•  Evaluate the adequacy of and the contractor’s compliance with the estimating system internal controls.

  •  Obtain a sufficient understanding of the contractor’s estimating system and related internal control (including both manual and computerized activities) to plan the related audit effort. This requires that the auditor assess the adequacy of the contractor’s policies and procedures, whether they have been implemented, and if they are working and being monitored effectively.

  •  Document the understanding of the estimating system internal controls in working papers and permanent files.

  •  Assess control risk as a basis to identify factors relevant to the design of substantive tests.

  •  Report on the understanding of the estimating system internal controls and assessment of control risk and the adequacy of the system for Government contracts.

  •  EST - Announcement Ltr. to Contractor

  •  EST - Experience Info Worksheet - Bid Proposals

  •  EST - Experience Info Worksheet - Other

  •  EST - Interview Questionnaire

  •  EST - Notification Memo to ACO

  •  EST - Notification Memo to PCO

1. CAM 3-300, Internal Control Audit Planning Summary (ICAPS)

2. CAM 5-1200, Audit of Estimating System Internal Controls

3. CAM 9-303, Contractor Estimating Methods and Procedures-Cost Estimates

4. CAM 10-400, Audit Reports on Operations and Internal Control (System Audits)

5. DFARS 215.407-5, Estimating Systems

1. Research and Planning

a. Review the open MRD’s for guidance which may impact the audit and adjust the scope and procedures appropriately. Open MRDs can be identified using the link provided on the DCAA Intranet home page for “MRDs, AGMs, & AMGMs”

b. Become familiar with applicable sections of CAM 5-1200. Any recent relevant Headquarters guidance (i.e., MRDs, AGMs, and AMGMs) not incorporated in the CAM can be accessed from the Agency-Wide Library available on the DCAA’s intranet home page.

c. Perform the following steps using the permanent file:

(1) Review prior estimating system audit working paper package.

(2) Identify any flash estimating system reports issued (review ICRS database, as applicable). Document the results of (1) and (2) on W/P B-2.

(3) Using the framework and the guidelines in WP B-2, obtain and document an understanding of the contractor’s internal controls that are relevant to the audit. With the proper planning auditors should be able to obtain and document a major portion of this understanding during a walk-through of the contractor’s assertion.

(4) Identify the sources for the detailed policies, procedures, charts, etc., called for in steps (a) through (d) below.

Document the sources of data by listing the data, its source, and any changes since the last system audit.

(a) Contractor’s written estimating system policies and procedures.

(b) Organization charts depicting the functional areas responsible for developing and processing estimating system related data.

(c) Estimating system flowcharts providing a pictorial overview of all manual and computerized processing steps.

(d) Information systems documentation:

(i) Pertinent record layouts of files created and/or used during the processing of estimating system related transactions.

(ii) Database table definitions.

(iii) Source documents.

(iv) Information on the conversion of documents to computer media.

(v) Subsidiary or master files affected by the system.

(vi) Relevant reports, journals, and ledgers produced in the flow of information to the estimating system reports.

(5) Review audit lead sheets.

(6) Review other related audits, for example:

(a) Review bid proposals (or comparable assignment log) and summarize the findings in pricing proposal activity. Complete EST – Experience Info Worksheet – Bid Proposals, if applicable.

(b) Review and summarize the impact of noted defective pricing, suspected irregular conduct (SIC), and related CAS noncompliances. Complete EST - Experience Info Worksheet – Other, if applicable.

(c) Review files containing telephone requests for specific information and determine if there were any inconsistent estimating practices noted that impact the scope of this audit.

