DEFENSE CONTRACT AUDIT AGENCY
DEPARTMENT OF DEFENSE
8725 JOHN J. KINGMAN ROAD, SUITE 2135
FORT BELVOIR, VA 22060-6219

IN REPLY REFER TO

July 30, 2013

MEMORANDUM FOR REGIONAL DIRECTORS, DCAA
               DIRECTOR, FIELD DETACHMENT, DCAA
               HEADS OF PRINCIPAL STAFF ELEMENTS, HQ, DCAA

SUMMARY

The purpose of this guidance is to discuss the requirements for the audit team to design examination engagements that detect instances of fraud and noncompliances with provisions of laws, regulations, contracts, and grant agreements that may have a material effect on the subject matter.

BACKGROUND

CAM 4-702 provides guidance on the audit team responsibilities for detecting and reporting fraud. Policy supplemented this guidance last year by incorporating into working paper B-01 an audit step to hold a team-planning meeting to discuss the risk of fraud and other noncompliances with applicable laws and regulations that could have a material effect on the audit. In addition, DCAA delivered risk assessment training as part of the February/March 2013 FAO Assistant for Quality (FAQ) Workshops. The FAQ training illustrated how auditors integrate fraud risk into the application of the Audit Risk Model to achieve a focused and efficient approach to audit planning decisions. This MRD expands on these efforts and provides a comprehensive approach to detecting and responding to the risk of fraud.

GUIDANCE

INFORMATION-GATHERING PROCEDURES

The audit team should perform information-gathering procedures to gain an understanding about the contractor and its environment. These procedures include management inquiries, analytical procedures, audit team discussion(s), and understanding the relevant internal controls that address the identified fraud risk factors. The understanding gained from these procedures assists auditors in identifying risks and designing audit procedures to detect material noncompliances due to error or fraud.
Management Inquiries

Management inquiries are very important for effective audit planning because fraud is often uncovered through information received in response to inquiries. Inquiries provide contractor employees with opportunities to convey information to the audit team that the employee otherwise might not communicate. This is why access to contractor employees responsible for the day-to-day management or accomplishment of major accounting/estimating functions is so important.

The audit team should make the following inquiries of contractor management responsible for the subject matter under audit:

  - Whether management has knowledge of any fraud or suspected fraud affecting the subject matter under audit;
  - Whether management is aware of allegations of fraud or suspected fraud affecting the subject matter under audit, for example, received in communications from employees, former employees, regulators, or others;
  - Management's understanding about the risks of fraud relevant to the subject matter under audit, including any specific fraud risks the contractor has identified or account balances or classes of transactions for which a risk of fraud may be likely to exist.

The audit team should make these inquiries in every audit. The audit team should use information obtained at annual planning meetings about the contractor's programs and controls that mitigate fraud risk in order to facilitate additional inquiries related to the subject matter under audit.

When possible, the audit team should conduct inquiries as part of face-to-face discussions. This provides auditors with an opportunity to measure responses, ask follow-up questions, and identify other employees that can corroborate responses. If there are instances of inconsistent information, the audit team should obtain additional audit evidence to resolve the inconsistencies.
The audit team should use professional judgment to determine if there are other contractor employees that may have additional knowledge or be able to corroborate fraud risks identified in the discussions with management and make inquiries accordingly (e.g., operating personnel not directly involved in the financial reporting process or employees involved in initiating, recording or processing complex or unusual transactions).

Analytical Procedures

Analytical procedures, combined with the audit team's understanding of the contractor and its environment, serve as a basis for additional inquiries and effective audit planning. Analytical procedures are defined as the evaluation of financial information through analysis of plausible relationships among financial and nonfinancial data. The underlying premise of utilizing analytical procedures is that plausible relationships among data should exist in the absence of known conditions to the contrary.
Analytical procedures used in planning audits should focus on enhancing the audit team's understanding of the contractor and its environment and identifying areas that may represent specific risks relevant to the audit. The objective of the procedures is to identify such things as the existence of unusual transactions and events, and amounts, ratios and trends that might indicate matters that have audit planning ramifications. When the results of analytical procedures differ from expectations, auditors should resolve the differences through further inquiries. While the differences in expectations may not necessarily indicate the existence of fraud, the audit team should be aware that some differences could represent a fraud risk factor and they should respond accordingly.

When planning the audit, analytical procedures may simply be reviewing changes in account balances from the prior year to the current year or they may be more complex by comparing production schedules to financial representations. The audit team should use professional judgment to determine which analytical procedures are appropriate based on their understanding of the risks of material noncompliances and their knowledge of the subject matter and compliance requirements.

