Audit Program 2. MAAR 15: Periodically compare the interim detail accounts within pools to the amounts for the same period of prior years. Compare current actuals to budgetary amounts. Identify any changes in accounting practices and unexplained significant changes in the relative dollar value for follow-up. NOTE: While preparing the above comparison, identify the amount of proposed consultant costs and evaluate the significance and sensitivity of the proposed costs. If selected for testing, utilize activity code 10160 – Incurred Costs (Individual Packages) – Consulting Services to evaluate the proposed costs for allowability, allocability, and reasonableness. (FAR 31.205.33) F-1 Direct and Indirect Labor W/P Reference Version 4.5, dated January 2010 1. MAAR 6: Perform labor floor checks or detailed employee interviews. (CAM 6-404, 6-405) Obtain a listing of contractor employees by location to determine the need for any assist audits of offsite labor. Prepare requests for assist audits deemed necessary based on risk. (CAM 6-405.3a) 2. MAAR 7: Evaluate changes in procedures and practices for direct/indirect time charging of contractor employees. Look at the analysis of changed conditions and direct and indirect labor account comparisons to prior years and to budgeted amounts for evidence of undisclosed changes in labor charging practices (CAM 6-604.1). Evaluate labor accounts for consistent classification between direct and indirect. (CAS 402/FAR 31.202 and 31.203(a)) 3. MAAR 8: Comparative Labor Analysis-Sensitive Labor Accounts. Perform comparative analysis of sensitive labor accounts, e.g., standby labor. Areas of risk may have been disclosed based on comparisons of direct and indirect labor accounts to prior years and budgets. (CAM 6404.6b(4)) 4. MAAR 10: Adjusting Entries and Exception Reports. Analyze adjusting journal entries and exception reports for labor costs. (CAM 6-404.6b(6)) 5. Executive Compensation: Perform sufficient steps to determine that all allocable direct and indirect executive compensation in excess of the statutory compensation ceilings (see CAM 6-414) has either been appropriately (1) excluded from the contractor's incurred cost submission or (2) identified as expressly unallowable costs questioned in the audit report. If another audit assignment has covered this step, 10 of 21 Master Document - Audit Program reference the assignment and applicable working papers. 6. If necessary perform any other required labor audits. G-1 Direct Material W/P Reference Version 4.5, dated January 2010 1. MAAR 13: Purchases Existence, and Consumption. Perform physical observations of purchased parts or services. (CAM 6-305.3a(2)) 2. MAAR 10: Adjusting Entries and Exception Reports. Evaluate adjusting journal entries and exception reports for costs of purchased services and material. (CAM 6-305.3a(1)) 3. MAAR 12: Auditable Subcontracts. (Coordinate the steps in this section with effort performed during the most recent CPSR or Purchasing System audit, activity code 12030, if applicable.) a. Evaluate the contractor’s internal controls relating to subcontracts and intracompany orders. (CAM 6-800) b. Evaluate the contractor’s schedule of auditable subcontracts and intracompany orders under auditable type Government contracts and subcontracts and determine if the contractor has arranged for the required assist audit. If assist audits have not been initiated, coordinate with the contractor and the contracting officer to arrange for the assist audit. (See CAM 6-801, 6-802, and 6-803.) 4. If necessary, perform other material audits, including make-or-buy decisions (CAM 6-309) and requirements audits (CAM 6-308). H-1 Other Direct Costs (ODC) W/P Reference Version 4.5, dated January 2010 Many, if not all, ODC expense categories have counterparts in the indirect cost pools, and may readily be combined with indirect costs for transaction testing. 1. Identify the universe of job numbers/contract numbers for contracts that contain ODCs. Develop and document a plan for transaction testing of ODCs. 2. Obtain the detail of ODC transactions for identified universe of job numbers/contracts. 3. Select transactions for review based upon the transaction testing 11 of 21 Master Document - Audit Program plan. 4. For selected transactions, evaluate source documents for completeness and accuracy and determine the appropriateness of the charge based on the terms of the contract and FAR/CAS. 5. MAAR 10: Adjusting Entries and Exception Reports. Evaluate adjusting journal entries and exception reports for other direct costs. (CAM 6-504.4) 6. Summarize the results of ODC testing. I-1 Indirect Expenses W/P Reference Version 4.5, dated January 2010 1. MAAR 18: Indirect Allocation Bases - Evaluate the contractor's indirect cost allocation bases for equity and consistency with generally accepted accounting principles, FAR, and CAS (including the applicability of the allocation bases). Determine if the same accounting period is used for accumulating costs in an indirect cost pool as for establishing its allocation base (CAS 406/FAR 31.203(g)). (To the extent practical, rely on the steps performed under a recent CAS 410, 418, and/or Indirect and ODC system audit to satisfy these steps and reference here.) Determine that the allocation bases used by the contractor for the allocation of indirect costs are equitable and consistent with applicable CAS requirements, generally accepted accounting principles, and applicable provisions of the contract. (CAM 6-606, CAS 410, 418) 2. The evaluation of indirect labor should be done in conjunction with the evaluation of direct labor. 3. MAAR 5: General Ledger, Trial Balance, Income and/or Credit Adjustments. Analyze general ledger, trial balance, income/credit adjustments, and miscellaneous income accounts. (CAM 6-608.2d(5)) 4. MAAR 16: Indirect Account Analysis (CAM 6-608.2). Evaluate significant or sensitive accounts or transactions and accounts selected through the MAAR 15 audit. Selected accounts audited on a concurrent basis should be accounts where the contractor has adequate point of entry or interim screening. a. Accounts containing transactions to be audited via statistical sampling. b. Accounts selected for 100% audit. c. Accounts to be evaluated by audits other than transaction testing. 