(7) Consider the impact of the contractor’s financial condition on the estimating system. (Refer to prior financial capability risk assessment or audits – Code 176XX).

d. Issue a notification letter to the contractor regarding the audit in accordance with CAM 4-302.3.

e. Hold a planning meeting with the audit team (e.g., RAM, Manager, Supervisor, Auditors) to discuss the risk of fraud and other noncompliances with applicable laws and regulations that could have a material effect on the assertion. The discussion should include relevant prior audit experience (e.g., questioned cost, relevant reported estimating or accounting system deficiencies), relevant aspects of the contractor’s environment (e.g., the extent of incentives, pressures and opportunities to commit fraud and the propensity to rationalize misstatements), other known risk factors, and the audit team’s understanding of relevant internal controls (see W/P B-2). The team should also review and discuss the general and other relevant sections of the IG Handbook on Fraud Indicators for Contractors as well as the relevant fraud indicators in CAM Figure 4-7-3. See “Principal Sources of Fraud Indicators” below.
Based on the team discussion and other risk assessment procedures the team should document on W/P B, Section 4 the risk factors/indicators identified and design audit procedures to meet the audit objectives and provide reasonable assurance of detecting fraud and other noncompliances with applicable laws and regulations that could have a material effect on the proposal (i.e., tailor (add/delete/modify) the audit steps). GAGAS6.13(a)Communication among audit team members about the risk of material misstatement due to fraud should continue as needed throughout the audit.
Principle Sources of Fraud Indicators:

  •  Handbook on Fraud Indicators for Contract Auditors, Sections I and III, (IGDH 7600.3, APO March 31, 1993) located at: http://www.dodig.mil/PUBS/igdh7600.doc.

  •  CAM Figure 4-7-3.(To access the fraud handbook, copy and paste the web address shown above into the address block in Internet Explorer.)

f. Obtain from the contractor its listing of proposals for the past twelve months (or most recently completed fiscal year) and summarize by customer, contract type, and dollar volume in order to determine the materiality of the estimating system. Complete the Materiality section of the ICAPS form at W/P A.

g. Contact the contracting officer to ascertain any known concerns (including risk related to the contractor’s financial condition) that will impact the audit and adjust the audit scope and procedures accordingly. If information regarding the contractor’s financial condition is not available from the contracting officer, the auditor should perform the procedures addressed in CAM 2-302.1h. If during the course of the audit the auditor becomes aware of unfavorable or adverse financial conditions, they should immediately communicate their concerns to the contracting officer, and appropriately adjust the scope of audit.

h. Electronically transmit an acknowledgement/notification to the ACO/Buying Command notifying them of the commencement of the risk assessment and that the expected completion date will be provided in the formal acknowledgement/notification once the risk assessment is complete. (CAM 2-303). The acknowledgement/notification process should be within the timeframe and in accordance with the procedures in CAM 4-104.

i. Coordinate with other DCAA offices (including FD if there are significant classified contracts) cognizant of other contractor segments to determine if any estimating-related system deficiencies should be considered in this audit. Also, coordinate and request any necessary assist audits at locations that perform effort affecting the estimating system. Document your need for assist audits on W/P B-3.

j. Close coordination is required at FAOs cognizant of a shared services location and the FAOs cognizant of the segments serviced by the shared services. Document the objectives and procedures to be performed at the shared services location and the segment level. Request assist audits, as applicable.

k. Determine the extent and results of the contractor’s self-governance activities, internal and external audits, and coordinated audits related to the estimating system.

(1) Request the contractor provide a list of completed internal and external audits and determine if any are related to the estimating system.

(2) If applicable, coordinate with the CAC or corporate office auditors to determine if any internal control weaknesses that might impact the estimating system were identified in management’s internal control report or the independent auditor’s attestation on management’s assertion included in the annual report filed with the SEC.

(3) In those cases where internal or external audits have been performed, the auditor should follow the guidance contained in CAM 4-1000, Relying Upon the Work of Others. Document your preliminary evaluation and its impact on the scope of this examination. The evaluation of internal audit working papers is documented in detail in Section G-1, Step 2.

l. Determine the need for technical specialist assistance and document your consideration on W/P B-3.

