“Audit Protocol Guidelines” Rich Culbertson Lockheed Martin

Post on 11-Jan-2016

“Audit Protocol Guidelines”

Rich Culbertson, Lockheed Martin

Please use the following two slides as a template for your presentation at NES.

Why Care About Audit Protocol?

• GAO Yellow Book, Jan. 20, 2012
– Government Audits are Subject to the Yellow Book (Effective December 15, 2011)
• DoD Instruction 4161.02, April 27, 2012
– Accountability and Management of Government Contract Property (Effective April 27, 2012)
– Cancels DoD 4161.2-M of 1991
– References the GAO Yellow Book and Applies
• Contractor Business Systems Rule (Feb 2012)
• Reliable Audits – Those Auditing, Those Audited and Decision Makers

Background

• Government Property Management, Accounting and Auditing Go Back a Very Long Time.

– Budget and Accounting Act of 1921 -- GAO
– Securities Exchange Acts of 1933 and 1934
– Federal Property And Administrative Services Act of 1949
– Armed Services Procurement Regulations (ASPR)
– Office of Federal Procurement Policy Act (OFPP Act - 1974) -- Cost Accounting Standards
– GAO Yellow Book -- Seven editions since the 1970s
– 1984 FAR

Background

• Government Property Management, Accounting and Auditing Go Back a Very Long Time
– Sarbanes Oxley Act
– AICPA Standards
– Re-codification of GAAP…..
• In the last year very significant changes
• Things you learned in the past may no longer be applicable. Don’t assume you know what you assume you know

GAO Yellow Book

Government Auditing: Foundation and Ethical Principles
Introduction
1.01 The concept of accountability for use of public resources and government authority is key to our nation’s governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, ethically, and equitably within the context of the statutory boundaries of the specific government program.

GAO Yellow Book

Government Auditing: Foundation and Ethical Principles
Introduction

1.02 As reflected in applicable laws, regulations, agreements, and standards, management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations. 

FAR Part 1 is Regulation

GAO Yellow Book

Government Auditing: Foundation and Ethical Principles
Introduction

Purpose and Applicability of GAGAS
1.04 The professional standards and guidance contained in this document, commonly referred to as generally accepted government auditing standards (GAGAS), provide a framework for conducting high quality audits with competence, integrity, objectivity, and independence.

GAO Yellow Book

Government Auditing: Foundation and Ethical Principles

“1.05 Audits performed in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of … programs and operations. … their work can lead to improved government management, better decision making and oversight, effective and efficient operations, …”

Results should be to this standard.  

GAO Yellow Book

Government Auditing: Foundation and Ethical Principles
Introduction

1.07 a. “The term “auditor” as it is used throughout GAGAS describes individuals performing work in accordance with GAGAS  (including audits and attestation engagements) regardless of job title. …”

GPAs are auditors.   

GAO Yellow Book

Government Auditing: Foundation and Ethical Principles
“1.18 Making decisions consistent with the public interest of the program or activity under audit is an important part of the principle of integrity …, auditors may encounter conflicting pressures from management …, and other likely users. … pressures to inappropriately achieve personal or organizational gain. In resolving …, acting with integrity means that auditors place priority on their responsibilities to the public interest.”

GAO Yellow Book

Government Auditing: Foundation and Ethical Principles
“1.24 High expectations for the auditing profession include compliance with all relevant legal, regulatory, and professional obligations and avoidance of any conduct that might bring discredit to auditors’ work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors’ work was professionally deficient.”

Know you’re right before you write.  

  

GAO Yellow Book

Performance Audits
“2.10 Performance audits … provide findings or conclusions based on an evaluation of sufficient, appropriate evidence against criteria. … provide objective analysis to assist management and those charged with governance and oversight in using the information to improve program performance and operations, reduce costs, facilitate decision making …”

The PMSA is a Performance Audit.  

  

GAO Yellow Book

2.11 b. “Internal control audit objectives relate to an assessment of … organization’s system of internal control that is designed to provide reasonable assurance of achieving effective and efficient operations, reliable financial and performance reporting, or compliance with applicable laws and regulations.”

• Defined in law and OMB Circular A-123…
• Effective and efficient operations come with recognition of materiality and cost and benefits.

