Continuous Auditing
The Ultimate Access To Records
The Defense Contract Audit Agency (DCAA) received a tremendous boost in our ability to protect the taxpayer and warfighter with the issuance of Memorandum for Regional Directors MRD 13-PPS-007(R). This document presents guidance on necessary actions to obtain contractor’s internal audit reports.
This has been a long time coming.
The preposterous notion that defense contractors receiving some substantial amount of income from the Department of Defense (DOD) are then permitted to cloister their internal audit reports from the DOD auditors charged with monitoring the efficacy with which the contractors are executing their public responsibilities was ludicrous on its face.
Thanks to the hard work of DCAA and others, DOD auditors are now privy to a potent new tool to protect taxpayer dollars. While DCAA auditors are compelled to identify a NEXUS showing how the acquisition of contractor auditor reports will support a risk assessment or a procedure in an on-going audit, this reasonable requirement will not create a problem. The Contract Auditing Manual (CAM) stipulates the necessity of Mandatory Annual Audit Reports (MAARS). MAARS reports deal with Trial Balances, Floor Checks, Internal Controls, Tax Returns, Financial Statements and other matters for a total of seventeen audit areas in all. MAARS are an “Off the Shelf” nexus. This long codified requirement should provide the necessary rationale to access contractor audits.
While we work to formalize and normalize access to contractor audit reports, it’s necessary to keep moving forward. The last thing DCAA auditors want to do is rest on their laurels.
Now that we have the audit report, we need comprehensive access to the data from which those reports were derived. Our ultimate goal should be the implementation of Continuous Auditing across all contractors. The Institute of Internal Auditors defines Continuous Auditing as:
The automatic method used to perform control and risk assessments on a more frequent basis.
Accomplishing Continuous Auditing across all contractors is a daunting goal. But, like the old saw says, you eat an elephant one bite at a time.
Defense contractors are incredibly sophisticated users of advanced technology. Their auditing departments are no exception. They’re already using Continuous Auditing to monitor their activities. DCAA should leverage these contractor assets by meeting with the companies Chief Audit Executive (CAE) to learn what Auditing Control Language (ACL) software they’re currently using, what has proven most useful about that software and what results from that software have flowed into the contractors mandatory SOX reporting as well as what has been captured in their Corporate Risk Register.
The 2005 IIA Global Technology Auditing Guide (GTAG) entitled Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment, says the following:
Traditionally, internal auditing’s testing of controls has been performed on a retrospective and cyclical basis, often many months after business activities have occurred. ….. Today, however, it is recognized that this approach only affords internal auditors a narrow scope of evaluation, and is often too late to be of real value to business performance or regulatory compliance.
This describes a DCAA auditors circumstances to a “T.” I’ve heard colleagues refer to auditing dated items as “Poking the Blob.” You may find an exception by reviewing old records, but, the older it is, the less likely it is to be sustained. From a contractor’s perspective, no news is good news. If DCAA finds something, many times the contractor’s position is, we’ve always done it that way. Why didn’t you say something before? And then the laborious back and forth begins.
If DCAA were to avail themselves of continuous auditing systems the contractors presently possess, we would be able to nip problems in the bud and keep taxpayer dollars within DOD. That is immensely preferable to inappropriately paying contractors and then having to expend many years and countless man hours trying to recover them. The taxpayers did, after all, facilitate the purchase of those same continuous auditing assets. We then, ipso facto, have rights to the same.
DCAA bases audits on risk. We want to minimize, mitigate or eliminate risk. Also from the same GTAG:
A continuous audit approach allows internal auditors to fully understand critical control points, rules, and exceptions. With automated, frequent analyses of data, they are able to perform control and risk assessments in real time or near real time.
Access to existing real time risk assessments of operating financial systems would elevate the timeliness and quality of our audits immeasurably.
I believe the Agency is poised to enter a golden era. We’ve come through our recent difficulties with a much better approach to auditing. We’re far more deliberate and insightful as opposed to the previously mechanistic approach. Now, with Continuous Auditing and it’s first cousin, Continuous Monitoring, we can let the machines perform the metrics, freeing our people to audit, analyze and save taxpayer dollars.
In January of 2013, Rutgers University conducted its 26th World and Continuous Auditing Symposium. Advanced users of Continuous Auditing present were Siemens, Verizon, HP, Proctor and Gamble and more. I’m sure many of our majors are included in these users.
We come to this juncture at a propitious time. DCAA doesn’t have the clout to compel 
contractors to adopt Continuous Auditing. HOWEVER, thanks to SOX, the PCAOB and other regulatory bodies we don’t have to. The information is there for us to use. Making the obvious point, these requirements came into existence because of the egregious actions of certain companies. The requirements are there for a reason. We’re responsible to assure compliance. We must have access to the tools to fulfill our responsibilities.
I believe we should form and AdHoc Committee for the purpose of understanding what Continuous Auditing and Continuous Monitoring information is available, what systems the contractors have in place to acquire this data and how might these systems be used to benefit the taxpayer.
Matthew 7:7 says, “Ask and it will be given to you.” Let’s ask!!
