CONTRACT PROPERTY MANAGEMENTSYSTEMS AUDITOCTOBER 2010 EDITION

A PRIMER

byDr. Douglas N. Goetz, CPPM, CF

GP CONSULTANTS, LLCGOVERNMENT

PROPERTY

i

WELCOME TO THE CONTRACT PROPERTY MANAGEMENT SYSTEMS AUDIT CLASS

You are holding in your hands a labor of love! It is really a one of a kind book! In fact, there are very few books written SPECIFICALLY for the world of Contract Property Management – let alone for the conduct of internal assessments or audits – FOCUSING on Contract Property Management! This book is just that – a TEXT with supporting references, not just opinions, dealing with the “HOWs” and “WHYs” of performing an audit! Through this text and the accompanying course I will try and guide you on a journey of understanding – understanding the processes involved with conducting either and internal audit or assessment or a Property Management System Audit. In following an old Chinese proverb, “Give a man a fish – and he will eat for a day. Teach him HOW to fish, and he will never go hungry!” My utmost desire is for you to acquire the skill to fish, or in this case the skills and abilities to perform ASSESSMENTS or AUDITS! I hope that you find this book informative, educational (That IS its purpose) as well as enjoyable – since we believe that education can be the most rewarding aspect of an individual’s career. So, let’s have at it! We encourage you to participate and let us together challenge this great field in the acquisition process – GOVERNMENT PROPERTY!!!

Professor Douglas N. Goetz, Ph.D., CPPM, CF Editor, 2010 GP Consultants LLC

ii

© 2010 GP Consultants, LLC All Rights Reserved. No part of this document may be reproduced without the express

written consent of the author.

iii

INDEX CHAPTER 1 HISTORY OF AUDITING ........................................................................................... 1 HISTORICAL LINEAGE ............................................................................................. 2 TYPES OF AUDITORS .............................................................................................. 3 AUDIT GUIDANCE .................................................................................................... 5 Government Audit Standards .......................................................................... 8 THE “OLD” DOD PROPERTY MANUAL ................................................................. 10 DEFINITIONS ........................................................................................................... 11 AUDIT PRACTICES ................................................................................................. 14 A Ten Step Statistical Audit Process .............................................................. 14 AUTHORITY TO PERFORM A PROPERTY MANAGEMENT SYSTEMS AUDIT .................................................................................................... 23 REQUIREMENT TO AUDIT .................................................................................... 23 HISTORICAL PERSPECTIVE ON THE FREQUENCY OF A PROPERTY MANAGEMENT SYSTEM AUDITS .......................................... 24 HISTORICAL PERSPECTIVE ON THE LEVELS OF A PROPERTY MANAGEMENT SYSTEM AUDITS .......................................... 26 APPLICATION OF A RISK MANAGEMENT TYPOLOGY TO PLANNING A PMSA .................................................................................................................... 29 REVIEW OF PROCEDURES .................................................................................. 33 APPLICATION OF VCSes AND ILPs ...................................................................... 35 PLANNING AND SCHEDULING OF A PROPERTY MANAGEMENT SYSTEM AUDIT ........................................................................... 36

iv

NOTIFICATION TO THE CONTRACTOR .............................................................. 38 ENTRANCE CONFERENCE ................................................................................... 39 STATISTICS ............................................................................................................. 42 INFERENTIAL STATISTICS ......................................................................... 42 SELECTING POPULATIONS........................................................................ 43 SAMPLING ..................................................................................................... 45 Confidence Level ................................................................................. 46 Double Sampling Plan ......................................................................... 47 Randomness ........................................................................................ 48 CORRESPONDENCE BETWEEN THE RANDOM NUMBERS AND THE POPULATION ITEMS .................................................................. 51 GENERALIZABILITY ............................................................................................... 52 CLASSES OF CRITERIA ......................................................................................... 52 JUDGMENT SAMPLING ......................................................................................... 53 APPLICATION OF STATISTICAL SAMPLING AND JUDGMENT SAMPLING UNDER THE POTENTIAL AUDIT CRITERIA ............... 55 PROCESSES AND OUTCOMES ............................................................................ 56 THE INCREDIBLE DISAPPEARING APPENDIX A ................................................ 64 Acquisition ...................................................................................................... 64 Receiving ....................................................................................................... 68 Identification ................................................................................................... 70 Records .......................................................................................................... 71 Physical Inventory .......................................................................................... 75 Subcontractor Control .................................................................................... 79 Reports ........................................................................................................... 80 Relief of Stewardship Responsibility/Liability ................................................. 82 Utilization ........................................................................................................ 84 Consumption .................................................................................................. 87 Movement ...................................................................................................... 95 Storage ........................................................................................................... 96 Maintenance ................................................................................................... 98

v

Disposition .................................................................................................... 100 Contract closeout ......................................................................................... 103 Property Management ................................................................................. 105 WORKSHEET S AND NARRATINES ................................................................... 108 RECORDING OF DATA ........................................................................................ 108 WHERE TO RECORD DATA ...................................................................... 108 STRUCTURE OF WORKSHEETS ............................................................. 110 WHAT DATA TO RECORD ......................................................................... 112 HOW TO RECORD DATA .......................................................................... 114 NARRATIVES .............................................................................................. 122 ANALYSIS OF DATA ............................................................................................. 126 TYPES OF DEFECT AND DEFICIENCIES ........................................................... 127 SAMPLE ITEM DEFECTS ........................................................................... 127 SAMPLE ITEM ELEMENT DEFECTS ........................................................ 127 SYSTEMIC OR NON-SYSTEMIC DEFECTS ....................................................... 128 ACCEPTANCE/REJECTION RATES .................................................................... 129 PROCESS SEGMENT/PROCESS/PMSA STATUS ............................................. 132 EXIT CONFERENCE/NOTIFICATION OF DEFICIENCIES ................................. 133 CORRECTIVE ACTION PLANS ............................................................................ 136 INTERNAL AUDIT OR PMSA SUMMARY ............................................................ 137 RESURVEY ............................................................................................................ 139 NON-RESPONSIVENESS TO CORRECT DEFICIENCIES ................................. 141 OTHER AUDIT TECHNIQUES/METHODS .......................................................... 143

vi

PROPERTY TO RECORDS ........................................................................ 143 USE OF ONE POPULATION FOR MULTIPLE FUNCTIONS .............................. 145 USE OF AUDIT TRAIL METHODOLOGY .................................................. 147 PURPOSIVE/PURPOSEFUL SAMPLING ............................................................. 147 WHEN TO USE PURPOSIVE SAMPLING ........................................................... 149 PERAMBULATION/DCAAM .................................................................................. 149 JUDGMENT SAMPLING ....................................................................................... 150 AUDIT INDEPENDENCE ....................................................................................... 151 AUDITING ELECTRONIC DATA PROCESSING SYSTEMS ............................... 153 THE ETHICS OF SYSTEM ANALYSIS ................................................................. 153 CONCLUSION ....................................................................................................... 154 POTENTIAL AUDIT CRITERIA – PROCESSES/PROCESS SEGMENTS 156 NOTE – These are not Official DOD sanctioned nor approved Processes/Process segments or Criteria. As there is no Official criteria established through a manual or regulation or instruction these are provided as a possible frame work for audit purposes. APPENDIX B – General dynamics Audit Case...................................................... 186 BIBLIOGRAPHY ..................................................................................................... 214

[1]

Defense Contract Property Management Systems Audit Primer

By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 1

History of Auditing

• By the end of this module, you should be able to: o Describe the history of audits.

• By completing the lesson, you should be able to:

o Explain the historical applications of an audit and list the types of auditors. System Survey! System Analysis! Audits! These are all actions that have been going on for years, decades and in some cases even centuries, though known by different names. And now with the publication of the 2007 Government Property rule – we have the new PROPERTY MANAGEMENT SYSTEM AUDIT. There has developed a body of literature surrounding the audit process with rules and requirements, standards and techniques. In fact, auditing has been around for thousands of years - Yes, that was THOUSANDS!!! Swanson and Marsh (1991) state, There is little room for doubt that auditors were going about their daily

activities as far back as 3000 B.C. In those days high officials in Babylon validated major transactions with their signatures on stone tablets. Records of work in internal control evaluations in India exist, dating from the 4th century B.C. An association of auditors, created in Venice, quickly gained high status and carefully regulated the activities of its members (p.xi).

Yet, when you look at the field of property administration there is a real lack as to the application of the established rules and techniques. This course is my effort, my attempt to clarify and codify those rules and techniques for the property professional – now in the AUDIT MODE -- in an effort to develop a more competent, highly skilled professional prepared to meet our rapidly changing environment. [NOTE: It is assumed that you have successfully completed a course in the fundamentals of CONTRACT PROPERTY MANAGEMENT and have the requisite competencies to fully grasp this material at the knowledge, comprehension and application levels.] Good luck and let's have at it!!!

[2]

HISTORICAL LINEAGE How one becomes a Property Administrator (PA) or a Contractor Property Manager can be analyzed in another forum. For this discussion, the more important question is "How does one learn to do an audit, or in our subculture's language a 'System Analysis or System Survey or now a System Audit'?" Generally, the first step in the old days was to read the old and now OBSOLETE Armed Services Procurement Regulation (ASPR) Supplement # 3. Contained within this document was coverage of the survey process (NOTE: The words system survey and system analysis were the old terms – as a reminder, the NEW CORRECT TERM is Property Management System Audit. Unfortunately, this coverage was minimal at best. How then did an individual in the past learn how to conduct a system survey, or system analysis – or let’s just call it an audit from now on and understand that it means a Property Management System Audit (PMSA)? These actions were often learned and performed through an oral tradition. The senior level property person in the office would help his or her trainees learn the ropes of the audit process. How had they learned the process? Through their property folks, who had learned it through their property folks, who had learned it through their property folks, and so on, and so on, etc., etc., ad infinitum! But were the proper tools and techniques conveyed through this method? Many times yes, sometimes no. Another avenue by which experience came into the property field was that of individuals crossing over from one field into another. Specifically, individuals from other career fields, e.g. Defense Contract Audit Agency (DCAA), may have switched careers and brought with them their tools and techniques. Contractor employees might have transferred from accounting and finance or even internal audit. These auditors brought with them their experiences using the audit guidelines found in the Defense Contract Audit Agency Manual (DCAAM). A former Quality Assurance representative may bring his or her experience using MIL-STD 105 E. Some folks might even have been members of the American Institute of Dertified Public Accountants (AICPA) or the Institute of Internal Auditors (IIA). Many of these activities’ documents had and still have applicability to our environment. (Note: Some of these documents and regulations no longer exist. They are mentioned only to provide historical evidence.) "Wait a minute" you say. "I'm not an accountant or a DCAA auditor or Quality Assurance Representative. I am a Property person! What does that have to do with me?" Well, quite a bit. Let's look at accounting versus auditing just for a minute. Many folks confuse accounting with auditing. It is a logical confusion as most audits are concerned with financial matters. But, there is a difference. Arens and Loebbecke (1988) state "Accounting is the process of recording, classifying and summarizing ECONOMIC (Emphasis added) events in a logical manner for the purposes of providing financial information for decision making" (p.3). In our Property Management System Audit (PMSA) we are concerned with checking and verifying systems, processes and data. Another definition of auditing is obtained from the Auditing Concepts Committee (1972). It states that auditing is, "A systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree

[3]

of correspondence between those assertions and established criteria and communicating the results to the interested users." Now, if we only change one word in that entire sentence we have what WE do! Change the word "economic" to "property." If we read the changed sentence it now states "A systematic process of objectively obtaining and evaluating evidence regarding assertions about PROPERTY actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to the interested users." Is this not exactly what we do during a property control system analysis? Yes! Our concern is with determining whether the recorded information properly reflects the events that occurred during the period of audit. For instance -- the proper acquisition of property, the timely receiving of property, the act of identifying the property, the maintenance of that property, and we could go on through the numerous events that take place within the property environment. Why is there confusion between auditing and accounting? Because many audit actions are concerned with financial actions. In the world of Government property that may not always be the case. In point of fact we are generally more concerned with the actions or transactions occurring and the attributes regarding the property and not so concerned with the financial actions that occur surrounding the property. Atkisson, et al, (1986) amplify and more clearly delineate the responsibilities of the auditor stating, The responsibilities ... are often extensive and require the use of many

different audit approaches. In a particular assignment the auditor may review policies and procedures of the company to determine if they are adequate. He may perform surveys and overall comparisons of information to determine trends. He may perform a study and evaluation of the existing internal control system of the company to determine its reliability. (p.187)

But even this description does not fully describe all that the Property Professional is involved with in the course of performing a system audit. Yes, there is the requisite review of the contractor's policies and procedures but we will see in the course of this text that there is much more required. TYPES OF AUDITORS There are countless different auditors out there. Rest assured that we are not alone! There are Certified Public Accountants. These auditors probably have the most complex and complete set of guidelines that exist today regarding auditing. There exist the Generally Accepted Auditing Standards (GAAS) published by the American Institute of Certified Public Accountants (AICPA). Embedded within these standards are the "Statements on Auditing Standards" which total 49 different standards.

[4]

There are the auditors that work for the General Accounting Office (The investigative arm of Congress). There are the Internal Revenue Service Auditors. Many large companies have Internal Audit folks and their respective professional association, the Institute of Internal Auditors (IIA) with its commensurate guidelines. Within the Department of Defense there are the auditors from the DCAA [NOTE: Maybe their manuals and directives are even more voluminous than the aforementioned AICPA and IIA put together - who knows?]. In addition, there are quite a few other Governmental "auditors." Talley (1988) used an Air Force Regulation, Air Force Contract Management Division (AFCMD) Regulation 178-1 to delineate some of these functions. They consisted of: Quality Assurance Finance Engineering Program Management Procurement and Subcontracts Production and Manufacturing Logistics and Customer Support Marketing and Planning Contracts and Estimating Industrial Property Management (Yes, even us!) I know, I know, AFCMD doesn't exist anymore. But, the important part is that each of these function performed their own audits. They all had their own evaluative criteria or specific items/events that they were looking for. So even though we may think we, in property, are different from everybody else, in point of fact, we are very similar! What we are involved with is more generally regarded as "operational auditing." Swanson and Marsh (1991) define operational auditing as, ... a systematic process of evaluating an organization's effectiveness,

efficiency, and economy of operations under management's control and reporting to appropriate persons the results of the evaluation along with recommendations for improvement. Its objectives are to provide a means of evaluating an organization's performance and to enhance performance by making recommendations for improvements. Operational auditing requires measuring the degree of correspondence between actual performance and acceptable criteria and focuses on management's planning a control system (P. 114).

Sounds familiar doesn't it?

Flesher (1996) provides further analysis of an “operational audit.” He states, An operational audit is a nonfinancial audit, the purpose of which is to appraise the managerial organization and efficiency of an entity or one of its subdivisions... Operational auditing is a review and appraisal of the efficiency and effectiveness of

[5]

operations and operating procedures... Operational auditing is using common sense, or logical audit techniques, with management perspective, and applying them to the organization’s objectives, operations, controls, communications, and information systems. The auditor is more concerned with the who, what, when, where, why and how of running an efficient and profitable business than just the accounting and financial aspects of the business functions (pg 242).

From a DoD perspective a PMSA is generally regarded as "OPERATIONAL AUDITING." Operational auditing is defined as a systematic process of evaluating an organization's effectiveness, efficiency, and economy of operations under management's control and reporting to appropriate persons the results of the evaluation along with recommendations for improvement. Its objectives are to provide a means of evaluating an organization's performance and to enhance performance by making recommendations for improvements. Operational auditing requires measuring the degree of correspondence between actual performance and acceptable criteria, i.e., contractual requirements and the criteria set forth in Appendix A, and focuses on management's planning a control system. A PMSA differs from a financial audit as financial audits are under the cognizance of the Defense Contract Audit Agency and address the accounting and cost issues of the contract. The PA may be involved with certain areas of a financial audit in reviewing property management items that impact and affect financial issues. Operational auditing is a review and appraisal of the efficiency and effectiveness of operations and operating procedures. Operational auditing uses logical audit techniques, with a sound business management perspective, and applies them to the organization’s objectives, operations, controls, communications, and information systems. The Property Administrator, as an operational auditor is concerned with who, what, when, where, why and how of running an efficient property management process rather than just the accounting and financial aspects of the business functions. Lastly, we could address one other form of audit -- that is a “Compliance” audit. Flesher (1996) also addresses this form of audit. “There are many requirements in existence that constrain the activities of organizations. These requirements can be imposed externally or internally, and may take the form of laws, regulations, standards, policies, plans and procedures.” As a contractor employee doing an assessment or an audit you are acting as an internal AUDITOR. As a Government employee the Property Administrator is acting as an AUDITOR! Though we are not generally viewed in that light, we have occupied that position for many, many years and decades. AUDIT GUIDANCE With the publication of the new FAR Government property clause we, in property management, became aware of the requirement to use Voluntary Consensus Standards (VCS). The Government’s use of VCSes came into play through three different operations:

[6]

Law/Statute An Office of Management and Budget Circular and The Federal Acquisition Regulation Law Public Law 104-113, entitled the ``National Technology Transfer and Advancement Act of 1995 '' amended the Stevenson-Wydler Technology Innovation Act of 1980 to include the following requirement.

(1)In general.--Except as provided in paragraph (3) of this subsection, all Federal agencies and departments shall use technical standards that are developed or adopted by voluntary consensus standards bodies, using such technical standards as a means to carry out policy objectives or activities determined by the agencies and departments.

(2) Consultation; participation.--In carrying out paragraph (1) of this subsection, Federal agencies and departments shall consult with voluntary, private sector, consensus standards bodies and shall, when such participation is in the public interest and is compatible with agency and departmental missions, authorities, priorities, and budget resources, participate with such bodies in the development of technical standards. So here we see more than a decade ago direction to and a requirement for the Federal Government to start using VCSes. In point of fact, the law issues direction that Federal agencies “SHALL” participate with VCS bodies. Interesting note to Federal Government employees – you have your statutory marching orders. The Office of Management and Budget On February 19th, 1998 the Office of Management and Budget (OMB) published OMB circular A-119, entitled “Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities.”1

This OMB circular was technically an implementation of the National Technology Transfer and Advancement Act of 1995 mentioned earlier. The OMB Circular states as its purpose, “This Circular directs agencies to use voluntary consensus standards in lieu of government-unique standards except where inconsistent with law or otherwise impractical.” It is through this Circular that we see the direction to implement what the law directed.

Well, how does this impact the Government procurement process and more importantly how Government property in the possession of contractors is managed? The Federal Acquisition Regulation. The Federal Acquisition Regulation (FAR) is the acquisition document binding upon all Federal Agencies (Unless exempted from the requirement. And yes, there are a few Federal Agencies that do NOT follow the FAR.). FAR Part 11 entitled Selecting and Developing Requirements Documents contains guidance and direction to the Procurement officials their responsibilities regarding the use of VCSes. FAR 11.101, 1 A discussion of this OMB circular may be found at http://ts.nist.gov/Standards/Conformity/upload/fr-omba119.pdf and the actual circular may be found at http://www.whitehouse.gov/omb/circulars/a119/a119.html.

[7]

Order of Precedence for Requirements Documents states in paragraph (c), In accordance with OMB Circular A-119, “Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities,” agencies must use voluntary consensus standards, when they exist, in lieu of Government-unique standards, except where inconsistent with law or otherwise impractical. The private sector manages and administers voluntary consensus standards. Such standards are not mandated by law (e.g., industry standards such as ISO 9000). So, we can see that the Use of VCSes is not something new or even radical. Rather it is a natural evolution of Government’s procurement and acquisition requirements – even in its directions regarding the management of Government property. With this background information quite clearly we are required to use VCSes where applicable. Our audits are one such area! Therefore, we need to determine if there are any VCSes that apply to this realm – the realm of auditing. GENERALLY ACCEPTED AUDITING STANDARDS (GAAS) GAAS is a technical document that we will reference numerous times in this course. There are many books written about GAAS. I would recommend that as a property professional you invest some of your funds and acquire a few of these texts to assist you in understanding the framework and drivers of the auditing profession. Historically, though we did not follow STRICT audit guidelines, we did come really close through the use of the guidance, direction and methodologies set forth in the now rescinded DoD Manual for the Performance of Contract Property Administration, DoD 4161.2-M. When followed correctly, this manual provided the Property Administrator a sequence of events that paralleled the requirements of GAAS. Two texts that I would recommend: Miller GAAS Guide (Most recent Edition), Bailey, Larry P., Harcourt Brace Professional Publishing, New York. ISBN – 0-15-602273-7. Practitioner’s Guide to GAAS, 2008, Ramos, Michael J., John Wiley and Sons, Somerset, New Jersey. ISBN – 978-0470-13531-0. There is a wealth of information regarding the audit process and audit standards and risk assessment standards that are and will be extremely valuable to the Property Administrator. And we will be citing these references throughout the course. One EXTREMELY interesting note is given as direction to the auditor under the Miller GAAS Guide. In Chapter 27 it states, Government Property As part of the contract arrangement, a governmental agency may provide a contractor with property that will be used in fulfilling the terms of the contract. The government contractor should establish appropriate internal controls to ensure that government property is safeguarded and accounted for in a manner consistent with the terms of the contract. (page 27.20)

[8]

Though GAAS is not a VCS, it quite clearly IS an INDUSTRY LEADING PRACTICE – and the Government most clearly should be following it, to the maximum extent practicable. Ahhhh, but there are OTHER audit standards with which those in the Federal Government must comply! GOVERNMENT AUDIT STANDARDS In addition to GAAS we have an extremely important Government document – the Government Accountability Office (GAO) Government Auditing Standards – GAO-07-731G. This text is more affectionately referred to as the GAO Yellow Book. Why? Because it, for many years and still has in some hard copy print versions, had a yellow cover. THE GAO YELLOW BOOK What is the GAO Yellow Book? The GAO Yellow book is a compilation of “professional standards and guidance… commonly referred to as generally accepted government auditing standards (GAGAS), provide a framework for conducting high quality government audits and attestation engagements with competence, integrity, objectivity, and independence. These standards are for use by auditors of government entities and entities that receive government awards and audit organizations performing GAGAS audits and attestation engagements. GAGAS contain requirements and guidance dealing with ethics, independence, auditors' professional competence and judgment, quality control, the performance of field work, and reporting.”2

GAGAS is not a government unique document but rather comes from numerous professional associations and even Voluntary Consensus Standard Bodies (VCSB). These groups include:

a. The American Institute of Certified Public Accountants (AICPA) b. The Public Company Accounting Oversight Board (PCAOB) c. The International Auditing and Assurance Standards Board (IAASB) d. The Institute of Internal Auditors, Inc. (IIA) e. American Evaluation Association (AEA) f. Joint Committee on Standards for Education Evaluation; and: g. American Psychological Association (APA).

An extremely august listing to say the least and bodies with tons more experience in auditing than our property folks! I would recommend that you DOWNLOAD the GAO Yellow Book at: http://www.gao.gov/govaud/ybk01.htm

2 GAO Yellow Book, Page 5, Reference 1.03.

[9]

In addition to the Yellow Book a supplemental text is available. This is entitled Government Auditing Standards: Implementation Tool, GAO-08-210G. It is available at: http://www.gao.gov/new.items/d08210g.pdf Again, I would recommend that you download both these texts and keep it as part of your property professional library! We will be making reference to these and other texts throughout this class! Well, where does that leave us? I would like to share with you some closing thoughts in regard to audits – and they comes from a VERY POWERFUL book entitled the Defense Contract Audit Agency Contract Audit Manual, DCAAM 7640.1, the latest edition, found at http://www.dcaa.mil/cam.htm. This manual provides some additional guidance on auditing. It states,

2-000 Auditing Standards 2-001 Scope of Chapter

a. The term "audit" is used to refer to a variety of types of evaluations of various types of data by a person other than the preparer of the data. There is no commonly accepted definition of precisely what constitutes an audit that can be assumed to apply to all cases in which the term is used. In order to be understood, the term "audit" must be accompanied by an explanation of the type of data being evaluated;… of the purpose and scope of work undertaken. b. Omitted by the author…. c. Government Auditing Standards (GAS) directly incorporate all AICPA standards as they are issued, unless GAO excludes them by separate formal pronouncement. When the Yellow Book incorporates standards of the American Institute of Certified Public Accountants (AICPA) or other authoritative bodies, such as the Office of Management and Budget, these standards become Generally Accepted Government Auditing Standards (GAGAS). It is important to understand the various standards and how they affect DCAA audits. Generally the Yellow Book standards govern:

(1) the quality of the audit performance, including audit planning and supervision, (2) the nature and extent of audit evidence to be obtained by means of auditing procedures, and (3) the nature and content of audit reports.

Throughout this class we will be seeing a great deal of information citing the documents listed above. Why? Where before we were able to cite the DoD Property Manual, 4161.2-M, as our DoD mandated authorizing document – our “raison d’être” per se. Now, due to its rescinding, we must now weigh in with other related document serving as source and reference for what we do and why we do it and how we do it and when we do it! Not an easy task to bring together diverse documents – but we’ll give it a try! On to the next chapter!

[10]

Defense Contract Property Management System Audit Primer By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 2

Property Management Systems Audit Terms and Definitions

By the end of this module, you should be able to: • Describe the terms involved with a Property Management System Audit (PMSA).

By completing the lesson, you should be able to: • Define associated terms.

THE DOD PROPERTY MANUAL (DoD 4161.2-M) Since 1991, as Department of Defense Property Administrators, the primary guidance was the Department of Defense (DoD) Property Manual 4161.2-M. It has, for all intents and purposes, died a quiet death – since it not been updated subsequent to the 2007 version of the FAR death and as of the date of this class it has not been replaced with a new document. [NOTE: A DoD Guide for the Performance of Contract Property Management was presented to OSD/AT&L in January of 2010 – but it has not been published as of the publication of this text.] Quite clearly the “Old” manual did not address the “New” requirements set forth in the “New” Government property (GP) clause, i.e., FAR 52.245-1. Unfortunately, without a replacement certain terms go without a regulation based definition. Therefore, for the sake of education, I have used the “Old” definitions – and tweaked them, to bring them in line with the “New” FAR GP Clause and its vocabulary. This Primer is meant to provide descriptive guidance in performing a PMSA. Does that mean that it covers every single area? No! Rather it provides you the broad general guidance applicable to the property Processes. Please keep in mind that there exist a myriad, a plethora, a whole bunch of different environments out in our world. There are the small "mom and pop" shops with one item of Special Tooling. There are the multi-billion dollar international corporations that have billions of dollars worth of Government property with operations stretching around the world. One book, one manual could not exhaustively cover the range of contractors that we deal with in the DoD. Neither can any one individual be so presumptuous as to say "This is the only right way to do an analysis." Rather we chose to provide broad guidelines and allow you, the PA, to exercise your judgment, your intelligence within your particular environment. So, let’s move on to some definitions that we need to understand.

[11]

DEFINITIONS Let's start by operationalizing some of the definitions we will use in dealing with performance of a Property Management System Audit. Many of these definitions come from the world of inferential statistics, others from quality assurance; still others come from our own language and culture -- the language of property administration. These words consist of: Property Management System Audit - A systematic objective review and evaluation of a contractor's property management system (PMS) including both the procedures and the application, implementation and compliance with:

• the Government Property Clause, • the terms and conditions of the contract, and • any voluntary consensus standards or industry leading practices selected by the

contractor for incorporation and application in its PMS. Standard Audit - A systematic review in accordance with GAAS or GAGAS of the contractor's PMS where all applicable Processes, Process segments and criteria are reviewed. This may take place through a plant visit(s) for itinerants or where a PA is resident at the contractor’s site. Limited Desk Audit - A systematic review of the contractor's PMS generally without the benefit of a plant visit. This usually takes the form of a desk audit and uses the assistance of other Government technical representatives, e.g., QAR, IS, etc. A plant visit(s) may be deemed necessary by the PA based upon risk factors and assessment of these factors. [NOTE – Contractors… it would be wise for you to be aware of this GOVERNMENT ALLOWANCE for the Government Auditors. It might prove helpful in DEFENDING your SUBCONTRACTOR CONTROL process, i.e., where you do NOT go out to your subcontractors who have limited amounts of Government property in their possession and accountable to your PRIME contracts.] Process - A segment of a property control system based upon the life cycle approach set forth in the Government Property clause, FAR 52.245-1(f). The segments established by the FAR consist of: acquisition, receipt, records, physical inventories, subcontractor control, reports, relief of stewardship responsibilities, utilizing Government property, maintenance, and property closeout. These Processes provide the auditor a logical, orderly way of organizing the processes involved with the management of Government property. [CRITICAL NOTE – it is important for the Auditor to understand that a number of processes are NOT called out in paragraph (f) of the GP clause – yet still need to be audited. In addition, a number of processes are subsumed under other processes that may not lend themselves to single population auditing. We will discuss this further in the body of this text.] Process Segment - A subdivision of a Process. Since not all property and not all processes surrounding that property are the same, Process Segments were established to

[12]

assist in the proper framing of a population under a process. These Process segments assist the auditor in defining and selecting the proper populations for sampling driven by their common characteristics. Criteria/Criterion - (Plural/Singular forms of the word) an evaluative item of a PMS Process or Process segment subject to audit and analysis by the appropriate method. Specifically, criteria are the questions that are posed of the PMS. Many of these questions involve more complex answers than a simple "yes or no." They require and analysis of the data embedded in the question. For example, "Property control records conform to FAR..." This question requires an analysis of the record card or automated data to assure that the basic information required by the FAR is provided on that record, i.e., FAR 52.245-1(f)(iii)(A) plus any addition data requirements imposed via a VCS or ILP. Generally a yes or no answer is inappropriate for most criteria as it does not provide any audit evidence. Population - An aggregation of documents or records, or even physical assets, or possibly even actions selected for review due to common characteristics. The term population is also known as a "lot." This is one of the more critical aspects of performing the system analysis. The population must be based upon COMMON CHARACTERISTICS. This is driven by the simple belief that you compare apples with apples and oranges with oranges. We will spend a goodly amount of time on defining your population – so, more on this later! Sample - A number of items: e.g., documents, records, articles, or actions selected from a population/lot for a review in order to draw inferences regarding and generalizable to the status of the population. There will be extensive discussion of this concept throughout the entire course and later in this literature. Sample item - A single document record, article, asset or even an action from the Sample. Sample Item Element - A single element from a sample item subject to evaluation; For example, if we were analyzing the records requirement for an item of Government property some of the sample items elements that we would be looking for would be: name or nomenclature, description, national stock number, quantity received, quantity issued, balance on hand, etc. Defect - a deficiency such as a lack of contractually required data, erroneous data, untimeliness (Ok, so it’s a New York word) of data, inadequate areas or controls, etc. Item Defect - Where a sample item has one or more defects. Element Defect - Where across sample items the same element is defective (See Sample Item Element).