  

GAO Yellow Book

2.15 “a. Unconditional requirements: Auditors and audit organizations must comply with an unconditional requirement in all cases where such requirement is relevant. … the word must … an unconditional requirement.”

Few -- for example:
• Independence
• Use professional judgment
• Collectively possess adequate professional competence
• Plan
• Peer Review

GAO Yellow Book

2.15 b. … Auditors and audit organizations must comply with a presumptively mandatory requirement … GAGAS uses … should to indicate a presumptively mandatory requirement.

• One of few mandatory “must” statements

  

GAO Yellow Book

2.16 “If, in rare circumstances, auditors judge it necessary to depart from a relevant presumptively mandatory requirement (“should” statement), they must document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement.”

• There are many “should” statements.

  

GAO Yellow Book

“3.20 Auditors should evaluate threats to independence … when the facts and circumstances under which the auditors perform their work may create or augment threats to independence. Auditors should evaluate threats both individually and in the aggregate because threats can have a cumulative effect on an auditor’s independence”.

  

3.36 Whether an activity is a management responsibility depends on the facts and circumstances and auditors exercise professional judgment in identifying these activities. Examples of activities that are considered management responsibilities and would therefore impair independence if performed for an audited entity include:
a. setting policies and strategic direction for the audited entity;

• Auditors should not audit their own work.
• Do auditors audit their own work now?

Guidelines and Recommendations

“4.26 When auditors detect … noncompliance with provisions of contracts … or abuse that … are less than material but warrant the attention of those charged with governance, they should communicate those findings in writing to audited entity officials. When auditors detect any instances of fraud, noncompliance with provisions of laws, regulations, contracts … or abuse that do not warrant the attention of those charged with governance, the auditors’ determination of whether and how to communicate such instances to audited entity officials is a matter of professional judgment.”

Don’t misrepresent noncompliances as Material Deficiencies

Findings Less Than Material Deficiencies

GAO Yellow Book

“5.08 Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider a reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate.”

• Abuse is similar to unreasonable cost (FAR 31)
• There is no good reason for abuse – don’t tolerate it or blame it on contracts or regulations.

  

GAO Yellow Book

Significance in a Performance Audit
6.04 … Significance is defined as the relative importance … within the context …, including quantitative and qualitative factors. Such factors include the magnitude of the matter in relation to the subject matter of the audit, the nature and effect of the matter, the relevance of the matter, the needs and interests of an objective third party with knowledge of the relevant information, and the impact of the matter to the audited program or activity. Professional judgment assists auditors when evaluating … In the performance audit requirements, the term “significant” is comparable to the term “material” as used in the context of financial statement engagements.

DoD Instruction 4161.02, April 27, 2012 -- Government Contract Property

• Cancels DoD 4161.2-M Audit Guide 1991
• c. … shall comply with the requirements of … DoDI 5000.64 … to establish and maintain accountability for Government contract property furnished to, or acquired by, contractors and third parties.

This requires a $5000 threshold for accountability and adopts ASTM 2279 with a shall statement.

• DoD IUID Registry stays.

  

Contractor Business Systems Rule (Feb 2012)

(a)  Definitions.  ““Significant deficiency” means a shortcoming in the system that materially affects the ability of officials of the Department of Defense to rely upon information produced by the system that is needed for management purposes.”

• This is a high standard – impacts Cost, Schedule, Quality
• This definition was placed in law. Not every deficiency is material. Not every outcome identified in (f) can be material.

  

Contractor Business Systems Rule (Feb 2012)

“DoD is relying on the temporary payment withholding amounts, not  as a penalty for a deficiency, but as representing a good-faith estimate sufficient to mitigate the Government’s risk …”   (Ref. Federal Register /Vol. 77, No. 37 / Friday, February 24, 2012 /Rules and Regulations 11359)

• Note: DCMA Guide published prior to final rule and may not reflect the assertions that the Government made in the Federal Register.
• The risk to the Government should be proportional to the significant deficiency – a $10K problem should not result in a $10 million withhold.