12 of 21 Master Document - Audit Program 5. MAAR 10: Adjusting Entries and Exception Reports. Evaluate adjusting journal entries and exception reports for indirect costs (CAM 6-608.2c). 6. Ensure the contractor follows consistent practices in selecting the cost accounting period(s) in which any types of expense and any types of adjustment to expense are accumulated and allocated. (CAS 406/FAR 31.203(g)) 7. Computer Cost Algorithms (CAM 7-100) 8. Service Centers (CAS 418; D/S 4.3.0) 9. Expressly Unallowable Costs. Determine if expressly unallowable costs, mutually agreed to be unallowable costs, costs which specifically become designated as unallowable by contracting officer’s written decision, and directly associated costs are identified and excluded (CAS 405/FAR 31.201-6). a. Evaluate voluntary deletions and questioned costs for directly associated costs that should also be excluded/questioned. When an unallowable cost is incurred, its directly associated costs are also unallowable (FAR 31.201-6(a)). b. Determine that costs directly associated with an unallowable cost, if normally included in an indirect cost pool to be allocated over a base that contains the unallowable cost, are allocated through the regular allocation process. (1) If a directly associated cost is included in a cost pool which is allocated over a base that includes the unallowable cost with which it is associated, the directly associated cost should remain in the cost pool. Since the unallowable costs will attract their allocable share of costs from the cost pool, no further action is required to assure disallowance of the directly associated costs (FAR 31.201-6(d)). (2) If the unallowable cost is not included the allocation base, the directly associated costs, if material in amount, must be purged from the cost pool as unallowable costs. c. Ensure that unallowable costs, which are normally included in an allocation base or bases remain in the base or bases. 13 of 21 Master Document - Audit Program J-1 Special Purpose Evaluations W/P Reference Version 4.5, dated January 2010 1. Insurance (CAS 416, CAM 5-1303 and 7-500, and standard audit program Incurred Insurance Cost and CAS 416 and FAR Compliance, assignment code 19416). The insurance summary, JNTCPIRINS-Insurance Summary Schedule, under “Other Audit Guidance” in APPS, should be maintained in the permanent file and must be updated annually, regardless of whether an audit/review has been scheduled. (Audit effort performed in the most recent CIPR and CAS 416 audits/reviews should be relied upon in determining the extent of effort required on these steps.) (NOTE: The steps in the Incurred Insurance Cost and CAS 416 and FAR Compliance audit program are applicable to contractors with CAS covered contracts and contractors with no CAS covered contracts and should be adjusted appropriately based on the risk assessment.) NOTE: Insurance costs are audited by the FAO cognizant of the contractor location where the plans are administered and the costs are incurred. For multi-segment contractors, this will generally be the corporate home office. Therefore, divisional auditors may need to request an assist audit from the FAO cognizant of the corporate home office. 2. Special Facilities Operating Costs, including GOCO rent allocations,
- 6-301 Audit Evaluation a. After receipt of an adequate proposal, the auditor will contact the contractor’s representative and set up an entrance conference. If the proposal is inadequate (e.g. missing the information listed in 6-801), the auditor will notify the contractor of the deficiency. Absent a mutually agreeable arrangement, the audit will likely be delayed pending receipt of the necessary documents. The auditor may also have performed certain analyses and tests of the books and records, and internal controls, during the fiscal year the costs were actually being incurred. These tests will supplement the audit work performed after receipt of the proposal. b. The audit will include an evaluation of both direct and indirect costs. The audit objective is to examine contractor cost representations (i.e., public vouchers, incurred cost proposal, etc.) to determine whether such costs are: reasonable, allocable to the contract(s), in accordance with generally accepted accounting principles (GAAP) and Cost Accounting Standards (CAS), and not prohibited by the contract, Government statute, or regulation (see FAR 31.201-2). During the audit, the auditor will discuss the audit findings with the contractor. The contractor is expected to provide feedback on these findings on a timely basis. c. After completing the audit, the auditor will discuss the results of audit with the contractor and provide the contractor a copy of the draft audit report. The contractor will be given the opportunity to respond to the draft report and any contractor’s comments will be included in the final report. FAR 42.705 discusses the conditions which determine whether the final indirect cost rates will be negotiated or audit determined. If the rates are auditor determined, once agreement is reached on the indirect rates, the contractor will be asked to sign an audit-furnished indirect rate agreement. If agreement with the contractor is not reached, DCAA will forward its audit report concerning the rates to the cognizant contracting officer who will then resolve the disagreement. The auditor will also issue a DCAA Form 1 to recover any reimbursement of unallowable costs that has occurred. The contractor may appeal the Form 1 disallowance to the contracting officer or file a claim under the contract “Disputes” clause (FAR 52.233-1). If rates are to be negotiated by the contracting officer (CO), the audit report and contractor comments will be forwarded to the contracting officer for action. 