[13]

These are just a few of the definitions that we will be discussing, more will be forthcoming. They are essential elements of a Property Management System Audit. We will see their APPLICATION in the forthcoming chapters.

[14]

Defense Contract Property Management System Audit Primer By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 3

Audit Practices

By the end of this module, you should be able to:

• Explain the 10-step audit practice. By completing the lesson, you should be able to:

• List the 10 steps in the commercial audit process in order. • Describe the underlying concept of each step.

A TEN STEP STATISTICAL AUDIT PROCESS How do we take the pulse of a contractor’s property system - one that may be quite extensive and involve untold property items, valued in the millions of dollars? A management measurement tool is employed to do an analysis in a timely and efficient basis. We call this tool the statistical audit process. While this process can and is successfully used to evaluate many diverse Processes, we will tailor our discussion to its application in evaluating contractor property systems. Why ten steps? In a review of the literature from a number of professional associations it was determined that these ten steps represented the “essence” of the audit practice. There are a number of professional associations that deal with auditing – but the two largest are the American Institute of Certified Public Accountants (AICPA) (http://www.aicpa.org) and the Institute of Internal Auditors (IIA)( http://www.theiia.org). Both of these organizations have a rich and robust body of literature that the working property professional should become aware of and potentially read as they grow and mature in their chosen profession. Please note that these audit practices are NOT Government practices – rather they are practices applied in the COMMERCIAL as well as the Government world! While there could certainly be more steps in a variety of different applications and environments, these ten comprise the core actions around which a statistical audit approach for property management can be planned and implemented. Here they are:

1. State objectives of the audit test 2. Define Attributes/Transactions 3. Define the Population/Sampling Unit 4. Specify Acceptance/Rejection rate 5. Determine Sample Size 6. Randomly Select Sample

[15]

7. Perform Audit Procedure 8. Analyze Defects/Deviations 9. Generalize from Sample to Population 10. Determine status of Process/Process Segment

I would like to take a minute and briefly walk you through these steps and provide some rudimentary explanation and explication of the process. We will provide more and greater depth and detail to these items as we go through the course.

#1 Objectives of Audit Test • Determine the Process or Process Segment subject to review

What are you testing? This is an important first question to answer in planning a statistical audit. Recall that the Government REQUIREMENT is for the Contractor’s Government property system to be viewed in terms of Processes and outcomes. If one were to historically review the DoD Manual for the Performance of Contract Property Administration, we, the contract property community, have long held to the belief that property management was process oriented – even though we called them “categories” under the old and obsolete Armed Services Procurement Regulation (ASPR) Supplement # 3 or “Processes” under the fast aging DoD 4161.2M. The FAR GP Clause of 52.245-1 legitimatized that belief – making it a contractual requirement. Therefore the Auditor needs to be quite comfortable with the concept of a PROCESS orientation as well as a well defined knowledge of what occurs under that process. So, the question remains – what are you testing? The ACQUISITION of stuff? The RECEIVING of stuff? The RECORDS maintained on stuff? The performance of PHYSICAL INVENTORIES? The DISPOSAL of Property? Etc. Notice that each of these actions is actually a PROCESS for accomplishing an act or action – with a desired OUTCOME. So we are testing how well the Property Management System manages a PROCESS for accomplishing some form of act or action in accordance with a prescribed standard – in our case the Federal Acquisition Regulations (FAR) Part 45.5.

[16]

#2 Define Attributes/Transactions • Determine what data items of this Process or Process Segment that you will be

testing Having selected the Process or Process segment, the next planning step is to define the items which may consist of attributes or transactions that we are to sample (test). These may include:

• Date of posting • Timeliness of posting • Quantity Acquired • Quantity Received • Quantity posted • Location • Record accuracy • Etc.

Remember that this is the planning phase and the attributes and transactions need to be selected BEFORE the statistical review BEGINS. The contractor is required by the applicable Government Property clauses and other applicable FAR/DFARS clauses to maintain records of Government property. Therefore, the “bits of data” that we will be reviewing have ALREADY BEEN PRESCRIBED by the contract and should be available for review.

A CRITICAL NOTE – please note also that there is now a requirement to apply VOLUNTARY CONSENSUS STANDARDS (VCS) or INDUSTRY LEADING

PRACTICES (ILP). These items may echo the data requirements of the GP Clause or they may ALSO have ADDITIONAL DATA KEEPING REQUIREMENTS. In other

words – THERE MAY BE ADDITIONAL CRITERIA NOT REQUIRED BY THE GP CLAUSE, BUT THAT MUST BE ADDRESSED IN THE PROPERTY MANAGEMENT

SYSTEM TO COMPLY WITH ANY VCS OR ILP THAT THEY HAVE CHOSEN TO USE!!! We will discuss this concept later in the class and in this text.

Amidst all of these records, selecting the proper data item(s) to reveal property system performance is one of the keys to a successful audit engagement.

#3 Define Population/Sampling Unit The term “Population” is defined as, “An aggregation of documents, records, assets, or actions selected for review due to common characteristics.” The term “Sampling Item (unit)” is defined as, “A single document, record, article or action from the sample.” Having already determined the Process and Process segments for our audit tests and further refined the focus using criteria under each segment, the most critical planning phase begins with the definition of the population and sampling unit. This is essentially

[17]

establishing the “bulls-eye” in the target. This “bulls-eye” target, the population and the sampling unit should capture two important elements:

First – the population and the sample unit must have homogeneity – in other words there must be shared common characteristics. You do not want to be testing items that are DISSIMILAR! You are looking to test items – populations that have items that are comprised of items that have the SAME characteristics. Let me provide an example of dissimilar items – and the potential for combining them into one population erroneously. One of the processes called out in the GP Clause of FAR 52.245-1(f) is that of Utilization. Embedded under utilization are: Use, Consumption, Storage and Movement. If I were to ask you to combine all of these under one population how would you DEFINE that population? Are usage records the same as consumption records are the same as storage records are the same as movement records? The answer, quite clearly is NO! for the process of storage you may not even look at records – you might visit the specific SITE where property is STORED. While for Consumption you might be doing a very DETAILED analysis of records and blueprints and drawings and bills of material, and material requirements lists. HOMOGENEITY!!! Remember that word – we will discuss it in greater detail later. Second – a time frame must be established. When dealing in terms of a property system audit, a common timeframe would be 1 year or back to the last system audit.

AANN IIMMPPOORRTTAANNTT NNOOTTEE:: DDEEFFIINNIINNGG AA PPOOPPUULLAATTIIOONN –– PPRROOPPEERRLLYY DDEEFFIINNIINNGG AA

PPOOPPUULLAATTIIOONN ---- IISS PPRROOBBAABBLLYY TTHHEE MMOOSSTT CCRRIITTIICCAALL SSTTEEPP IINN TTHHEE EENNTTIIRREE PPRROOCCEESSSS..

[18]

#4 Specify Acceptance/Rejection Rate Determining the acceptance/rejection rate is the next step in the planning process. In the past one could use the old Property Manual, DoD 4161.2-M for this task. Since no Department of Defense guidance exists it would be wise and prudent to continue to use the guidance provided in this aging manual until such time as some form of replacement is published. “Wait,” you say! “I can’t use that manual – my agency is different – and we don’t even have a manual!” Well, lacking any other guidance would you consider it – after more than two decades of successful use – to be invalid? Lacking anything else – it is not a bad place for application of some standard STATISTICAL APPLICATIONS. The old manual provided sampling for a 90% confidence level, stating:

“b. When using a sampling plan, the Government's risk shall not exceed 10% (a 90% confidence level) excepting slight variations due to changes in population sizes. Appendix B contains sampling plans for use in achieving this 90% confidence level. Using this sampling plan the Government will discover defects of 10% or more, if they exist, 90% of the time. There may be times where, due to the criticality of a process, dollar value or sensitivity of the property that a sampling plan with a higher confidence level may be used.”

What this means is that Government’s risk shall not EXCEED 10% - hence the minimum 90% confidence level. Note however, that other, higher confidence levels may be needed depending upon differing populations and differing criticality of risk. For example: If we were looking at the Contractor’s control of the government furnished material, platinum or plutonium. It would not be unreasonable to require a 100% confidence level for obvious reasons. The Property Manual, DoD 4161.2-M, Appendix B provided a 90% confidence level, double sampling plan to facilitate sample measuring. Here is a copy of that table.

[19]

#5 Determine Sample Size

Once the confidence level is selected, the sample size, suitable to the size of the population (lot range) should be determined. The above table ALSO provides a sample size for you to use to obtain this 90% confidence rate. The table is self-explanatory and is easy to use.

[20]

But give it a try… you want a 90% confidence rate and you have a population of 6792. How may SAMPLE NUMBERS will you select? If you look at the table above – find the range of 401 to 10,000. Why? Because 6792 falls within that range. Look at the second column. How many Sample Items will you select? 34!

#6 Randomly Select Sample Selecting a random sample is seemingly a simple task, yet more complex than one might think. We will cover sampling in MUCH greater detail later in this course – this is just a “teaser” until we get to the meat of the matter!! So, how DO we select or draw the sample in an unbiased way? Bias creeps into choice selections every day. Yet bias, or lack of randomness, can destroy the very basis of the measurement being taken. Recall that we are selecting a few from the vast many. Then we are permitting the attributes of the few to represent the many. Improperly chosen, wrong conclusions can be drawn on the sample and extrapolated to the population/lot. How can we achieve a true representative sample—or at least as close as possible to a TRUE random Sample? Well, here are four approaches to sample selection:

• Random Selection • Stratified Random Sampling • Systematic Sampling or • Use Random number tables found in virtually every statistics book out there!!!

Now, we really haven’t taught you how to do ANY of these – rather we are wetting your appetite for the actual PROCESS of performing this task. More later on this topic!

#7 Perform Audit Procedure The culmination of all the planning comes together under this step. The population was determined, the sample selected to evaluate the applicable criteria. These criteria (ESTABLISHED BY BOTH THE FAR GP CLAUSE REQUIREMENTS and the VCS AND/OR ILP REQUIREMENTS) are the standards against which attributes and transactions are tested and evaluated. The results of these tests are the WRITTEN AND DOCUMENTED work papers that capture the raw data of the evaluation. These work papers help form the basis of the documented audit evidence upon which conclusions will be drawn regarding the contractor’s Property system – they are the AUDIT EVIDENCE of your work!

#8 Analyze Defects The eighth step is to analyze the defects found as a result of the statistical analysis. Care must be exercised to ensure validity of your findings. For example we have to carefully distinguish between:

[21]

• System defects versus a NON-Systemic deficiency Isolated defects do not necessarily equal a system deficiency. Isolated system defects may not point to a systemic problem. Therefore good evaluation and good judgment need to be applied to what the data is saying

• Materiality Are the noted defects important or otherwise significant? Not all findings carry system impact and judgment must be judiciously applied to determining their true significance

• Major versus Minor deficiencies Even if there is a system deficiency that the evaluated data discloses, how significant is it?

• Qualitative versus Quantitative A finding may be quantitatively significant (“Hey look, they were off by ten, or twenty items) and yet be statistically insignificant when considered in light of the QUALITATIVE IMPACT and the overall number of findings (“Yea, but the value of the items was only fifty cents total”). Therefore SOUND evaluation and GOOD judgment must be applied

##99 GGeenneerraalliizzee ffrroomm SSaammppllee ttoo PPooppuullaattiioonn Having analyzed the defects from several perspectives, step nine requires that an inference be made between the statistical sample and the overall population. If “x” was found in the statistical Sample, what inference, or generalization can correctly be drawn on the overall population?

#10 Determine the Status of Process/Process Segment and SYSTEM Of course the whole purpose of this statistical evaluation adventure is to determine the acceptability of the Process or Process segment and in turn, the acceptability of the Contractor’s property system. Additionally, the need for corrective action must be assessed and requested. Is the Property Management System good or bad – is it working or not working –are there PARTS of it that are working? You are to evaluate the end result in accordance with your AGENCY’S Guidance and direction or if you are a contractor doing an Internal Audit or Assessment – follow you company’s guidance and direction. Different activities have determined different words to indicate the status of a system – though the terms Satisfactory and Unsatisfactory are the two most frequently used terms for the end result of a Property Management Systems Audit. Is corrective action needed? Corrective action could include correction of system defects and/or correction of disclosed items with no systemic impact This section provided just a quick overview of the Ten Step Process in regard to performing a Contract Property Control System Analysis. Each of the steps will be discussed in greater depth and detail in the coming chapters.

[22]

[23]

Defense Contract Property Management Systems Audit Primer

By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 4

PMSA Planning

By the end of this module, you should be able to: • Describe the concepts involved with planning a Property Management System

Audit (PMSA). By completing the lesson, you should be able to:

• Cite the reference for the Government’s authority to audit the contractor. • Cite the reference for how the Property Administrator is to perform a PMSA. • Describe some classical types of PMSAs. • Describe the classical use of these two types of PMSAs. • Describe the classical frequency requirement for performing a PMSA. • Explain the requirement for scheduling/planning a PMSA. • Describe the advance notification requirement to the Auditee. • Explain the requirement for an Entrance Conference.

AUTHORITY TO PERFORM A PROPERTY MANAGEMENT SYSTEM AUDIT The FAR GP Clause of 52.245-1 provides us detailed guidance as to our authorities and the contractor’s responsibilities in regard to a PMSA. It states in paragraph (g),

(g) Systems analysis. (1) The Government shall have access to the contractor’s premises and all

Government property, at reasonable times, for the purposes of reviewing, inspecting and evaluating the Contractor’s property management plan, systems, procedures, records, and supporting documentation that pertains to Government property.

(2) Records of Government property shall be readily available to authorized Government personnel and shall be safeguarded from tampering or destruction. Quite clearly the Government has access to the contractor’s premises and the contractor is required to provide us access to the records of Government property. REQUIREMENT TO AUDIT THE CONTRACTOR While the GP Clause provides the Government the AUTHORITY to audit the contractor, FAR 45.105 addresses the Government’s REQUIREMENT to audit the contractor. FAR 45.105 states, “(a) The agency responsible for contract administration SHALL (emphasis added) conduct an analysis of the contractor’s property management policies,

[24]

procedures, practices, and systems. This analysis shall be accomplished as frequently as conditions warrant, in accordance with agency procedures.” So we see that we SHALL CONDUCT an analysis – or our concern, an audit. Of what? – The contractor’s property management policies, procedures, practices, and systems. When? As frequently as conditions warrant! The Government Property Administrator (GPA) asks, “O.k., so I can go in there every week – right?” Technically the Government has the AUTHORITY to access the contractor’s plant for audit purposes. But should the Government be in the contractor’s plant every week? GENERALLY NO!!! O.k., really -- it depends! If the GPA is RESIDENT – then they very well MAY be there on a daily basis. Just a small technicality.

For the Government Property Administrator: Seriously, if you are resident GPA – you might be physically LOCATED at that contractor’s

plant – but that does not mean that you are doing an AUDIT day in and day out every week. Yes, your audit as a resident GPA MAY take a prolonged period of time – but this

was not the intent of the statement “as frequently as conditions warrant.” Your agency may well have provided you GUIDANCE as to the FREQUENCY with which you audit the contractor. Let’s look at this from a HISTORICAL perspective first. HISTORICAL PERSPECTIVE ON FREQUENCY OF PMSAs Historically, it was the “norm” for the Government to perform this PMSA once each year. Ahhhhh, but is that REALLY necessary? In light of declining budgets and alternate methodologies, there was an allowance for the “old” PMSA to be performed on a biennial basis - once every two (2) years. Why? Well, if you have done audits before think about some of your experiences. How many times has a GPA gone into a contractor's plant, performed the your audit and found every function/category or now the PROCESSES satisfactory? And they were supposed to do this every year?!?!?! And the contractor's PMSA is rated satisfactory every year. Yet, the previous regulation required the GPA to keep doing this year in and year out. This might be considered a real waste of time, effort and money!!!

[25]

The “OLD” DoD Manual had the option of performing a PMSA on a biennial basis IF - The contractor has demonstrated SATISFACTORY property control system performance for three (3) consecutive years. This means that the contractor must have been rated satisfactory for the three years prior to the planned survey or survey year. The second option under the “OLD” DoD Property Manual was to reduce the Government surveillance and the time spent reviewing the contractor's Property Control System via the allowance for the GPA to "Waive" selected processes of the analysis. It was based upon the following factors: - Satisfactory compliance with the contractual requirements, - Stability of the quantity, type, and use of Government property, - The PA's emic (That means insider's view) perspective of the contractor's operation. Why was this allowed? Again, think back to your analyses. How many times has a GPA gone into a contractor's plant, performed the survey/analysis/audit and found every function/category/process satisfactory? Or, how about when a goodly number of functions or processes were rated satisfactory? Yet, the previous regulation required the GPA to keep doing every function/process year in and year out. Well, why not skip the functions/processes that were satisfactory every year and focus on those that were deficient? There appears to be some logic to this approach. But (there are always buts in this world), there are two things the GPA must do. 1. They were required to document and substantiate WHY they were exempting this/these functions/functional segments, or processes/process segments and 2. This function/process or these functions/processes may not be reviewed any less often than every two (2) years. The GPA was and is provided the opportunity to use sound judgment in this scheduling of frequency and the waiving of functions/functional segments or process/process segments. It is important to properly apply these requirements in this day and age due to the economic impact these actions may have on both the Government and the Contractor.

TECHNICAL NOTE TO THE GOVERNMENT PROPERTY ADMINISTRATOR Another act or action of the scheduling process was the notification of other

functions/processes within the Government that would assist the PA in the performance of the PMSA. The PA must never forget that it is his or her ultimate responsibility to perform

the PMSA. Others may "assist" but it is the PA who signs the document.

Who are some of those other technical specialists that you may call upon to assist you in the performance of the PMSA? To name a few, these technical specialists may consist of

the Quality Assurance Representative for the maintenance portion of the PMSA, the Industrial Specialist for the utilization portion of the PMSA (In certain circumstances), the Safety specialist, the Security Specialist, etc. There may even be times when you need the assistance of the Defense Contract Audit Agency (DCAA) Auditor to answer some technical questions. BUT, WHEN THIS IS NECESSARY YOU MUST GO THROUGH

[26]

THE CONTRACTING OFFICER. All of the other technical specialists mentioned above are usually found with the contract administration office or the office performing the

administration of the contract. DCAA is a separate agency and as such your request as a PA should be processed through the normal channels. Most agencies DO NOT allow the

PA to directly request the assistance of DCAA. Follow your agency guidance and direction in this matter.

TECHNICAL NOTE TO THE CONTRACTOR PERFORMING INTERNAL

ASSESSMENTS OF AUDITS If you read the above paragraphs SOME of the direction provided has applicability in

YOUR situation! You may not be EXPERT in certain areas, and therefore need ASSISTANCE (As did the GPA) in determining the TECHNICAL ADEQUACY of the

PROCESS(ES). You also may have to call upon OTHER technical people!!! HISTORICAL PERSPECTIVE ON THE LEVELS OF PMSAs I would like to and will now move onto discussing the types or levels of Property Management System Audits. We’ve alluded to the various types or levels of Property Management Systems Audits – but really have not defined a few characteristics. Historically, there were two types or forms of Property Management System Audits: These were entitled either Standard or Limited. The drivers behind these two forms were the dollar value of the property and the type of property.

HISTORICAL MATERIALS – SO WE DO NOT FORGET! Under the OLD and now OBSOLETE DFARS Sup. 3 a LIMITED SURVEILLANCE could be performed if: 1. The Government property totaled no more than 10 items regardless of dollar value, or 2. The Government property was valued at no more than $100,000 regardless of item count, and 3. This dollar value could be exceeded if the items were Reparables on overhaul and maintenance contracts. Limited surveillance could not be used if: 1. Government property under one or more contracts was in excess of $100,000, or 2. Hazardous or Precious metals valued at more than $10,000 were provided. In 1991 these allowances and restrictions were changed through the publication of the DoD Property manual. WARNING – WE NO LONGER USE THE OLD SUP. 3 so these OLD requirements are

obsolete.

[27]

In 1991 the old DFARS Sup. #3 was replaced by the DoD Property Manual, 4161.2-M. Specifically, the DOD Property Manual allowed a limited analysis when Government property under one or more contracts consists of no more than $500,000 exclusive of reparables on overhaul and maintenance. This first qualifier/threshold could be used by the PA and could be obtained from the PA’s knowledge of the contractor and their records of the contracts that they administered. The second criterion for the non-allowance of a limited analysis is when the contractor has sensitive property provided under a contract. The logic and rational behind this action is the current regulatory and litigious framework surrounding hazardous materials/wastes, and the control requirements over arms, ammunition, explosives and nuclear materials. Put simply, we need to be more careful with those types of property. Standard analyses SHALL be used in all other instances. IMPORTANT NOTE – With the obsolescence of the DOD PROPERTY MANUAL there

is no guidance from DoD as to the division of work as provided by the use of a Standard of Limited performance standard. Therefore – the only direction we can

provide is that you follow your agency’s direction in this matter. There is no guidance in any of the audit references, i.e., GAAS, GAGAS or even the DCAA Manual (7640.1). Therefore, though logically, intellectually and economically it

makes sense to continue this practice of stratifying our workload based upon this typology – again,

FOLLOW YOUR AGENCY’S GUIDANCE! O.K., we've seen under the “old” regulations and manuals when we could and could not use a limited analysis as well as a standard analysis. What's the big deal? What was the difference between a limited analysis and a standard analysis? The Answer: Method of performance! Generally speaking, and I must emphasize generally, a limited analysis was done without the benefit of a plant visit. You could consider it a form of a desk audit. Rather than traveling to the contractor's plant, the PA would use the eyes and ears of other Government representatives the Quality Assurance representative and the Industrial Specialist, to name just a few. This in addition to his or her own telephonic conversations with the contractor. The QUESTION then remains – which audit do I perform – a Standard or a Limited and WHEN do I perform them? Let’s run through a few scenarios. Since there is NO REGULATORY nor POLICY guidance for this topic these represent my OPINION and are presented for intellectual disputation only!!!

[28]

NOTE TO CONTRACTORS: It is important for you to understand the degree of involvement (Plant visit versus Desk Audit) applied to the two types of audits, i.e., Standard versus Limited! Why? Ahhh,

GOOD QUESTION!!! Do you have to review YOUR subcontractors that have Government property that YOU provided them but which is STILL ACCOUNTABLE under

YOUR contracts? Yup, you do!

So, my question to you… what BASIS do YOU apply in determining whether or not you PHYSICALLY go out and AUDIT your subs vis-à-vis use some other method or methods

which DO NOT require you actually to visit the site.

NOTE: Those of you with Subcontractors out in Hawaii or overseas in idyllic locations forget everything I have just said and plan to visit them every year!!! Of course while doing your audit you WILL need to take some addition vacation time! Don’t laugh – while flying

out to Hawaii to teach a class (YES, I was working!!! Though I did take some vacation time AFTER the class) I ran into two of my property peers. What were they doing in

Hawaii? Auditing their subcontractors! And of course I believed them – and they believed me.

We will cover ethics at the end of this text! DISCUSSION ON FREQUENCY OF PERFORMING PMSAs Quite clearly the requirement to audit exists. It is the frequency that allows for debate and discussion. Are the old rules of allowing a biennial audit or a waiving of processes obsolete and overcome by events? Not at all. OPINION -- There are a number of options available based upon existing practices. I would endorse the well planned and thought out application of a: Waiving of a selected PROCESS or selected PROCESSES within a PMSA for contractor evidencing EXEMPLARY performance in those selected PROCESSES over an extended period of time where SOME PROCESSES were rated unsatisfactory. BIENNIAL PMSA for contractors evidencing satisfactory performance in their PMS over an extended period of time TRIENNIAL PMSA for evidencing EXEMPLARY performance in their PMS over an extended period of time. Wait – can we do this? Well, there is no document telling you that you can, but there is no document telling you that you cannot! Rather, what I would be looking for, if I were to evaluate your work, would be the consistent application of sound judgment and documentation of your reasons for taking such actions. [NOTE – ONCE AGAIN!!! If your agency has guidance and direction in this area, you MUST follow their guidance and direction.] What you are doing is applying a simple “Risk Management” approach to your work.

[29]

APPLICATION OF A RISK MANAGEMENT TYPOLOGY TO PLANNING A PMSA Performance of PMSAs may require detailed tests, examinations, and evaluations over an extended period of time. However, an analysis of a contractor's PMS involving small dollar amounts of property and simple property control methods may often be accomplished without plant visits or extensive testing by the PA. To more efficiently and effectively utilize resources, the depth and detail of the PMSA will be based on the PA’s system level risk assessment. In a planning group of experienced Property Administrators made up of all DoD Agencies, i.e., Army, Navy, Air Force and DCMA, as well as other non-DoD Agencies, e.g., NASA a Risk Management Typology was created. This Risk Management typology consisted of three levels of risk based upon three contract variables – Performance, schedule and cost. The three levels of risk were: Critical Risk Moderate Risk and Minimal Risk. On the next page is a table representing these risk criteria/variables.

[30]

RISK CATEGORY PERFORMANCE SCHEDULE COST

CRITICAL RISK Data cast significant doubt on the ability of the PMS to meet contractual requirements or a major disruption in the management of Government property, impacting performance, schedule or cost is highly probable. Contractors accountable for $1 billion or more of GP shall be rated critical for PMSA planning purposes

The Government has withdrawn its assumption of risk of loss. Recurring significant LTDDs, where repair or replacement of the property delays contract performance. Recurring significant instances of unauthorized use, disallowance of acquisition costs, or unauthorized acquisition Deficiencies disclosed during the previous PMSA or by the contractor through its self assessment process have not been corrected over an extended period of time, unless an extension has been approved by the PA in accordance with agency directives. An event(s) occurred involving Sensitive property that presents an increased potential danger to public health or personal safety

PMS systemic deficiencies significantly impact schedule when the PMS has been rated Moderate and one of the conditions below exist: Recurring significant LTDDs, where repair or replacement of the property delays schedule. Recurring significant inventory deficiencies which cause schedule delays.

PMS deficiencies significantly increase cost and one of the conditions below exist: Recurring Significant repair or replacement of LTDD property needed for contract performance Significant or extensive corrective actions/ plans are required. Majority are cost contracts.

MODERATE RISK Data cast doubt on the ability of the PMS to meet contractual requirements, disruption in the management of GP, impacting performance, schedule or cost is probable. Contractors accountable for $500 million or more of GP shall be rated Moderate for PMSA planning purposes

Recurring instances of LTDD where repair or replacement may delay contract performance. Recurring minor instances of unauthorized use, disallowance of acquisition costs, or unauthorized acquisition More than +/- 5% physical inventory variance on material ($ value or quantity). More than +/- 2% physical inventory variance for ST/STE/E

PMS deficiencies may impact schedule. Recurring LTDD where repair or replacement of the property delays contract performance. Inventory balance discrepancies which causes schedule delays.

PMS deficiencies may impact cost or delivery: Recurring repair or replacement of LTDD property needed for contract performance Numerous corrective actions are required.

MINIMAL RISK Performance data provides confidence in the ability of the PMS to meet requirements. Minimal or no impact will occur in meeting performance, cost or schedule objectives. Contractors accountable for less than $1 million of GP may be rated Minimal for PMSA planning purposes.

PMS has minimal/no impact to performance.

PMS has minimal/no impact to schedule.

PMS has minimal/no cost impact.

[31]

So we see numerous quantitative and qualitative variables that effect the risk assessment rating of a contractors PMS. These include: Dollar value of Government Property accountable to that contractor Historical occurrences of Loss, theft, damage or destruction Physical Inventory Adjustments Possession of Sensitive Property Unauthorized use of Government Property The Auditor is encouraged to perform a RISK ASSESSMENT at the beginning of the fiscal year, or at some logical point, to determine a risk assessment rating for each contractor under their cognizance to enable them to properly determine:

a. The Frequency of that PMSA b. The type of PMSA they will perform, c. The Processes subject to review if a PMSA is performed

BASED UPON THE RISK ASSESSMENT!