  

Contractor Business Systems Rule (Feb 2012) Materiality

FAR 30.602 – Materiality (a) 48 CFR 9903.305 (FAR Appendix).
“… the following criteria shall be considered …; no one criterion is necessarily determinative:
(a) … absolute dollar amount involved. …
(b) … contract cost compared with the amount under consideration. …
(e) … cumulative impact of individually immaterial items.
(f) The cost of administrative processing …. If the cost to process exceeds the amount to be recovered, …” (cost vs. benefit)

• FAR Part 1 Materiality and Cost and Benefits –

  

Contractor Business Systems Rule (Feb 2012) Materiality

Other Materiality Authoritative References:
• CAS 409 uses a ten percent threshold
• FASAB 6. Materiality statement -- The provisions of this statement need not be applied to immaterial items.
• FASB Concepts 2: The magnitude of an omission or misstatement …, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.
• SEC Staff Accounting Bulletin No. 99 – “must consider both "quantitative" and "qualitative" factors”

  

Contractor Business Systems Rule (Feb 2012) Materiality

ASTM 2279-03 and 09 materiality, n—magnitude of an omission or misstatement of accounting data that misleads financial statement readers or decision makers. Materiality is judged both by relative amount and by the nature of the item.

3.1.9.1 Discussion-…. In determining whether items or amounts of cost are material or immaterial, the following quantitative and qualitative criteria should be considered where appropriate but no one criterion is necessarily determinative: (1) the absolute dollar amount involved, (2) the relationship between a cost item/occurrence and a cost objective, (3) the criticality of an item in terms of importance or use, (4) the cumulative impact of individually immaterial items, and (5) the cost of administrative processing.

(Referenced in DODI 5000.64 and in Industry Procedures)

  

Contractor Business Systems Rule (Feb 2012)

The Yellow Book incorporates AICPA AU Section 312 Audit Risk and Materiality in Conducting an Audit

“Determining Materiality ….27 The auditor should determine a materiality level … when establishing the overall audit strategy for the audit … Determining a materiality level … helps guide the auditor's judgments in identifying and assessing the risks of material misstatements…”

• Materiality thresholds should not be established as the auditor goes along or at the end of the audit.

• A financial approach is taken rather than a quality approach.

• It is okay to ask the auditor – what is the threshold…

  

Contractor Business Systems Rule (Feb 2012)

Response to comment on “due process”

“The contractor will be notified of a preliminary finding of a deficiency during the course of formal system reviews and audits. This occurs before the auditor or functional specialist releases a report to the contractor and contracting officer. After receiving a report, the contracting officer will promptly evaluate and issue an initial determination. The contractor is then allowed 30 days to respond to any significant deficiencies. Contractors are given ample opportunity to present their position during system reviews.” Ref: Federal Register /Vol. 77, No. 37 / Friday, February 24, 2012 /Rules and Regulations 11361

4.4. …. ACO’s shall not apply payment withholds to contracts containing DFARS Clause 252.242-7005 unless the Contractor is given due process …. Ref. DCMA Internal Process Business Systems Rule http://guidebook.dcma.mil/308/index.cfm

What is it and why do we care about Due Process?

  

Contractor Business Systems Rule (Feb 2012)

Due Process: Constitutional right … the Fifth Amendment...

Rights of Persons “No person [includes contractors] shall be … deprived of life, liberty, or property, without due process of law;” As construed by the courts, includes rights to be adequately notified of charges or proceedings, the opportunity to be heard …, and the person or panel making the final decision … be impartial in regards to the matter before them. Ref. Goldberg v. Kelly.

The Government recognizes due process rights of contractors.

Contractors should exercise due process rights – ask about preliminary findings – respond to preliminary findings and include the impartial decision maker (ACO).

  

Contractor Business Systems Rule (Feb 2012)

“(d)  Significant deficiencies.  (1)  The Contracting Officer will provide an initial determination to the Contractor, in writing, of any significant deficiencies. The initial determination will describe the deficiency in sufficient detail to allow the Contractor to understand the deficiency.”

• Due Process – is not passive. Understand, and present facts, law, regulations, standards… Get help if needed.

“(2) The Contractor shall respond within 30 days to a written initial determination from the Contracting Officer that identifies significant deficiencies in the Contractor's property management system. If the Contractor disagrees with the initial determination, the Contractor shall state, in writing, its rationale for disagreeing.”