2. Entrance Conference and Preparation

a. Prepare a written memorandum to the contractor to arrange for an entrance conference covering the areas highlighted in CAM 4-302, and any specific data or pertinent information not yet provided.

b. Conduct an entrance conference as outlined in CAM 4-302, with particular emphasis on:

(1) Requesting the contractor to provide, if applicable, a system orientation briefing or a demonstration of the estimating system transaction flow, including data input, data processing, data output, and related internal controls. Document under Information and Communications, Section E-1, Step 3.

(2) Determining any changes in the estimating process since the last examination.

(3) Discussing the contractor’s risk assessment process. Overall understanding of contractor’s processes will be documented under Contractor Risk Assessment, Section D-1.

(4) Discussing the contractor’s monitoring process to ensure that established manual and computerized controls are functioning as intended. Document under Monitoring, Section F-1.

(5) Discussing any identified weaknesses which may have been previously reported and related follow-up actions taken.

3. Other Preliminary Steps

a. Determine the degree a computerized system is used in the estimating process.

b. Perform a high level cursory assessment to determine if the following exist:

(1) A functional estimating organization with defined organizational responsibilities.

(2) A written description of the work flow in the estimating process.

(3) Policies and procedures for effectively controlling the estimating process.

4. Initial Risk Assessment

1. Evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls for the rationale behind any moderate or high-risk assessment ratings and determine the impact, if any, on the effectiveness of the estimating system internal controls…

2. If an examination of the control environment has not been recently performed, evaluate all documented prior audit experience with the contractor, including permanent files, relevant audit reports and working papers, suspected irregular conduct (SIC) referrals and discussions with prior auditors. Obtain an understanding of the following factors:

a. Integrity and ethical values.

b. Commitment to competence.

c. Board of directors and/or audit committee participation.

d. Management’s philosophy and operating style.

e. Organizational structure.

f. Assignment of authority and responsibility.

g. Human resource policies and procedures.

h. Financial capability.

3. Document your overall assessment of the control environment and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K).

1. Meet with responsible personnel to obtain an overview of the various risk factors considered by management.

2. Once the various risk factors are identified, obtain an understanding of how management identifies the risks, estimates the significance of risks, assesses the likelihood of their occurrence, and relates them to contract reporting.

3. If applicable, obtain an overview of any plans, programs, or actions management may initiate to address specific risks. Keep in mind that, depending on the nature of specific risks, management may elect to accept a given risk due to costs or other considerations.

4. Document your overall understanding of the contractor’s risk assessment practices and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K).

1. Since the accounting and information systems are integral components of information and communication processes, evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls and the IT Systems General Internal Controls for the rationale behind any moderate or high-risk assessment ratings and determine the potential impact, if any, on the effectiveness of the estimating system internal controls on information and communications.

2. Evaluate relevant permanent files, prior audit working papers, and any prior contractor demonstrations of its estimating system information and communication processes.

3. Determine if the contractor has made changes to the information and communication processes in its estimating system since the last demonstration. Evaluate the changes. If no prior systems demonstration was performed, have the contractor provide one. Contractor representatives providing the demonstration should possess a detailed knowledge of the estimating system. The demonstration provides the auditor an opportunity to query contractor personnel regarding internal controls and how they are monitored. The auditor should ensure that the demonstration addresses the internal control objectives outlined in CAM 5-1200.