[WARNING – MY OPINION AS AN APPLICATION]. Let’s try and make this a simple decision tree:

1. If the entity to be audited is rated CRITICAL in regard to the risk assessment – you (Either GPA or Contractor Auditor) should do a STANDARD System Audit of all processes on an annual basis.

2. If the entity to be audited is rated MODERATE in regard to the risk assessment – you (Either GPA or Contractor Auditor) should do a STANDARD System Audit of selected processes on a biennial basis. a. If the Audit is scheduled to be done biennially then in no situation will any

process be reviewed no less than once every four years. 3. If the entity to be audited is rated MINIMAL in regard to the risk assessment

with less than $1 million dollars worth of Government Property (Acquisition Cost) – you shall do a LIMITED AUDIT, i.e., a DESK AUDIT with no site visit, on an annual basis. You shall do a STANDARD AUDIT no less than once every four years.

FURTHER NOTE HERE – An interesting QUESTION… What exactly does a small contractor have to do to fulfill the FAR SELF ASSESSMENT/AUDIT requirement??? So far, I have not seen any discussion of this in any of the literature emerging from our profession. As I stated above this is my OPINION (Please feel free to comment on it) but it is possible for a small contractor, with limited amounts of Government property to simple read through their procedures and check the physical asset – make a statement to that effect – and BE DONE WITH IT!

[32]

DIRECTION TO THE GOVERNMENT PROPERTY ADMINISTRATOR:

Notice that the scenario painted requires that you, as the GPA, determine the efficiency and effectiveness of the contractor’s PMS in the SCHEDULING of your PMSA. Some contractors may require an annual STANDARD PMSA. Others, due to their Risk Assessment Rating, may require only a desk audit as their PMSA – with a full blown STANDARD PMSA once every four years to ensure that we do not relinquish the Government’s fiduciary responsibilities. The Government would be remiss in its responsibilities if it does not provide guidance to the working PA in regard to the types of PMSAs, as well as objective guidance on the frequency of performing this work. Why? If we fail to provide guidance there are natural consequences that may occur: PAs may fail to review a contractor and the Government property in its possession for multiple years – failing to ensure that the Government property was being used only for authorized purposes (A statutory violation) O.k., now I wish I could provide you a CONCRETE, REGULATION DRIVEN statement as to the FREQUENCY of performing a PMSA. I cannot as DoD does not have one. But I can reference some other documents in regard to the frequency of audits. FAR Part 44.3 discusses Contractor Purchasing Systems Review -- A CPSR. FAR 44.302 establishes the requirements and state the following, “b) Once an initial determination has been made under paragraph (a) of this section, at least every three years the ACO shall determine whether a purchasing system review is necessary. If necessary, the cognizant contract administration office will conduct a purchasing system review.” Notice that it does not MANDATE a CPSR every three years – just a determination WHETHER a CPSR is necessary. The basis for this the past performance of the contractor, complexity and dollar value of subcontracts, etc. Hmmmm, it appears that the CPSR folks – really the ACO, does a “quasi” risk assessment and makes a determination. Similar to what we read earlier in this chapter. That three year timeframe seems to echo through a number of audit processes. If we were to look at a Voluntary Consensus Standard, that being ISO 9000, we would find that same three year requirement. Specifically for a company or any activity that has an ISO registration and certification their certification is for three years. At that point they are required to have another certification audit performed – regardless of their performance over that three year period. On an interesting note – this ISO Assessment is done by an EXTERNAL BODY (That also requires accreditation of the body doing the auditing) – and the auditee PAYS the auditor. Lastly, there are other Government requirements that SPECIFY an actually audit frequency for some of our Government contractor brethren. The OMB Circulars are

[33]

binding up on our non-profit University folks. Universities like Stanford, and MIT and Harvard and Yale are bound by numerous OMB circulars. For example, the Property requirements for property acquired by non-profit universities are covered by OMB Circular A-100. But their AUDITS – as required by OMB Circular A-133 entitled Audits of States, Local Governments and Non-profit organizations – are set at a BIENNIAL FREQUENCY. Cut and dry, black and white, every two years an audit is required of these entities as set forth in OMB 133.220(b), Frequency of Audits. Now let me offer a small opinion. It is critical that DoD establish a workable plan for allowing their PAs to apply a rubric to determine WHEN they are to do audits. Leaving them tempest tossed on the seas of contracting change is a very dangerous course – whether that is for the Government or for the contractors. REVIEW OF PROCEDURES One of the areas that often receives short shrift in the performance of a PMSA is that of reviewing the contractor’s written procedures. Yes, I am sure that both the Government auditor and the Contractor auditor have reviewed these procedures before. You might even have reviewed it when “significant” changes were made to the procedures in accordance with FAR 52.245-1(b)(1) which requires, “During the period of performance, the Contractor shall disclose any significant changes to their property management system to the Property Administrator prior to implementation.” But, have you really properly prepared yourself for the engagement, the PMSA, if you have not reviewed the written procedures as part of that Property Management System? A curt Response, NO! Contractors – as an internal auditor doing an assessment or an audit –when was the last time YOU read – ACTUALLY SAT DOWN AND READ your company’s WRITTEN PROCEDURES? Well, in preparing for an internal audit, it is one of the FIRST ACTIONS you should do! The written procedures are part and parcel of the PMS. They are inexorably linked to the PERFORMANCE of the processes. You need to know WHAT and HOW and WHERE and WHO will be performing -- AND TO WHAT STANDARD!!! So, let’s think about this review for a moment. My first comparison is to compare the WRITTEN PROCEDURES to the CONTRACTUAL REQUIREMENTS. What does the contractor’s CONTRACTS require them do in regard to Government Property. Well, the Government Property clauses are our FIRST requirement. Contained within the clause are various EXPLICIT requirements -- Explicit requirements that MUST be addressed in the written procedures as part of their PMS. We, the Contractor Auditor and the GPA, need to ensure that those are properly and adequately addressed within the procedures and PMS. We, the Contractor Auditor and the GPA, also need to review for any special CLAUSES as well as for any special TERMS and CONDITIONS. This is where things can get rather complex – as we have experienced in our work throughout

[34]

the world. We have found that some DoD activities like to create their own clauses – some of which are in conflict with the FAR GP Clauses. Some of which impose REQUIREMENTS that are above and beyond the FAR requirements. It is critical that BOTH PARTIES are aware of these requirements and that the requirements are addressed within the PMS as per the terms and conditions of the contract. [Philosophically we could discuss whether or not those other Ts & Cs are incongruous with the FAR requirements – but that would be a whole ‘nuther class.] O.k., so you know the FAR. You know the FAR GP and other clauses. We, both parties, have reviewed the contractor’s WRITTEN PROCEDURES and the contractor has adequately addressed all of these requirements! Are you done? NO!!!

CRITICAL What about the application of Voluntary Consensus Standards (VCS) and Industry Leading Practices (ILP)? Remember that the contractor is required to manage Government property in accordance with the contract but also with VCSes and/or ILPs. The FAR GP Clause of 52.245-1(b) again provides clear concrete direction in this regard. It states,

“(1) The Contractor shall have a system to manage (control, use, preserve, protect, repair and maintain) Government property in its possession. The system shall be adequate to satisfy the requirements of this clause. In doing so, the Contractor shall initiate and maintain the processes, systems, procedures, records, and methodologies necessary for effective control of Government property, CONSISTENT WITH VOLUNTARY CONSENSUS STANDARDS AND/OR INDUSTRY-LEADING PRACTICES AND STANDARDS (Emphasis added) for Government property management except where inconsistent with law or regulation.”

So, BOTH PARTIES MUST be aware of ANY VCSes or ILPs

applied within the PMS!!!

[35]

APPLICATION OF VCSes and ILPs Therefore, in your review of the written procedures – EVEN BEFORE WE START OUR AUDIT(s) – we MUST include a review of those VCSes and/or ILPs applied to the contractually required processes. If you, as the contractor, have selected a VCS from a VCS body for application within the PMS, this must be addressed. At a minimum, I should look for the following:

1. a citing of the VCS, i.e., the VCS Body from which it came, 2. the VCS Number or identification and 3. the date of that VCS.

Well, you need to apply some judgment and evaluation! First, does the VCS or ILP “fit?” Yes, does it FIT? In other words is it a VCS that is DIRECTED at the PROCESS in question. Does it cover the ACTIONS or TRANSACTIONS described within the Government’s Process Requirements? Let me provide a few examples:

1. ASTM International is a VCS body that, working with the National Property Management Association (NPMA), has crafted a number of property related VCSes. [Note – if you are NOT a member of NPMA or the ASTM International I would encourage you to participate and become a member. In point of fact, membership, by Federal employees, in VCS bodies in encouraged through Office of Management and Budget’s Circular A-119 “Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities,” available at http://www.whitehouse.gov/omb/circulars/a119/a119.html. In regard to NPMA membership, that is more of a matter of participating in an association aligned with your profession.]

2. ASTM International has published a VCS on Liability for loss, damage or destruction (LD&D) of property. It contains some excellent information. One area that it does a great job in is in regard to REPORTING of the LD&D. It parallels the reporting requirements set forth in the FAR GP Clause, 52.245-1.

3. Therefore, there is a “good fit” between the VCS and the FAR Requirement.

This is an example where the use of a VCS works quite well. But in other situations there may NOT be a good fit.

1. ISO, the International Organization for Standardization, http://www.iso.org/iso/home.htm, also publishes VCS. Many contractors are ISO Certified. Some have approached the Government property and said, “Hey, were going to use our ISO Procedures for Government Property Management,” – that, in and of itself does not provide a good “FIT.” For example, though many of the ISO Standards provide for the

[36]

establishment and maintenance of records – there is no specificity as to the detail of the records, i.e., the specific record fields, data fields that are to be established and maintained. The FAR Process requirement for RECORDS under FAR 52.245-1(f) (1) (iii) is quite specific and detailed as to the data fields. Notice – there is a disconnect.

2. Now, if the contractor says that they want to use ISO 9000 (Depending upon the TYPE of business they are in) for the process of MAINTENANCE – then I would be far more amenable to that application. Why? Because ISO has great specificity regarding maintenance due to it impact on quality. The FAR GP Clause language regarding maintenance leaves much to the contractor’s expertise vis-à-vis the Government prescribing “HOW” maintenance is to be done.

So, the step by step process consists of the following:

1. Read the procedures. 2. Compare the FAR requirement with the applicable VCS or ILP for

goodness of fit and ensure that it is truly applicable to the PROCESS called out in the GP Clause.

Lastly, and this will be of GREAT IMPORTANCE AND SIGNIFICANCE later in this class, you must determine if there are any DATA POINTS or METRICS or PERFORMANCE STANDARDS or OUTCOMES specified in the VCS or ILP. In other words we are looking to see if there are any objective measurable quantifiable points that could provide an auditable data element. If there are objective – based upon observable evidence, versus subjective – based upon feelings, these data points should be addressed within the contractor written procedures. The performance standards set forth in the VCS or ILP should be carried over into the contractor’s procedures as part of the PMS. We will talk about this in greater detail when we discuss the actual auditing of the PROCESSES later in this class. PLANNING AND SCHEDULING OF A PROPERTY MANAGEMENT SYSTEM AUDIT

NOTE: The following actions are directed towards the GPA – acting as an AUDITOR. Contractors, acting as INTERNAL AUDITORS doing SELF ASSESSMENTS, would be

wise to apply and follow the same type of process. The GAO Yellow Book directs us to PLAN our PMSA. Paragraph 7.06 states quite simply, “Auditors must adequately plan and document the planning of the work necessary to address the audit objectives.” These two areas are inexorably linked, as they must be treated together yet have application separately. Let me discuss "Scheduling" first and then the interaction with "Planning" second. Fiscal years roll around pretty quickly and when the end of one and

[37]

the beginning of another occur, well, there is work to be done. For the itinerant PA it requires the preparation of a schedule for the entire fiscal year of the contractors that will be visited. Basically, this planning and scheduling is a MANAGEMENT TOOL! It allows your boss, or supervisor or even the director of the property center to see your workload. This schedule will set forth WHEN you plan to conduct the PMSA of that contractor. For the resident PA, say at a contractor’s Plant, or an Army Ammunition Plant (AAP), or a Supervisor of Shipbuilding (SUPSHIP) this may entail the scheduling of one PMSA over the span of the entire year. Rather than specifying that a survey will be performed it should specify which portions of the survey should be performed - when! In other words, what functions or functional segments/process or process segments will be reviewed at specified points during the fiscal year? Well, all of this seems simple enough, but how do I know which contractors to schedule at what times during the year as well as which functions or functional segments/process or process segments to schedule? This is where planning comes into play. Each PA needs to properly and adequately PLAN for the performance of a PMSA. Can we tell you exactly how to do it, step by step, check box by check box? NO! Why? Because there is a great deal of diversity in our world. Each and every contractor is different and if anyone was foolish enough to say they had the only way to plan or conduct an analysis they would be "The Fool." Systems analysis and the concurrent planning is a complex task that requires the development of strategies over a period of times. Strategies that may be borrowed, intuitively developed, or even stolen from techniques you've seen others successfully use. As requirements within the planning stage the GAO Yellow Book provides the following information in paragraph 7.09 and 7.10. It states,

7.09 Scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included. 7.10 The methodology describes the nature and extent of audit procedures for gathering and analyzing evidence to address the audit objectives. Audit procedures are the specific steps and tests auditors will carry out to address the audit objectives. Auditors should design the methodology to obtain sufficient, appropriate evidence to address the audit objectives, reduce audit risk to an acceptable level, and provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions. Methodology includes both the nature and extent of audit procedures used to address the audit objectives.

So, what MUST the PMSA plan contain? The following is only a brief description:

• A Listing of the processes, process segments and criteria that are applicable. [NOTE: Not every process, process segment or criterion is applicable to every PMSA. You need only perform those functions/processes that apply to your environment. DO NOT DO UNNECESSARY WORK WHICH IS NOT

[38]

PERTINENT!!! WE HAVE ENOUGH WORK TO DO WITHOUT GOING OFF TANGENTIALLY.]

• A listing of the ESTIMATED line items of property by type. How do you get this ESTIMATE? One way is from past analyses, yet another possibility would be the contractor's physical inventory listings, etc. Notice that there are multiple methodologies and this will provide helpful information later on in defining your populations subject to sampling

• A record of your evaluation of the written property management procedures portion of the contractor's property management system. Even at this stage you should be noting any areas that may be deficient for correction or updating. In some cases there may be areas where the contractor is doing too much and your recommendation might be to reduce the level of effort in an attempt to achieve a greater economy.

• Lastly, when there is/are process/process segments that you are NOT going to review you must document WHY you are waiving these requirements. For example, has the contractor been satisfactory over the past three years or longer? Do you have a handle, an "emic" perspective, regarding this contractor? Has the workforce and the amount of Government property been relatively stable over the past few years? These are all questions that could be discussed. There is far more you can do at this stage and we will discuss the planning aspects later in this discussion.

Now why then are planning and scheduling inseparable? Because without an idea as to the quantity of Government property in the contractor's possession and the complexity of the contractor's property management system how can you adequately logistically PLAN for the scheduling of an entire year. EXAMPLE: Leaving a standard audit for the end of the fiscal year, i.e., September would not be a prudent move when you know it takes you at least eight (8) weeks to perform the analysis. The fiscal year would have ended before you finished your audit. Therefore, you must exercise good judgment when planning your schedule. I will not use the word "proactive" as this is not being proactive. Rather this is using simple, God given common sense. NOTIFICATION TO THE CONTRACTOR The GPA needs to notify the contractor that a PMSA is going to be performed. In the past the GPA notified the contractor of the occurrence – and had a requirement to do so 30 days before the PMSA. The GAO Yellow Book, under item 7.48, requires that the GPA notify the contractor in writing. It states,

“Determining the form, content, and frequency of the communication is a matter of professional judgment, although written communication is preferred. Auditors may use an ENGAGEMENT LETTER (Emphasis added) to communicate the information. Auditors should document this communication.”

[39]

COMMENTARY

Well, if you ponder the previous actions of scheduling and planning you will find that we already know, at the beginning of the fiscal year, when we are going to perform the PMSA. Why then don't we inform the contractor? Some have said "Well, I don't want them to know when I am coming into the plant! If they know when I'm going in to do my analysis they'll fix everything!" Huh? What? Where did this idea come from? IT IS WRONG! This is not an adversarial relationship. We are there to protect the Government's interests. Not sneak up on the contractor! That is not our role. Therefore, historically under the “old” DoD Property Manual we had a requirement to notify the contractor in writing no later than 30 days prior to the commencement of the analysis. There may be times and instances that though the Government PA has done the scheduling there is a conflict with the contractor at the time scheduled. This may be due to other audits, major program requirements, surge capacity needs to be met, even war, as we saw with Desert Storm/Desert Shield, Operation Iraqi Freedom/Operation Enduring Freedom. In these instances, the analysis may be rescheduled to a more mutually acceptable time. ENTRANCE CONFERENCE Great! The GPA has done the scheduling, done the planning and notified the contractor of the planned PMSA. The time arrives to actually enter the contractor's place of business and start doing the AUDIT! Right? Well, not just yet. You see there is the small matter of an ENTRANCE CONFERENCE - really no small matter as this entrance conference sets the stage for the contractor and the Government as to the expectations of both parties. Within the Defense Contract Audit Agency (DCAA) Manual 7640.1 we see an excellent discussion of the requirement and purpose of an entrance conference. Under Section 4-302.1 entitled “General Procedures for Entrance Conferences” it states,

a. … hold an entrance conference with the contractor's designated representative(s) at the start of each separate audit assignment (or each group of assignments to be covered in a single field visit). Document the date, participants' names and titles, and primary discussion points, including specific identification of requested data to control what was requested and provided during the audit…. b. As a minimum, explain the purpose of the audit, the overall plan for its performance including the estimated duration, and generally the types of books, records, and operations data with which the auditor will be concerned. If applicable, the following matters should be handled during or shortly after the entrance conference:

(1) …..Omitted by author. (2) Ask the contractor to designate primary and alternate officials with

whom audit matters are to be discussed during the course of the assignment.

[40]

However, make it clear that such an arrangement does not preclude access to other knowledgeable contractor personnel as needed during the audit

(3) and (4) Omitted by Author (5) Arrange to review the planning documents, working papers, and audit

reports of the contractor's internal and external auditors for any audits or reviews performed or planned that may curtail the planned scope of work. See 4-202 for guidance on coordinated efforts with the contractor's auditors

The entrance conference is critical! It is a wonderful opportunity to impress upon ALL PARTIES INVOLVED the importance of property management/property administration. You should avail yourself of this opportunity to the fullest extent possible. Contractors – when you are going to perform an INTERNAL AUDIT – would it not be wise to conduct an ENTRANCE CONFERENCE with the department, location or site that YOU will be auditing? MOST DEFINITELY!!! So though there is a MANDATORY REQUIREMENT for the Government to conduct this meeting, it is just as critical for YOU, doing an internal audit to do the same! Flesher (1996) in a wonderful text entitled “Internal Auditing Standards and Practices” cites this as a requirement in the Internal Auditing Oh, and there are two other reasons First, it has to do with professional negligence. In a court case, which you will read later in this class, brought by General Dynamics against the United States In this case the United States Government and DCAA were found to have committed professional negligence and breached this duty of due professional care. Item 77 in the case charges that the auditor DID NOT hold an entrance interview. There are numerous other references within the court case documents that cite the provision of conducting an entrance conference it is your responsibility to exercise “due professional care” in the conduct of this assignment Second, it has to do with LIABILITY. If you remember from the Basic Contract Property Class, either my class or another instructors, generally the Government DOES NOT hold contractors liable for the Loss, damage, destruction or theft of Government property under certain types of contracts. And the key to this decision is the FAR defined concept of MANAGERIAL PERSONNEL. We encourage you to conduct the PMSA Entrance Conference with individuals fitting the definition of MANAGERIAL PERSONNEL! Why? Those individuals have the AUTHORITY to direct the changing of a contractor PMS. Yes, most dealings are between the GPA and the Contractor Property Manager. But there are times when that additional attention, the additional AUTHORITY brought to the table by contractor’s MANAGERIAL PERSONNEL can greatly affect the changing of a PMS from a system with deficiencies to a system running smoothly! So, some items to be discussed at the Entrance Conference: - That a scheduled PMSA will take place (Remember, you've already notified the auditee in writing - this should come as no surprise.). - The timeframe for performance. - The functions or now PROCESSES that are subject to review. - The areas of a contractor's operation that will be visited.

[41]

- Other pertinent items: - Previously disclosed deficiencies (Both those resolved in the last analysis as well as those possibly still unresolved since the last analysis.). - Current Status of the Property Control System now a Property Management System, i.e., Compliant or Non-compliant, Adequate or Inadequate. Lastly, it is prudent for the GPA and the Contractor Property Manager (And even the Contractor Auditor if doing a JOINT AUDIT) to discuss the proposed criteria that are to be used in the performance of the PMSA. In fact, it would be most expedient for ALL PARTIES TO HAVE A LISTING OF THE CRITERIA TO BE USED IN PERFORMING THE PMSA. Why? Because we are trying to perform in the most efficient, economical, effective manner possible - the most efficacious fashion possible.

[42]

Defense Contract Property Control Systems Analysis Primer By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 5

Statistics & Sampling

By the end of this module, you should be able to:

• Prepare a random sample number list By completing the lesson, you should be able to:

• Define the make up of a population

• Determine a sample size using the “Old” DoD Property Manual

• Select/choose random sample numbers from the Random Sample Number Table

STATISTICS Well, finally we get to some discussion about statistics! A really amazing field, and one that everyone, I REPEAT, EVERYONE NEEDS TO KNOW ABOUT AND UNDERSTAND! Why? Because every professional today needs to have an understanding of statistics that goes well beyond the common knowledge of the mean, median and mode. You read the newspapers everyday and there are statistics cited. You read a magazine and there are data (Tiny little note: Data is plural, Datum is singular - remember that!) reported. Within those reports you might find discussions of a standard deviation, correlational analyses, multiple regression, even factor analysis. Do you need to know how to compute these items? Not necessarily - you can use a calculator or a computer to do that. But, you do need to know what they “mean” (No pun intended!). You do have to understand their underlying principles and usage of the various and sundry equations. An excellent text that I would recommend for every Property Professional is entitled Statistics A Spectator Sport by Richard M. Jaeger, published by Sage publications, Newbury Park, NJ. It is a brilliant book in that it does not use a single formula or mathematical equation. It is purely descriptive in nature and explains, in English, the meaning and use of statistics. Though we are of the belief that every Property Professional should have had courses in statistics such may not be the case today. Therefore, we are going to attempt to teach you just a few of the basics. So let's try this part together. INFERENTIAL STATISTICS - We see a lot of data coming across our desks every day. We see loads of numbers. But, sometimes we have to go beyond those numbers.

[43]

We have to make inferences; we have to infer something from the number we do have about numbers we don't have. When we perform our system audit we have a population or populations that we are going to test or audit or analyze. We defined the term population earlier in this paper as "An aggregation of documents, records, assets, or actions selected for review due to common characteristics. Also known as a "lot." Generally we think of populations as people. But in our case a population usually consists of inanimate objects, e.g., Government property, records, automated record keeping systems, etc. Now, it would be impossible for us, in most cases, to review every single record in the contractor's operation. There is just no way for us to do that. Rather, we break our system analysis into segments and for each of these segments we determine a population and from that population we pull a SAMPLE. From this analysis of the SAMPLE we make inferences about the LARGER POPULATION from which the SAMPLE was selected. O.K., let's take this slowly for a minute and see what it says. STEP # 1 - We determine our population subject to analysis - the population is determined by items having COMMON CHARACTERISTICS (We will have more information on selecting a proper population later in this paper). STEP # 2 - We select a RANDOM sample from this population. STEP # 3 - We analyze/study the sample for the criteria and make a determination regarding the sample. STEP # 4 - We reach a generalizable conclusion from the sample as to the population from which the sample was taken. "Well, that sounds easy enough to do. I can do that. Just get a bunch of the documents together and look at a few of the documents from that bunch and if I find any errors the contractor is unsatisfactory. Right?" "Welllllll, not exactly! We need to go further in our discussion of selecting a POPULATION and this new concept about selecting a SAMPLE." SELECTING POPULATIONS [NOTE: EXTENSIVE INFORMATION IS PROVIDED TO THE PROPERTY PROFESSIONAL IN APPENDIX A OF THIS REFERENCE REGARDING THE SELECTION OF PROPER POPULATIONS FOR EACH FUNCTION/FUNCTIONAL SEGMENT.] The proper selection of a population for analysis is one of the most critical steps in the performance of a system analysis. Properly framing the population MUST be carefully performed otherwise the results that you obtain may not be applicable or generalizable. How may you frame a population? Let's talk about certain techniques. First thought - it

[44]

depends on what you are measuring. A common usage of verbiage in this area is that of "transactions." Many of the processes that we review during the system analysis are based upon types of TRANSACTIONS that have occurred. For instance, the function of acquisition is to determine whether acquisitions, purchases, made over a period of time have been adequate. Notice that you have an ACTION occurring and these ACTIONS are occurring over a period of time. TRANSACTIONS are taking place. The function of receiving would also be considered a transactional functional area. We are checking the adequacy of the receiving TRANSACTIONS or ACTIONS that have taken place. This is one method used to establish a population. The transactions are one of our drivers for selecting a population. O.K., then we use all acquisitions right? Well, not exactly. We need to more clearly define our TIME FRAME for covering the transactional items that we have selected as the first defining parameter for our population. In the "old Supplement 3” there was the allowance to go back for a period of ninety days. In other words you would select, as your population, those acquisitions that had occurred in the past ninety days. If your population was not sufficiently large in size you could increase this time frame another ninety days, repeating this action for another ninety days and again until you reached the time frame of one year. THIS NINETY DAY TIME FRAME FOR SELECTING YOUR POPULATION NO LONGER EXISTS!!! The “Old” DoD Property Manual requires that you use as your time frame ONE YEAR OR BACK TO THE LAST SURVEY - whichever is less. It appears then that there are two parameters that drive the selection of transactional functions: the types of transactions that are occurring and the timeframe during which they occurred. Ahhh, but there is one other parameter - the functional segment or process segment that is subject to review. The functional segment is structured as a subelement under a function and therefore may help you determine how to properly frame your population. The functional segment may be driven by the type of property, either origin (GFP Versus CAP), or classification (Material, Special Tooling, Special Test Equipment, Equipment or Real Property), or even the purpose of the property. Generally, auditors, for example Certified Public Accountants, deal with transactions and transaction cycles. For example, some of the major classes of transactions consist of: Sales Purchases Cash Receipts Cash Disbursements and Production. But for the world of Government property, in addition to "Transactional" functions and functional segments, there may be functions whose populations are non-transactional. This is where we do NOT measure transactions over a time frame but rather test other parameters or "Attributes." For example, the function of storage. How would we frame our population? Would we ask the contractor to show us all transactions that have taken

[45]

place in the storage areas? Wait a minute - what transactions in the storage area? There is receiving, there is issuing, but these are not the function that we are reviewing which is storage. We are auditing the actual storage areas for housekeeping, etc. Our population here would consist of all locations where property is stored! For this non-transactional function, or function where we are testing for attributes, I am not concerned with the transactions that may have occurred in the areas where property has been stored. Rather, I am concerned with the actual PHYSICAL locations where property is stored and its condition. We could do the same with the function of Records and other functions and functional segments where we determine our population not based upon transactions but rather on the handling of the property at a certain time. We will discuss this distinction later under each of the functions/functional segments used for our system analysis. SAMPLING Let us assume then that we have selected our population for a Process or Process Segment. And through the defining of this population under this process we have a collection of documents. Let's say we are using the Process of "Records." We have a computerized listing, provided by the contractor of all special tools in the contractor's possession. Or we might have a manual record system, a card file. Here we have a population. Both of these items, the computerized listing and the manual system have 1467 items listed. "How then do we select our sample?" "Simple - I'll just select maybe five or ten percent of the records." "You will? Wait a minute! Ten percent of 1467 is 147 records. Are you going to have the time to review 147 records?" "Well maybe I'll just do five percent". "Great, now you'll only review 74 items." “O.K., I get your point. Then how do I know how many items TO select as my sample?" "Ahhh, am I glad you asked." There are a number of different sampling methods available, probabilistic and non-probabilistic. Under probabilistic there is random sampling, replacement versus nonreplacement sampling, and systematic selection. Under nonprobabilistic there is block sampling, haphazard selection, and judgmental (Yeah, we'll talk about this later) to name just a few. Generally, we use a probabilistic method, using nonreplacement random sampling. But, in some cases you may use judgment sampling, in some cases you may use systematic selection and even another form of nonstatistical sampling - purposive or purposeful sampling. These will be discussed later and under what conditions they may be used.

