PPS August 15, PPS-016(R)

DEFENSE CONTRACT AUDIT AGENCY
DEPARTMENT OF DEFENSE
8725 JOHN J. KINGMAN ROAD, SUITE 2135
FORT BELVOIR, VA

IN REPLY REFER TO PPS August 15, 2013

MEMORANDUM FOR REGIONAL DIRECTORS, DCAA
DIRECTOR, FIELD DETACHMENT, DCAA
HEADS OF PRINCIPAL STAFF ELEMENTS, HQ, DCAA

This memorandum provides guidance on testing the contractor's scanned images in order to determine if reliance can be placed on the contractor's scanned documents during the course of our audits, and to report any identified noncompliances with FAR 4.703(c), FAR 4.703(d). As part of the program planning process, field audit offices (FAOs) should determine how they will implement this new guidance.

What are the FAR Requirements Pertaining to Scanned Images?

FAR 4.703(c) allows contractors to duplicate and store original records in electronic form. Contractors are not required to maintain or produce original records during an audit if the contractor provides photographic or electronic images of the original records and the contractor meets the requirements of FAR. FAR 4.703(c) states that the contractor must meet the following requirements:

• The contractor has established procedures to ensure that the imaging process preserves accurate images of the original records, including signatures and other written or graphic images, and that the imaging process is reliable and secure so as to maintain the integrity of the records;
• The contractor maintains an effective indexing system to permit timely and convenient access to the imaged records; and
• The contractor retains the original records for a minimum of one year after imaging to permit periodic validation of the imaging systems.

FAR 4.703(d) allows contractors to transfer images from one reliable computer medium to another if the transfer process maintains the integrity, reliability, and security of the original data and an audit trail is retained.

When Should Auditors Test the Contractor's Compliance with the FAR Requirements?

FAOs should test the contractor's scanned images annually as part of an ongoing audit being performed at the contractor (e.g., incurred cost, proposal audit, etc.). There is no separate activity code for performing this testing; rather, the FAO will determine which assignment will include procedures to perform this testing annually as part of the program planning process. The testing will cover the previous 12-month period; therefore, the procedures should be included in one of the first audits performed during the contractor fiscal year. This will allow the FAO to test the previous fiscal year images, thus allowing auditors in the future to make an easy determination on whether reliance can be placed on the scanned images for that contractor fiscal year.

What Procedures Will the Auditor Perform?

As part of the planning process, auditors will:

• Request the contractor to provide a demonstration/walkthrough in order to:
  o Obtain an understanding of the contractor's system and control activities over the functional elements that make up the source documentation imaging process.
  o Develop procedures to ensure the contractor's compliance with the requirements of FAR 4.703(c).
• Determine if a transfer from one electronic medium to another will, or has, taken place.
  o If a transfer has taken place, develop procedures to ensure the contractor's compliance with the requirements of FAR 4.703(d).
  o If a transfer is planned for the future, auditors will assess compliance with FAR on a real-time basis as the transfer is taking place.

At a minimum, the auditor should perform the following procedures:

• Test a sample of the images to original documentation from the preceding 12-month period
  o Ensure the contractor is able to provide timely access to the imaged records to test whether the contractor maintains an effective indexing system to permit timely and convenient access.
  o Ensure the scanned image accurately reflects the original record, including signatures and other written or graphic images.
• If a transfer has taken place, the auditor should include steps to ensure the contractor's transfer procedures maintain the integrity, reliability, and security of the original computer data. They also should ensure the contractor retains an audit trail describing the data transfer.

At Which Contractors Should These Procedures be Performed?

Testing of scanned images should be performed at all contractors with over $100 M Auditable Dollar Value (ADV) and select contractors with ADV below $100 M based on FAO discretion. Examples of factors to consider when determining if these procedures should be applied include the amount of firm-fixed-price work, the contractor's assessment as high risk for incurred cost sampling purposes, and whether the contractor typically provides scanned images as supporting documentation.

Why Are We Performing These Tests of Scanned Images?

The procedures we are performing during our testing of scanned images are intended to provide reasonable assurance that we can rely on the scanned images during the course of our audits (e.g., incurred cost, forward pricing, etc.). If we perform tests of the contractor's scanned images, and no deficiencies are identified and the scanned images appear to maintain the integrity of the original records, we generally can rely on the scanned documents for the period covered.