Audit Team Discussion

Prior to or in conjunction with the information-gathering procedures, members of the audit team (at a minimum the auditor and the supervisor) should discuss the potential for material noncompliances due to error or fraud. The discussion should include an exchange of ideas or brainstorming among the audit team members about how and where they believe the subject matter under audit might be susceptible to material noncompliances due to error or fraud and how management could perpetrate and conceal fraud. Because of the characteristics of fraud, auditors should maintain an objective level of professional skepticism when considering the risk of material noncompliance due to fraud.
The audit team discussions should include consideration of relevant prior audit experience (e.g., questioned cost, relevant reported estimating or accounting system deficiencies, audit leads) and relevant aspects of the contractor's environment. This includes discussion of the relevant fraud risk factors, other known risk factors, and the audit team's understanding of relevant internal controls. The audit team should document how and when the discussion(s) occurred, the team members who participated, the subject matter discussed, and the outcome.

A number of factors will influence the extent of the discussion. For example, if the audit involves more than one location, there could be multiple discussions with team members in differing locations. Another factor to consider in planning the discussions is whether to include specialists assigned to the audit team. For example, if the auditor determines that the team needs a professional possessing information technology skills, he or she may want to include that individual in the discussion.
FRAUD RISK FACTORS

The audit team should be familiar with the fraud risk factors [1]. The risk factors cover a broad range of situations; therefore, not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different sizes or with different ownership characteristics or circumstances.

In addition, certain characteristics or circumstances provide opportunities to carry out fraud. The auditing standards and the DoDIG Handbook of Fraud Indicators identify weaknesses in internal controls as fraud risk factors and in some cases use weak internal controls in the fraud risk scenarios. Some examples are lack of segregation of duties, inadequate monitoring by management for compliance with policies, laws and regulations, and lack of asset accountability or safeguarding procedures. The audit team should be aware of these fraud risk factors when obtaining their understanding of relevant internal controls and respond accordingly. However, while these factors may be present in many small contractors, an opportunity to carry out fraud does not necessarily indicate the existence of fraud. The audit team also should keep in mind that the levels of internal controls for smaller contractors are likely to be less formal and less structured.

It is important to note that we are not auditing to the fraud risk factors. They are not the objectives of the audit. The audit team gains an understanding of the contractor and its environment through the information-gathering procedures. From this understanding, and an awareness of what the risk factors are, auditors should be reasonably sure they would detect materially relevant fraud risk factors.

The audit team should document on Working Paper B all fraud risk factors identified during the performance of the audit. For each identified factor, auditors should reference the working paper that specifically addresses their response and the result of that response.
If auditors identify no risk factors, they also should document this on Working Paper B.

RESPONDING TO FRAUD RISK FACTORS

The audit team should respond to the presence of fraud risk factors by designing audit procedures that (i) impact the overall conduct of the audit; (ii) modify the nature, timing and extent of the audit procedures; and/or (iii) address the risk of management override of controls.

Responses that affect or influence the overall conduct of the audit generally relate to the assignment of personnel and supervision, predictability of auditing procedures, etc. For example, a supervisor generally should not assign a trainee to an audit when there are suspicions of fraud without the support of a more experienced audit team member or technical specialist.

[1] You can find fraud risk factors in the DoDIG Handbook of Fraud Indicators and the examples of Indicators of Fraud Risk in the GAGAS Appendix Section A.10. In addition, AT 601.33 requires auditors to consider the risk factors identified in AU-C 240.A75 (Appendix A).
The second type of response modifies the nature, timing or extent of the audit procedures from that which the audit team would normally perform. That is, the audit team specifically documents the response to fraud risk indicators by stating how the normal audit procedures changed in some way to address the risk of fraud. The audit team should use professional judgment to determine which modifications are necessary to address the risk of fraud by designing additional or different auditing procedures to obtain more reliable evidence or additional corroboration of management's explanations or representations (e.g., third-party confirmation, analytical procedures, examination of documentation from independent sources, or inquiries of others within or outside the entity).

Management has the unique ability to perpetrate fraud by overriding controls that otherwise may appear to be operating effectively. Responses that address the risk of management override of controls generally relate to examining journal entries and other adjustments for evidence of possible material misstatement due to fraud, reviewing evidence of arbitrarily managing contracts to budgets, and evaluating the rationale for significant accounting and organizational changes.

CLOSING REMARKS

The guidance set forth in this MRD suggests a sequential audit process. Auditing standards do prescribe an integrated process for addressing audit risk. The Audit Risk Model (inherent (including fraud) risk, control risk and detection risk) illustrates this process. However, auditing, in fact, involves a continuous process of gathering, updating, and analyzing information throughout the audit. As a result, the audit team may implement the sequence of the guidance differently to fit the audit engagement at hand.

FAO personnel should direct questions regarding this memorandum to their regional offices, and regional personnel should direct any questions to Auditing Standards Division at (703) 767-3274 or e-mail DCAA-PAS@dcaa.mil.
DISTRIBUTION: E

/Signed/
Donald J. McKenzie
Assistant Director
Policy and Plans