[46]

In regard to Statistical Sampling the Government Accountability Office (GAO) provides its direction for sampling. IN GAO 07-731G Government Auditing Standards it states in paragraph 7.63, “7.63 When sampling is used, the method of selection that is appropriate will depend on the audit objectives. When a representative sample is needed, the use of statistical sampling approaches generally results in stronger evidence than that obtained from nonstatistical techniques.” The number of items to select from a population was computed for you in the “Old” DoD Property Manual 4161.2-M. You can find this table in Appendix B. It is referred to as a double sampling plan and has a 90 percent confidence level. Let us digress just for a minute and talk about two of these terms: the double sampling plan and the confidence level. Confidence level Flesher (1996) gives an excellent description of “confidence level” or “reliability.” He states “The confidence level or reliability is the probability that a sample will accurately represent the population from which it was selected. For example, a sample with a 95 percent confidence level would be said to accurately reflect the population 95 percent of the time. That is, if 100 samples were selected from the population, 95 of those samples would accurately reflect the population.” The Government, through the “Old” DoD Property Manual, has already established for us that the confidence level we will use is at 90%. I have taken the liberty of including TWO OTHER Sampling tables with different confidence levels. One at a 95% confidence level and one at a 97% confidence level. These were designed SPECIFICALLY for the DoD Property community through a research report prepared for the Defense Contract Administration and Services organization – the old DCAS, DCASR and DCASMA operations – the precursor for Defense Contract Management Command (DCMC) now the Defense Contract Management Agency (DCMA). The origins of these organizations can be traced back to Secretary of Defense McNamara under Project 60 – but that is a whole ‘nuther paper! In other endeavors higher confidence levels may be required; Levels such as a 95% confidence of rejecting lots having 10% or more defectives or a 97% confidence of rejecting lots having 10% or more defectives. Notice that the Government is not asking for a 100% confidence level. Rather, it has consciously determined that 90% is an acceptable confidence level for the work being performed by the contractor. If we were doing Quality Assurance work for the Nuclear Navy that confidence rate would be far higher. Why? Because there would need to be a far greater degree of compliance at that higher rate. The Government has established what it believes to be an acceptable rate for us. This confidence rate is then one of the drivers for the number of samples that we select.

[47]

Double sampling plan There are a number of different sampling plans available also. Under the old DFARS Sup. 3, (You know, back in the old days when I was a working PA) prior to 1983, there was the requirement for a single sample to be drawn from the population. This entailed, for many large populations, that 65 samples be drawn!!! This was extremely time-consuming and though it provided a correct statistical significance to the findings and did provide a valid acceptance/rejection rate there were more efficacious methods available. If you review some of the early statistics and auditing texts, some of which are referenced throughout the paper, you will find that double sampling did not come along until the late sixties, the early seventies. Prior to this, the single sampling technique was most frequently used. Through the academic research conducted by the mathematicians and statisticians a double sampling plan was found to provide the same reliability and validity as a single sample and one could save time and money using that double sampling plan. I thanked my lucky stars when the powers that be allowed the use of double sampling plan in 1983. For those of you who remember selecting and reviewing 65 samples, my hat goes off to you. The current sampling plan is superb in comparison. The double sampling plan allows for the use of a smaller sample size with no reduction of the confidence level. If you really are interested, I can give you the formulae for computing the sample size under a double sampling plan? For those of you interested in the formulae here are some basic items:

N = lot size

D = number of assumed defects in lot

n = sample size

x = number of defects in sample

P(x) = Probability that n sample will have x

defectives and is selected from lot of size N

with D defects.

p = population fraction defective, 0 =< p <=1

(1)Hypergeometric Distribution

P(x) =

(D) (N - D)(X) (n - x)

(N)(n)

(2)Binomial Distribution

P(x) = (n) (x) p (1 - p )x n-x

[48]

Pa = probability of lot acceptance

c1 = acceptance number for first sample

r1 = rejection number for first sample

c2 = acceptance number for second

sample (Defects in both samples

must not exceed this number)

j = number of defects in second sample

At this point I imagine that all of you are saying, “Thank you for sharing this with us but we really didn't want to see all of these formulae. This is TOOOO much information!" "No? O.K., see if I care that you don't want to do some algebraic equations!" Suffice it to say that those wonderful people with the green eyeshades sat down and computed for us the number of samples that we need to select. All of these sample sizes are set forth in the references for this course. The double sampling plan requires the selection of two samples. Vance and Neter (1956) state the following in regard to double sampling plans, Another type of sampling plan involved two possible stages of decision

making. Initially only part of the total sample is selected, and a final decision of acceptance or rejection is reached at once if the sample indicates exceptionally good or poor quality. Otherwise the remainder of the sample is selected and a final decision whether to accept or reject is made at that time. This is called a double sampling plan because it may involve two sampling stages.

"Well, tell me what is the sample size for the population of 1467 records that we are going to review?" THE ANSWER: 34 "Sure, that was easy. So all I need to do is select the first 34 items from the bunch of records and review those. Right?" "Well, not exactly. Because another fundamental issue in terms of inferential statistics is that the sample must be RANDOM!!!" RANDOMNESS "Wait a minute. You didn't say anything about that before! I know where the problems are. I can select any items I want to! Why do the items selected have to be random?"

(3)Double Sampling Formula

ax=0

c

x=c +1

r -1

j=0

c -x

P = P (x) + [P(x) P(j)]1

1

1 2

∑ ∑ ∑

[49]

"Because inferential statistics is based upon some very strict rules." Carmichael and Willingham (1989) define random selection as "... a sample that is selected in such a way that every item in the population has an equal chance of being selected" (p. 247. Arens and Loebbecke (1988) state, A random sample is one in which every possible combination of items in the

population has an equal chance of constituting the sample. The only way an auditor can be confident a random sample has been obtained is by adopting a formal methodology that is designed to do this (p. 391).

Random sampling helps to protect against and preclude the inherent BIAS that most of us have. Very simply, by using random sampling you apply the rules of statistics and the contractor cannot claim that your sample is biased and therefore not generalizable to the larger population from which it was selected. Block sampling, where you just wanted to pick the first 34 items from the list, even though it is not biased, is also unacceptable. Carmichael and Willingham (1989) state, Certain selection methods that have been used by auditors in the past are

methods that cannot be expected to produce representative samples. This means these methods are not acceptable to statistical or nonstatistical audit sampling.

What is one of these methods? Block selection! "Well, how can I be sure my sample IS random?" The “Old” DoD Property Manual provided Appendix C for just such a purpose – and every statistics book has a RANDOM NUMBER TABLE. There are other methods, such as the computer programs that are available. Even MS-Excel ™ has this ability. But, you may not have access to a computer all the times so let's walk you through selecting a random sample using Appendix C and discuss the concepts of starting point, column, row and routing.

STOP! DO RANDOM NUMBER SAMPLE EXERCISE @ the EXERCISE SECTION OF THIS TEXT!

[50]

Now that you have all muddled through the process of using the random number tables in Appendix C let me provide some concrete direction as to "How" the tables may be used. This is nothing new. Direction was contained in the old DAR/ASPR Supplement No. 3. I have copied that DIRECTION as to how to use the table – and I hope that this explains to you the actual PROCESS of selecting Random numbers. It stated, (c) Random Number Table. The following information is a guide which

may be used in drawing a sample with a table of random numbers. Other randomization techniques may be applied provided they are defined beforehand in the property administration survey plan and exhibit clear protection against bias. Care must be exercised to assure that the number of items in the lot is not overestimated so as to avoid selection of random numbers greater than the lot. For example, if the lot is 9,000, only numbers lower than 9,001 shall be selected. Using a random table to draw a random sample requires four steps which are:

(i) First Step: A pattern must be established between the numbers in

the table and items in the lot to be sampled. It is possible to use the whole random number or any portion thereof. For instance, the number 18,967 may appear in the table. If the lot size is more than 99 but less than 1,000, a three digit number is required and either the first three digits 189 or the last three (967) may be used. If the lot size is more than 999 but less than 10,000, a four digit number is required and either the first four digits (1,896) or the last four (8,967) may be used. Once this pattern has been established, it must be consistently used throughout the sample selection process.

(ii) Second Step: A procedure for selecting the numbers from the

table must be selected. Any systematic path for going through the table, if the path is clear and does not cross over or reuse any number previously used, is acceptable. It is possible to proceed across rows, down columns, diagonally, clockwise, counter-clockwise, or in the same combinations of these methods; however, it is usually desirable to choose a simple pattern and go down columns or across rows.

(iii) Third Step: The starting point in the table shall be selected at

random. The most used method is to open the table of random numbers to any page and to use the number upon which the pencil point falls as the starting point.

(iv) Fourth Step: Beginning at the starting point and proceeding

through the table as planned in the Second Step, record the numbers found in succession in the table, using all or part of the number as planned in the First Step. Duplicate numbers shall be skipped. The selection process shall be continued until the required sample size is drawn.

[51]

Number taken from the random table shall be arranged and recorded in numerical order.

If we were to review texts on sampling we would find similar directions. The process of using random number tables is fairly uniform and consistent. CORRESPONDENCE BETWEEN THE RANDOM NUMBERS AND THE POPULATION ITEMS Excellent! You have successfully selected a set of random numbers from a random number table. Pragmatically I recommend that in the future you use a nifty little web site call the RANDOMIZER!!! It is found at WWW.RANDOMIZER.ORG. It is a heck of a lot easier and there is nothing wrong with the use of a computer to perform that job. Brink and Witt (1982) advocate the use of computers in the audit process. They state, "There are various statistical sampling programs available in the software packages. Some commonly used ones are as follows: 1. Random Number Generators ... 2. Determining Sample Size ... 3. Appraisal of results." Folks, putting it simply, computers are here to stay. They are not just a passing fancy like the car and the telephone but are powerful tools developed for your use. [Sorry, just a little bit of humor! Aren’t you glad they do not pay me for my jokes?!?!] So you have in front of you 34 random numbers. [NOTE: Really you should have 68 random numbers as you must pull both samples, i.e., the double sample numbers, before selecting those items from the population. Otherwise, when you go back to pull another sample all items in the population must stand the chance of being selected and there is that probability that you will select an item that you have tested previously and that was already found deficient. This is the distinction between replacement and nonreplacement sampling. The sample item number can only be selected once! Therefore we use a nonreplacement method.] So, what do you do with those 34 (68) numbers? You establish correspondence between the random numbers and the population items. If it is a computer listing this should be a fairly easy task. Ahhh, but your listings may not always be numbered. What do you do now? Vance and Neter (1956) state, "In some cases auditing populations are not already numbered... In these cases numbers may be assigned to the items so that random numbers can be used" (p.123). I know, I know, this is time consuming and laborious. If you can come up with a better way let me know. Otherwise you have to number the items in some sequential fashion. Even the old, aforementioned Sup. 3 stated, If the units of the lot to be examined are already consecutively numbered,

the units having the numbers corresponding to those taken from the random table become the sample units. Otherwise, the sample units shall be found by counting down to the numbers taken from the random table.

[52]

Therefore, if your population is a set of record cards you will have to sequentially count out the cards and assign numbers to those cards, if not already done, for the purposes of linking a sample number to an item in the population. GENERALIZABILITY "What does all of this work do for us?" Well, from the standpoint of inferential statistics it provides us a mechanism by which we determine and define our population and attributes or transactions that we wish to audit, select our random sample numbers and correspond those sample numbers to our population, thereby select our sample, record and analyze the data from that sample, reach some conclusions and then, hopefully, our conclusions would be generalizable to the larger population from which the sample was taken. Notice, that we need not review every item in the population. Rather through inferential statistics we can review only a small portion, a RANDOM SAMPLE of the population and reach some conclusions about the entire population from which the sample was drawn. Pretty nifty trick, huh? Does it work? Absolutely!!! But only if the statistical underpinnings are properly applied. CLASSES OF CRITERIA

[NOTE: REMEMBER THAT THE “OLD” DOD PROPERTY MANUAL 4161.2-M IS SORTA’ OBSOLETE. THEREFORE THE FOLLOWING INFORMATION IS PROVIDED

TO GIVE YOU A BASELINE AS TO PAST PERFORMANCE METHODS.] The “Old” DoD Property Manual specified that for each criteria there is a "CLASS" designated. What relationship does this have to Inferential Statistics, and to all of the information just discussed? These classes dictate, for the PA, whether statistical sampling shall/must (Command/imperative) be used or some other form of nonstatistical sampling may be applied. There were three classes listed at the top/beginning of Appendix A in the “Old” DoD Property Manual. These are: CLASS I STATISTICAL SAMPLING CLASS II JUDGMENT SAMPLING CLASS III PURPOSIVE SAMPLING This requirement established for the PA that he/she must use statistical sampling for any criterion designated as a CLASS I criterion. The PA may use judgment sampling on any CLASS II criteria or he/she may upgrade that CLASS II criteria to a CLASS I criteria. Notice that the “Old” DoD Property Manual had this allowance as a note to the heading of

[53]

Appendix A. It states "A CLASS II sampling may be changed to a CLASS I sampling by the PA dependent upon the circumstances and situations affecting the analysis." Great, so this means that I could also change a CLASS I to a CLASS II. NO! NO! NO! There WAS NO allowance to "downgrade" a criterion that requires statistical sampling to judgment sampling. There WAS the allowance to "upgrade" from a judgment sampling to a statistical sampling.

COMMENTARY Since the “Old” DoD Property Manual is obsolete and no further guidance has been issued

by DoD I would encourage you to apply the above discussed concept and align the PROCESS CRITERIA along the lines of which criteria require statistical sampling and

which require or would allow judgment sampling. JUDGMENT SAMPLING We have delved into the world of statistical sampling quite heavily, but we haven't discussed the use of judgment sampling. What exactly is judgment sampling? In a classic text Vance and Neter (1956) describe judgment sampling as, A Judgment ... sample is one where the selection of specific sample items

depends to a large extent upon individual judgment, or where judgment decisions are made about portions of the population for which the sample did not obtain the necessary information... Judgment samples may at times be quite useful, but their results cannot be evaluated on the basis of the sample by statistical methods (p.17).

[NOTE: Everything old is new again! These guys talk about Deming in the present tense even though the literature they cite is over forty years old. AMAZING!] Arens and Loebbecke (1988) also provide input in this area. They state, Many auditors believe that it is desirable to use professional judgment in

selecting sample items for tests of transactions. When sample sizes are small, a random sample is often unlikely to result in representative samples. ...judgment methods of selection are often useful and should not be automatically discarded as audit tools. In many situations, the cost of unbiased or more complex selection methods outweighs the benefit obtained from using them.

But, they also issue a warning similar to Vance and Neter, "It is improper and a serious breach of due care to use statistical measurement techniques if the sample is selected by the haphazard, block, or any other nonprobabilistic approach" (p.397).

[54]

The “Old” DoD Property Manual uses CLASS II - Judgment Sampling only in those areas where populations: May not be that large, Criteria are not that critical but still necessary, or Where the cost of using statistical methods would far outweigh the benefit reaped by either the Government or the contractor. How then should a PA select that judgment sample? Well, in a number of ways. In some instances all items might be selected, e.g., the Process of Storage. I would not statistically sample the storage areas for housekeeping. It would be more cost effective to use judgment to test those areas. This is just one example. But, as stated before there may be instances where, though a criteria is listed as a CLASS II criteria I have the option of "upgrading" that criteria to a CLASS I and using statistical sampling. If you were to peruse the entire Appendix A you will notice that there are no criteria with a CLASS III rating. Why is this included? We will discuss the use of PURPOSIVE/PURPOSEFUL SAMPLING later in this text. But, suffice it to say, it also is a nonstatistical method and needs to be handled and used very judiciously. NEW DEVELOPMENTS With the publication of the new Government Property clauses and policy of FAR Part 45 in May/June of 2007 the Government has moved away from the prescriptive regulatory application and moved towards the use of Voluntary Consensus Standards (VCS) and Industry Leading Practices (ILP). Throughout this document I have made reference to numerous “OLD” documents. I have referenced the old Armed Services Procurement Regulations, the ASPR. I have also referenced the old Department of Defense Manual for the Performance of Contract Property Administration, 4161.2-M, which I have referred to as the “old” DoD Property Manual. They have utility for contracts awarded BEFORE June of 2007 where contractors are bound by the old regulations (And which have NOT been modified to incorporate the NEW GP Clauses) and their surveillance/auditing by you the Government PA.

IMPORTANT!!! These documents DO NOT have complete applicability to the NEW GP Clauses!!! Care must be taken to use those sections that CAN be used. Care must be taken to NOT impose any of these requirements on the contractor – as this manual is

NOT contractually binding upon the contractor.

There are portions of the “old” DoD Property Manual mentioned in this chapter that STILL have applicability – those portions include the SAMPLING PLANS, RANDOM NUMBER TABLES – and selection of RANDOM NUMBERS.

[55]

I would recommend that you reference the GAO Yellow Book that we discussed earlier in the chapter. I would also recommend that you read the Defense Contract Audit Agency Manual, DCAAM 7640.1, in regard to SAMPLING!!! It has great depth and detail from a number of different perspectives – and will allow you to grow intellectually as an auditor in the field of Government Property Administration and Management. APPLICATION OF STATISTICAL SAMPLING AND JUDGMENT SAMPLING UNDER THE POTENTIAL AUDIT CRITERIA USED FOR THIS CLASS Later in this class you will reference a document entitled POTENTIAL AUDIT CRITERIA. You will notice that it is VERY similar in feel and flavor to the “Old” DoD Property Manual Appendix A – the listing of Criteria for performing a Property Control System analysis (Yes I said PCSA versus PMSA – as I am referencing the OLD document). In the NEW AUDIT CRITERIA you will find that there is no column tasking you to use either a Class I or Class II process, i.e., statistical sampling or judgment sampling. Why? Because there are too many unknown variables! Huh? What? Seriously, contractors are now tasked to use VCSes and ILPS. I cannot create an Audit Criteria for variables that I do not know. Therefore, you, the Government Property Administrator, and you, the Contractor doing their own internal Audits -- are now going to have to determine which form of testing -- statistical sampling or judgment sampling, is applicable to the criteria you are testing! Look, you are the expert in that PMS and the performance of the PMSA or Internal Audit! We are asking you to decide intelligently, based upon your INSIDER’S PERSPECTIVE WHEN to use a STATISTICAL APPROACH, and WHEN to use a JUDGMENT APPROACH for determining how to sample. I know this isn’t easy, but following the principles of Total Quality Management in this case it definitely is one of those items that should be created by the expert in the field versus having the someone else tell you how to do your job. ___________________________________________________________________

[56]

Defense Contract Property Management Systems Audit Primer

By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 6

PROCESSES AND OUTCOMES

At the completion of this module, you should be able to:

• Describe the Property Management Systems Audit (PMSA) or Internal Audit process for the selected processes

By completing the lessons, you should also be able to:

• List the potential processes under a PMSA or an Internal Audit or Assessment • List the process segments under the processes called out in the Government

Property clause of FAR 52.245-1(f) including: Acquisition, Receiving, Records, Physical Inventory, Reports, Utilization, Maintenance, Subcontractor Control, and Contract Closeout as well as the EMBEDDED processes, e.g., identification, consumption, and disposition to name a few

• Define the population for the process/process segment • Define the criteria for the process/process segment • Describe the characteristics of the criteria reviewed under the process/process

segment

Ladies and gentlemen, now we are starting to get into the technical “meat” of property audits – the actual processes that we are to audit. This is the longest chapter that you are going to have to read. Therefore, get a cup of coffee, sit back and plan to spend some time looking through each of the processes that are called out in the FAR GP Clause and that we, within the Department of Defense are required to use as our baseline for auditing Government property in the possession of contractors. Processes In Appendix A of the “OLD” DoD Property Manual there were fifteen processes subject to analysis by the Auditor, as applicable to the contractor being reviewed. These processes were: Property Management Acquisition

[57]

Receiving Identification Records Movement Storage Physical Inventory Reports Consumption Utilization Maintenance Subcontractor Control Disposition and Contract Closeout Under the NEW GP Clause of FAR 52.245-1(f) we see that there are ten processes called out for application in the contractor’s Plans and Systems. The PROCESSES called out are:

Acquisition Receiving Records Physical Inventory Subcontractor Control Reports Relief of Stewardship responsibility Utilization Maintenance Contract Closeout Now, because we are in the AUDIT mode we need to do a little intellectual disputation and understand that though these above ten processes appear in the clause – that there are two problems presented in this representation:

1. Not all of the PROCESSES are found under the “Contractor plans and systems” paragraph of the GP clause, and

2. A number of processes are “EMBEDDED” under a singular heading. Let talk first about…

PROCESSES OUTSIDE OF THE CONTRACTOR PLANS AND SYSTEMS PARAGRAPH OF THE GP CLAUSE – 52.245-1(f).

The first process we need to address is that of disposition. Disposition has an entire paragraph devoted to it under the GP Clause of 52.245-1. Paragraph J, entitled Contractor inventory disposal, and it has a PROCESS feel and flavor to it – with numerous SUB-PROCESSES embedded within it. Yet, from a strict constructionist

[58]

standpoint – it is not a process. Why? Because it is not addressed in the plans and systems paragraph where we see the process and outcomes requirement. Does that mean we should NOT audit or assess that process? ABSOLUTELY NOT!!! In point of fact the PROCESS of DISPOSITION is a CRITICAL PROCESS for you to audit – as it, versus many of the other processes that are called out, is driven by LAW! Not just regulation, i.e., the FAR, but by LAW/STATUTE – the Federal Property and Administrative Act of 1949, as revised. So, we have another process to review OUTSIDE the GP clause’s process paragraph. How about the “old” process of Property Management? No longer is it called out as a “process” requirement. Yet we see Paragraph (b) of the GP Clause entitled “PROPERTY MANAGEMENT” imposing a requirement with a very clear OUTCOME – in point of fact an outcome or outcomes that overarch and permeate every OTHER process. Should we then ignore this process and outcome requirement because it is not called out in the plans and systems paragraph? ABSOLUTELY NOT! If one were to review the ASTM International Voluntary Consensus Standards relating to Property management we would find numerous references to plans and procedures and even the overarching concerns of property MANAGEMENT – not just property control. The Equipment Management Process Maturity Model (EMPM), ASTM E2452-05 is one methodology for determining the level of maturity found within an entity’s property management system.

COMMENTARY

In my opinion, It is critical when using the EMPM that the GPA or internal auditor obtain the CRITERIA used to determine the subjective rating determined by the contractor Many of the criteria echo the original concerns set forth in Appendix A of the “OLD” DoD Property Manual. Without audit evidence, supporting the criteria embedded within the EMPM, there may be no reliability or validity to the determined EMPM level. So, if we were to list ALL of the PROCESSES described in the GP CLAUSE of 52.245-1 – NOT JUST THOSE LISTED IN PARAGRAPH (f) we find that there are SIXTEEN (16) PROCESSES. These are: Property Management (1) -- Not in Process Paragraph Acquisition of Property (2) Receiving of Government property (3) Identification of property (Embedded) (4)

[59]

Records of Government property (5) Physical Inventory (6) Subcontractor Control (7) Reports (8) Utilization of Government property Utilize (9) Consume (Embedded) (10) Move (Embedded) (11) Store (Embedded) (12) Maintenance (13) Property Closeout (14) Relief of Responsibility (15) – Let’s rename this LIABILITY as the real description set forth under relief of responsibility does impose this as a process and outcomes issue but rather a description of WHEN the contractor is no longer “responsible” for Government property. TECHNICAL CORRECTION - As an academic note, it would probably be simpler and more easily understood to rename this LIABILITY for L, D, D and T of GP – with the accompanying REQUIREMENT to have a PROCESS to promptly disclose and report any instances of L, D, D and T of GP including the outcome of the report set forth in (vi) (a) of the GP clause. And lastly… Disposition (16). Now, you will notice that I “broke out” the EMBEDDED processes that were/are subsumed under the top level process – UTILIZE Government property is a good one to start with. Under this top level process there are really FOUR embedded processes – Utilize, Consume, Store and Move Government property. You may wonder why I SEGREGATE them into their own processes. Simple! They all have DIFFERENT POPULATIONS as a process. Let me try and explain that a little more and you will see this later on in this chapter. Let’s compare utilizing property with consuming property. What type of property is utilized? Equipment, Special Tooling and Special Test equipment (And yes we could even throw in Real Property (RP) if RP is accountable to your contractor. What type of property is consumed? Material. The records that you would be reviewing under utilization may NOT be (And probably aren’t) the same records that you review for consumption. Therefore the POPULATIONS need to be properly stratified which leads to the breaking out of the processes.

[60]

Let’s look at storage and movement. Again, the POPULATIONS are different for these processes. Where for storage you are going to review the actual, physical storage LOCATIONS, for movement you are going to review the MOVEMENT of property and the documents that affect that movement. If we were to lump these processes together for audit purposes it is highly probable that our findings would be specious – simply put, they would be wrong, and the contractor would have every right to debate and dispute the ‘rating” we assigned this process. It is NOT my intent to create MORE work for the Government Property Administrator or the internal auditor. I am only trying to accomplish two things:

1. To ensure that the Auditor performs a thorough and complete AUDIT of the contractor’s PMS when tasked to do so and

2. To provide CLARITY in defining and APPLYING POPULATIONS for each of the process and outcome requirements. And this is critical!!! If you define a population incorrectly – your results will be incorrect. They will be specious! So, if you were to define a population for Utilizing Government property under the GP clause, FAR 52.245-1, Paragraph (f)(1)(viii) – and attempt to test the four embedded processes with that ONE POPULATION your results will most definitely have no statistical reliability or validity and quite possibly (In fact probably) you will find the contractor inadequate due to the specious population.

[61]

THE INCREDIBLE DISAPPEARING APPENDIX A Under the “OLD” DoD Property manual there was a wonderful, useful tool for the Auditor of a Property Management System. It provided objective CRITERIA for the various contract requirements imposed by the OLD GP clauses as well as the requirements of FAR 45.5. Well, the “OLD” DoD Property manual has technically been overcome by events– as we have discussed a number of times in the Primer. So, what should we use? Let me be pragmatic for a moment. There was a team of expert Property professionals brought together to rewrite the DoD Property Manual. The product of this team and its efforts has not yet been published. But, all of the various components of the document still exist and I am taking the liberty of using a portion of this documents for educational purposes. When Official Policy is published, these materials will be updated and the new requirements will be incorporated.

WARNING!!! THE DISCUSSION OF THIS LISTING OF CRITERIA IS NOT TO BE CONSTRUED AS

OFFICIAL DOD POLICY OR REGULATION OR REQUIREMENT. BUT, SINCE THERE IS NO OFFICIAL POLICY THEY ARE BEING PRESENTED AS

EDUCATIONAL MATERIALS ONLY. REPEAT, THEY ARE PROVIDED FOR EDUCATIONAL PURPOSES ONLY.

THE GAO Yellow Book, GAO-07-731G, is quite specific in its direction to identify AUDIT CRITERIA. In Paragraph 7.37 it provides the following guidance:

7.37 Auditors should identify criteria. Criteria represent the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Auditors should use criteria that are relevant to the audit objectives and permit consistent assessment of the subject matter. 7.38 The following are some examples of criteria:

a. purpose or goals prescribed by law or regulation or set by officials of the audited entity,

b. policies and procedures established by officials of the audited entity (i.e., Contractor Managerial Personnel (Author’s Comment)),

c. technically developed standards or norms, (Emphasis added) d. expert opinions, e. prior periods’ performance, f. defined business practices,

[62]

g. contract or grant terms, ,(Emphasis added) and h. performance of other entities or sectors used as defined benchmarks.

We can’t leave you hanging here – so the following pages provide you ALL of the

PROCESSES and CRITERIA that you may be dealing with in a narrative form. We need to provide you an overview of each process and the process segments and criteria that are embedded under each process. To do that we will walk you through all fifteen processes and the process segments embedded under each process. As stated, we will be walking you through each of the fifteen processes and their process segments. To assist you in learning this material, we have established a pattern, an approach that we will try and follow throughout this module.

• Specifically, we will introduce each process with a brief explanatory description.

• We will then list the process segments. • We will then provide you a description of the potential population for this process

or process segment.

• Lastly, we will address the type of questions that should be posed to obtain the information needed to answer the criteria posed by Appendix A of the DoD Property Manual.

So, ladies and gentlemen, let's look at the processes! Ahhhhh, but there is one more item BEFORE we get to that aspect of this chapter.

VOLUNTARY CONSENSUS STANDARDS (VCS) AND INDUSTRY LEADING PRACTICES (ILP)

It would be IMPOSSIBLE for us to address every possible VCS and ILP – they are myriad in number and application. And, due to the diversity of the contractors performing work with the Government it would be impossible to list every VCS you’re your contractor may choose to use. Rather, it is CRITICAL that you be aware first of the contractual requirement that the contractor USE VCSes and/or ILPS and then HOW they apply these items within the contractor’s Property Management System. As our occupation grows and matures into a profession it is important for us to understand that the depth and breadth of coverage provided by VCSes and ILPs is expanding exponentially. And we require the contractor to USE those items. Well, how am I, the GPA or the Contractor Auditor, supposed to audit to that standard? Exactly, you are to audit to that standard.

[63]

Yeah, that’s what I asked – how do I audit to them? It is a rather simple process:

1. Read the PROCEDURES contained within the PMS. 2. Reference any VCSes or ILPs called out in that procedures.

a. Including specific VCS # and date or b. Where ILPs are used, provide the basis for this usage.