6-401 Contract Costs Costs must be accumulated by contract in order to determine their allowability per Government regulations. All costs (both direct and indirect) of producing goods or providing services should be identified to a final cost objective. FAR 31.001 defines a final cost objective as a cost objective that has allocated to it both direct and indirect costs and, in the contractor’s accumulation system, is one of the final accumulation points. Generally, a final cost objective is a contract. Accordingly, costs of a contract are comprised of direct costs and the contract’s allocable share of indirect costs. Information for Contractors January 2005 6-4 6-501 A major part of accounting for costs by contract is the classification of costs as either direct costs or indirect costs. 6-501 Direct Cost FAR 2.101 defines direct costs as “any cost that can be identified specifically with a particular final cost objective” (i.e., cost incurred for a specific contract). FAR 31.202 also supplements this broad definition with the following: Costs identified specifically with a contract are direct costs of the contract and are to be charged directly to the contract. All costs specifically identified with other final cost objectives of the contractor are direct costs of those cost objectives. No final cost objectives shall have allocated to it as a direct cost any cost, if other costs incurred for the same purpose in like circumstances have been included in any indirect cost pool to be allocated to that or any other final cost objective. Contractors should make every effort to identify all costs that are direct, and by default, what remains is indirect. 6-601 Indirect Costs FAR 2.101 defines an indirect cost as “any cost not directly identified with a single, final cost objective, but identified with two or more final cost objectives or an intermediate cost objective. It is not subject to treatment as a direct cost.” Further, an indirect cost shall not be allocated to a final cost objective if other costs incurred for the same purpose in like circumstances have been included as a direct cost of that or any other final cost objective. Because of their nature, indirect costs cannot be charged to final cost objectives on an individual basis. Therefore, indirect costs must be classified and grouped together into indirect cost pools, typically either an overhead cost pool or the general and administrative expense (G&A) cost pool. The pools in turn are allocated to final cost objectives using an indirect cost allocation base that best links the cost pool to the cost objectives. 6-602 Overhead Costs Costs that are incurred for or that only benefit an identifiable unit or activity of the contractor internal organization such as an engineering or manufacturing department are considered overhead costs. It is common to find separate overhead pools for engineering, manufacturing, material handling, and for certain off-site activities. Yet, it is conceivable that a very small contractor could have only one overhead pool. Examples of overhead pool costs are: Department supervision Information for Contractors January 2005 6-5 6-603 Depreciation of department buildings and equipment Training of department employees Fringe benefits of department employees Overhead rates are developed by dividing the overhead pool costs by the selected allocation base, e.g., direct labor dollars or direct labor hours. To allocate means to distribute overhead pool costs to contracts. In order to distribute overhead pool costs, the contractor must select an allocation base. There must be a relationship between the selected allocation base and the pool of costs to be allocated to contracts. For example, an engineering overhead pool would logically be allocated over total engineering direct labor dollars or engineering direct labor hours. Additional information regarding the allocation of indirect costs to contracts can be found at FAR 31.203, Indirect costs. 6-603 G&A Expenses G&A expenses represent the cost of activities that are necessary to the overall operation of the business as a whole, but for which a direct relationship to any particular cost objective cannot be shown. G&A includes the top management functions for executive control and direction over all personnel, departments, facilities, and activities of the contractor. Typically, it includes human resources, accounting, finance, public relations, contract administration, legal, and an expense allocation from the corporate home office. The G&A rate is developed by dividing total general and administrative expenses by the selected allocation base, e.g., total cost input (i.e., total direct and indirect costs, except G&A), value added cost input (i.e., total cost input except G&A, material and subcontract costs), or single element cost input (e.g., direct labor dollars, direct labor hours, direct materials costs). 6-701 Facilities Capital Cost of Money (FAR 31.205-10) a. Facilities Capital Cost of Money (cost of capital committed to facilities) is an imputed cost determined by applying a cost of money rate to facilities capital employed in contract performance. It is allowable whether or not the contract is otherwise subject to cost accounting standards (reference 48 CFR Chapter 99) if: (1) the contractor’s capital investment is measured, allocated to contracts, and costed in accordance with CAS 414; (2) the contractor maintains adequate records to demonstrate compliance with this standard; (3) the estimated facilities capital cost of money was specifically identified or proposed in cost proposals relating to the contract under which this cost is to be claimed; and Information for Contractors January 2005 6-6 6-801 (4) the requirements of FAR 31.205-52, which limit the allowability of facilities capital cost of money, are observed. b. The facilities capital cost of money need not be entered on the contractor’s books of account. However, the contractor shall make a memorandum entry of the cost and maintain, in a manner that permits audit and verification, all relevant schedules, cost data, and other data necessary to fully support the memorandum entry. An example of a facilities capital cost of money submission can be found in Section 6-801 (Schedule F). c. There is no requirement for a contractor to propose facilities capital cost of money in pricing and performing a contract. If it chooses not to propose this cost during contract pricing then the contractor waives any right to claim it during contract performance. (See FAR 15.408(I) and FAR 52.215-17 for more information.) 