Are you prepared for audits of your business systems? If you are not ready when notified of an impending business system audit, you will not have time to get ready. Many U.S. government contractors are expected to comply with contractual requirements for maintenance of adequate business systems. The Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) clauses incorporated into U.S. government contracts list detailed criteria associated with business systems for:
- Material management and accounting,
- Earned value management, and
While contractors that do not have DoD contracts are not contractually required to comply with DFARS criteria, the criteria are considered suitable standards to use in determining the acceptability of any government contractor’s internal control systems.
The Defense Contract Audit Agency (DCAA) has primary responsibility for conducting the audits for several of these systems. The primary objective of a business system audit is to examine your compliance with the criteria. The agency’s audit approach includes obtaining and documenting an understanding of relevant portions of your system’s internal controls.
The audit program includes a planning meeting with your personnel prior to the formal entrance conference. At this meeting you will be notified of the upcoming audit. You will also be asked to identify the locations of the various accounting functions to determine if coordination with other DCAA offices is necessary. The planning meeting is also used to schedule the entrance conference and request that you provide a general overview of the system to be audited at that time.
An important aspect of this audit: You will be expected to provide detailed walkthroughs and demonstrations of your processes that make up the system. At the entrance conference, you will be requested to begin providing these walkthroughs and demonstrations within approximately two weeks. The auditors will provide additional information regarding what you should demonstrate for each area of the specific system that has been selected for audit. The walkthroughs and demonstrations and the documentation provided to support this disclosure represent your “assertions” of system compliance.
DCAA will perform attestation examinations of your compliance with the system criteria for each system and, based on that examination, will opine on your compliance. If significant deficiencies or material weaknesses are identified, a deficiency report will be issued stating the noncompliance with the system criteria.
The auditors’ purpose for obtaining your demonstrations is to document an understanding of your system’s internal controls that are related to compliance with system criteria. During the demonstrations, the auditors will make detailed notes on your system descriptions, policies and procedures, and processes as needed to document their understanding of the system, and will make enough inquiries to ensure that their understanding is sufficient. However, inquiry alone is not expected to be adequate to obtain an understanding of your internal controls. Procedures to obtain an understanding of system internal controls include making inquiries of your personnel, observing the application of specific controls, inspecting documents and reports, and performing additional walkthroughs of the system (including tracing transactions through the various processing steps).
Be prepared to provide and walk the auditors through the information that has been requested for the specific system being audited, demonstrate how each of the key processes and functions is accomplished, and show how you ensure compliance with the system criteria. It will probably be necessary for the auditors to conduct additional one-on-one demonstrations with the process owners at their work site to gain a full understanding of the processes. One of the controls that you should demonstrate for each of the processes and functions is how you maintain an adequate segregation of duties.
Upon completion of your walkthroughs and demonstrations, the auditors will document any risks they have identified during the entrance conference or demonstrations. Then, they will prepare a high-level summary of their understanding of your system and provide it to you for confirmation of accuracy. Based on their understanding of your system and an internal risk assessment, they will design their audit procedures to address the risks, meet the audit objectives, and provide reasonable assurance of detecting errors, irregularities and other non-compliances with applicable laws and regulations that could have a material effect.
The system walkthrough and demonstration are your opportunity to demonstrate your best practices. While a certain level of substantive transaction testing by the auditors is required to meet their audit standards, a successful and thorough demonstration can provide auditors with a basis for reducing the scope and degree of testing involved.
It is important that you validate the auditors’ understanding of your system. Misunderstandings can result in otherwise avoidable audit findings that, once included in a report, can be difficult to get rescinded.
Reports that include significant deficiencies or material weaknesses, which were identified during an audit related to your compliance with business system criteria, can result in:
- System disapproval,
- Withholding of interim payments and financing,
- Problematic negotiations, and
- Potential non-award of future contracts.
- Document your process flows, identifying functions and departments, activities, events and segregation of duties.
- Cross-reference your process flows to your written policies, procedures, operation instructions, desk instructions, screen shots or any other command media provided to your staff members that instructs or guides them in the performance of their work.
- Consider performing your own transaction testing using the DCAA’s own audit guidance. This way, you can establish that controls are working, demonstrate your process for monitoring compliance and for identifying and mitigating compliance risk, and provide auditors with the necessary audit trail to accomplish their transaction testing.