_________
From the Defense Contract Audit Agency’s Directory of Audit Programs (AP) and Other Audit Guidance (OAG) Documents. Available at: http://www.dcaa.mil/standardguidance.htm.
B-1 | Preliminary Steps | W/P Reference |
Version 8.5, dated June 2012 | ||
1. Research and Planning |
||
a. Review the open MRD’s for guidance which may impact the audit and adjust the scope and procedures appropriately. Open MRDs can be identified using the link provided on the DCAA Intranet home page for “MRDs, AGMs, & AMGMs” |
||
b. Become familiar with applicable sections of CAM 5-1200. Any recent relevant Headquarters guidance (i.e., MRDs, AGMs, and AMGMs) not incorporated in the CAM can be accessed from the Agency-Wide Library available on the DCAA’s intranet home page. |
||
c. Perform the following steps using the permanent file: |
||
(1) Review prior estimating system audit working paper package. |
||
(2) Identify any flash estimating system reports issued (review ICRS database, as applicable). Document the results of (1) and (2) on W/P B-2. |
||
(3) Using the framework and the guidelines in WP B-2, obtain and document an understanding of the contractor’s internal controls that are relevant to the audit. With the proper planning auditors should be able to obtain and document a major portion of this understanding during a walk-through of the contractor’s assertion. |
||
(4) Identify the sources for the detailed policies, procedures, charts, etc., called for in steps (a) through (d) below. |
||
Document the sources of data by listing the data, its source, and any changes since the last system audit. |
||
(a) Contractor’s written estimating system policies and procedures. |
||
(b) Organization charts depicting the functional areas responsible for developing and processing estimating system related data. |
||
(c) Estimating system flowcharts providing a pictorial overview of all manual and computerized processing steps. |
||
(d) Information systems documentation: |
||
(i) Pertinent record layouts of files created and/or used during the processing of estimating system related transactions. |
||
(ii) Database table definitions. |
||
(iii) Source documents. |
||
(iv) Information on the conversion of documents to computer media. |
||
(v) Subsidiary or master files affected by the system. |
||
(vi) Relevant reports, journals, and ledgers produced in the flow of information to the estimating system reports. |
||
(5) Review audit lead sheets. |
||
(6) Review other related audits, for example: |
||
(a) Review bid proposals (or comparable assignment log) and summarize the findings in pricing proposal activity. Complete EST – Experience Info Worksheet – Bid Proposals, if applicable. |
||
(b) Review and summarize the impact of noted defective pricing, suspected irregular conduct (SIC), and related CAS noncompliances. Complete EST - Experience Info Worksheet – Other, if applicable. |
||
(c) Review files containing telephone requests for specific information and determine if there were any inconsistent estimating practices noted that impact the scope of this audit. |
||
(7) Consider the impact of the contractor’s financial condition on the estimating system. (Refer to prior financial capability risk assessment or audits – Code 176XX). |
||
d. Issue a notification letter to the contractor regarding the audit in accordance with CAM 4-302.3. |
||
e. Hold a planning meeting with the audit team (e.g., RAM, Manager, Supervisor, Auditors) to discuss the risk of fraud and other noncompliances with applicable laws and regulations that could have a material effect on the assertion. The discussion should include relevant prior audit experience (e.g., questioned cost, relevant reported estimating or accounting system deficiencies), relevant aspects of the contractor’s environment (e.g., the extent of incentives, pressures and opportunities to commit fraud and the propensity to rationalize misstatements), other known risk factors, and the audit team’s understanding of relevant internal controls (see W/P B-2). The team should also review and discuss the general and other relevant sections of the IG Handbook on Fraud Indicators for Contractors as well as the relevant fraud indicators in CAM Figure 4-7-3. See “Principal Sources of Fraud Indicators” below. • Handbook on Fraud Indicators for Contract Auditors, Sections I and III, (IGDH 7600.3, APO March 31, 1993) located at: http://www.dodig.mil/PUBS/igdh7600.doc. • CAM Figure 4-7-3.(To access the fraud handbook, copy and paste the web address shown above into the address block in Internet Explorer.) |
||
f. Obtain from the contractor its listing of proposals for the past twelve months (or most recently completed fiscal year) and summarize by customer, contract type, and dollar volume in order to determine the materiality of the estimating system. Complete the Materiality section of the ICAPS form at W/P A. |
||
g. Contact the contracting officer to ascertain any known concerns (including risk related to the contractor’s financial condition) that will impact the audit and adjust the audit scope and procedures accordingly. If information regarding the contractor’s financial condition is not available from the contracting officer, the auditor should perform the procedures addressed in CAM 2-302.1h. If during the course of the audit the auditor becomes aware of unfavorable or adverse financial conditions, they should immediately communicate their concerns to the contracting officer, and appropriately adjust the scope of audit. |
||