6-801 Model Incurred Cost Proposal a. This section of the pamphlet presents DCAA’s Model Incurred Cost Proposal (Figure 68-1) to assist a contractor in meeting its requirement for submitting final indirect cost rate proposals. The model includes example schedules on the following pages. These example schedules present the information needed to begin an audit. If a contractor generates internal formal reports that identify the needed information, these internal reports can be submitted in lieu of the example schedules. However, the basic data contained in the schedules is required to complete the audit in a timely manner. The use of internal reports as a substitute for the example schedule formats shown should first be discussed with the contractor’s cognizant DCAA field audit office. b. Note that depending upon the size of the firm, complexity of the accounting system, and type of business, some of the information contained in the schedules may not be necessary to perform the audit. Specific requirements should be coordinated with the cognizant DCAA field audit office. c. This model incurred cost proposal illustrates only a final overhead and G&A rate. Some operations may have additional rates, such as: fringe benefits rate, engineering overhead rate, manufacturing overhead rate, off-site rate, etc. A separate schedule should be prepared for each final or intermediate indirect expense pool. If expenses are available by department (e.g., President’s Office, Marketing Department for G&A; Fabrication, Assembly/Test for overhead), a breakout by expense for each department should also be provided. d. DCAA prefers that contractors include an index similar to that used in the model incurred cost proposal for each year submitted. If certain schedules are not applicable, the contractor should so note on the index. e. In addition to the data presented in the schedules, there is additional information that the auditor typically needs to facilitate timely completion of the audit in accordance with generally accepted government auditing standards. A list of this information is presented on the page entitled "Supplemental Model Incurred Cost Proposal Information." Having this Information for Contractors January 2005 6-7 6-801 information available at or prior to the entrance conference will make the audit process as fast and efficient as possible. f. The company name and fiscal period should be included on all schedules submitted. g. Contractors are encouraged to submit their proposals in electronic format. The Incurred Cost Electronically (ICE) Model, available from the DCAA web site (http://www.dcaa.mil, under DCAA Publications), is the electronic version of the Model Incurred Cost Proposal. It provides contractors with a standard user-friendly ICE submission package that will assist them in preparing adequate incurred cost submissions in accordance with FAR 52.216-7. Downloading and execution instructions are provided on the web site. The ICE Model is updated periodically, so contractors electing to use it should check the web site periodically for changes. While the ICE model is intended to aid the contractor in providing an adequate submission, its use does not guarantee that the submission will be judged adequate. Contractors should discuss the ICE model and its requirements with their local DCAA Office before preparing the proposal.
- 6-301 Audit Evaluation a. After receipt of an adequate proposal, the auditor will contact the contractor’s representative and set up an entrance conference. If the proposal is inadequate (e.g. missing the information listed in 6-801), the auditor will notify the contractor of the deficiency. Absent a mutually agreeable arrangement, the audit will likely be delayed pending receipt of the necessary documents. The auditor may also have performed certain analyses and tests of the books and records, and internal controls, during the fiscal year the costs were actually being incurred. These tests will supplement the audit work performed after receipt of the proposal. b. The audit will include an evaluation of both direct and indirect costs. The audit objective is to examine contractor cost representations (i.e., public vouchers, incurred cost proposal, etc.) to determine whether such costs are: reasonable, allocable to the contract(s), in accordance with generally accepted accounting principles (GAAP) and Cost Accounting Standards (CAS), and not prohibited by the contract, Government statute, or regulation (see FAR 31.201-2). During the audit, the auditor will discuss the audit findings with the contractor. The contractor is expected to provide feedback on these findings on a timely basis. c. After completing the audit, the auditor will discuss the results of audit with the contractor and provide the contractor a copy of the draft audit report. The contractor will be given the opportunity to respond to the draft report and any contractor’s comments will be included in the final report. FAR 42.705 discusses the conditions which determine whether the final indirect cost rates will be negotiated or audit determined. If the rates are auditor determined, once agreement is reached on the indirect rates, the contractor will be asked to sign an audit-furnished indirect rate agreement. If agreement with the contractor is not reached, DCAA will forward its audit report concerning the rates to the cognizant contracting officer who will then resolve the disagreement. The auditor will also issue a DCAA Form 1 to recover any reimbursement of unallowable costs that has occurred. The contractor may appeal the Form 1 disallowance to the contracting officer or file a claim under the contract “Disputes” clause (FAR 52.233-1). If rates are to be negotiated by the contracting officer (CO), the audit report and contractor comments will be forwarded to the contracting officer for action. 