4. The contractor should include appropriate manual and computerized controls in its information processing that check for accuracy, completeness, and proper authorization of estimating related transactions. Have the contractor identify and demonstrate controls related to each of the areas listed in a. through e. below. Compare the contractor disclosed controls with the generic access control listing contained in the referenced CAM section and identify any controls not incorporated in the application. Verify the existence and adequacy of the contractor disclosed controls. Discuss any apparent deficiencies with the contractor.

a. Access Controls (CAM 5-1406.1)

b. Data Input Controls (CAM 5-1406.2)

c. Processing Controls (CAM 5-1406.3)

d. Error Correction and Submission (CAM 5-1406.4)

e. Output Controls (CAM 5-1406.5)

5. Once the current estimating system information and communication processes are demonstrated by the contractor, selectively trace the development of a contractor’s proposal through the estimating system, starting from the initiation of the proposal development process (e.g., response to RFP) to validate your understanding of the estimating system. By tracing a transaction, the auditor should document the validity and operation of the key controls demonstrated by the contractor in steps 2-4 above (e.g., estimates based on most current, accurate and completed data; cost or price analysis performed on subcontract proposals; proposal properly certified). Discrepancies between your understanding and the contractor’s demonstration should be resolved prior to completing the remainder of this examination.

6. Document your confirmed understanding of the estimating system information and communication processes and obtain a written confirmation from the contractor indicating that they agree with this understanding. This documentation will typically take the form of system flowcharts or narrative descriptions, and can be prepared by the auditor or consist of documentation prepared by the contractor (see CAM 5-106). Based on your understanding of the contractor’s estimating system information and communication processes, document the impact that it will have on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K).

1. Determine if ongoing monitoring procedures are incorporated into the normal recurring activities of the contractor’s organization. These procedures should include regular management and supervisory activities.

2. Where applicable, determine the extent of internal audit involvement in performing monitoring functions through separate evaluations.

3. Determine and document the extent of monitoring activities being performed by external parties.

4. Document your overall understanding of the monitoring activity being performed at the contractor’s location, and determine the impact it will have on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K).

1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:

  •  Control environment

  •  Contractor risk assessment

  •  Information and communications

  •  Monitoring

2. Verify that periodic reviews of contractor’s policies and procedures are conducted to ensure that:

a. Policies and procedures are compliant with applicable Federal regulations.

b. Policies and procedures have been implemented and are working effectively.

c. Follow-up actions are taken on recommendations resulting from management reviews.

3. Evaluate the contractor’s record of completed internal audits and its current internal audit plan to determine if the estimating system is being subjected to periodic reviews in accordance with established policies and procedures.

4. Identify and selectively evaluate documentary evidence and the frequency of the contractor’s management reviews to determine whether the scope of such reviews are appropriate, the conclusions sound, and appropriate follow-up actions were taken.

5. Identify any reviews which may have an impact on this examination, and evaluate the reports and supporting working papers to determine if any system deficiencies were noted, and the extent to which we can rely on the work performed (see CAM 4-1000).

1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:

  •  Control environment

  •  Contractor risk assessment

  •  Information and communications

  •  Monitoring

2. Contractors should establish and maintain an estimating system description, including policies, procedures, and operating instructions compliant with FAR and DFARS.

a. Organization/Assignment of Responsibilities

(1) Obtain organization charts and written policies, procedures, and directives describing the organizational structure, and responsibilities of the estimating group(s) and contributing departments.

(2) Obtain flowcharts showing the flow of work in the estimating process and integration of data prepared by personnel responsible for various functions, such as accounting, cost control, budgeting, planning, purchasing, production control, engineering, estimating, and sales. Key decision and review points, and the time frame for the entire process, should be identified by the contractor.

(3) Determine if the following characteristics of an adequate system exist:

(a) Lines of authority, duties, and responsibilities are clearly defined.

(b) Coordination among the various segments of the organization responsible for different parts of the estimate.

(c) Designation of individuals authorized to approve requests for preparing estimates.

(4) Interview selected employees involved in the proposal preparation process to determine if the actual responsibility for preparing, reviewing, and approving cost estimates is consistent with established policies and procedures.

b. Policies and Procedures

(1) Determine if written policies are established at a high enough organizational level to allow for proper implementation.

(2) Determine if procedures are in writing and compatible with underlying policies.

(3) Determine if:

(a) Policies, procedures, and other written instructions are disseminated to all employees responsible for putting the estimates together.