Are We Testing Contractor Internal Controls?

During our testing of scanned images, we generally will not perform testing to the level required to determine the adequacy of system internal controls. We intend to use the results of our testing to determine reliance on scanned images, and in most cases, the benefit of performing the additional tests of internal controls does not outweigh the costs of performing such tests. If an auditor believes these tests of controls are necessary, the auditor should elevate their concerns to management to determine if it is appropriate to perform such tests. If significant concerns exist relative to a contractor's general IT processes, an IT system review can be completed at major contractors. However, system reviews should not be established solely to ensure the processes supporting the scanning system are working effectively.

What is the Impact of Not Testing Internal Controls?

Without testing internal controls (access and storage controls) related to the contractor's imaging process, there is going to be a risk that the records reviewed could have been altered since the time the testing was performed. This risk is similar to the risk that the contractor has altered their hardcopy documents from the time of creation to the time of audit. Therefore, if no IT system audit has been performed to test the contractor's internal controls, the auditor must consider fraud risk indicators and other known risk factors in determining whether there is a material chance that the scanned images have been altered since the time of testing (similar to the thought process that would take place in considering the risk that hardcopy documents have been altered). Based on this determination, the auditor will need to make a decision as to whether a qualification relevant to the lack of testing access and storage controls will be necessary.

What if we have not Performed Testing of Scanned Images in Prior Years?

If we have not tested the contractor's scanned images, auditors should determine if the contractor has preserved the original documents. If the original documents were preserved, auditors should test a sample of scanned documents to original documents to determine reliability. If the contractor did not preserve the original documents, auditors must consider the contractor's environment and review the permanent files for risk factors to ensure there is no obvious reason we should not rely on the scanned documents. Assuming no significant risk factors are identified, the auditor should complete the assignment with the scanned images and, at a minimum, qualify the report.

How will the Auditor Document/Report the Results?

The Auditor should prepare a Memorandum for Record or summary detailed working paper if the testing did not disclose a noncompliance. If the testing discloses a significant deficiency (in accordance with the DFARS (a) definition) that is considered a material weakness, the auditor should prepare an accounting system deficiency report. The report should cite noncompliance with FAR 4.703(c) and/or 4.703(d) and DFARS (c)(1), Accounting System Administration. Additionally, the report should comment on how the deficiency affects the reliability of the scanned images. The memorandum, detailed working paper, or report will be maintained in the respective permanent file under Section B-05, Audit Planning Audit History.

Questions and Further Information

This guidance addresses only the scanning of paper invoices and does not address the review of electronic invoices (such as internet invoices, electronic funds transfers, and transactions) or financial and cost accounting records (such as a contractor's generated depreciation schedule). A separate guidance memorandum pertaining to the review of these types of documents will be issued in the near future.

FAO personnel should direct questions to their regional points of contact, and regional personnel with questions should contact Policy Publications and Systems Division at (703) or by at DCAA-PPS@dcaa.mil.

Enclosure: Frequently Asked Questions

DISTRIBUTION: E

/s/ John C. Shire
/for/ Donald J. McKenzie
Assistant Director
Policy and Plans

FREQUENTLY ASKED QUESTIONS
Placing Reliance on Scanned Images

Question 1: The contractor does not have written policies and procedures covering its scanning system; does this mean they are in noncompliance?

Answer: No. Although it is preferred, having written policies and procedures is not required.

Question 2: The contractor scanned a depreciation schedule originally prepared in Excel, but did not keep the original Excel file for 12 months. Is this covered by the new guidance?

Answer: No. This guidance only addresses the scanning of paper invoices. It does not address the scanning of financial and cost accounting records.

Question 3: The contractor recently transferred its scanned images from one storage media to another media (e.g., from IRIMS to Livelink). Do I need to review this transfer?

Answer: Yes. FAR 4.703(d) allows contractors to transfer images from one reliable computer medium to another. In addition to the annual testing of scanned images, you will need to determine if the transfer process maintained the integrity, reliability, and security of the original data, and whether an audit trail was retained.

Question 4: If my contractor is planning to transfer images from one storage media to another in the near future, should I perform real time procedures while the transfer is taking place, or should I perform procedures during the next annual testing?