6-401 Contract Costs Costs must be accumulated by contract in order to determine their allowability per Government regulations. All costs (both direct and indirect) of producing goods or providing services should be identified to a final cost objective. FAR 31.001 defines a final cost objective as a cost objective that has allocated to it both direct and indirect costs and, in the contractor’s accumulation system, is one of the final accumulation points. Generally, a final cost objective is a contract. Accordingly, costs of a contract are comprised of direct costs and the contract’s allocable share of indirect costs. Information for Contractors January 2005 6-4 6-501 A major part of accounting for costs by contract is the classification of costs as either direct costs or indirect costs. 6-501 Direct Cost FAR 2.101 defines direct costs as “any cost that can be identified specifically with a particular final cost objective” (i.e., cost incurred for a specific contract). FAR 31.202 also supplements this broad definition with the following: Costs identified specifically with a contract are direct costs of the contract and are to be charged directly to the contract. All costs specifically identified with other final cost objectives of the contractor are direct costs of those cost objectives. No final cost objectives shall have allocated to it as a direct cost any cost, if other costs incurred for the same purpose in like circumstances have been included in any indirect cost pool to be allocated to that or any other final cost objective. Contractors should make every effort to identify all costs that are direct, and by default, what remains is indirect. 6-601 Indirect Costs FAR 2.101 defines an indirect cost as “any cost not directly identified with a single, final cost objective, but identified with two or more final cost objectives or an intermediate cost objective. It is not subject to treatment as a direct cost.” Further, an indirect cost shall not be allocated to a final cost objective if other costs incurred for the same purpose in like circumstances have been included as a direct cost of that or any other final cost objective. Because of their nature, indirect costs cannot be charged to final cost objectives on an individual basis. Therefore, indirect costs must be classified and grouped together into indirect cost pools, typically either an overhead cost pool or the general and administrative expense (G&A) cost pool. The pools in turn are allocated to final cost objectives using an indirect cost allocation base that best links the cost pool to the cost objectives. 6-602 Overhead Costs Costs that are incurred for or that only benefit an identifiable unit or activity of the contractor internal organization such as an engineering or manufacturing department are considered overhead costs. It is common to find separate overhead pools for engineering, manufacturing, material handling, and for certain off-site activities. Yet, it is conceivable that a very small contractor could have only one overhead pool. Examples of overhead pool costs are: Department supervision Information for Contractors January 2005 6-5 6-603 Depreciation of department buildings and equipment Training of department employees Fringe benefits of department employees Overhead rates are developed by dividing the overhead pool costs by the selected allocation base, e.g., direct labor dollars or direct labor hours. To allocate means to distribute overhead pool costs to contracts. In order to distribute overhead pool costs, the contractor must select an allocation base. There must be a relationship between the selected allocation base and the pool of costs to be allocated to contracts. For example, an engineering overhead pool would logically be allocated over total engineering direct labor dollars or engineering direct labor hours. Additional information regarding the allocation of indirect costs to contracts can be found at FAR 31.203, Indirect costs. 6-603 G&A Expenses G&A expenses represent the cost of activities that are necessary to the overall operation of the business as a whole, but for which a direct relationship to any particular cost objective cannot be shown. G&A includes the top management functions for executive control and direction over all personnel, departments, facilities, and activities of the contractor. Typically, it includes human resources, accounting, finance, public relations, contract administration, legal, and an expense allocation from the corporate home office. The G&A rate is developed by dividing total general and administrative expenses by the selected allocation base, e.g., total cost input (i.e., total direct and indirect costs, except G&A), value added cost input (i.e., total cost input except G&A, material and subcontract costs), or single element cost input (e.g., direct labor dollars, direct labor hours, direct materials costs). 