(b) Revisions to policies, procedures, and instructions are timely, as changes occur in the estimating system.

(4) Throughout the remainder of this examination, be alert for any areas in which established estimating policies and procedures are either inadequate or incomplete.

c. Integration with Other Management Systems

(1) Evaluate the contractor’s policies and procedures to determine if they provide for the integration of information from other management systems, as appropriate.

(2) Selectively evaluate recent pricing proposals or other cost estimates to determine if information from other management systems was appropriately integrated into the cost estimates.

1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:

  •  Control environment

  •  Contractor risk assessment

  •  Information and communications

  •  Monitoring

2. Policies and procedures should be established and implemented to assure that assigned personnel have sufficient training, experience, and guidance to perform estimating tasks in accordance with established procedures.

a. Evaluate the contractor’s policies and procedures to determine if they require periodic training of all employees involved in the estimating process, including, when appropriate, the use of statistical aids and advanced estimating techniques.

b. Evaluate records of completed training or other evidence indicating that appropriate employees have been trained in accordance with the policies and procedures.

1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows::

  •  Control environment

  •  Contractor risk assessment

  •  Information and communications

  •  Monitoring

2. Policies and procedures should be established and implemented to ensure that cost estimates are developed using acceptable estimating methods and rationale, and that supporting data is current, accurate, and complete.

a. Evaluate the adequacy and appropriateness of the methods employed in preparing cost estimates for each proposal type. Consider the following:

(1) The nature of the products or services procured.

(2) The degree of firmness of specifications.

(3) The contractor’s experience with the same or similar products or services.

(4) The extent detailed cost data can be derived from the accounting system, adjunct statistical records, etc.

(5) The relative dollar amount of the estimates.

(6) Cost and time restrictions on the preparation of the estimates.

b. Evaluate the extent to which the contractor has identified the estimating practices for sensitive cost areas.

c. Determine if the contractor has procedures in place to ensure that practices used to estimate costs are consistent with accounting practices used in accumulating costs (CAS 401/FAR 31.201 and 31.203(d)), and to ensure that estimated costs are consistentlyclassified between direct and indirect (CAS 402/FAR 31-202 and 31.203(a)).

d. Evaluate the extent to which estimating methods make use of historical data relating to entire products and individual tasks; and indirect cost ratios and percentage factors applicable to a common base.

e. Determine if cost estimates based upon prior cost experience consider:

(1) Differences in complexity, quantity, rate of production, state of development, etc., between items previously produced and those for which estimates are being developed.

(2) Applicability of preproduction engineering, special tooling, plant rearrangement, and other nonrecurring costs.

(3) Anticipated changes in production methods, material usage, prices, wage rates, labor efficiency, production volume, plant capacity and make-or-buy structure.

f. Evaluate the applicability of historical standard cost variance factors. (Where standards have been revised to represent expected actual cost, historical cost variances are not applicable).

g. Evaluate the appropriateness of escalation factors proposed, and the methods used to apply them to the cost elements.

h. Evaluate the availability and use of incurred cost records in developing estimates if the contractor is given the authorization to proceed before a contract price is negotiated.

i. Evaluate the propriety of using company-wide forward pricing factors for preparing cost estimates. Are such factors current, based upon reliable cost data and procedures, and correctly applied?

j. Evaluate the reasonableness of formula pricing methods for spare parts to ensure that individual elements of cost are not duplicated in both base costs and loading factors.

k. If used by the contractor, evaluate the adequacy of catalog pricing and prepriced listing methods for developing reasonable prices for spare parts proposals.

l. Evaluate the adequacy of the contractor’s methods for developing cost estimates for contract changes.

(1) Do the estimates properly reflect the nature and scope of the change and the status of the work in process at the time the change is issued?