3. Determine if there are any OBJECTIVE MEASURABLE OUTCOMES contained within the Procedures based upon the VCSes of ILPS a. These OBJECTIVE MEASURABLE OUTCOMES may consist of

timeframes for performance or reporting – in other words ACTIONS that SHALL be taken, allowable quantity variances, frequency of use, etc.

b. There may be requirements ABOVE and BEYOND the FAR requirements. If this is the case then the contractor – in performing in accordance with the VCS needs to meet THOSE PERFORMANCE STANDARDS, even if they exceed the FAR requirements.

c. Any requirements in the FAR that are NOT in the VCS or ILP still need to be APPLIED – UNLESS – and this is a critical issue – the PA determines that these outcomes or data requirements are NOT required for the effective and economical performance of the contract. (NOTE: You are given this authority in FAR 52.245-1(f)(1)(iii)(A))

4. Ensure that on your WORKSHEETS – discussed in an earlier chapter – that you include columns to OBJECTIVELY EVALUATE the contractor’s performance to these VCSes and ILPs.

O.k., now onto the PROCESSES and their OUTCOMES!!!

[64]

Process 1: Acquisition Purpose: The primary objective of conducting a PMSA on the acquisition of Government property is to ensure that only those items and quantities authorized by contract terms and conditions are acquired or fabricated and to ensure the validity of the property classifications. To meet this objective, the Auditor’s analysis shall include a review of the actual procurement and fabrication documents, including material requisitions, purchase orders, contract transfer documents, petty cash documents, fabrication orders, or engineering change proposals, as applicable. These documents may serve as the population for selection of the sample to be analyzed. Another objective is to determine if acquisitions involve excessive quantities resulting in unnecessary costs and increased storage and handling charges. Examination of the items acquired is necessary to determine if the property is appropriate for direct charge under the contract and reasonably required in the performance of the scope of work. Examination of manufacturing order quantities is also necessary to determine if excessive quantities of parts or assemblies (taking into consideration minimum buys, bulk purchases, mortality, economic order or manufacturing quantities, etc.), were manufactured. Process Segments:

• Acquisition Authority

• Classification of Property

• Requirements Computation

• Ordering Practices

• MILSTRIP Acquisitions

[65]

Process 1: Acquisition Population:

ITEMS: All purchase orders, material requisitions, contract transfer documents, petty cash documents for property to which the Government has title –

TIMEFRAME: Since last PMSA or back one year, whichever is less.

The same population may be used for the first four process segments:

• Acquisition Authority, • Classification of Property, • Requirements Computation, and • Ordering Practices.

[NOTE -- The population for the process segment of MILSTRIP requisitions is different from the population used for the first four process segments.]

Process Segment: Acquisition Authority This process segment focuses on the buying or fabricating or making or transferring Government property. QUESTIONS?

• Are purchasing, material control, and engineering aware of contractual requirements for Government property acquired by the contractor?

• When material is moved between contracts as a cost transfer, e.g. MMAS or credit/debit system, is there adequate documentation?

• Is there documentation of CO consent where required, e.g., special terms and conditions in the contract, purchases over the dollar threshold in Subcontract Clause, FAR 52.244-2, or where there is no approved purchasing system, etc.

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

[66]

Process Segment: Categorization/Classification of Property Population: Use same population AND SAMPLE for this process segment as for the process segment of ACQUISITION AUTHORITY. QUESTIONS:

• Is property properly classified, e.g. Material, Special Tooling, Special Test Equipment, and Real Property, for purposes of acquisition to preclude property being acquired without the proper authorizations, e.g., misclassifying an item as STE instead of Equipment to allow direct charging of the item.

Process Segment: Requirements Computations Population: Use same population AND SAMPLE for this process segment as for the process segment of ACQUISITION AUTHORITY. QUESTIONS:

• Why is the entity/activity buying the item of property? • Is there a need for the property supported by the proper documentation, e.g. Bill

of Material, Material Requirement Lists, Tech drawings, etc? • Where VCSes or ILPS are applied for this process are the criteria set forth in the

VCS/ILP applied through the contractor’s PMS?

Process Segment: Ordering Practices

Population: Use same population AND SAMPLE for this process segment as for the process segment of ACQUISITION AUTHORITY. QUESTIONS:

• On the acquisition document is there the required data: Item name, description, price, quantity, contract #, etc?

• Items and quantities acquired are reasonable and needed? • Is there a balance on hand already? • Is there over acquisition (Buying more than is needed)? • Time frames for ordering are reasonable (What do the PMS procedures say?) • Are modifications to orders controlled so as to not buy stuff the G doesn't need? • How are Purchase Orders controlled and distributed? • Is it adequate?

• Is it in accordance with the PMS? • Where VCSes or ILPS are applied for this process are the criteria set forth in the

VCS/ILP applied through the contractor’s PMS?

[67]

Process Segment: MILSTRIP Requisitions Population: ALL MILSTRIP REQUISITIONS for the past year or since last PMSA whichever is less. QUESTIONS:

• How are requisition documents maintained? • Are the documents properly prepared? (Same data as for other property +

MORE!) • Is the contractor using the correct Fund codes, Priority Designator, Force Activity

Designator as specified in the contract? (See FAR 52.251 and the MILSTRIP MANUAL http://www.dla.mil/j-6/dlmso/eLibrary/Manuals/MILSTRIP/Default.asp.)

• Are emergency priorities used and if so is the use proper, i.e., authorized in the contract?

[68]

Process 2: Receiving Purpose: Receiving Process: The Auditor’s responsibilities, as part of the PMSA or Internal Audit program, include a review of the contractor's receiving system to ensure that the system specifies:

• Physical inspection of the shipping containers for evidence of obvious damage, comparison of incoming receipts with due-in records to determine if the correct item and/or quantity was received, and immediate notification to shipper (driver) of obvious damage disclosed during the initial receiving of Government property.

• Special handling instructions regarding the acceptance inspection and/or test requirements, sensitive property; i.e., precious metals, explosives, corrosive chemicals, etc., and special storage requirements.

Documentation supporting receipt. The Auditor must ensure that procedures require the receiving documents be maintained, distributed, and contain the entries necessary for the protection of the Government's interest. The Auditor should examine receiving reports and the supporting documents such as Government shipping documents (DD Form 1149, "Requisition and Invoice/Shipping Document"; DD Form 250, "Material Inspection and Receiving Report"; DD Form 1348-1, "DoD Single Line Item Release/Receipt Document"; and MCA reports). The population may be obtained from the contractor’s receiving log, MCA reports for GFM, and even fabrication records if the property IF the property is entered into the contractor’s PMS through receiving, where applicable. Process Segments:

• Receiving Process

• Discrepancies Incident to Shipment

[69]

Process Segment: Receiving Process

Population: All receiving reports generated for one year or since the last PMSA, whichever is less. (NOTE: Care should be taken as to how property fabricated in-house is input/received into the contractor's PMS.) QUESTIONS:

• Is the property promptly examined upon arrival to verify quantity received against shipping document, condition upon receipt against shipping document and other transit-related discrepancies?

• Timeframes for "Prompt" action as specified in PMS. [Judgment] Carrier's signature obtained, where applicable?

• Is the receiving report (RR) promptly prepared (TIMEFRAME IN PMS)? • Does the receiving report have the required data? • Reconciliation (How is the RR compared against the requisition, PO, etc? • Are RR distributed as specified in PMS? • Are items protected during the receiving process? • Are there any reusable containers involved? • Are the reusable containers properly controlled? • Where VCSes or ILPS are applied for this process are the criteria set forth in the

VCS/ILP applied through the contractor’s PMS?

Process Segment: Discrepancies Incident to Shipment Population: All contractor records indicating discrepancies incident to shipment. In addition, Government prepared documentation such as an SF 361 "Transportation Discrepancy report" or an SF 364 "Report of Discrepancy" may be other sources to use as part of the population.

REAL WORLD WARNING AND RISK!!! The contractor is not responsible for preparing the SF 361/364. Rather the contractor is

only required to REPORT the discrepancy to the Government. The PA or other government employee (Transportation or quality Assurance) may be responsible for

preparing the SFs. Therefore, using these documents may not provide a good “fit” for the population.

QUESTIONS:

• How does the contractor handle misdirected shipments? • Are misdirected shipments adequately segregated? • What caused the discrepancy? • Was it investigated and documented? • Did the contractor report the discrepancy to the PA in the time period set forth in

the PMS?

[70]

Process 3: Identification Purpose: The Auditor is responsible for ensuring that the contractor has established proper procedures for the identification, marking, and recording of Government property upon receipt or fabrication. The basic objective is to determine the effectiveness of the contractor's system in identifying Government property. A thorough analysis would validate that the assigned numbers are recorded on all applicable documents, as well as marked on the particular pieces of property. Testing of this process may be accomplished during the testing of other process segments. Process Segment:

• Identification Process Population 1: You may use the same population as for the Receiving Process Segment. That is, all receiving reports generated for one year or since the last PMSA, whichever is less. (Again NOTE: Care should be taken as to how property fabricated in-house is input/received into the contractor's PMS.) WARNING!!! A drawback to this approach is that not all items may have gone through the full receiving and inspection process. Therefore, some items may NOT have had labels, tags, bar codes, etc., affixed to the items. Population 2: Another possible population would be to use the same population as used for testing the process of records. By using this population you ensure testing ALL property, both old and new items, to ensure that identification is applied and continues to be applied, i.e., that for “old” pieces of property the identification tag or label has not fallen off and not been replaced. QUESTIONS:

• Has the item had the proper form of identification applied? • Is the form of identification as specified in the PMS? • Where VCSes or ILPS are applied for this process are the criteria set forth in the

VCS/ILP applied through the contractor’s PMS? NOTE – Care should be taken when dealing with the IUID Requirements. These are NOT driven by the GP Clause rather there are separate clausal requirements for this application!

[71]

Process 4: Records Purpose: The Auditor is responsible for ensuring that the contractor has established proper records for all Government property. The basic objective is to determine the effectiveness of the contractor's system of records for accountability of Government property in accordance with the GP clause of FAR 52.245-1(f)(1). In conducting reviews of the records process, the Auditor should examine the contractor's STEWARDSHIP records and support documentation by physical verification. The following guidance is provided to aid the Auditor in selecting appropriate documents for establishing a population and selecting samples: a. The population for the process of records may be obtained from the following: stock records (whether manual or automated, for all classes of Government property, except for material accountable under a receipt and issue system), historical records, fabrication records, custodial records, warranty item records, and scrap and salvage records. NOTE: ALL Government property MUST HAVE A RECORD. The depth and detail on the record is subject to variability based upon: i. The PA’s approval of any deviation to the record keeping requirements (Which is NOT a formal FAR Deviation but allows judgment on the part of the PA) and/or ii. The VCSes and ILPs adopted by the contractor. Note – even if a VCS allows deviation to the record keeping requirement it must be approved by the PA. b. Samples from these populations shall be reviewed for proper postings of receipts, issues, returns, inventories, adjustments, and disposition, in an accurate, complete and timely fashion. Documentation should be available to support all entries. These support documents may consist of receiving reports, requisition slips, issue documents, inventory adjustment vouchers, transfer documents, shipping documents, etc. Verification of the actual physical property (location, description, quantity, etc.) is required as part of this review. In addition to the records to property review, the Auditor shall perform a property to records review to ensure that records have been established and the locator system is adequate. Process Segments:

• Records of All Government Property • Receipt and Issue System for Government Material • Material Management Accounting System (MMAS) Records

• Property to Records Reviews

[72]

Process Segment: Records of All Government Property POPULATION: All property records, e.g. inventory control records, tool crib records, equipment records, real property records, etc. NOTE: This process segment is often done erroneously through the breakdown of the population by type/classification of property. Remember that one of the premises behind inferential statistics is common characteristics. Since all of the record requirements for Government Property are the same for all classes of Government Property -- this could be done as ONE POPULATION. Your population should be as large as possible. Therefore, all types of property have the same RECORD KEEPING requirements and under this rule the property may be considered ONE POPULATION. So the first part of the population should consist of the ACTIVE PROPERTY RECORDS. In addition, the population must take into consideration all property records CLOSED since the last PMSA so as to be able to answer the criterion addressing closed records. As more and more contractors are using automated systems, some even commercial off the shelf (COTS), the generation of reports to provide these listings is far simpler than years ago when manual records were the norm. QUESTIONS:

• Do the KTR.'s records comply with the FAR GP Clause record keeping requirements, FAR 52.245-1(f)(1)(iii)?

• Is the support documentation available for record posting, e.g. Receipts, Issues to the Floor, Credits slips, etc? Are they accurate and complete?

• Are transactions PROMPTLY posted? • What is the timeframe specified in the Ktr.'s PMS for this action? • Do they comply with this timeframe?

• Are records established for assets that did not enter the system through the normal receiving process, e.g., ST fabricated in-house, fabricated parts, cannibalized unit parts, hand carried items?

• Is the record closed by proper posting entry? (NOTE: As this population does not focus on closeout the majority of records will still be in active status. Therefore, it is important to properly frame the population.)

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

[73]

Process Segment: Receipt and Issue System for Government Material Population: A different population is applicable for this process segment. Notice first that this record keeping system applies ONLY TO MATERIAL! A “receipt and issue system” (R&I) allows the contractor to maintain a file of appropriately cross-referenced documents evidencing receipt, issue and use (Really CONSUMPTION) of material. Generally speaking an R&I System is maintained OUTSIDE of the normal property record keeping process – though numerous Commercial Off The shelf (COTS) Property Management Systems have an R&I Module. Therefore, my population for this process segment would be all "Receipt and Issue" documents maintained by the Kr. in accordance with the PMS including those closed since the last PMSA or one year, whichever is less. QUESTIONS:

• Under receipt and Issue records is there a file of appropriately cross referenced documents to support the acquisition and consumption/use of this property?

• Is property under the R&I System consumed “IMMEDIATELY” as defined by the contractor and approved by the PA?

• If material is not consumed immediately, is there a periodic review to ensure that the property is returned to the stock room with a record established?

Process Segment: Material Management Accounting System (MMAS) Population: A different population is applicable for this process segment. Notice first that this applies ONLY to MATERIAL – but EXCLUDES Government FURNISHED Material. Second, the ACO is the team lead for performing this review though he/she may request the assistance of DCAA, other government specialists as well as the PA. Contractors are ALREADY REQUIRED to perform a SELF ASSESSMENT of the MMAS as directed by the MMAS Clause DFARS 252.242-7004. I have included a series of Criteria under our POTENTIAL AUDIT CRITERIA for this Process Segment. NOTE # 1 – GOVERNMENT PA TAKE NOTE -- A Review of the MMAS standards, as set forth in DFARS 252.242-7004 is NOT performed other than at the request of the ACO. NOTE # 2 – ALL AUDITORS TAKE NOTE -- There are a number of “standards” that were established under the MMAS, one for Record Accuracy and one for Physical Inventory accuracy. As a contractual requirement of DFARS 252.242-7004 Contractors SHALL use the standards/requirements set forth in the clause unless a VCS or ILP requires a HIGHER standard.

[74]

Property to Record Reviews: In addition to the normal "record to property" analysis it is recommended that the auditor performs a "property to record" review. This entails the random selection of property from the floor then being traced back to the record to assure that a record has been generated or is being maintained. If the Auditor plans to use statistical sampling, and the commensurate 90 % acceptance and rejection rates it is important that the Auditor be aware that the selection of the property from the floor be random. True randomness cannot be achieved simply by walking around (perambulating) the factory/plant and saying "I'll take that one, and that one, and that one." It may sound random but the statisticians would dispute this claim. Rather a random plan must be generated before the selection process starts. A simple technique or plan to assure randomness is to use the same sample size determined under the Process Segment of "All Records of Government Property" and prior to reviewing these items, determine that you will select either the item above, below, to the left or to the right of the sampled item as your "property to record" sample. This way you remove the possible accusation of selecting a BIASED sample. If the Auditor chooses to do a judgment sample for this process analysis he/she must be aware that the results from this review would NOT be generalizable to the larger population from which selected. Any discrepancies/deficiencies would be isolated in nature. You could ask the contractor to correct those uncovered discrepancies BUT you could NOT ask for a corrective action plan as the discrepancies are not generalizable to the population from which they were selected. [Remember, you chose the judgment sample! You could have used statistical analysis.] "Wait a minute! I found a bunch of errors. And you're saying this is not a systemic problem?" "That's right!" You may think it is systemic, but you could not statistically PROVE that point as you did not use random sampling. Using a judgment sample, you might think you have a systemic defect but statistically you CANNOT make that statement!

[75]

Process 5: Physical Inventory Purpose: The Auditor is responsible for ensuring that the contractor has scheduled and performed physical inventories of Government property in accordance with the contractor's approved PMS. The basic objective is to determine the effectiveness of the physical inventory process about physically locating and counting Government property, comparing the results to the records, posting the findings and adjustments, and reporting the adjustments to the PA. Process Segments:

• Performance

• Recording

• Material Records Adjustments

• Reporting of Inventory Findings Population: The Auditor has the option of performing the PMSA of the contractor's physical inventories either during the performance of the inventory or subsequent to its completion. In either case, the tests shall evidence physical counts of selected items, verification of the entries on count slips, comparisons with records, preparation of documents necessary for any adjustments required, approval of adjustments, and the referral of lists of all recorded adjustments to the PA. Populations and their respective samples may be drawn from physical inventory documentation such as count slips, inventory tickets, computer printouts, or similar items. Subjective evaluations may include a review of the techniques employed by the contractor to accomplish the physical inventory; e.g., ensuring the inventory was accomplished and completed as scheduled, ensuring the inventory was not performed by the individual(s) responsible for keeping the records, and inventories are performed at contract completion, when required.

[76]

Process Segment: Performance Population: Populations may be arrived at using a variety of techniques. One method, for contractors with limited amounts of Government property who use a wall-to-wall inventory would be to use the entire physical inventory listing compiled through the accomplishment of the physical inventory. This may be in the form of a computer printout, in the case of an automated system, or the actual count sheets in a manual system. Another method may be used when a cyclic physical inventory is performed. This involves the selection of a sample from the items completed during that cycle, e.g., those items counted in a one month period, etc., rather than waiting for the entire physical inventory to be completed. QUESTIONS:

• What process is the contractor using for performing the required physical Inventories? Cyclical, stratified, Inventory by Exception, etc.

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Are the physical Inventories performed in accordance with the schedules and procedures (PMS) approved by the PA?

• Review submission letters for statement of dates performed, when applicable. • Who performed the inventory? How do you know who performed the inventory? • What procedures does the contractor have for performing physical inventories

upon contract completion or termination? • Have these procedures been used during the past PMSA cycle? Has the

Government PA, waived these requirements for transferred items? • Has the property, during the course of the physical inventory (including inventory

by exception) been sighted and counted, either manually or electronically? • Is there documentation or data to support this? • Was the count accurate?

[77]

Process Segment: Recording Population: The same population(s) may be used for performing this Process Segment as for the Process Segment of PERFORMANCE. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Was the inventory posted to accountable record within a reasonable period of time in accordance with the contractor's PMS?

• What is the time frame specified within the contractor's PMS? NOTE: In the case of automated systems this may be immediate or done as a down load to a mainframe or desktop PC.

• In a manual system, were the quantities on the record the same as the quantities on the count slips?

• Were the entries specified as the periodic physical inventory? Process Segment: Material Records Adjustments

Population: The documentation may consist of the contractor's required listing of all discrepancies reported to the PA. From this listing all reports of MATERIAL adjustments should be used as the population from which to select a sample. In a cyclic or inventory by exception basis, only those items reported discrepant during the specified period of counting, issuing, maintaining, etc will be used as the population. These discrepancies need to be evaluated from the standpoint of prompt and timely posting to the accountable records as well as reasonableness. QUESTIONS:

• Were the material adjustments posted to the stewardship records? [NOTE: Many PAs make the mistake of believing that they must approve the adjustments prior to the contractor posting the results. This is incorrect in that the PA is only involved from a liability standpoint and therefore his/her decision has no impact or role in regard to the actual physical count that the contractor made.]

• Were the material adjustments PROMPTLY posted to the accountable records? • What is the timeframe for posting specified in the contractor's PMS? • Were these entries clearly identified as inventory adjustments on the

accountable record?

[78]

Process Segment: Reporting Inventory Results Population: The documentation may consist of the contractor's required reporting of all discrepancies reported to the PA and, where requested, to the Contracting Officer. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Were the results of the physical inventory submitted to the PA in the time stated in the contractor's PMS?

• If the contractor did not report as stated in its PMS was a delay authorized by the PA?

Property to Record Reviews (REDUX) In addition to the normal record to property analysis it is STRONGLY SUGGESTED that the Auditor perform a property to record review. This entails the random selection of property from the floor with the property then being traced back to the record to assure that a record has been generated or is being maintained. It is important that the Auditor be aware that the selection of the property from the floor be random. A simple technique to ensure randomness is to use the same sample sizes determined under the Process Segment of "All Records of Government Property" and prior to reviewing these items, determine that you will select either the item above, below, to the left or to the right of the sampled item as your property to record sample. This way you remove the possible accusation of selecting a biased sample. The main concern in this Process is to assure that all property was physically inventoried. The Auditor shall select a random sample of the same size as the sample selected for either performance or recording. A random selecting of the property on the floor must be chosen as described above and then verified to see if this property was physically inventoried and posted to the records! The purpose of this property to records review is to assure that all property was in fact inventoried. Reason: Only the property actually counted will show up on the reports -- there may have been some property "missed."

[79]

Process 6: Subcontractor Control Testing Subcontract Control. The Auditor is responsible for ensuring that the prime contractor has established adequate control over its subcontractors who have been provided Government property. This may take place either through the prime contractor performing surveillance of its subcontractors or through the prime contractor electing to rely upon the Government's surveillance through the operation of a support property administration delegation. The Auditor should be aware of all subcontracts, purchase orders, Interdivisional work authorization (IDWAs), Interorganizational transfers (IOTs), etc., that contain or provide Government property to a subcontractor. The population for analysis may be predicated on these documents. Areas within the subcontract process that are of critical concern are:

a. The flowdown of proper clauses and provisions; e.g., the requirements of the GP Clause FAR 52.245-1, the proper liability provisions -- either the FULL risk of loss or the LIMITED risk of loss requirements depending upon the type of contract, listings of GFP, etc.

b. The adequacy of the contractor's system of surveillance incorporated in its PMS and applied throughout the life of the subcontract, etc.

Process Segment: Prime Contractor Responsibilities Population: I want to look at all purchase orders, subcontracts, IDWAs, IOTs, etc., regardless of when they were issued that have GP furnished to the subcontractor or authorize that subcontractor to acquire GP, that are still active as well as those that have been closed since the last PMSA. (Notice, no one year time frame here.) QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Does the PO have all of the required data: Listing of Property as well as flowdown of contractual requirements?

• Are these flowdown provisions accurate and correct? • How does the prime perform surveillance over the subs? • Is the surveillance adequate? • What documentation do you have that it is adequate? • Have there been any reports of L,T,D or D from/at a sub? • Have they been handled in accordance with the approved PMS? • Is the process described in the PMS adequate? • Does the subcontract specify property disposal directions and timeframes? • Do these timeframes allow compliance with the timeframes set forth in FAR

52.245-1(j)?

[80]

Process 7: Reports Testing Reports Preparation. The Auditor is responsible for ensuring that the contractor has established a proper method of creating, preparing and submission of reports that reflect the status of Government property, as required by contract or regulation. The basic objective is to determine the accuracy, completeness, and timeliness of submission. Evaluation may include reviewing such reports as the NASA 1018, AF G009, Physical Inventory results, Reports of Discrepancies and other reports as required by contract terms and requirements. Process Segments:

• Accuracy and Completeness

• Report Submission

Process Segment: Accuracy and Completeness This process focuses on the procedures that the contractor has established for the collection of data used in submitting the various reports that are contractually required. In this Process Segment the Auditor should review for coverage in the contractor's property control procedures and the supporting documentation. Population: The population for this Process Segment consists of the contractor property control procedures and the documents that support the procedures for the contractually required reports, including but not limited to: NASA form 1018, AF GOO9 and DO34s, Physical Inventory results, Reports of Discrepancies etc., back one year or to the performance of the last PMSA. NOTE: There is an inherent weakness to this population in that you will not see any reports that were NOT submitted – thereby potentially rendering an incorrect evaluation. Auditors need to be knowledgeable of ALL of the CONTRACTUALLY required reports to ensure proper reporting QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Is there a responsible office/job title assigned the process to compile the necessary data and submit the reports within the Contractor's PMS and the commensurate procedures?

• Has this office/individual followed the approved PMS? • Are the Sources of data clearly established in the contractor's PMS? • Are these sources accurate/complete and how can these be verified (Is your

decision based upon the status of the other processes of the PMSA? If so, were any other processes rated unsatisfactory that impact or affect the records used in compiling this data?)

• Does the contractor have an internal system to verify the report's accuracy?

[81]

Process Segment: Report Submission This process focuses on the actual submission of reports. Population: This population should consist of all contractually required reports submitted during the period dating back one year or to the last system audit. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Was there adequate lead time allowed in the contractor's PMS for the collection of data?

• Were the reports distributed/submitted as specified in the contractor's PMS? • Were the reports submitted by the contractually specified date(s)?

NOTE – I HAVE NOT DISCUSSED REPORTING LTD&D UNDER THIS HEADING AS IT FITS BETTER UNDER THE RELIEF OF RESPONSIBILITY//LIABILITY PROCESS

HEADING. SEE PROCESS 9 ON THE NEXT PAGE!

[82]

Process 8: Relief of Stewardship Responsibility/LIABILITY CRITICAL NOTE: If you were to carefully review the language under FAR 52.245-1(f)(1)(vii) entitled Relief of stewardship responsibility, you will find that it is NOT a process statement with an outcome. It states,

“the Contractor shall be relieved of stewardship responsibility for Government property when such property is—

(A) Consumed or expended, reasonably and properly, or otherwise accounted for, in the performance of the contract, including reasonable inventory adjustments of material as determined by the Property Administrator; or a Property Administrator granted relief of responsibility for loss, damage, destruction or theft of Government property;

(B) Delivered or shipped from the Contractor’s plant, under Government instructions, except when shipment is to a subcontractor or other location of the Contractor; or

(C) Disposed of in accordance with paragraphs (j) and (k) of this clause. Rather it is a description of WHEN the contractor s granted relief of responsibility. This may happen through the contractor:

Consuming Material Inventory Adjustments (Via a Physical Inventory) LTD&D actions by the PA granting relief and Shipment (Except to a Subcontractor) and/or Proper disposal.

As such it would be very difficult to define a population to assess this “outcome.” Rather, each of these ACTIONS that lead to relief are covered under OTHER processes. For example – proper consumption of material is covered under the process of Consumption, Inventory adjustments are covered under the process of Physical Inventory, Disposal is covered under – well – disposal, and shipment may be covered under Movement. The only one NOT covered would be the PROCESS of Liability – or the actions involved with a liability case. Since it is NOT a process statement with an outcome, I have taken the liberty of converting this to address the issue of LIABILITY – one of the methods by which a contractor may obtain relief of responsibility.

[83]

Process Segment: Reporting L,T,D and D This process focuses on the reporting of instances of L,T, D and D. Population: All reported instances of L,T,D and D submitted during the period dating back one year or to the last system audit.. Note - you may also use all cases on the Liability Register, maintained by the PA, since last PMSA, or one year, whichever is less. In addition, a purposive sample may be drawn from the records to see if there were any cases of L,T,D and D NOT reported. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Does the contractor promptly report all L,T,D and D? • Do the timeframes for reporting agree - Timeframe for reporting set forth in

Contractor's PMS versus actual time it took to report L,T,D and D? • Does the contractor furnish all data as required by the Government property

clauses? • Are corrective action plans instituted where necessary to preclude reoccurrence

of the incident(s) of L,T, D&D? • Where the contractor is granted relief of responsibility by the PA are the

contractor’s records adjusted to reflex this action. • Where the contractor is held liable by the Contracting Officer Administering

(ACO) the contract are funds forwarded to the ACO?

[84]

THE PROCESS OF UTILIZING GOVERNMENT PROPERTY As we discussed earlier the process of utilizing GP is really FOUR SEPARATE AND DISTINCT PROCESSES. Though for listing in the FAR GP clause they are all subsumed under one process – in point of fact for AUDITING they need to be segregated in their own respective processes. That being: USE CONSUMPTION STORAGE and MOVEMENT. With that said – let us discuss each of THESE PROCESSES!

UTILIZING

USE CONSUME STORE MOVE

DEFINE THESE POPULATIONS

Can I use ONE population to test all four SUB-PROCESSES?

Should I use FOUR populations to test all four SUB-PROCESSES?

CAREFUL – it may not be as intuitive as you think!