6-701 Facilities Capital Cost of Money (FAR 31.205-10) a. Facilities Capital Cost of Money (cost of capital committed to facilities) is an imputed cost determined by applying a cost of money rate to facilities capital employed in contract performance. It is allowable whether or not the contract is otherwise subject to cost accounting standards (reference 48 CFR Chapter 99) if: (1) the contractor’s capital investment is measured, allocated to contracts, and costed in accordance with CAS 414; (2) the contractor maintains adequate records to demonstrate compliance with this standard; (3) the estimated facilities capital cost of money was specifically identified or proposed in cost proposals relating to the contract under which this cost is to be claimed; and Information for Contractors January 2005 6-6 6-801 (4) the requirements of FAR 31.205-52, which limit the allowability of facilities capital cost of money, are observed. b. The facilities capital cost of money need not be entered on the contractor’s books of account. However, the contractor shall make a memorandum entry of the cost and maintain, in a manner that permits audit and verification, all relevant schedules, cost data, and other data necessary to fully support the memorandum entry. An example of a facilities capital cost of money submission can be found in Section 6-801 (Schedule F). c. There is no requirement for a contractor to propose facilities capital cost of money in pricing and performing a contract. If it chooses not to propose this cost during contract pricing then the contractor waives any right to claim it during contract performance. (See FAR 15.408(I) and FAR 52.215-17 for more information.) 6-801 Model Incurred Cost Proposal a. This section of the pamphlet presents DCAA’s Model Incurred Cost Proposal (Figure 68-1) to assist a contractor in meeting its requirement for submitting final indirect cost rate proposals. The model includes example schedules on the following pages. These example schedules present the information needed to begin an audit. If a contractor generates internal formal reports that identify the needed information, these internal reports can be submitted in lieu of the example schedules. However, the basic data contained in the schedules is required to complete the audit in a timely manner. The use of internal reports as a substitute for the example schedule formats shown should first be discussed with the contractor’s cognizant DCAA field audit office. b. Note that depending upon the size of the firm, complexity of the accounting system, and type of business, some of the information contained in the schedules may not be necessary to perform the audit. Specific requirements should be coordinated with the cognizant DCAA field audit office. c. This model incurred cost proposal illustrates only a final overhead and G&A rate. Some operations may have additional rates, such as: fringe benefits rate, engineering overhead rate, manufacturing overhead rate, off-site rate, etc. A separate schedule should be prepared for each final or intermediate indirect expense pool. If expenses are available by department (e.g., President’s Office, Marketing Department for G&A; Fabrication, Assembly/Test for overhead), a breakout by expense for each department should also be provided. d. DCAA prefers that contractors include an index similar to that used in the model incurred cost proposal for each year submitted. If certain schedules are not applicable, the contractor should so note on the index. e. In addition to the data presented in the schedules, there is additional information that the auditor typically needs to facilitate timely completion of the audit in accordance with generally accepted government auditing standards. A list of this information is presented on the page entitled "Supplemental Model Incurred Cost Proposal Information." Having this Information for Contractors January 2005 6-7 6-801 information available at or prior to the entrance conference will make the audit process as fast and efficient as possible. f. The company name and fiscal period should be included on all schedules submitted. g. Contractors are encouraged to submit their proposals in electronic format. The Incurred Cost Electronically (ICE) Model, available from the DCAA web site (http://www.dcaa.mil, under DCAA Publications), is the electronic version of the Model Incurred Cost Proposal. It provides contractors with a standard user-friendly ICE submission package that will assist them in preparing adequate incurred cost submissions in accordance with FAR 52.216-7. Downloading and execution instructions are provided on the web site. The ICE Model is updated periodically, so contractors electing to use it should check the web site periodically for changes. While the ICE model is intended to aid the contractor in providing an adequate submission, its use does not guarantee that the submission will be judged adequate. Contractors should discuss the ICE model and its requirements with their local DCAA Office before preparing the proposal.
- Activity Code 19408 Compliance Audit CAS 408 Version 5.7, dated November 2009 B-1 Planning Considerations Purpose and Scope 1. The purpose of CAS compliance auditing is to determine if the contractor's policies, procedures, and practices used to estimate, accumulate, and report costs on Government contracts and subcontracts comply with the requirements of CAS. CAS 408 establishes criteria for uniformity in the measurement of costs of vacation, sick leave, holiday, and other compensated personal absence for a cost accounting period; thereby increasing the probability that the measured costs are allocated to the proper cost objective. FAR 52.230-2, Cost Accounting Standards, requires the contractor to comply with the CAS 408 criteria. 2. The scope of this audit should be limited to the last completed contractor fiscal year. For efficiency, CAS compliance testing, if possible, should be performed concurrently with tests for compliance with FAR and contract terms. 3. This program is intended to provide for the proper planning, performance, and reporting on the contractor's compliance with CAS 408. The audit steps in the program should reflect a documented understanding between the auditor and the technical specialist and/or the supervisor as to the scope required to comply in an efficient and effective manner with generally accepted auditing standards and DCAA objectives. The program steps are intended as general guidance and should be tailored as determined by audit risk.