(2) Are the contractor’s procedures for pricing deleted work correct? (Work deleted, but not yet performed, should be priced at estimated current cost).

m. Determine if proposals are submitted on the appropriate forms, and if related supporting data contains enough detail to permit an adequate evaluation of cost estimates. Is the basis for each cost element disclosed?

n. When a certificate of current cost or pricing data is required, does the contractor adequately identify the cost or pricing data submitted?

o. Evaluate the contractor’s policies and procedures to determine if they establish responsibility for the review and analysis of subcontracts.

p. Selectively evaluate recent pricing proposals or other cost estimates to determine if cost/price analysis of subcontracts was performed, as required by the policies and procedures.

q. Determine if controls are in place to ensure:

(1) Timely submission of data at all phases of the proposal preparation process.

(2) Uniformity of approach, detection of errors, and prevention of cost duplication.

r. Determine if the following characteristics of an adequate system exist:

(1) Adequate supervision in each area, and at each level of the estimating process.

(2) Managerial reviews at interim points, and upon completion of the estimating process.

(3) Management reviews covering soundness of judgmental estimates, adherence to established procedures, and compliance with pertinent regulations.

(4) Estimators who summarize and document the conditions, assumptions, contingencies, qualifications, risks, etc., taken into consideration in developing estimates.

s. Determine whether proposed direct labor rates reflect the total hours employees are expected to work during the year as covered in CAM 9-505b, “Evaluation of Estimated Direct Labor Rates.”

1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows:

  •  Control environment

  •  Contractor risk assessment

  •  Information and communications

  •  Monitoring

2. Policies and procedures should be established and implemented to ensure that all cost or pricing data is current, accurate, and complete as of the date of agreement on price.

a. Evaluate the contractor’s policies and procedures to determine if they adequately provide for updating of cost or pricing data up to the point of agreement on price.

b. Selectively evaluate recent post-award audits to determine if they indicate that the contractor is not updating cost or pricing data, as provided for in the policies and procedures.

1. Assessment Of Control Risk

a. Considering all five components of internal control (control environment, contractor risk assessment, information and communications, monitoring, and control activities that relate to control objectives), assess control risk for each of the relevant control objectives (internal audits, system description, training, cost estimate development, and contract certification). For each of the objectives, summarize the characteristics which support the assessed level of control risk and specifically identify any internal control weaknesses or system deficiencies.

b. Determine if the estimating system is adequate to reasonably assure proper pricing, administration, and settlement of Government contracts in accordance with applicable laws and regulations.

c. Based on the assessments above, determine the impact on the scope of other audits.

d. Complete the ICAPS form at W/P A (see CAM 3-305).

e. Coordinate the results of audit with the supervisor. The supervisor and the FAO manager should review and initial the ICAPS form at W/P A before the exit conference is performed. If it is determined that additional audit steps are needed, any additional planned audit effort should be accomplished as part of this examination or immediately thereafter. Any delays in completion of this audit effort should be documented and approved by management.

2. Summary Steps

a. Prepare a draft audit report in accordance with CAM 10-400.

b. Conduct an exit conference with the contractor in accordance with CAM 4-304.

c. Finalize the audit report incorporating the contractor’s response and audit rejoinder.

d. If the contractor has EVMS covered contracts, provide comments in the audit report on whether any findings are likely to impact the contractor’s EVMS (10-1204.5b). Discuss findings and recommendations relating to the EVMS with the Contract Administration Office EVMS Monitor prior to issuance of the report. Immediately evaluate the impact of these findings on specific EVMS covered contracts and provide the details in flash EVMS surveillance reports (11-203.5.b).

e. Update the permanent file in accordance with CAM 4-405.b (MAAR #3). Retain a copy of the approved W/P A ICAPS form. After the audit report is issued, update the ICRS database using the information on the approved W/P A ICAPS form and file the approved W/P A ICAPS form in the Electronic Contractor Permanent File (ECPF). (The control risk assessment (Section II) and overall system opinion (Section III) in the ICAPS may not be updated until the system report supporting the change is issued (CAM 3-306a).)