h. Electronically transmit an acknowledgement/notification to the ACO/Buying Command notifying them of the commencement of the risk assessment and that the expected completion date will be provided in the formal acknowledgement/notification once the risk assessment is complete. (CAM 2-303). The acknowledgement/notification process should be within the timeframe and in accordance with the procedures in CAM 4-104. |
||
i. Coordinate with other DCAA offices (including FD if there are significant classified contracts) cognizant of other contractor segments to determine if any estimating-related system deficiencies should be considered in this audit. Also, coordinate and request any necessary assist audits at locations that perform effort affecting the estimating system. Document your need for assist audits on W/P B-3. |
||
j. Close coordination is required at FAOs cognizant of a shared services location and the FAOs cognizant of the segments serviced by the shared services. Document the objectives and procedures to be performed at the shared services location and the segment level. Request assist audits, as applicable. |
||
k. Determine the extent and results of the contractor’s self-governance activities, internal and external audits, and coordinated audits related to the estimating system. |
||
(1) Request the contractor provide a list of completed internal and external audits and determine if any are related to the estimating system. |
||
(2) If applicable, coordinate with the CAC or corporate office auditors to determine if any internal control weaknesses that might impact the estimating system were identified in management’s internal control report or the independent auditor’s attestation on management’s assertion included in the annual report filed with the SEC. |
||
(3) In those cases where internal or external audits have been performed, the auditor should follow the guidance contained in CAM 4-1000, Relying Upon the Work of Others. Document your preliminary evaluation and its impact on the scope of this examination. The evaluation of internal audit working papers is documented in detail in Section G-1, Step 2. |
||
l. Determine the need for technical specialist assistance and document your consideration on W/P B-3. |
||
2. Entrance Conference and Preparation |
||
a. Prepare a written memorandum to the contractor to arrange for an entrance conference covering the areas highlighted in CAM 4-302, and any specific data or pertinent information not yet provided. |
||
b. Conduct an entrance conference as outlined in CAM 4-302, with particular emphasis on: |
||
(1) Requesting the contractor to provide, if applicable, a system orientation briefing or a demonstration of the estimating system transaction flow, including data input, data processing, data output, and related internal controls. Document under Information and Communications, Section E-1, Step 3. |
||
(2) Determining any changes in the estimating process since the last examination. |
||
(3) Discussing the contractor’s risk assessment process. Overall understanding of contractor’s processes will be documented under Contractor Risk Assessment, Section D-1. |
||
(4) Discussing the contractor’s monitoring process to ensure that established manual and computerized controls are functioning as intended. Document under Monitoring, Section F-1. |
||
(5) Discussing any identified weaknesses which may have been previously reported and related follow-up actions taken. |
||
3. Other Preliminary Steps |
||
a. Determine the degree a computerized system is used in the estimating process. |
||
b. Perform a high level cursory assessment to determine if the following exist: |
||
(1) A functional estimating organization with defined organizational responsibilities. |
||
(2) A written description of the work flow in the estimating process. |
||
(3) Policies and procedures for effectively controlling the estimating process. |
||
4. Initial Risk Assessment |
||
Using the information obtained in steps 1, 2, and 3, prepare an initial risk assessment (W/P B) to determine the initial scope of the examination. |
C-1 | Control Environment | W/P Reference |
Version 8.5, dated June 2012 | ||
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The auditor should obtain a sufficient understanding of the control environment to determine the impact that it may have on the overall effectiveness of the estimating system internal controls. | ||
1. Evaluate the most recently completed ICAPS for the Control Environment and Overall Accounting Controls for the rationale behind any moderate or high-risk assessment ratings and determine the impact, if any, on the effectiveness of the estimating system internal controls… |
||
2. If an examination of the control environment has not been recently performed, evaluate all documented prior audit experience with the contractor, including permanent files, relevant audit reports and working papers, suspected irregular conduct (SIC) referrals and discussions with prior auditors. Obtain an understanding of the following factors: |
||
a. Integrity and ethical values. |
||
b. Commitment to competence. |
||
c. Board of directors and/or audit committee participation. |
||
d. Management’s philosophy and operating style. |
||
e. Organizational structure. |
||
f. Assignment of authority and responsibility. |
||
g. Human resource policies and procedures. |
||
3. Document your overall assessment of the control environment and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K). |
D-1 | Contractor’s Risk Assessment | W/P Reference |
Version 8.5, dated June 2012 | ||
The auditor should develop a sufficient understanding of the risk assessment process currently employed by the contractor in terms of its identification, analysis, and management of risks relevant to the preparation of contract cost data. | ||