• May submit corrective action plan – go for 2%.

  

Contractor Business Systems Rule (Feb 2012)

(3)  The Contracting Officer will evaluate the Contractor's response and notify the Contractor, in writing, of the Contracting Officer’s final determination concerning—  

 (i)  Remaining significant deficiencies; 

 (ii)  The adequacy of any proposed or completed corrective action; and  

 (iii)  System disapproval, if the Contracting Officer determines that one or more significant deficiencies remain.

  

Contractor Business Systems Rule (Feb 2012)

(e) If the Contractor receives the Contracting Officer’s final determination of significant deficiencies, the Contractor shall, within 45 days of receipt of the final determination, either correct the significant deficiencies or submit an acceptable corrective action plan showing milestones and actions to eliminate the significant deficiencies.

(f) Withholding payments. If the Contracting Officer makes a final determination to disapprove the Contractor’s property management system, and the contract includes the clause at 252.242-7005, Contractor Business Systems, the Contracting Officer will withhold payments in accordance with that clause.

  

Contractor Business Systems Rule (Feb 2012)

Suggested -- Approach Holistically from all Contractual Parties

Stick with the basics: FAR Part 1 1.102 -- Statement of Guiding Principles for the Federal Acquisition System.

• These are regulations – not suggestions. These principles are, for the most part, repeated throughout the FAR, CAS, Yellow Book.

(b) The Federal Acquisition System will --
(1) Satisfy the customer in terms of cost, quality, and timeliness of the delivered product or service …
(2) Minimize administrative operating costs;
(3) Conduct business with integrity, fairness, and openness; …

  

Contractor Business Systems Rule (Feb 2012)

Suggested -- Approach Holistically from all Contractual Parties

Stick with the basics:

1.102-2 -- Performance Standards.
(2) To achieve efficient operations, the System must shift its focus from “risk avoidance” to one of “risk management.” The cost to the taxpayer of attempting to eliminate all risk is prohibitive. The Executive Branch will accept and manage the risk associated with empowering local procurement officials to take independent action based on their professional judgment.

  

DoD Risk Reporting Matrix
http://www.dau.mil/pubs/gdbks/risk_management.asp

[Figure: DoD Risk Reporting Matrix, a 5 × 5 grid with axes Likelihood (1 to 5) and Consequence (1 to 5)]

Read, Understand and Use the DoD Risk Management Guide

Summary

• Recent documents have changed audit requirements and protocol
• This is complex and will require relearning
• The Yellow Book requires more of a financial/performance approach to audits over a prior quality approach
• Place priority on the public interest.
• Auditors, for independence purposes, are not to audit their own work.
• Materiality applies – deficiencies that, if known, would have led decision makers to do something differently
• Emphasis and expectation is more effective and efficient operations.
• Outcome over process
• Due process rights are recognized – understand it and use it.
• Imperative use of ASTM 2279
• Use risk management
• A constructive approach will help get to maturity.
• Expect and build in cost saving

  

References

• Budget and Accounting Act of 1921 http://en.wikipedia.org/wiki/Budget_and_Accounting_Act
• GAO Yellow Book http://www.gao.gov/yellowbook
• DoD Instruction 4161.02, April 27, 2012 www.dtic.mil/whs/directives/corres/pdf/416102p.pdf
• Contractor Business Systems Rule DFARS 242.70 http://farsite.hill.af.mil/vfdfara.htm
• OMB Circular A-123 www.whitehouse.gov/omb/circulars_a123
• OFPP Act http://www.law.cornell.edu/uscode/text/41/1101
• Federal Acquisition Regulations http://farsite.hill.af.mil/
• AICPA Standards http://www.aicpa.org/RESEARCH/STANDARDS/Pages/default.aspx
• ASTM 2279 http://www.astm.org/Standards/E2279.htm
• FASAB http://www.fasab.gov/
• FASB Concepts http://www.fasb.org/jsp/FASB/Page/SectionPage&cid=1176156317989
• DCMA Internal Process Business Systems Rule http://guidebook.dcma.mil/308/index.cfm