[85]

Process 9: Utilization Purpose: Testing Utilization. The Auditor is responsible for ensuring that the contractor has used Government property in accordance with contractual authorization and the contractor's approved PMS. The basic objective is to determine if the contractor is using the Government property for the purposes and time authorized. The population should be selected from all Government property records (excluding material), and either grouped together as one population or stratified by property type with common utilization characteristics. For example, ST and STE may be grouped as one population for sampling purposes while equipment may be grouped as another. The Auditor must use sound judgment in determining the groupings selected for testing the utilization process. The Auditor should be particularly concerned with any unauthorized use, use in excess of allowable time on non-Government work, proper recording of actual use, and failure to maintain the required utilization records.

a. The contractor should use Equipment, STE, and ST only as authorized in their contracts, and have a system to determine if this property is excess to the contractor's needs. [NOTE – MATERIAL is Consumed – that is why it is not discussed under Utilization.] There must be a contractual requirement for each item in the possession of the contractor. The Auditor should perform utilization evaluations to ensure the proper utilization and declaration of excess. Auditors should be aware that the utilization levels of these items may be affected by the purpose of the contract (overhaul and maintenance versus production), the type of testing the item was used for (continuous versus final acceptance), and lastly the reason the property was provided; e.g., as a model or for configuration standards.

b. The Auditor should be concerned with the authorized limits of non-Government usage as approved by the CO. In addition, the Auditor should be aware that non-Government use that exceeds 25% of the time available for use requires advance approval of the head of the agency. c. The Auditor should conduct reviews as part of the PMSA program of vehicular equipment provided to the contractor in support of contract performance. Such reviews should be made to ensure that Government-owned vehicular equipment is in an economical operating condition and is still justified for retention by the contractor, and meets the requirements of DoD 4500.36-R, Management, Acquisition, and Use of Motor Vehicles. Process Segments:

• Authorized Use

• Identification of Excess

[86]

Process Segment: Authorized Use Population: You want to look at the ACTIVE usage/utilization records for all non-consumable types of property. What are they? EQUIPMENT, ST, STE, and REAL PROPERTY. This would also include all property records CLOSED since the last PMSA or one year whichever is less. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Is the property being properly used? • Is it being used only on those contracts that authorize its use? • Compare the contract # on which used to the contract # recorded on the usage

record. • Is the amount of utilization within the allowable limits?

Process Segment: Identification of Excess

Population: The same as for the Process area of AUTHORIZED USE. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• How much is the contractor using the non-consumable property? • Is it sufficient to warrant retention of the property in their possession? • How much use is sufficient? • Has the contractor established a minimum level of usage which would justify the

item being declared excess? • Does the contractor have a mechanism built into their PMS to screen for property

that is excess/no longer needed by the contractor? • Does the contractor follow this procedure?

[87]

Process 10: Consumption Purpose: The purpose of consumption analyses is to determine that materials are consumed commensurate with contract requirements, with reasonable allowances for scrap and spoilage and not diverted to other work. The Auditor shall evaluate consumption consistent with the contractor's environment, be that production; overhaul, modification, and repair; or research and development (R&D). Consumption may be tested using the Consumption Analysis Worksheet included in the DoD Property Manual, or automated equivalent. Reasonableness of consumption in an R&D environment requires a somewhat different approach since bills of material are not normally available. The quantity issued for use must be determined by examining the issue or movement documentation. The decision on whether the consumption was reasonable depends primarily on judgment supported by sufficient investigation to reach a decision. When the quantity issued is relatively small, indicating immediate use, and then there is little possibility of unreasonable consumption. However, where a larger quantity is issued, the possibility of unreasonable consumption may exist. Additional discussion with Government or Contractor technical personnel may be used to confirm the conclusions. The adequacy of the physical controls should also be considered as this is a factor that may have a bearing on the possibility of unauthorized use or pilferage. A consumption analysis should be performed outside of the system analysis when the Auditor has identified symptoms of unreasonable consumption. These conditions are most readily visible when it is determined that the contractor has exhausted the stock of materials before contract completion or has acquired quantities that exceed planned material requirements. When these conditions are identified, consumption analyses should quantify the extent of the problem and identify causal factors. When the analysis discloses consumption of Government material that is considered unreasonable by the Auditor, action shall be initiated to determine the liability of the contractor for the unreasonable consumption. The Consumption Analysis Worksheet has been developed to be used as a tool in performing these analyses. The worksheet format provides latitude to the user, and all elements do not apply to all materials being reviewed. The format may be adapted by the Auditor for analyses on R & D, production, or overhaul and repair contracts. Consumption analysis reviews can be extremely complicated and the format may require modification to address certain conditions. As such, the use of the Consumption Analysis Worksheet is a good tool, but other techniques may be applied when required.

[88]

Process Segments:

• Reasonableness of Consumption

• Identification of Excess

Process Segments: Reasonableness of Consumption This process focuses on the proper consumption of those consumable items -- material. Population: The population for this Process Segment consists of the records of material. This includes those ACTIVE records currently in use AND those records from contracts CLOSED since the last PMSA or one year, whichever is less. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Are the materials consumed only as contractually authorized? • In other words, were the items issued to the proper accountable contract?

• Are the quantities consumed reasonable when compared to bill of material, material requirement list, etc?

• Is there an issue document? • Is it accurate and timely (as specified in the contractor's PMS)?

• Is there a (First In First Out) FIFO system for age sensitive property? • Is it being used?

• Have there been any reports by the contractor of over consumption?

[89]

Process Segment: Identification of Excess This process focuses on the issue of excess that has been declared excess or is in the contractor's possession that needs to be declared excess. Population: This population should consist of the same as previous Process Segment. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• If there is a balance on hand for the property is its continued retention justified? • How is continued retention justified?

• Contractual authorization, additional quantities of the end item left to be delivered, etc?

• Is there a timeframe specified in the contractor's PMS for when an item is excess on the floor?

• Do using areas identify excess, in accordance with this timeframe, and promptly return those items to the appropriate stores?

• Does the contractor's PMS have a mechanism to screen for excess due to engineering changes, contract modifications, etc?

• Does the contractor's PMS have a mechanism to screen for excess due to bulk purchases or min for max buys?

• Does the contractor promptly identify excess to the Government for disposal purposes?

Auditors may use the "Consumption analysis worksheet and instructions." THIS WORKSHEET IS NOT MANDATORY! It may be modified or altered depending upon the environment the Auditor is working in OR an alternate methodology may be used by the Auditor. This alternate methodology must protect the Government's interest and provide a clear analysis of the actual consumption of the material.

[90]

APPENDIX D CONSUMPTION ANALYSIS WORKSHEET AND INSTRUCTIONS CONTRACT NUMBER: ______________________ ASSEMBLY AND/OR PART NUMBER: _____________________________________ NOMENCLATURE: ___________________________ SECTION A - PLANNED MATERIAL REQUIREMENTS 1. Quantity of Part Number Required Per the Next Higher Assembly ______* 2. Quantity of the Next Higher Assembly Required by the Contract: _______ (Use best estimate and/or Material Requirements List (MRL) for overhaul and repair contracts) 3. Determine the Net Quantity Required (Line 1 X Line 2) ______* 4. Planned Mortality and/or Scrap and/or Attrition and/or Usage Variance Factor (Percent) _____%* 5. Projected Mortality Quantity (Line 3 x Line 4) ______* 6. Total Projected Requirements (Line 3 + Line 5 for production contracts) _______ (Use historical data, if available, for overhaul and repair contracts when a bill of material or MRL is not available.) * Items 1, 3, 4, 5, & 17 MAY NOT BE APPLICABLE TO OVERHAUL AND/OR REPAIR CONTRACTS WHEN A BILL OF MATERIALS OR MRL IS NOT AVAILABLE.

[91]

SECTION B - QUANTITY ACQUIRED 7. Quantity Received or Transferred for Use on Contract _______ 8. Quantity on Order Due In _______ 9. Quantity Projected for Future Acquisition Under the Contract _______ 10. Quantity Rejected or Pending Material Review Board _______ 11. Quantity Transferred from Contract _______ 12. Net Quantity Acquired (Lines 7 + 8 + 9 - 10 - 11) _______ SECTION C - CONSUMPTION 13. Quantity Consumed Within the Next Higher Assembly (including scrap) _______ 14. Number of Higher Assemblies Produced and/or Repaired to Date for the Contract _______ 15. Actual Consumption Rate Per Higher Assembly (Line 13 divided by Line 14) _______ SECTION D - EXTENT OF EXCESSIVE ACQUISITION AND/OR CONSUMPTION 16. Projected Requirements for Contract Based on Current _______ Consumption Rate (Line 2 x Line 15) 17. Quantity Authorized by Contract Requirements/Forms, When Applicable __________* * Items 1, 3, 4, 5, & 17 MAY NOT BE APPLICABLE TO OVERHAUL AND/OR REPAIR CONTRACTS WHEN A BILL OF MATERIALS OR MRL IS NOT AVAILABLE. 18. Quantity Acquired That Exceeds Authorization or Projected Requirements (Line 12 - Line 17 for contract requirements/forms) (Line 12 - Line 6 for others; If less than 1, enter N/A) _______ 19. Actual or Projected Excessive Acquisition Due to Variance Between Planned and Actual Consumption (Line 6 - Line 16) (Note: Negative Number Indicates Possible Over Consumption that must be separately explained but not used to compute Line 21) _______ 20. Quantity in Line 18 and 19 which is Justified (Such as inventory losses for which the contractor is not liable) (Provide explanation) ______# Explanation: ______________________________________________ _________________________________________________________ 21. Unjustified Actual or Projected Excessive Acquisition (Line 18 + 19 - 20) _______ 22. Projected Dollar Impact (Line 21 x Unit Price of Item) ______* * PA SHOULD DETERMINE IF # ITEM 20 AMOUNT IS THE RESULT OF PUSHED GFM IN EXCESS OF QUANTITIES AUTHORIZED BY CONTRACT REQUIREMENTS/FORM. _________________________________ ________________________ SIGNATURE OF EVALUATOR DATE

[92]

INSTRUCTIONS FOR USING THE CONSUMPTION ANALYSIS WORKSHEET 1. The Consumption Analysis Worksheet is intended to provide a standardized technique for determining the reasonableness of consumption of Government Furnished Materials (GFM) and Contractor Acquired Materials (CAM) that are subject to a Government property clause. 2. It is recognized that consumption analyses are more effective on production contracts where the consumption rates are projected and can be analyzed. For example, on research and development (R&D) contracts, consumption analyses are often highly subjective since material requirements are primarily developed based on engineering estimates. On overhaul and repair (O&R) contracts, materials are consumed as needed, thus making the materials requirements planning process susceptible to error. The consumption analysis worksheet is based on data generally available and required for production contracts. Several data elements do not apply or must be subjectively developed for non-production effort. 3. The worksheet will identify and document cases in which quantities of GFM and CAM have been acquired in excess of contractual authorization and reasonableness. In addition, the worksheet identifies variances in consumption rates for both GFM and CAM that could indicate either excessive acquisition or consumption. Obviously, the ultimate determination of over consumption is consumption of all planned materials before completion of contract effort. Similarly, the extent of possible over acquisition is difficult to quantify until the contract reaches completion. Analyses are prone to error until accurate consumption rates are determined. Thus, analyses during the start up portion of a contract should be considered to be preliminary, and either proven reasonably accurate with further analysis or possibly inaccurate due to other new or changed factors. 4. Instructions for completion of the worksheet: a. Section A of the worksheet (Planned Material Requirements) is intended to document the quantity of an item of material that the contractor projects will be needed to complete a contract. For production contracts, bills of material are the primary source of information pertaining to requirements planning. For R&D or O&R contracts, estimates should be made based on engineering judgment, material requirements lists, past history, or other available information. Step 1 of the worksheet documents the quantity of the item of material that is planned for incorporation into the next higher assembly. In most cases, this can be based on bill of material data. In the event that an item of material is used on two or more higher assemblies, Sections A and C of the worksheet must be completed for each higher assembly that uses the part on the contract. Step 1 may apply to some non-production contracts based on engineering estimates or past history. Step 2 is the quantity of the next higher assembly required for the contract. Once again, this is most meaningful on production contracts where the manufacturing requirements are fully defined. Engineering estimates or material requirements lists may exist for R&D contracts, and historical data may provide the best source of this information for O&R contracts. Step 3 is simply the multiplication of the quantities from Steps 1 and Step 2 to determine material requirements without consideration of scrap or mortality factors. This step will not apply to all R&D or O&R contracts. Step 4 provides for acquisition of additional materials based on projected scrap factors. These should be developed based on past historical data, when available. The Property Administrator should question scrap factors that appear excessive. This factor should be entered on the form as a percent of net requirements. Step 5 computes the amount of materials that are projected based on the scrap and/or mortality factor from Line 4. This quantity must be added to the net requirements in determining total material requirements.

[93]

Step 6 provides an estimate of total material requirements for the item being reviewed based on quantity required per higher assembly, number of higher assemblies, and projected scrap rates, and is derived from the sum of Items 3 and 5. For R&D or O&R contracts without firm material requirements, the best available estimate of material requirements for the contract should be used. When utilizing a highly subjective number, "est" or “E” should be added to denote the fact. b. Section B of the worksheet (Quantity Acquired) provides a summary of past, present, and projected acquisitions for the item being reviewed. Obviously, excessive acquisition is more readily visible during the latter part of a contract than early in the contract when quantities to be acquired are subject to revision. Step 7 is the quantity of the item being checked that has been received or transferred to the contract from other contracts. Include all quantities, whether ultimately accepted, rejected, or transferred out. Step 8 is the quantity on order that has not yet been received. Step 9 is the quantity planned for future orders to satisfy contract requirements. This is needed to project total acquisitions for the contract. Step 10 provides a means of identifying quantities of an item that are rejected or pending review. This information is especially valuable to highlight quality problems associated with delivery of GFM. If GFM does not meet specifications, then the CO must initiate action to repair or replace the faulty materials. Step 11 shows the quantity of the item transferred from the contract for use on other contracts. This is one obvious method of reducing the impact of acquisitions found to be excessive. If records show large quantities of materials ultimately transferred from the contract, the evaluator should determine the cause for the high rate and ensure that Government contracts are not routinely used as the mechanism to acquire materials actually intended for other contract efforts. Step 12 is the net quantity of materials acquired to date or projected for acquisition against the contract. It is the sum of lines 7, 8, and 9 minus lines 10 and 11. If the quantity acquired exceeds total projected requirements (line 6), then the potential for excessive acquisition exists. However, consumption rates must be considered before making conclusions in this area. c. Section C (Consumption) provides a mechanism for comparison of planned against actual consumption data. This produces a revised projection of material requirements for the contract. Step 13 is the quantity of material consumed within the next higher assembly. This quantity may be available from manufacturing records, or it may be necessary to total the issue documents for the materials being reviewed and reduce this amount by the stock of the materials in the production area that have not been used. Quantity scrapped should be included in this figure. Step 14 is the number of higher assemblies produced or repaired to date for the contract. This data will generally be obtained from production records. Step 15 is the actual consumption rate for the item being checked which is determined by dividing the quantity consumed (line 13) by the number of higher assemblies produced (line 14). Step 16 is a projection of contract requirements based on actual consumption rates. It is computed by multiplying the consumption rate per higher assembly (line 15) by the total number of higher assemblies required for the contract (line 2). If it is significantly different from the original planned requirements (line 6), then the potential for excessive acquisition or over consumption is indicated. d. Section D (Extent of Excessive Acquisition and/or Consumption) is the mechanism for concluding whether or not excessive acquisition or consumption is indicated. Once again, data is more

[94]

conclusive on contracts nearing completion than on contracts starting up. However, the worksheet provides a mechanism for conclusions based on the best available information. Step 17 is included to readily identify quantities of GFM that exceed contractual authorizations. This step is the quantity of the item being checked that is authorized by the DD Form 610 (The Department of Defense Government Furnished Equipment Requirement Schedule). This line obviously does not apply to contractor-acquired materials. Step 18 is a simple comparison of quantities acquired (line 12) against quantities authorized by DD Form 610 (line 17) or against projected requirements for other items (line 6). Obviously, if acquisition exceeds authorization or planned requirements, further explanation is needed. The reasons for these situations need to be fully identified and documented. If neither of these conditions exists, enter "N/A" on line 18. Step 19 compares actual consumption rates against projected rates to identify possible excessive acquisition or over consumption. When reliable consumption rates are available, significant variances between planned and actual consumption rates are indicators of potential for excessive acquisition (positive number in line 19), or for over consumption (negative number in line 19). The contractor should be tracking consumption rates and reducing projected requirements where the planned rates are found to be overstated. If consumption rates are not available so state. This may be the case during the initial part of contract performance. If line 19 is negative, provide a separate explanation of the nature or potential for over consumption and any actions that are required to correct the condition. However, do not use a negative number in Line 19 to compute Line 21. Step 20 provides the evaluator the opportunity to identify mitigating factors and to consider whether the data collected is conclusive or inconclusive. If data is inconclusive, and the contractor is able to justify its position, the evaluator should reduce the quantity of potential over acquisition from lines 18 or 19. If line 19 suggests over consumption (negative value), which the evaluator feels is justified or inconclusive, enter "see remarks" in line 20 and provide a separate explanation. Step 21 summarizes the extent of excessive acquisition that is considered to be conclusive by the evaluator. Step 22 projects the dollar impact of unjustified excessive acquisition.

[95]

Process 11: Movement Testing Movement: The Auditor is responsible for ensuring that the contractor has established a proper method of movement for all Government property. The basic objective is to determine if Government property is moved under the proper authority, with appropriate documentation, adequate protection is provided during movement, location changes are promptly posted to the records, and any losses or damage occurring during movement are promptly reported to the Government.

Process Segment: Material Handling This Process Segment is primarily focusing on the movement and protection while undergoing movement for all Government property in its possession. Population: The population for this process may be drawn from all location change orders or move tickets, custodial transfer documents, maintenance work orders, issue slips, shipping tickets, and other similar documents. As these items are transactional in nature the population's timeframe for sampling should encompass one year or back to the last PMSA whichever is less. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Are the items moved under proper authority? • What documentation supports that movement i.e., move ticket, location change

order, etc? • Were the items moved in accordance with the contractor's PMS? • Were the items moved within the timeframe(s) specified in the contractor's

PMS? • Was there adequate protection provided during the movement? • Was there any damage to the Government Property during this movement that

was or should have been reported to the Government PA?

[96]

Process 12: Storage Purpose: The Auditor is responsible for ensuring that the contractor has established a proper method of storage for all Government property. The basic objective is to determine the effectiveness of the storage process on the control, protection, and preservation of the Government property in storage. This process is normally reviewed by visual inspection of the areas where Government property is stored. Visual inspection of these areas may also be accomplished during the testing of other process segments. Subjective evaluation may include reviewing the housekeeping, access, packaging, and preservation of the Government property located in the storage areas. For example, the storage areas are clean and organized, access is limited to authorized personnel, and items are treated for short term or long term preservation. Objective evaluation may include reviewing the physical security of the Government property located either in inside storage or outside storage, if required. For example, for outside storage of Government property there is adequate lighting, fencing, or control of access to those locations to prevent theft of Government property. In addition, items stored outside are not prone to rust or deterioration and may be better suited to inside storage. Certain types of Government property, such as arms, ammunition, and explosives, may require more stringent storage requirements. Where necessary, the review of these storage areas should be coordinated with the appropriate technical representatives; e.g., Quality Assurance, Safety, or Security. Process Segments:

• Storage Areas

• Special Storage Areas

[97]

Process Segment: Storage Areas Population: The population consists of all areas where property is stored or is located awaiting usage. These areas may consist of the stockrooms including engineering stockrooms, warehouse space, factory locations, tool cribs, outside storage, etc. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Is the general housekeeping of each sample item area reasonable? • Is Government property segregated from contractor property, when required?

(NOTE: Please remember from your basic class the difference between collocation and commingling, as well as the MMAS allowance of commingling.)

• Is there adequate/reasonable physical security provided for assets? • If no, why and what are or should be the protective measures?

• Is access to the Government property limited to authorized personnel, when necessary?

• Are assets properly packaged and preserved, when required e.g., special tooling stored for an extended period?

Process Segment: Special Storage Areas

Population: The population should consist of all areas that are used for the storage of Government property needing/requiring special controls. This would include arms, ammunition and explosives (A,A&E) as well as property that may carry a classified designation. In addition, when APP contractually requires special storage due to its nature special storage may be required. This process segment may require interaction with the quality assurance representative, the Defense Investigative Service (for A,A&E), etc. In addition, there may be other regulations and manuals contractually required of the contractor, e.g., Physical Security of Sensitive Conventional Arms, Ammunition and Explosives, DoD 5100.76-M QUESTIONS:

• SEE APPENDIX 2 of the Physical Security of Sensitive Conventional Arms, Ammunition and Explosives, DoD 5100.76-M, for requirements applicable to contractors.

• Is the contractually required security and protection, e.g., bunkers, blast walls, controlled access, and provided this property?

• Are the other required controls, where applicable, properly imposed upon the property?

•

[98]

Process 13: Maintenance Testing Maintenance. The Auditor is responsible for ensuring that the contractor has established a proper method of maintaining Government property. All property shall be reviewed to ensure that all required maintenance is scheduled and performed. The population for analysis may be selected from all items that require maintenance as part of their normal operation or stratified by property type requiring varying levels of maintenance actions. Maintenance actions and records shall be reviewed to determine that they have been performed and recorded in accordance with the maintenance portion of the contractor's approved PMS. Also, maintenance and repair records shall be analyzed to determine the cause of breakdown to ascertain the possibility of inadequate preventive or routine maintenance. If the Auditor is not technically qualified in the area, this process may be reviewed by technical specialists other than the Auditor, e.g., the Quality Assurance or an Engineering Representative. Process Segments:

• Preventative Maintenance

• Capital Type Rehabilitation

Process Segment: Preventative Maintenance Population: You want to look at the records for all types of property that require maintenance. Equipment, ST, STE, and Real Property. This would also include all property records closed since the last PMSA or one year whichever is less. Again, as in utilization, this process segment may be performed by another specialist, in this case - the Quality Assurance Representative (QAR) . If such is the case you, as the Auditor, are still responsible for the data that the QAR puts into his/her report as the total PMSA is your responsibility. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the

VCS/ILP applied through the contractor’s PMS? • Does the contractor have a maintenance plan as part of its approved PMS? • Does the contractor have the appropriate technical publications, when

applicable? • Is the item scheduled for periodic maintenance [Generally for equipment)? • Is inspection/periodic maintenance performed as specified in the PMS?

(Compare date scheduled with date performed.) • Does the contractor promptly and properly record the maintenance that has been

performed?

[99]

Process Segment: Capital Type Rehabilitation (CTR) POPULATION: Equipment and real property are usually the only items that require CTR. Therefore your population has some delimiting factors. Only Equipment and RP would make up your population. To further delimit your population you could select only those items that had had CTR during the period since the last PMSA or one year, whichever is less. [NOTE: This MAY leave you with NO population to sample.] Notice we started with a non-transactional population in this process segment and converted it into a transactional population through the combining of two methods of selecting a population - type of property and timeframe, thereby downsizing the population. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Does the contractor have a mechanism in the PMS for disclosing the need for CTR?

• Is this inspection performed? • Is there documentation to prove this inspection? • Where CTR is done has authorization been granted by the CO? • Was the CTR actually done? • Was it done on a timely basis as defined in the contractor's PMS?

[100]

Process 14 Disposition Testing Disposition

a. The Auditor is responsible for determining if the contractor has a system for disclosure of excess Government property and effecting its timely disposition. The basic objective is to determine the effectiveness of the disposition process on screening, identifying, submitting inventory schedules to the proper Government representatives, obtaining the proper authority for disposal of excess Government property, and reviewing the disposal of Government property under an approved scrap procedure.

b. PCARSS should make the compiling of a listing of these

actions/documents much easier on the contractor, the PA, the PLCO and the Auditor.

c. This process is normally reviewed by selecting as a population all disposal records including plant clearance cases, transfers, scrap tickets, GFM return documents, and other appropriate documents. These records should include a file containing proof of in-house screening and a copy of the inventory schedule or other appropriate documents. In addition, the contractor's records shall have written authority for disposal and a copy of the disposal document to provide a complete audit trail. When appropriate, the Auditor should ensure that the contractor has a system for properly crediting the Government with the proceeds realized from the sales of assets. When all property has been dispositioned through plant clearance, the Auditor may select samples from inventory schedules or other plant clearance documentation for this analysis. However, when multiple disposition methods are utilized; i.e., transfers, returns to supply sources, plant clearance, etc., the Auditor should select samples from inventory records reflecting disposition to determine that all actions taken were properly authorized. This analysis is appropriate in conjunction with the contract closure task. If the disposal action was unauthorized, the contractor should investigate and report the incident for determination of liability or other remedy before relief of responsibility.

[101]

Process Segments:

• Disclosure of Excess

• Disposal

• Approved Scrap Procedure

Process Segment: Disclosure of Excess Population: We want to look at all plant clearance cases, closed and open, since the last PMSA or one year, whichever is less as well as all other declaration of excess documents, e.g., reports of excess, periodic screening lists generated by the contractor, etc. Weakness: Not everything dispositioned or disposed of may have gone through the Plant Clearance process. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Has the contractor screened these assets for any in-house use on other contracts or commercial work? • Is this process documented in the contractors PMS • Is there evidence of screening? • Are items promptly reported?

• Define promptly! Check the Contractor's PMS. • Are the inventory schedules accurate and complete? Talk to your Plant

clearance officer (PLCO).

Process Segment: Disposal Population: All disposal actions, e.g., DD 1149 shipping documents, transfers between contracts, sales documents, scrap tickets, etc., as appropriate. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• If asset has been disposed of was there authority to do so? • How was disposal accomplished? -Sale, Donation, Scrapping, Shipment? • What was the time period from time disposition instruction given to time of actual

disposal? • Was it reasonable?

[102]

• Was ID removed? Was this verified by a Government Representative? • What documents verify that disposition was accomplished. Receipts, checks,

weight slips, QAR verification, etc? Be careful - there is increased scrutiny in the areas of hazardous wastes and demilitarization items.

• What happened to the proceeds of sale generated from the sale/disposal of property?

- Check to the Government? - Credited to contract?

Process Segment: Approved Scrap Procedure Population: All items processed through the contractor's Approved Scrap Procedure since last PMSA or one year, whichever is less. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Does the contractor have an Approved Scrap Procedure? • Is the contractor complying with the Approved Scrap Procedure? • Are only items that are allowed to be processed through the Approved Scrap

Procedure using this system, i.e., production scrap and production spoilage as well as parts removed from overhaul contracts that are in scrap condition?

• Where are the proceeds from the sale of scrap going? - Overhead? - How do you verify this? Authority for Disposition This process is another where a reverse analysis might prove fruitful. Specifically, we have been going from the records to the property, checking to see that what the contractor has already told us about has been done. There might be items that have slipped through the cracks. A review of the inventory records to purposefully seek out disposals and then tracing these items, through their posting references would assure that all items have been processed through the approved/usual disposal routes. Through this reversal of the normal audit process we can check for the proper authority for disposal.

[103]

Process 15 Contract Closeout Testing Contract Close-Out

a. The Auditor is responsible for ensuring that the contractor has a method to ensure that all contract close-out actions related to property are completed. The basic objective is to determine the timeliness and effectiveness of the contractor property close-out process.

b. This process may be analyzed during the Auditor’s final review of contractor close-out actions, or the Auditor may test all contractor close-out actions over a period of time. Subjective evaluation may include reviewing the timeliness of submission of contractor close-out reports, accuracy of reports, the adequacy of the contractor's method for tracking contracts nearing completion, and the timely initiation of appropriate actions to close-out affected contracts. Objective evaluations may include verifying that the contractor has obtained all required authorizations for property transfer, completed directed disposition actions, ensured completion of liability determinations, and submitted all required reports.

c. When no contract close-out actions have been initiated or completed since the last analysis, the Auditor may only address the tracking of contracts nearing completion. Where no contract close-out actions have been reported, the Auditor should review for any contracts that have been completed but not reported for close-out. Process Segments:

• Relief from Responsibility

• Final Contract Review

[104]

Process Segment: Relief From Responsibility Population: All closed contracts since the last PMSA or one year, whichever is less. For these closed contracts the disposal documents involved e.g., inventory schedules, disposition documents, shipping documents, transfer documents, etc. In addition, other documents relative to relief from responsibility should be included e.g., inventory adjustment vouchers, liability determinations, etc. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Did the contractor have the authorization to transfer property? • For idle assets, does the contractor have the authority to retain the asset? Be

careful, the belief that another contract will be awarded is insufficient to justify retention. There must be some WRITTEN authorization.

• Have all inventory adjustments, liability determinations, title issues, been resolved?

NOTE: There is a real problem on the Government's part with non-responsive contracting officers. It is imperative that the PA/PLCO maintain follow-up for the proper disposal/resolution of these property matters. In addition there is a real problem with the premature close-out of contracts prior to the receipt of a DD form 1593 by the Contracting Officer administering the contract. This is another area where the PA's relationship with the CO is critical. In many instances Contractors are stuck between the proverbial “rock and a hard place” if the CO refuses to act or answer.

Process Segment: Final Contract Review Population: For Criterion # 2 below a judgment review may be performed. This would review the contractor's PMS and the procedural portion as well as holding discussions with the contractor personnel responsible for the final contract close-out to assure that they are aware of their responsibilities. QUESTIONS:

• Where VCSes or ILPS are applied for this process are the criteria set forth in the VCS/ILP applied through the contractor’s PMS?

• Is the contractor aware of contracts approaching completion? • How?

• What mechanism is in place to notify the contractor or the contractor's employees of this forthcoming event?