1. Meet with responsible personnel to obtain an overview of the various risk factors considered by management. |
||
2. Once the various risk factors are identified, obtain an understanding of how management identifies the risks, estimates the significance of risks, assesses the likelihood of their occurrence, and relates them to contract reporting. |
||
3. If applicable, obtain an overview of any plans, programs, or actions management may initiate to address specific risks. Keep in mind that, depending on the nature of specific risks, management may elect to accept a given risk due to costs or other considerations. |
||
4. Document your overall understanding of the contractor’s risk assessment practices and the impact that it has on the nature and extent of testing of each control objective (W/Ps G, H, I, J and K). |
I-1 | Training | W/P Reference |
Version 8.5, dated June 2012 | ||
The auditor should obtain an understanding of the contractor’s control activities for this control objective. A detailed understanding of the control activities is essential to the assessment of control risk. Estimating system primary control objectives, as they relate to U.S. Government contracts, and examples of control activities the contractor may have implemented to achieve the control objectives, are provided in the internal control matrix (see W/P 31). The audit procedures for this control objective are also included in the internal control matrix. If the auditor determines that relevant internal control activities do not exist, or that the effort to perform tests is not justified, no control testing need be performed, and control risk will be assessed as high. | ||
1. In planning the following audit procedures to understand the contractor’s control activities, the auditor should recognize the other components of internal control and their impact on the nature and extent of testing to be performed. Document the impact of the internal control components on the nature and extent of testing on this control objective. Internal control components are as follows: |
||
• Control environment |
||
• Contractor risk assessment |
||
• Monitoring |
||
2. Policies and procedures should be established and implemented to assure that assigned personnel have sufficient training, experience, and guidance to perform estimating tasks in accordance with established procedures. |
||
a. Evaluate the contractor’s policies and procedures to determine if they require periodic training of all employees involved in the estimating process, including, when appropriate, the use of statistical aids and advanced estimating techniques. |
||
b. Evaluate records of completed training or other evidence indicating that appropriate employees have been trained in accordance with the policies and procedures. |
A-1 | Concluding Steps | W/P Reference |
Version 8.5, dated June 2012 | ||
1. Assessment Of Control Risk |
||
a. Considering all five components of internal control (control environment, contractor risk assessment, information and communications, monitoring, and control activities that relate to control objectives), assess control risk for each of the relevant control objectives (internal audits, system description, training, cost estimate development, and contract certification). For each of the objectives, summarize the characteristics which support the assessed level of control risk and specifically identify any internal control weaknesses or system deficiencies. |
||
b. Determine if the estimating system is adequate to reasonably assure proper pricing, administration, and settlement of Government contracts in accordance with applicable laws and regulations. |
||
c. Based on the assessments above, determine the impact on the scope of other audits. |
||
d. Complete the ICAPS form at W/P A (see CAM 3-305). |
||
e. Coordinate the results of audit with the supervisor. The supervisor and the FAO manager should review and initial the ICAPS form at W/P A before the exit conference is performed. If it is determined that additional audit steps are needed, any additional planned audit effort should be accomplished as part of this examination or immediately thereafter. Any delays in completion of this audit effort should be documented and approved by management. |
||
2. Summary Steps |
||
a. Prepare a draft audit report in accordance with CAM 10-400. |
||
b. Conduct an exit conference with the contractor in accordance with CAM 4-304. |
||
c. Finalize the audit report incorporating the contractor’s response and audit rejoinder. |
||
d. If the contractor has EVMS covered contracts, provide comments in the audit report on whether any findings are likely to impact the contractor’s EVMS (10-1204.5b). Discuss findings and recommendations relating to the EVMS with the Contract Administration Office EVMS Monitor prior to issuance of the report. Immediately evaluate the impact of these findings on specific EVMS covered contracts and provide the details in flash EVMS surveillance reports (11-203.5.b). |
||
e. Update the permanent file in accordance with CAM 4-405.b (MAAR #3). Retain a copy of the approved W/P A ICAPS form. After the audit report is issued, update the ICRS database using the information on the approved W/P A ICAPS form and file the approved W/P A ICAPS form in the Electronic Contractor Permanent File (ECPF). (The control risk assessment (Section II) and overall system opinion (Section III) in the ICAPS may not be updated until the system report supporting the change is issued (CAM 3-306a).) |
3.133.147.252