Answer: If a transfer is planned in the future, you should plan to assess compliance on a real time basis as the transfer is taking place.

Question 5: At my location, the contractor has fixed-price work of $725 M but only $67 M ADV. The contractor is considered low risk, but has significant proposal effort annually that is supported by scanned images. Should I test the contractor's scanned images?

Answer: Generally, yes. At low risk contractors under $100 M ADV, a decision will need to be made by the FAO based on the particular circumstances of the contractor. The contractor's environment and its processes for supporting an audit should be considered. In this example, the contractor provides scanned images during its proposal audits, and the FAO performs multiple proposal audits during the year. Therefore, it would be cost-effective to validate that the scanned images can be relied upon.

Question 6: We tested the contractor's scanned documents last year and found no instances of noncompliance. The contractor stated that the system has not changed. Do we need to perform testing of scanned images again this year?

Answer: Yes. However, the auditor should document during the planning process that no formal walkthrough/demonstration is necessary to determine what audit procedures are necessary since the same procedures should apply this year that were performed last year. Minimal steps should be taken to ensure the contractor's system has not changed, and the actual audit procedures must still be performed annually.

Question 7: I have a contractor that has one large fixed-price contract. The contractor bids only every three years on this contract, and provides scanned images as support for the proposed costs. The contractor is considered high risk. Do I need to test the contractor's scanned images?

Answer: Yes, if the contractor is determined to be high risk and it provides scanned documents to support its proposed costs, this testing should be done annually to ensure reliance can be placed on the documents provided. Since the documents will more than likely include documents in the two years between proposals, testing should be done in every year to ensure reliance can be placed on all support provided. However, in this case, there may be no programmed work for the contractor in the off years. If an FAO does not have an assignment programmed for the year, a separate assignment (e.g., 17900) should be established to test the contractor's scanned images.

Question 8: During our testing of the contractor's scanned documents, we found that the contractor maintained its original documents for the majority of the required 12-month period, but not for the entire 12 months. Our testing of the original records for the time period it did maintain the records disclosed no noncompliances with FAR 4.703(c)(3). Can we rely on the contractor's scanned documents during the course of our audits?

Answer: Yes. The fact that the contractor failed to maintain its original documents for exactly 12 months would not, in and of itself, prevent us from relying on the contractor's scanned images. In this case, there were no other noncompliances identified during our testing of the scanned documents, and the contractor maintained the original documents for the majority of the 12-month period. Auditors must use judgment when performing this testing to determine if reliance can be placed on the scanned images based on their overall review.

Question 9: I am performing an incurred cost audit for FY 2008, and it has been determined that my audit will include testing of the contractor's scanned images. Do I test documents for FY 2008, or for the last 12-month period?

Answer: If it is determined that you will include procedures to test the contractor's scanned images as part of your audit, you are required to look at the scanned images for the preceding 12-month period. However, if testing of the scanned documents was not performed for the FY 2008 time period, you also should determine if the original documents for that time period are available. If they still are available, testing of the scanned images for FY 2008 also should be performed to allow reliance on the scanned images during the ongoing audit.

Question 10: We have not performed testing of scanned images at our contractor in previous years, and we still have incurred cost audits that need to be done for those periods. Can we perform testing of scanned images for these previous years in the same assignment where we are performing our current testing?

Answer: Yes. Testing of scanned images can be performed for multiple years in one assignment. If an auditor is doing testing of FY 2013 scanned images, but knows that testing has not been performed in previous years where there still are open incurred cost audits, it may be the most efficient way to perform the testing.

Question 11: The guidance tells me to test a sample of scanned images to source documents. How much testing is considered adequate testing?

Answer: The type of testing we are doing lends itself to attribute sampling. There is an attribute sampling guidebook available on the intranet to assist you in determining how much testing is sufficient. In every review, consideration must be given to the attributes being tested (e.g., does the image exist, is it legible, is it complete, etc.) and the contractor's environment (e.g., any known risk factors, controls the contractor has in place, processes involved, etc.). As an example, if a contractor has different processes for the scanning of different types of documents, the selection of separate samples for the different processes should be considered. Additionally, if there are known risk factors, or lack of controls identified in the planning process (during the demonstration/walkthrough), the auditor should appropriately adjust their sample size to address their risk.