[105]

Process 16: Property Management Purpose: An audit process is necessary to ensure that the contractor establishes and maintains an adequate and compliant PMS. The basic objective is to determine the effectiveness of the contractor's property management system and the possible systemic impact of any deficiencies identified. An additional objective of this review is to provide a management overview identifying causal factors that may contribute to deficiencies in other processes and process segments. Subjective evaluations may include outlining the scope of the PMSA performed, summarizing the processes and process segments reviewed, and examination of any deficiencies identified for possible trends. Lack of training provided to the contractor's personnel, ineffective communication between organizational elements, failure to be responsive to identified deficiencies, failure to establish current and adequate procedures, or failure to provide adequate protection for Government property to prevent LTDD are examples of trends that may have an adverse impact on the contractor's PMS. The contractor is also required to perform its own self assessments or audits of its Government property Process Segments:

• Management

• Contractor Self Assessments/Audits of Government Property

[106]

Process Segment: Management QUESTIONS: Are there procedures? Are the procedures maintained in an up-to-date fashion? Is the PA made aware of significant changes prior to implementation? Are contractor personnel made aware of procedures? When there are deficiencies does the contractor take prompt corrective action? When there are deficiencies does the contractor take interim steps to protect the Government Property? These are subjective evaluations that only experienced Auditors should determine to be satisfactory or unsatisfactory as they threaten the approval/disapproval of a contractor's PMS.

[107]

Process Segment: Contractor Self Assessment and Internal Audit of GP The contractor is also required to perform their own self assessment. FAR 52.245-1 (f)(3) states, “The Contractor shall establish and maintain procedures necessary to assess its property management system effectiveness, and shall perform periodic internal reviews and audits.” So we see that there is a CONTRACTUAL requirement for the contractor to perform their own audits or assessment. These can take a VARIETY of different forms and formats. More traditional audits may be performed by the Internal Audit groups or large contractors using the standards of the Institute of Internal Auditors, external audits using Generally Accepted Auditing Standards (GAAS). The contractor may choose to use the form and format of the GAO Yellow book, or even Statistical Process Control (SPC) methods based upon a Metrics based systems. Lastly, the Contractor may choose to use a VCS, such as the ASTM International’s Equipment Management Process Maturity Model (EMPM), ASTM E2452-05. [PERSONAL NOTE: The EMPM is an excellent tool! However, the Auditor must ensure that the contractor has established OBJECTIVE MEASURABLE CRITERIA for addressing and determining the MATURITY LEVEL assigned. The Maturity level is a SUBJECTIVE determination made by the contractor, but it needs to be based upon the OBJECTIVE CRITERIA that support this level. Under the EMPM it is not until you get deep into the process that these criteria come to light – similar to the criteria set forth in the “Old” DoD Property manual (Again, now obsolete).] Last item, there are no restrictions on the PA PARTICIPATING side by side with the contractor in working through the EMPM process – in fact I strongly ENCOURAGE IT!. Significant deficiencies disclosed through these types of internal audits should be reported to the PA as well as corrective actions taken by the contractor to correct and prevent recurrence of the problems. Where deficiencies were disclosed through the contractor's internal audit and not corrected, the PA shall notify the contractor and request prompt correction. QUESTIONS:

• Does the contractor perform the internal assessments/audits as specified/scheduled in PMS?

• Does the contractor initiate corrective action(s) when deficiencies are disclosed? • Does the contractor coordinate with Government PA so as to preclude

duplication? • Where VCSes or ILPS are applied for this process are the criteria set forth in the

VCS/ILP applied through the contractor’s PMS?

[108]

Defense Contract Property Management Systems Audit Primer

By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 7

Worksheets and Narratives By the end of this module, you should be able to:

• Describe how to prepare the worksheets and narratives involved with a PMSA By completing the lesson, you should be able to:

• Explain the requirement to have worksheets as the Government’s “audit evidence” • Describe the general information required on each worksheet within the PMSA • Describe the information that would e entered on the worksheets for each function • Describe the information that would be included in the narrative accompanying the

worksheets

RECORDING OF DATA It is amazing how much work is entailed in just determining the correct population(s), and selecting the proper sample size and sample. But, there is even more work ahead. That work is the actual recording of the data, the second part is the analysis of the data. "Wait a minute. I got the population, I even have the sample and sample items. What data am I supposed to record and where?" The “where” question is easier to answer than the “what” question. So, let's take them in that order." WHERE TO RECORD THE DATA As foolish as it may sound, certain data need to be recorded. Again, if we may steal from a related field, the CPAs of the world, the AICPA has the Statements of Audit Standards. Arens and Loebbecke (1988) cite these standards regarding workpapers, According to SAS 41 (AU 338), working papers are the records kept by the

auditor of the procedures applied, the tests performed, the information obtained, and the pertinent conclusions reached in the engagement. Working papers should include all the information the auditor considers necessary to conduct the examination adequately and to provide support for the audit report (p. 174).

Sawyer (1981) in one of the classic internal auditing texts provides this basis for working papers,

[109]

Working papers document the audit. They contain the records of preliminary planning and surveys, the audit program, the results of field work, and other documents relating to the audit. Working papers are prepared from the first time auditors launch their assignments until they write the final reports. Skillfully prepared working papers are the trademark of a professional!

Even the Government has established that work papers need to be maintained. In what is commonly referred to as the "Yellow Book" published by the Government Accountability Office, the investigative arm of Congress, has established the document entitled Government Auditing Standards (July 2007) – which we have discussed before. It states, 4.19 Under AICPA standards and GAGAS, auditors must prepare audit documentation in connection with each audit in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of audit procedures performed), the audit evidence obtained and its source, and the conclusions reached. Under AICPA standards and GAGAS, auditors should prepare audit documentation that enables an experienced auditor,52 having no previous connection to the audit, to understand

a. the nature, timing, and extent of auditing procedures performed to comply with GAGAS and other applicable standards and requirements;

b. the results of the audit procedures performed and the audit evidence obtained; c. the conclusions reached on significant matters….

Page 71 One additional reference is provided by Flesher (1996) where he states “Although an audit report is the end product of an audit, the report is supported by evidential matter. The Standards for the Professional Practice of Internal Auditing emphasizes the importance of evidential matter. Standard 420 states that auditors ‘should collect, analyze, interpret, and document information to support audit results.’ Audit evidence should be sufficient, competent, relevant, and useful to provide a sound basis for audit findings and recommendations. Sufficient means that audit evidence should be ‘factual, adequate, and convincing so that a PRUDENT, INFORMED PERSON WOULD REACH THE SAME CONCLUSIONS AS THE AUDITOR” (emphasis added). If we could again look at the General Dynamics Corporation versus U.S. (1996 WL 200255 (C.D. Cal.)) case we can see in item # 157 that “The result was an audit report whose findings, conclusions and recommendations were not supported by evidence in the working papers even though, in the opinion of the Government’s expert, the single most important aspect of due professional care is that the work papers contain sufficient evidential matter to support the result.” Various DoD agencies have prepared working papers or worksheets for use by their Auditors in performing their PMS Audit. Yet, even within DoD agencies there may be variations amongst those districts as to the proper worksheets. Sometimes the agencies leave that decision totally within the purview of the Auditor - left to dangle in the wind is more like it. In addition, there are many AUDIT SOFTWARE programs out there – though I am not aware of one specifically tailored to Property Management and Administration.

[110]

From a historical perspective, the Defense Contract Management Command (Now an Agency) had designed and prepared a software program to assist the auditor in performing this task. That software program was called the Property Control System Analyzer written and encoded by Mr. Jeff Curtis of the Defense Logistics Agency. It was available for use in Version 1, and there was supposed to be a Version 2.0 – but that never came to fruition. Computers are perfectly acceptable for use in performing system analysis. I would like to digress just for a minute and continue the discussion, started in Chapter One of this text, on computers. Brink and Witt (1982) further discuss the use of computers. The computer has proved to be an invaluable tool to auditors in applying

statistical sampling. It simplifies the calculation necessary, eliminating the need for reference to formulas or tables. In addition, it facilitates the use of sophisticated techniques, thus enabling auditors to obtain precise and unbiased results. The auditor can, of course, use calculations in some instances to solve formulas when a computer is not available, but this is more time consuming. Auditors can sometimes take a portable terminal to the site when needed for statistical applications. The auditee may have a computer available.

Computers are powerful tools and as our field matures and develops and as computer software becomes more powerful and user friendly it is hard to imagine any aspect of our professional lives not being affected or impacted by the use of computers. Now, in spite of all that I have said regarding computers for the purposes of this class we will be using manual worksheets due to the diversity of agencies attending this class. It is far more critical for you to understand the theoretical underpinning as to "WHY and HOW" we do something than the operation of a software program. For one reason: Good theory makes for good application. What is the old Chinese proverb? "Give a man a fish he will eat for a day. Teach him HOW to fish and he will be able to feed himself forever." We are going to teach you how to fish, or in our case THE HOW’s of doing a PMSA. STRUCTURE OF WORKSHEETS For the Department of Defense to attempt to prescribe or mandate the use of one type of worksheet for all departments would be ludicrous. There is such a rich diversity of environments performing the work of property administration that any one design would most certainly be flawed. Its applicability from one environment to another would and should be challenged. Rather, broad general guidelines are provided that can be tailored to each environment. Think for a moment about the breadth of property management. There is research and development work, there is overhaul and maintenance work, there are service contracts, there are Government Owned/contractor operated plants, there are bases and installations, there are even contractors performing work overseas and in war zones!!! One set of worksheets for everyone? I don’t think so.

[111]

Through experience I have seen numerous different forms and formats used as the worksheets. My favorite story regarding worksheets deals with an individual, who shall remain nameless. For a class I had requested that each student bring in a worksheet. My idea was to have the students compare the diversity of worksheets, looking at the column headings and the criteria for each process. Well, most had preprinted sheets with headers and columns and lines for the sample items and even labels for the columns already done. Well, this one individual provided me with a blank sheet of ledger paper with the comment, “This is my system analysis (audit) worksheet?” I was at first a little perturbed, then slightly amused, then startled to realize that this individual came closest to being a “true” auditor. Why? Because he realized that each environment he audited would have different operating systems and therefore he would need to organize his work differently. Personally, I don’t care what you use for worksheets - just so long as it provides the AUDIT EVIDENCE necessary to support you findings. You can use ledger paper, preprinted worksheets, worksheets mandated by your department, agency, district or headquarters or even computer files. Each one of these aforementioned activities probably has a different idea how these items should look. You job is to accomplish two things: 1. Perform your audit and 2. Provide Audit evidence. There should be contained, as a minimum, the following information on the top of the worksheet(s): Auditee’s Name (yes, it would have been easier to say Contractor – but since we are looking at this from BOTH Directions, i.e., internal audits and assessments as well as Government Audit – better to deal with BOTH parties!) Period being reviewed by PMSA – or the internal Audit Process being reviewed Process Segment being reviewed Population - What documents/items/locations, etc., make up your population Quantity of items in population Sample Size The next step is the form and structure of the worksheet(s) for recording the data.

[112]

WHAT DATA TO RECORD The recording of the data provides AUDIT EVIDENCE. We can deal with this evidence from the standpoint of competence, relevance, independence, sufficiency, timeliness and their combined effect. The use of simple “YES” or “NO” answers may be insufficient to answer many criteria applicable under the PROCESS requirements of FAR 52.245-1(f), i.e., the Government Property clause. Rather the PA must extract data from the records and provide evidence of actually performing the audit. For example, let us select one process, and the criteria embedded in this process to support this contention. Let’s use the PROCESS OF ACQUISITION! FAR 52.245-1(f) states, “(i) Acquisition of Property. The Contractor shall document that all property was acquired consistent with its engineering, production planning, and material control operations.” So, what items would make up our population and then what questions or criteria must a contractor have to adequately comply with this process requirement? Here is one way to do this [NOTE – this is only ONE population that may be defined. There are MANY other ways to define this population]:

1. With this Process we will be reviewing all purchase orders for contractor acquired property (CAP) as defined at FAR 52.245-1(a) for one year or back to the last audit, whichever is less, as our population. Note – this is a TRANSACTIONAL Population as we are testing ACTIONS that have occurred over a period of time, i.e., all purchases made!

2. The population consists of 2649 items. (Don’t worry, I just made up this number).

3. The sample size is 34. How do I know that the contractor has documented all property acquired AND it is consistent with engineering or production planning, etc? So for this process and the embedded criterion we can answer yes or no for this question? Right? Welllllllll, not exactly. Because if I answer this criterion yes or no what evidence to I have to support that statement? Your reply "Well, I saw the purchase order!” Great! But that only supports that an action took place – NOT that the action was proper! Was there an item that could serve as a SUPPORTING DOCUMENT for that purchase order? Was there a purchase requisition, or a drawing or a material requirements list or a blueprint that showed that the item ordered was ACTUALLY NEEDED – and needed in the QUANTITY ORDERED?

[113]

Was there any other data you could have culled from that letter that would have substantiated that approval for the acquisition existed? This is the type of data that will allow you to replicate and substantiate your findings. How do you know what information the contractor is required to have to support their actions in this regard? READ THEIR PROPERTY MANAGEMENT SYSTEM PROCEDURES! NOTE – you should have done this WAY before you even started the audit. I know this seems self evident – but I just wanted to reinforce this issue. The contractor will tell us, will describe to us the “Who, What, Where, When, How and Why” they will perform these actions in their PMS. Remember also that their PMS is based upon VCSes and ILPs. Therefore, if VCSes are referenced in the contractor’s PMS you should ensure that the data elements set forth in the VCS are indeed APPLIED in the PMS processes. So, for every process or process segment that I review/audit I must ensure that I have audit evidence to support: The PERFORMANCE to that requirement and Any criteria EMBEDDED in that Process. Let's do one more example. This time it is the PROCESS of RECEIVING. Again, this PROCESS requirement is found under FAR 52.245-1(f). It states, (ii) Receipt of Government Property. The Contractor shall receive Government property (document the receipt), record the information necessary to meet the record requirements of paragraph (f)(1)(iii)(A)(1) through (5) of this clause, identify as Government owned in a manner appropriate to the type of property (e.g., stamp, tag, mark, or other identification), and manage any discrepancies incident to shipment. O.k., let’s try this again in defining some of the criteria! 1. This time our population is all receiving reports, etc. for the past year or to the last audit whichever is less. 2. We have 7843 receiving reports (RR). 3. Our sample size is 34. 4. We set up our worksheet to ask and answer this question under this process. Are receiving reports promptly prepared that document items and quantities received? Yes, we can answer that question with a, “YES.” But that would be inadequate! Think about it? What would be wrong with answering this criterion yes or no? Again, we have no AUDIT EVIDENCE to support our findings, one way or the other. Rather I would want to see a recording of the RR number, listing of item(s) on the RR, quantities on the RR, listing of the condition or condition codes, listing of the date received, comparative analysis of the data on the Shipping Document with the information on the RR, etc. ALL OF THIS SHOULD BE LISTED ON MY WORKSHEETS TO PROVIDE PROOF OR VERIFICATION WHEN NECESSARY TO THE AUDITED ENTITY THAT I AM PERFORMING MY SYSTEM AUDIT ON OR TO MY KEY BOSSES, OR EVEN A COURT OF LAW!!! These data on the worksheets verify that you have done your job --

[114]

and done it correctly, adequately, accurately and completely. Without this data you have no substantiation, no AUDIT EVIDENCE that you have done your work. HOW TO RECORD THE DATA We talked about the “Structure of the worksheets” earlier in this chapter. It would be a good idea to get a visual representation of a worksheet. As stated, there is no one standard form or format. But, there are practices that are acknowledged as acceptable. Let’s take a look at one suggested form/format. Here is a form and structure that is capable of being applied to virtually every function and functional segment through the application or assignment of the criteria to the various columns. Take for instance COLUMN 1. We would use this for listing our Sample Number. Sample Number

The next column would be the Sample Item Description. Basically, this would be a noun name of some kind; Nut, bolt, screw washer, etc.

Sample Number

Item Description

If we were doing the Process of “RECORDS” from the GP Clause requirement it requires that:

(iii) Records of Government property. The Contractor shall create and maintain records of all Government property accountable to the contract, including Government-furnished and Contractor-acquired property.

(A) Property records shall enable a complete, current, auditable record of all transactions and shall, unless otherwise approved by the Property Administrator, contain the following:

(1) The name, part number and description, manufacturer, model number, and National Stock Number (if needed for additional item identification tracking and/or disposition).

(2) Quantity received (or fabricated), issued, and balance-on-hand. (3) Unit acquisition cost. (4) Unique-item identifier or equivalent (if available and necessary for

individual item tracking). (5) Unit of measure. (6) Accountable contract number or equivalent code designation. (7) Location. (8) Disposition. (9) Posting reference and date of transaction. (10) Date placed in service.

[115]

So we have ten (10) data items listed (And there are really more if you analyze this requirements carefully) that a contractor must have on its records – whether manual or automated. Let’s say that we have selected a population of “All Material Records.” [NOTE: THIS IS NOT TO IMPLY THAT THIS A CORRECT POPULATION SELECTION. RATHER IT IS BEING USED AS AN EXAMPLE OF PROPER WORKSHEET DESIGN.] With this framed as our population and then selecting the random sample we would analyze the sample items for the following characteristics under the appropriate criteria.

Remember, we can not just answer a criteria “yes” or “no.” We must be able to justify our answer through the audit evidence presented on our worksheets. What would the data be? Well, the contractual requirements of FAR 52.245-1(f)(iii) would be an excellent starting place. We have just seen that it lists the following “bits” of data as being required for EVERY item of Government Property :

Name, part number and description, manufacturer, model number, and

National Stock Number (if needed for additional item identification tracking and/or disposition).

Quantity received (or fabricated), issued, and balance-on-hand. Unit acquisition cost. Unique-item identifier or equivalent (if available and necessary for individual

item tracking). Unit of measure. Accountable contract number or equivalent code designation. Location. Disposition. Posting reference and date of transaction. Date placed in service.

If we were to follow this progression on our worksheets it would look as follows:

Sample Number

NAME Part Number

NSN

Let’s change the order of the data requirements just for ease in creating this worksheet. Contract number and unit price would appear to be the next logical data fields. Sample Number

NAME Part Number

NSN Contract Number

Unit Price

[116]

Notice that these criteria are applicable to every sample item that we review and that our worksheet and its respective columns are increasing. Notice also that we are NOT looking for “yes” or “no” answers – rather we are looking for the actual data. We are looking for an item description, a National Stock Number, a contract number and a unit price to be placed in these columns from the record maintained on that sample item! O.K., you think you have a handle on this? Let’s take a look at some of the other criteria. This may get a little more difficult. One of the other items under FAR process requirement is Quantity received, issued and on hand. Rather than add to our already burgeoning worksheet let’s treat these items as three separate columns. They would look like this:

Quantity received Quantity issued Balance on Hand Seems simple enough! “We just put down those items” you say. My response, “Which items?” “Well, the quantity received, the quantity issued and the balance on hand.” “Great, I understand the balance on hand, but which quantity received?” “What do you mean ‘Which’ quantity received?” “Are you telling me that the contractor has received this type of material ONLY ONCE?” “Well, no. There were a lot of receipts of that property.” “Well, again I have to ask ‘WHICH’ quantity received?” Has the light bulb gone on? With on ongoing process there may be tens, hundreds, even thousands of receipts for that property over the life of a five year R&D contract. Therefore, which “receipt” of property do you pick? Generally, since you are testing the contractor’s CURRENT operations you will select the last receipt posted to the record. I can hear you all complaining now, “Well why didn’t they say that?” It was there all along – you just didn’t realize how your actions were driven by that requirement. The same holds true for “quantity issued.” There were probably numerous issuances of that property over the course of the year. Which one is to be selected? Again, generally, you will select the most current, the most RECENT transaction – the LATEST transaction. But these three columns aren’t done just yet. How can I be sure that what is on the record card is accurate and correct? You are required to review the SOURCE document that triggered the posting of that transaction. “Wait a minute – where does it say that?” FAR 52.245-1 (f)(iv) entitled posting reference and date of transaction.

[117]

Many folks confuse the issue of reviewing the Function of RECEIVING with testing the receipt of property under the Function of RECORDS. Yes, I agree that you test the receipt of property under the Function of Receiving. But, do you trace it through all the way to the record card or record system where it enters the contractor’s inventory system? Generally not. You are testing the PROCESS of RECEIVING Government property in one audit process – and testing the PROCESS of ESTABLISHING AND MAINTAINING RECORDS of Government property in this other process. Therefore, this check of the process is comparative in nature. You are doing a comparative analysis of three things: 1. What the audited entity said he/she would do in the procedures, 2. What happened with this receipt (or issuance) as posted to the in your hand, or the computer screen and 3. The STANDARD set forth in the contractor’s procedures. So what really happens when we select that last receipt of property onto the record changes from one column to four columns. Rather than just:

Quantity Received

You will now have five columns with the columns entitled:

Receiving Report Number

Qty. On Receiving

Report

Qty. Posted to Record

Date of Receiving

Report

Date Posted on Record

This grouping of columns allows you to test through a comparative analysis the criteria required and set forth in FAR 52.245-1(f). This would include Quantity received, Posting Reference and Date of Transaction. This comparative analysis of data is to ensure that: 1. Quantities received are actually posted to the record, i.e., the counts on both documents/records match and 2. The transactions are accomplished in a timely manner. Timely being defined by the contractor’s property control system and the written procedures. This is a lot different than the first answer provided where there was only ONE column. And again, I would like to emphasize that these columns CANNOT be answered with a simple “yes” or “no.” They must have data inserted into them so that an external auditor, would be able to REPLICATE your findings.

[118]

The same type of columnar structure can be established for issuance.

Issue Slip Number

Qty. Issued Qty. Posted Date Issued Date Posted

If we were to look at all of the data item elements that we have covered it would look something like this. Sample Numbe

r

Item Desc.

NSN Contract #

Unit Price

RR #

Qty. On RR

Qty. On Record

Date of RR

Date posted

Issue Slip #

Qty. Issued

Qty. Posted

Date Issued

Date Posted

Gets kinda’ tight doesn’t it? Unfortunately, we are not yet done with this one functional segment, or even the first criteria. Wait, What Process were we doing? Records There is still another data item under FAR 52.245-1(f) that we have not addressed. This is the requirement for the posting of LOCATION. Location is also a comparative item. Specifically, we would want to record the location from the record on our worksheet and then physically inspect that location to ensure that the item was where it was recorded to be. There are two caveats to this. The first is that if a contractor is using “summary” records as authorized for say equipment then specific locations are NOT required. In addition, there may be a voluntary consensus standard that allows the contractor – with the PA’s APPROVAL – to relieve the contractor from the record keeping requirement. Yes, we would expect an initial location to be posted to the record but subsequent changes of location need not be posted. With this LOCATION item we now add two more columns entitled:

Location on record Actual Location If we were to establish a worksheet with ALL of these data item elements on them it might look like this.

[119]

SAMPLE WORKSHEET FOR THE FUNCTION OF RECORDS [WARNING!!! THIS IS A SAMPLE ONLY. IT IS NOT FOR USE!]

Sample Number

Item Desc. NSN Contract # Unit Price RR # Qty. On RR Qty. On Record

Date of RR Date posted

Issue Slip # Qty. Issued Qty. Posted

Date Issued

Date Posted

Record loc. Actual loc.

[120]

In the “old days” when I was a working industrial property management specialist we had an experienced Property Administrator guiding us through the lengthy process of LEARNING HOW to do a PMSA or the old term, a property control system analysis or the older term, a system survey. I was lucky to have as my PA a gentleman by the name of Mr. Vinnie Carnevale -- back in the old days of the Defense Contract Administrative Services Management Area (DCASMA), New York. As a trainee Vinnie took me out to EVERY contractor’s plant, site or facility under his cognizance and literally WALKED me through the survey. He showed me numerous different techniques and methods. He provided me a firm foundation in the system survey process. One of his areas of emphasis was that of the system analysis workpapers. Vinnie was a believer that the workpapers needed to provide CLEAR, FACTUAL EVIDENCE of the findings and this HAD TO BE WELL DOCUMENTED. Now, I don’t know if Vinnie ever had any classes in auditing. He wasn’t a Certified Public Accountant. But, in the thirty years I’ve been involved with Government Property I can count the number of times he was wrong on one hand. What does this have to do with our current property control system analysis? Well, an area of weakness in the PMSA process is that of WORKPAPERS! A PMSA is NOT a haphazard process. To carry out this process the PA must have a systematic approach, establish a record of what was done, and to accumulate the data, the auditor must prepare WORKPAPERS. Bottom line – these workpapers are your AUDIT EVIDENCE. Don’t take my word for it – look to the experts. Arens and Loebekke in Auditing, an Integrated Approach (1988, 4th Ed.) quote one of the Statements of Accounting Standards, more commonly referred to as a SAS. SAS 41 states “Working papers are the records kept by the auditor of the procedures applied, the tests performed, the information obtained, and the pertinent conclusions reached in the engagement” (page 174). Over the past few years I have seen a wide variety of “workpapers” presented in the line classes I have taught. Some have been excellent – others, well, they needed some work. These workpapers are CRITICAL to the proper supporting of your findings in the system analysis. Now think about YOUR workpapers. If I were to come into your office, look at one of your last audit, could I then take YOUR workpapers and REPLICATE your findings. Let me say that in English. Could I go to the audit site and find the exact RECORD from which you obtained that data? What I am really driving at here is the use of survey questionnaires with yes or no answers. I have seen numerous workpapers that consisted of NOTHING MORE than yes and no answers. My question to these individuals is “How do I know WHAT you audited?” Their response “Well, I went to audit site and did this and that and the other thing!” My response “Gee, that’s great. Please show me that work.”

[121]

Their response “Well, here – these are my workpapers. See, I answered the questions yes or no and that means I reviewed their system.” My response “Nope, those papers are MEANINGLESS as there is NO AUDIT EVIDENCE.” Now, it’s rare that Property Professional get dragged into court (Though it HAS happened!). But that doesn’t mean it WON’T happen – and the courts are far less forgiving that your management and leadership that may perform a review of your work! Let me provide you another quote from Arens and Loebekke. They state that “Working papers are the primary means of documenting that an adequate audit was conducted in accordance with GAAS (Generally accepted auditing standards – which we have discussed a number of times). If the need arises, the auditor must be able to demonstrate to regulatory agencies and COURTS (Emphasis added) that the audit was well planned and adequately supervised (Supervisors take note – you’re not off the hook so easily here either), the evidence accumulated was competent, sufficient and timely, and the audit report was proper considering the results of the examination.” I know, I know – you’re going to say, “We’re not financial auditors. We’re auditing Government Property records and property management systems!” I fully well understand that. I’ll agree – we’re doing operational audits. So let me cite the literature from that field. Reider in “The Complete Guide To Operational Auditing” (1994) states that “Workpapers are used:

1. As a repository of the information obtained. 2. To identify and support problems, events, or actions occurring

during the engagement (Don’t you just love that word – our PMSA is an engagement!), findings, meetings and the like.

3. To give support to discussions with operating personnel. 4. To provide support for the report (Our audit summary). 5. As a line of defense when FACTS, CONCLUSIONS AND

RECOMMENDATIONS ARE CHALLENGED…” Plus other items too numerous to list in this short article. Even in the world of Internal Auditing, another closely related field, working papers have been assigned a Professional Standard number with descriptive literature surrounding it (See Flesher, D.L., Internal Auditing, Standards and Practices, 1996). The point of all this discussion is that each and every Property Professional and his or her supervisor must ensure that audit workpapers thoroughly document the process and items reviewed during that PMSA. What then should be in the workpapers? 1. The process undergoing the review, 2. The population, CLEARLY DEFINED, SO IT CAN BE REPLICATED, 3. The sample size (If using statistical sampling),

[122]

4. The specific sample items selected. Yes, listing each and every sample item selected by some identification, e.g., Nomenclature, National Stock Number, Part Number, Purchase Order Number, Plant Clearance Case number (And yes, I know that some of these items may have multiple iterations – at which point your description must be even MORE specific such that I could find the EXACT item of documentation that you used for your SOURCE document.),

5. The Descriptive and Quantitative data that supports the contractual requirements of the Government Property Clause, FAR 52.245-1(f).

6. Reference numbers related to SOURCE DOCUMENTS, or copies of source documents, and reference numbers relating to supporting documents.

I have no preference as to how this is done. You may use hand written sheets on log paper. You may use worksheets designed by your office as a “standard.” You may use computer-generated worksheets. You may even use computer programs such as MS-Excel [Note – this does suggest that I am endorsing MS-Excel! Just addressing that it may be used. ]. You may use ANY METHOD you want of creating, completing and maintaining those worksheets – SO LONG AS THEY PROVIDE REAL SUBSTANCE AS TO THE PERFORMANCE OF A SYSTEM ANALYSIS and WHERE AN OUTSIDE REVIEWER CAN REPLICATE THE INFORMATION YOU ORIGINALLY OBTAINED. O.k., we covered the area of PMSA Workpapers. I stressed the CRITICAL nature of properly documented workpapers as a source of AUDIT EVIDENCE. We stress how important it is to properly document the source data that support each sample and sample item and the associated criteria. And, most importantly, those simple yes or no answers to those criteria FAIL to meet the standard of audit evidence. In this past discussion I provided strong evidence as to the specific requirements for those worksheets – not by MY opinion (Because that really doesn’t matter), rather, the opinion of renowned experts from the field of AUDITING!!! Well, I received a number of E-mails and phone calls about audits and had lots of discussions with my property peers out there in the field. One area that kept surfacing, and was directly related to the issue of workpapers was the area of NARRATIVES – Narratives that accompany and report on the findings in those workpapers. NARRATIVES Now, I like writing. I may not write well all the time, but I try to put pen to paper and present technical issues with some degree of clarity (Yes, there are a few that have enjoyed the task of CORRECTING my writing. Those individuals have taken GREAT JOY at finding my errors. No, I won’t name them here – THEY KNOW WHO THEY ARE!!!). Writing is another CRITICAL SKILL that property folks need to develop. The writing of narratives in the context of a PMSA is one area where that skill comes to the forefront of application! Let me try and place this into the proper perspective. You scheduled the system analysis with your contractor.