- Planning Considerations 1. Before beginning any CAS compliance audit, the auditor should first determine whether the contractor is subject to the CAS coverage. If the standard is not applicable to the contractor, the audit should be cancelled. 2. Materiality (see 48 CFR 9903.305) and audit risk assessment (including Internal Control Audit Planning Summary (ICAPS) for major contractors, ICQ for nonmajors, and historical CAS problems) are integral parts of the planning process and should be considered in developing the extent of CAS compliance tests. 3. Once it is determined that the standard is applicable, the auditor should assess which provisions of the standard are significant to the contractor; the extent reliance may be placed on the contractor's system of internal controls to ensure compliance; and the results of other relevant audits (e.g., results of prior compliance audits, Disclosure Statement revisions, etc.). The decision to not test whether the contractor is complying with specific provisions of the standard should be documented. 1 of 7 Master Document – Audit Program B-1 Preliminary Steps W/P Reference Version 5.7, dated November 2009 1. Research and Planning a. Read and become familiar with the criteria in CAS 408, CAM 8-408, and any recent Headquarters guidance not incorporated in CAM. b. Evaluate Parts III and VI of the contractor's Disclosure Statement items to become familiar with the disclosed accounting practices. Determine if the contractor's accounting system has remained unchanged since the last CAS 408 compliance audit. If changes have occurred, adjust the audit scope accordingly. c. From the most recent incurred cost proposal or forward pricing rate proposal, determine whether total costs subject to CAS 408 are material. Consider contractor’s sales mix (i.e., CAS-covered Government contracts vs. not-CAS-covered and commercial) when determining materiality of costs subject to this standard. Materiality should be a consideration only in determining the extent of substantive testing.. d. Examine the FAO permanent files (including ICAPS or ICQ, audit leads from other relevant audits, and MAARs Control Log) and prior audit workpackages to determine what data are available, what audit steps were done in the past and the results from those steps. This will identify areas of high risk and/or areas where limited or no compliance testing is necessary. e. If appropriate, coordinate with the FAO technical specialist, CAC, and/or regional specialist on matters of interpretation and policy. f. Discuss the planned compliance audit with the cognizant Federal agency official (CFAO), who is usually the ACO, and, if appropriate, other customers to identify, understand, and document any concerns they may have or areas, which should be evaluated.
- Entrance Conference and Preparation a. Arrange and conduct an entrance conference covering the areas highlighted in CAM 4-302, with particular emphasis on: 2 of 7 Master Document – Audit Program (1) Compensated personal absence policy (2) The contractor’s explanation of the internal control structure. (3) Any changes since the last audit. (4) The contractor’s monitoring process. (5) Any identified weaknesses which may have been reported and related follow-up actions. (6) Chart of accounts applicable to CAS 408. (7) Account balances at the end of the two most recent accounting periods. b. If reliance is to be placed on the work of others, the file should contain the required documentation. (see CAM 4-1000) 3. Risk Assessment a. Examine the ICQ or relevant ICAPS (whichever is applicable) to obtain information regarding accounting system adequacy, identify any known outstanding system deficiencies, and perform preliminary assessment of risk. Document results. b. If the contractor is classified as non-major (where ICAPS have not been completed) and if the evidential matter to be obtained during the audit is highly dependent on computerized information systems, document on working paper B-2 the audit work performed that supports reliance on the computer-based evidential matter. Specifically, document or reference one or more of the following in working paper B-2: (1) the audit assignment(s) where the reliability of the data was sufficiently established n other DCAA audits, (2) the procedures/tests that will be performed in this audi to evaluate the incurred costs that will also support reliance on the evidential matter, and/or (3) the tests that will be performed in this audit that will be specifically designed to test the reliability of the computer based data. (4) When sufficient work is not performed to determine reliability (i.e., reduce audit risk to an acceptable level), qualify the audit report in accordance with CAM 10-210.4a and 10-807.3. c. Document the impact of the current assessment of the contractor’s internal control structure relative to this standard (Control 3 of 7 Master Document – Audit Program environment, accounting system, and relevant policies, procedures, and practices) on the audit scope. d. In planning and performing the examination, consider the fraud risk indicators specific to the audit. The principal sources for the applicable fraud indicators are:  Handbook on Fraud Indicators for Contract Auditors, Section II (IGDH 7600.3, APO March 31, 1993) located at http://www.dodig.mil/PUBS/igdh7600.doc (To access the handbook, copy and paste the web address shown above into the address block in Internet Explorer.)  CAM Figure 4-7-3 Document in working paper B any identified fraud risk indicators and your response/actions to the identified risks (either individually, or in combination). This should be done at the planning stage of the audit, as well as during the audit, if risk indicators are disclosed. If no risk indicators are identified, document this in working paper B. e. From the information gathered in the preceding steps and using the materiality criteria in 48 CFR 9903.305, assess the audit risk and determine the scope of audit and extent of compliance testing to be performed. f. Coordinate the scope of audit with the technical specialist and/or the supervisor. g. Update the information in the permanent files as needed. (MAAR 3) C-1 Compensated Personal Absence WP Reference Version 5.7, dated November 2009 1. Evaluate the contractor’s written compensated personal absence (leave) policies, understand if the contractor has one or more plan or custom for compensated personal leave (vacation, sick, holidays, etc.), and verify that the written policies are consistently followed by the contractor. a. For each plan, determine when entitlement is earned. Entitlement is generally explained in the plan, custom or disclosed accounting practices and is earned when the contractor (the employer) has an obligation to pay. (CAS 408.50(a)). 4 of 7 Master Document – Audit Program b. Test the contractor’s computation of earned entitlement for a given accounting period for a sample of employees by referring to source documents supporting the journal entries. The contractor’s calculation of earned entitlement should be in accordance with the requirements of CAS 408.50(b)(2). 2. Evaluate the contractor’s disclosed accounting practices, and determine if the accounting treatment for compensated personal absence is on the cash or accrual basis. (CAS 408.40(a)). a. If the accounting treatment is on the cash basis, verify that the contractor has assigned to the cost accounting period the cost of all compensated personal leave paid to employees during the period. There should not be a carry-forward liability for compensated personal leave if the contractor is not required to pay the employees for unused leave upon termination. b. If the accounting treatment is on the accrual basis, evaluate the contractor’s journal entries and verify that the contractor has assigned to the cost accounting period the costs of all the entitlement the employees earned during the period. Generally, a compensated personal leave liability account in the general ledger will indicate the standard (recurring) journal entries the contractor uses in recording the costs of the assigned liability. These costs will (CAS 408.50(c)): (Audit tests in this area partially satisfy the requirements of MAAR 10.) (1) include all entitlement that exists at the time the liability is determined. (2) be reduced for anticipated significant non-utilization. (3) be consistently estimated either in terms of current or anticipated wage. c. Verify that compensated personal leave costs are allocated pro-rata on an annual basis among final cost objectives of the period. (Audit tests in this area partially satisfy the requirements of MAAR 16 and MAAR 18.) 3. If the contractor changed its compensated personal leave plan or adopted a new plan, compare the contractor’s compensated personal leave liability under the new plan with the liability under the old plan at the first cost accounting period the new plan has become effective. If the liability under the new plan exceeds the liability under the old plan, verify that the contractor held the difference in a suspense account and did not charge it to Government contracts in the same accounting period (CAS 408.50(d)(2). (Audit tests in this area will partially satisfy the requirements of MAAR 10) 4. Determine that the amount held in suspense is reduced, at the end of 5 of 7 Master Document – Audit Program each cost accounting period, by the excess of the suspense amount at the beginning of the period over the liability at the end of the period. The excess shall be added to the cost of compensated personal absence assigned to the cost accounting period (CAS 408.50(d)(3)). (Audit tests in this area partially satisfy the requirements of MAAR 10)
- A-1 Concluding Steps W/P Reference Version 5.7, dated November 2009 1. Summarize the results of audit. 2. Discuss the audit results with the supervisor and/or the FAO technical specialist. The auditor should only report those noncompliances which are considered material (see CAM 8-302.7). 3. Coordinate significant or unusual issues with the CFAO, FAO Manager, and if applicable, with the CAC, CHOA, or GAC network (see CAM 8-302.4 and 8-302.6). Coordination should be both before and after discussion of audit results with the contractor. The CFAO should be apprised of noncompliance matters at the earliest possible date. If a noncompliance is considered immaterial, recommend to the CFAO that the contractor be notified to correct the noncompliance and if the noncompliance is not corrected, that the Government reserves the right to make appropriate contract adjustments should the cost impact become material (see FAR 30.602). 4. Prepare draft audit report. If the audit scope was limited to a certain area(s) of the contractor’s accounting practices, modify the scope and opinion statements as necessary so that they clearly identify the limited areas audited. a. If no instances of noncompliance are found, prepare a draft audit report in accordance with CAM 10-807 (activity code 19408). b. If instances of noncompliances are found, open an assignment under activity code 19200, prepare an audit report in accordance with CAM 10-808, and close this 19408 compliance assignment with an MFR. 5. If an internal control system deficiency is detected during the course of this audit, draft a flash internal control report and submit it to the contractor for comment in accordance with CAM 10-413. 6. Conduct an exit conference with the contractor in accordance with CAM 4-304. 7. Finalize audit report incorporating the contractor's response and audit rejoinder, if applicable. 8. Update the permanent files. Ensure that a copy of DMIS Report No CAS 3 entitled “CAS Compliance Testing (Activity Code 194XX)” is included in the permanent file after the assignment has been closed in DMIS.