[123]

Possibly done a risk assessment of the contractor’s PMS. Conducted your entrance conference with the contractor. Performed the PMSA in accordance with the GAAS, GAO Yellow, and ILP protocols. Collected all of your data and prepared the finest workpapers ever prepared!!! Now comes the time that you need to tell the world the findings and the condition of that contractor’s PMS. What happens? You freeze! You say “I’m not a writer.” You know that you have all of the data in front of you. There are reams of paper, and notes, and documents – but you can’t think of one word to put down on paper to describe all of the “stuff” (Both good and bad) that you found. Where do I start? HOW do I start? POPULATION AND SAMPLE Well, let’s start with the simple stuff. TELL ME IN SIMPLE ENGLISH WHAT YOU DID IN CONDUCTING YOUR AUDIT OF THAT PROCESS! What Process did you review? What criterion or criteria did you review? What documents, locations, types of property, etc., made up your population? What was the size of your population? What sampling technique did you use? What was the size of your sample? How did you select the sample numbers? How did you align the sample numbers with the population items? Let’s change this to a narrative. This narrative covers the Process of RECORDS and the requirements of FAR 52.245-1(f)1)(iii). It covers all criteria established and required by the aforementioned clause. The documents reviewed consisted of the inventory records of all Government Owned material accountable under active contracts as well as material accountable to contracts that had been closed since the last systems analysis. This population consisted of 1276 items (Record Cards). Statistical sampling was used. Following a 90% confidence rate, a sample size of 34 was used with the actual sample numbers being selected by using the program found at www.Randomizer.org (Printout attached). As the contractor provided a sequentially numbered computer listing of the material the sample numbers were aligned with the printout numbers. Notice that we have taken the original questions – which you need to answer to actually PERFORM your system analysis of the function, and converted them to simple phrases.

[124]

By answering these questions you can easily craft the opening portion of your narrative for each and every function, functional segment, and criteria. All we did was take the information that you already had at hand, logically ordered it and provided the reader (Well, at least the reader reasonably knowledgeable in property) a clear description of what we did to start our analysis. FINDINGS O.k. that tells me HOW I obtained my sample items. But how do I explain my FINDINGS? Use the same technique. Ask some simple questions! What sample items were reviewed? (Quick Reiteration) What Criteria were reviewed? What Systemic Quantitative and Qualitative Information was obtained? (Remember, our focus needs to be on the SYSTEMIC defects – not nitpicks) What requirements/criteria was found Adequate? What requirements/criteria was found Inadequate? WHY? How did you rate the Process? WHY? Change these answers to simple Phrases. Thirty-four sample items consisting of inventory records for Government owned material were randomly selected and reviewed. The criteria tested were the data items required for this process. Property control records conform to GP Clause requirements, or the VCS or ILP requirements when and if applied – etc. Support documentation Prompt posting of Transactions Sensitive property Inventory control records are properly closed. [Note: Now I realized that I paraphrased these items. I did so for the sake of brevity.] But let’s take these and address them, as before, in some simple phrases. The criteria tested included a review to insure that all Government owned material property control records conformed to FAR 52.245-1(f)(1)(iii) requirements including; name, description, identification number, quantity received or fabricated, and on hand, the unit price, contract number, location, disposition (If disposed of since last analysis), the posting references to support any actions and the closure of the accountable record where the material was dispositioned and the record closed for property management purposes.

[125]

Let’s continue. The criteria of name, description, balance on hand, the unit price, and contract number were found to be satisfactory. No discrepancies were found in any of the sample items for these criteria. Five defects were found for the criterion of location. Contractor was not promptly posting location changes in accordance with its Property Management System (Reference Contractor X, Procedure 234-A, Chapter 5) which requires all location changes to be posted within five business days. This review found that these five items had not been posted for over 30 days. These items of material each had an acquisition cost of over $10,000. As the number of defects exceeded those allowed by the 90% confidence rate sampling table and the discrepancies were of a systemic nature this process is considered unsatisfactory. Notice that we have provided answers to all of the questions posed above. We have provided the good, the bad and the ugly -- The items that were satisfactory, the items that were found unsatisfactory, both quantitatively and qualitatively. Specifically, how many were “defective” and WHY were they defective. Now I know that this was a rather simplistic scenario, and you may say that your world is different. I agree with you – but most, not all, but MOST of the folks out there as Property Professionals have been doing this job for years, and as such there is a level of expectation. We are PROFESSIONALS and therefore, our reputation and the way we are viewed by others that do not know us personally is directly tied to our WRITING! If we present a poor image to the outside world through our writing, their perception of us will be all the less.

[126]

Defense Contract Property Control Systems Audit Primer By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 8

Analysis of Data

By the end of this module, you should be able to:

• Start categorizing and summarizing the collected data By completing the lesson, you should be able to:

• Distinguish between defects and deficiencies • Identify Sample item defects and sample item element defects • Distinguish between system and non-systemic defects • Understand and apply acceptance/rejection rates

ANALYSIS OF DATA In this class we have gone through the processes/process segments/criteria and performing some sample tests and providing some analytical question to assist you in performing this effort. And quite an effort it is! The analysis of the data that you have collected from your sample can be the most vexatious part of the audit process. Why? Because we have left a great deal of judgment in your hands!!! If your judgment is faulty, if you've had a fight at home and bring your problems into the office, if your boss tells you to do something that is improper all of these actions and inaction can temper the outcome of the PMSA - in spite of the application of statistical rules and regulations. Judgment, good, sound judgment plays and enormous role in determining whether or not a sample is satisfactory or unsatisfactory. How should data be analyzed? Let's look at some of the methods of data analysis. But before we do that, it would be prudent to clarify some of the words we are going to use in this section. (See Figure 1.) - Our first grouping is our population. - Our second grouping is our sample. - The sample is broken down by sample items. - The sample item is broken down into elements or sample item elements.

[127]

Figure 1- Population to sample item element

TYPES OF DEFECTS/DEFICIENCIES For example, a population has 7421 records in it. The sample size is 34. The sample then consists of 34 records. Each record of those 34 records would be considered a sample item. Lastly, you have the individual elements contained within the sample item. Let's reverse this analysis for classifying defects and build from the smaller to the larger. The first type of defect would be a sample item ELEMENT defect. This is where one element within the sample item is defective or a deficiency exists. It is possible that the sample item may be found acceptable but the sample item element is unacceptable. The second or next higher level is the SAMPLE ITEM DEFECT. A sample item defect is where an element or elements within a sample item are deficient and there is the determination that the entire sample item is affected. The sample item therefore is defective or deficient. Sufficient sample item element defects and sample item defects may lead to a function or functional segment as being evaluated as "UNSATISFACTORY." In light of this statement it is necessary to understand that the auditor must evaluate the sample a number of different ways: 1. Horizontally across the sample item. 2. Vertically down through the sample item elements. You finally say "I've recorded all of the data on the worksheets. I've found defects. I've found both what I consider sample item defects and sample item element defects. I found a total of six of them. And, if my population was 7421, the sample is to be rated unsatisfactory! It says so in the 90% Sampling confidence Table!"

[128]

It's not that easy. We need to look at two other factors before we can say a function or functional segment is unsatisfactory. These two other areas are: 1. The Acceptance and Rejection rates set forth in 90% Sampling confidence Table and 2. Whether the defects were SYSTEMIC or NONSYSTEMIC. SYSTEMIC OR NONSYSTEMIC DEFECTS Too many times there has been the anecdotal evidence of an auditor doing an audit, finding defects and, regardless of their impact on the contractor’s PMS, saying that the contractor's property control system was unsatisfactory. We hear this horror story over and over again. The auditor finds, during the review of the function of physical inventory, in the functional segment of performance that the contractor had reported and recorded 972 bolts (Bulk purchased at $4.79 per 1000). When the auditor counted the bolts, BY HAND NO LESS, the auditor only found 970. "Ahhh, a defect" the auditor says. Let's see how many more of these defects can I find?" And the auditor sets about busily counting the bulk quantity, low dollar value items and finds those SIX defects in this process and rates the contractor as unsatisfactory in the function of Physical Inventory. That simple! All done. Now, contractor, start the corrective action plans so that this terrible deed does not happen again! Tell me. What's wrong with this scenario? Were the defects uncovered, the wrong count of the low dollar value, bulk quantity material items, a problem that systematically impacted the contractor's operation or efficiency? No! These items were low dollar value items with minimal impact on the contractor's system of property control. And yet many times there have been contractors found unsatisfactory due to these types of problems. Therefore, the auditor must evaluate the SIGNIFICANCE of the defect. It is a systemic or non-systemic defect. In other words does the defect affect the contractor system so much so that it may harm the Government. This concept is nothing new. Sawyer (1981) emphasizes the concept of "Degrees of Significance." He makes the point that, No two deficiency findings are exactly the same. They will represent various

degrees of actual or potential loss or risk. Giving the same audit emphasis to several random clerical errors and to an overpayment of $100,000 is clearly illogical... An insignificant deviation -- the sort of clerical misstep which all organizations experience -- does not warrant formal action. Indeed, including it in a formal report would be counterproductive. First, it would tarnish the truly significant findings in the report, implying that the auditor could not discern the difference between a flyspeck and a spreading blot. Second, it would perpetuate an undesirable stereotype: the auditor as a NITPICKER(Emphasis added).

[129]

WE ARE LOOKING FOR SYSTEMIC DEFECTS THAT IMPACT THE CONTRACTOR'S SYSTEM OF PROPERTY MANAGEMENT. WE ARE NOT LOOKING FOR THOSE, in the words of Sawyer, NITPICKS. In the accounting world we would address this as an issue of "materiality." In the property world we could say that a defect was major or minor, systemic or non-systemic. But, every property person must recognize that defects come in all shapes and sizes. Every single defect is not the same -- some are humongous, others are trifling. You cannot write up a monstrous defect in a trivial fashion and maintain your credibility. By the same token, you cannot write up a trivial defect in an "end-of-the-world" fashion and maintain your credibility. You must be able to defend the seriousness of the findings. We provided guidance and direction in the “OLD” DoD Property Manual going one step further in carrying out this action. It states under Chapter 4 Section A. 11. a., Identification of Deficiencies When element or item defects are identified during the

PMSA, auditors shall take the following actions: (1) Determine whether the defects are isolated or are systemic in nature. (2) Assess the known or perceived impact of defects. (3) Determine the cause of the defects, where possible. (4) Notify the responsible contractor management personnel of the defects and request corrective action. This last item, "Notify the responsible contractor management personnel of the defects and request corrective action" shall be discussed in greater detail later in this paper. It is important that the responsible contractor party/ies is/are made aware of these defects and deficiencies. There should be no “SURPRISES” sprung upon the contractor – rather, we are a team working to support the warfighter – and as such we need to maintain open lines of communication. ACCEPTANCE/REJECTION RATES To assist the auditor in performing this task there have been established “Acceptance and Rejection Rates” in Appendix B of the “OLD” DoD Manual. But, and this is a big but, there is additional guidance found in the body of the manual that deals with the APPLICATION AND ANALYSIS OF DEFECTS!!! Guidance was provided in regard to the evaluation of a sample for SYSTEMIC defects, b. Appendix B sets forth acceptance and rejection rates for the various

population and sample sizes dependent upon the number of defects found within a

[130]

given function, functional segment, or criterion. The auditor shall use these rates for the acceptance or rejection of populations selected as functions, functional segments, or criteria. The following decisions shall be made by the auditor:

(1) If no defects are found in the first sample, the functional segment or criterion

shall be evaluated as satisfactory. (See Column 3, Appendix B.) (2) If the number of item defects found in the first sample is equal to the number

of defects found in column 4 of Appendix B, where the defects are not of a systemic nature the functional segment may be evaluated as satisfactory.

(3) If the number of item defects found in the first sample is equal to the number

of defects found in column 4 of Appendix B, where the defects are of a systemic nature, the functional segment shall be evaluated as unsatisfac-tory.

(4) If the number of item defects found in the first sample is equal to the number

of defects found in column 5 of Appendix B, the auditor shall use the second sample selected in paragraph B.4.c., above. If the total number of defects found in both sample 1 and sample 2 equals or is less than the number specified in column 7 of Appendix B, the functional segment shall be evaluated as satisfactory.

(5) If the total number of defects found in both sample 1 and sample 2 equals or

is more than the number specified in column 8 of Appendix B where the defects are not of a systemic nature, the functional segment may be evaluated as satisfactory.

(6) If the total number of defects found in both sample 1 and sample 2 equals or

is more than the number specified in column 8 of Appendix B where the defects are of a systemic nature, the functional segment shall be evaluated as unsatisfactory.

Carmichael and Willingham (1989) support this process. They state, A qualitative evaluation of sample results is equally important as a

quantitative evaluation whether the auditor is using a statistical or nonstatistical sampling approach... An important part of the auditor's qualitative evaluation is a consideration of whether the nature and cause of the errors indicates that they are either isolated or systemic.

We are asking you to do the same. Let me talk with you for a moment about “Research” and the evaluation of say, an analysis of a survey through statistical application. If we were doing a correlation analysis in a research program we would also have to test statistical significance. Yes, there may be a CORRELATION between two factors - but is that correlation STATISTICALLY SIGNIFICANT?

[131]

Here is an example of mistaking correlation for causality. More car accidents happen in the United States over the 4th of July holiday weekend than any other holiday weekend. More Ice Cream is sold over the 4th of July holiday weekend than any other holiday weekend. Therefore if we stop selling ICE CREAM on the 4th of July holiday weekend – car accidents will decrease. Right? Quite clearly, WRONG! Yes, there is a STRONG CORRELATION between the two variables – Accidents and Ice Cream. But that does not mean that there is any STATISTICAL SIGNIFICANCE between the two – and certainly the selling and eating of Ice Cream is not, in and of itself, the CAUSATION of the car accidents. THE GAO Yellow Book, GAO-07-731G Government Auditing standards addresses this issue of significance. It states in paragraph 7.04,

The concept of significance assists auditors throughout a performance audit, including when deciding the type and extent of audit work to perform, when evaluating results of audit work, and when developing the report and related findings and conclusions. Significance is defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors. Such factors include the magnitude of the matter in relation to the subject matter of the audit, the nature and effect of the matter, the relevance of the matter, the needs and interests of an objective third party with knowledge of the relevant information, and the impact of the matter to the audited program or activity. Professional judgment assists auditors when evaluating the significance of matters within the context of the audit objectives.

Therefore, you will notice that each of these statements requires the auditor to make a decision as to whether or not the defects found, whether sample item or sample item element defects, are systemic in nature or non-systemic, isolated, in nature. It also provides that auditor the latitude, the JUDGMENT, repeat JUDGMENT to decide, based upon their experience whether or not a defect is systemic or non-systemic. No longer is the auditor "locked" into blindly finding the contractor unsatisfactory due to the black and white, rigid requirement found in the old ASPR Sup. 3. I know, I know, some of you will say you have been doing this all along. Superb! While black and white may exist in a technical world, property management has shades of gray that must be treated with a great deal of professionalism. [Just look at my hair! Now what do you do with this finding. Well, think for a minute as to the type of action required to correct this problem. Is it something that can be corrected? Is it something that, through the modification of the contractor's property control system, can be prevented from happening again in the future? Always keep the question of "What can be done regarding these defects or deficiencies in the back of your mind. Why? Because they may help your formulate your recommendations to the contractor to assist with the corrective action plan or the corrective actions the contractor may take.

[132]

Defense Contract Property Management Systems Audit Primer

By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 9

PMSA Summary

By the end of this module, you should be able to: • Describe how to prepare the PMSA Summary and distribution requirement

By completing the lesson, you should be able to: • Explain the purpose of a PMSA Exit Conference/Interview • Explain the purpose of a Corrective Action Plan • Describe the two statuses of a PMSA • Define the concept of resurvey • List actions in the case of contractor non-responsiveness

PROCESS SEGMENT/PROCESS/PMSA STATUS Bravo! You have performed your audit of a process segment or a process. You've properly established your population(s), selected your sample numbers using a sound statistical methodology, established a correspondence between your sample numbers and the sample items, and collected the data from the sample items. You've evaluated the data both for the sample items and sample item elements, and reached a conclusion as to the status of the process or process segment, that being either satisfactory or unsatisfactory. Now it is time to rate the whole system. "Well" you say, "The audited entity’s property management system had one unsatisfactory process in the PMSA or internal audit and therefore the contractor is rated unsatisfactory!" The next auditor says "Wait a minute! That was only one process segment that was unsatisfactory! You can't call them unsat for that!" [This one is an excitable auditor.] "The contractor had fourteen other processes that were great. You found just one functional segment unsat and now you want to rate the entity unsat for the ENTIRE SYSTEM! What are you, crazy or something?" Well, what is a auditor to do?

[133]

Folks, for this issue YOU NEED TO LOOK AT your organization’s policy and guidance. Why do I say this? Because there is no Department of Defense Policy or OTHER guidance regarding the RATING of an audit or a PMSA. Historically, each of the Government agencies had a different policy. For example, the Air Force, under AFCMD, used AFCMD Reg, 78-7. There were color codings for the status of a contractor property control PMSA. Under DLA if even one function was unsat the entire PMSA is rated as unsatisfactory. Therefore our only advise on rating the PMSA – If you are a contractor doing internal audits or assessments you need to establish some rubrib for “Rating” YOUR INTERNAL AUDIT or ASSESSEMENT. EXIT CONFERENCE/NOTIFICATION OF DEFICIENCIES I've lumped these two items together as sometimes they may occur simultaneously while in other instances they may be spread out over a number of months. So, you’ve done your audit or self assessment. You have all of the data, the audit evidence, all of the information – AND EVIDENCE OF DEFICIENCIES. Do you have to tell the auditee??? Simple answer – Yup! When should you tell the auditee of the deficiencies? Well, it depends! It depends upon the structure of the audit. If it is a small audit of a small activity that is accomplished over a day or two or a few days – then wait until the end of the audit. If it is a LARGE ACTIVITY – with TONS of “stuff” – then that audit may take an extended period of time – and the notification of deficiencies MAY take place as each process or process segment audit is completed, rather than waiting until the ENTIRE audit is complete. In other words you want to be able to provide the AUDITEE feedback – the results of the audit – the good, the bad and the ugly – as SOON AS POSSIBLE! Stale data is just as bad as no data!

USE YOUR JUDGMENT AS TO THE MOST EFFICACIOUS TIME TO PERFORM THESE PERIODIC BRIEFINGS.

[134]

Let me address some aspects that have not been discussed and that require explanation. This again entails the notification to the contractor of deficiencies and also resolving of deficiencies. Resolving Identified Defects The DoD Property Manual in Chapter 4 Section A. 11. b. states that, "Minor or isolated property defects that can be corrected during the performance of the analyses should be resolved at the lowest possible management level with verbal or limited written contact." Very simply, those MINOR NONSYSTEMIC ERRORS NEED NOT BE FORMALLY DOCUMENTED. They do need to be documented for correction. Though your worksheets will show that defects were found, they should also reflect that the defects were corrected during the course of the PMSA and did not impact the property management system. These minor nonsystemic defects need not have formal corrective action plans created by the contractor. Again, as an auditor you are looking for SYSTEMIC DEFECTS. THE GAO Yellow Book REQUIRES that we document our findings. Paragraphs 7.77 through 7.79 state,

7.77 … the audit evidence obtained and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions. Auditors should prepare audit documentation that contains support for findings, conclusions, and recommendations before they issue their report. 7.78 Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors’ professional judgment. 7.79 Audit documentation is an essential element of audit quality. The process of preparing and reviewing audit documentation contributes to the quality of an audit. Audit documentation serves to (1) provide the principal support for the auditors’ report, (2) aid auditors in conducting and supervising the audit, and (3) allow for the review of audit quality.

This is where the auditor shall/must (Command/imperative) contact the appropriate personnel who have the ability to take corrective action. It is not sufficient to just correct the found defects. Since these were SYSTEMIC defects what actions are going to be taken to assure that this does not happen again. In other words a corrective action plan is to be created. (More on the Corrective Action Plan later.)

[135]

You are required to DOCUMENT the findings and NOTIFY the appropriate personnel! That may be a property manager. That may be a member of the contractor’s Managerial personnel. Usually there has been verbal communication of the deficiencies found during the PMSA as discussed above. Now the auditor must clearly and concisely put into writing what those deficiencies are so that the contractor can take corrective action. These should not come as any surprise - neither should they differ from those discussed during the exit interview. We should reach agreement as to the course of action required to correct these deficiencies. If you have established the appropriate professional relationship and rapport between the auditor and auditee -- this should not be a problem. Unfortunately, we have all run up against the adversarial relationship - on both sides of the fence - Government and contractor! We're all human, and must deal with the real world. Sometimes things do not go smoothly and we are unable to reach agreement. There will be further discussion under the "Resolution of Differences" section. As stated above, it is hoped that you, the auditor and auditee, have reached agreement that Corrective Action or a Corrective Action Plan is needed. Under the “OLD” DoD Property manual we had guidance in regard to a timeframe for corrective actions. It stated, "The period of time for corrective action shall normally be established at 90 days. This time frame may vary, either increased or decreased, dependent upon the complexity and nature of the corrective action(s) required and the impact of the deficiencies involved." This one section has already caused quite a stir amongst and between the various parties. The major complaint has been the established time frame of 90 days! 90 DAYS IS NOT SET IN CONCRETE. Rather it was meant as a point of reference for many applications but not all. That is why there is the allowance for either lengthening the time allowed for corrective action as well as shortening the time frame. Every audit is different and every corrective action required may need a different time frame. To establish one size fits all would be arbitrary and capricious. This is not meant to be either. It is only meant as a frame of reference. Finally we get to the exit conference. EXIT CONFERENCE This again may be one of the most powerful motivators available to the auditor. It is the time when the auditor can exhibit his/her true professionalism and the ability to interact with the top levels of contractor management. We discussed in an earlier chapter of this text that the auditor was to conduct an Entrance Conference – and we stipulated that this should be done with contractor’s MANAGERIAL PERSONNEL. Well, there is the same EXPECTATION for this to occur at the EXIT CONFERENCE! I have heard countless times that the auditor is not in a respected position. It is not a “VALUE ADDED” job! I DISAGREE!!! Here is your opportunity folks. Don't waste it! You have no excuse not to conduct an exit interview with MANAGERIAL PERSONNEL

[136]

(Emphasis added)! Do not disregard the importance of this meeting. It is a wonderful opportunity to impress upon the various management personnel the importance of property management/property administration. You should avail yourself of this opportunity to the fullest extent possible. O.K., some personal notes here. When it comes time for your performance evaluations you all want to hear everything that you've done wrong. The supervisor should only relate to you those areas where there are problems - right? No! You want to hear about those areas that are satisfactory, good, excellent, those areas where you ARE doing your job. Yet when we hold an exit briefing the only areas that are discussed are the problematic ones. The auditor needs to discuss the "OVERALL RESULTS" of the PMSA. This includes the good areas as well as the deficient ones. Please don't forget this. We spend enough time telling the audited entity what he or she is doing wrong. Why not provide a thorough and complete OVERALL evaluation. Yes, you need to discuss with the audited entity those areas that are unsatisfactory. And the auditor, yes that's you, shall advise the audited entity where corrective action is required. BE SPECIFIC AS TO WHAT THE DEFICIENCIES WERE/ARE! It is not sufficient to say "Well, the area of Physical Inventories was unsatisfactory." End of conversation. The real meat of the matter is "What was unsatisfactory?" Was it because no physical inventory was taken? Was it because the physical inventory was performed by the same person responsible for the records? Was it because the physical inventories were not posted to the record in a timely fashion? What specifically was the problem? You must be specific. During this exit conference agreement should be reached during the exit conference as to the corrective measures necessary. Generally this will be a verbal agreement at this time. It may require a period of time for the audited entity to develop a Corrective Action Plan, especially with the larger activities with multiple interconnected complex systems. Notice that this relates back to your notification to the entity of deficiencies. Generally, this previously discussed written notification takes place AFTER the exit conference. This may not be your PMSA Summary. That comes later! CORRECTIVE ACTION PLANS – Generally, entities will be responsive to preparing and submitting Corrective Action Plans (CAP). The audited activities realize that it is to their benefit to properly control, protect, preserve and maintain that Government property in their possession. I have yet to meet an organization that deliberately set out to lose, damage or destroy Government property. Rather, most understand that the FAR and DFARS requirements imposed upon them by the contract are reasonable in nature (Well, at least most of them are). Therefore, when reasonable requests are made to correct deficiencies, contractors are amicable to this idea.

[137]

The FAR Government Property clause, 52.245-1(g) is quite specific in this regard. It states,

“3) Should it be determined by the Government that the Contractor’s property management practices are inadequate or not acceptable for the effective management and/or control of Government property under this contract, and/or present an undue risk to the Government, the Contractor shall immediately take all necessary corrective actions as directed by the Property Administrator.”

What should an auditor be looking for in a corrective action plan? Well, here are some basic thoughts to ponder: 1. The discrepancy(ies) that is/are going to be corrected. 2. A time line, using whatever methodology to display it, showing when the corrective action will begin and be completed. 3. Documentation - what action is planned. 4. Responsible individual(s) and organization(s) within the audited activity and points of contact. Who is ultimately responsible and has the authority to "Make it so!" 5. Actions (Whom to contact, when, how) in case there is slippage of any of the due dates. 6. Notification requirement as to when the CAP is complete. The auditor should thoroughly document his/her files with the correspondence between the two parties. Why? Well folks, sometimes things do not work out. And, needless to say, we live in a litigious society. Both parties have lawyers, and these lawyers deal with a woman on an everyday basis - and this woman's name? SUE! If you have to defend your findings and your actions the court looks for documentation!!! Documentation of all of the actions you took: Your original PMSA or audit planning, the performance of the PMSA or internal audit or assessment, and the validity of your findings, everything - ! They will want to see all of your data and correspondence. I would heartily recommend that you DOCUMENT your files extremely well! In your readings of the General Dynamics versus DCAA Case quite clearly the documentation was woefully inadequate! INTERNAL AUDIT OR PMSA SUMMARY It's getting close to the end folks; we've scheduled, planned, conducted our internal audit or assessment or PMSA. We found deficiencies. We held our exit interview and reached agreement regarding any deficiencies. We've notified the contractor, in writing, of the deficiencies and the contractor has corrected them. We're back in our office and now what? Well, we need a summary for our records and to notify the contractor that the audit is complete. The GAO Yellow Book details the requirements for reporting the results of the audit. A whole chapter is dedicated to this requirement. Paragraph 8.03 is simple, clear and concise. It states,

[138]

Auditors must issue audit reports communicating the results of

each completed performance audit. This written summary is a discussion of the various parts of our audit. The document should be able to stand on its own. That is, someone that has no idea about the contractor should be able to understand what you did, when you did it, how it was accomplished and any problems you encountered, deficiencies corrected, etc. The GAO Yellow Book also addresses the form and content of the report. Let me extract some CRITICAL items regarding the audit Summary. The following paragraphs are critical to the auditor [NOTE – these are only EXTRACTS from the Yellow Book. I have not included the full text]:

8.08 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; …. 8.09 Auditors should include in the report a description of the audit objectives and the scope and methodology used for addressing the audit objectives. Report users need this information to understand the purpose of the audit, the nature and extent of the audit work performed, the context and perspective regarding what is reported, and any significant limitations in audit objectives, scope, or methodology. 8.10 Audit objectives for performance audits may vary widely. Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions, including why the audit organization undertook the assignment and the underlying purpose of the audit and resulting report. 8.11 Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that they could reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of access to certain records or individuals. 8.12 In describing the work conducted to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify organizations, geographic locations, and the period covered; report the kinds and sources of evidence 8.13 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence gathering and audit techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives….

[139]

8.14 In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Clearly developed findings, as discussed in paragraphs 7.72 through 7.76, assist management or oversight officials of the audited entity in understanding the need for taking corrective action.

WOW!!! Please do not be overwhelmed by this information – if you are an auditor that has done an Audit Summary over the past decade, you have already been writing these types of reports! Well, why do you have to do all of this? First off, other Individuals might review this document. There might be a corporate property councils, management and leadership teams, Government review Boards, and others., will all get a chance to second guess what you did. If there is any inconsistency they will find it! Remember this is an executive level document. Make sure it reads like one. In fact, why not let the other auditors in your office proof it for you with a critical eye for errors. Secondly, the audited party will be receiving a copy of this summary. "Wait a minute" you say. "I send them a letter saying they are o.k. What's this about sending them a summary?" Pragmatically, you are closing the loop for your engagement. You provided the audited entity a notification of your engagement, i.e., coming to do an audit. You are now telling the entity that the engagement is complete – other than for any required corrective actions. Your Audit Summary and its cover letter are notifying the entity of the AUDIT findings. Let us be more specific here! In our Contract Property environment this does not IMMEDIATELY affect the status of the contractor's PMS unless deficiencies are not corrected and the ACO's assistance is requested and ... well, that's a whole 'nother subject that I covered in basic Contract Property class. Thirdly, You want them to be documents that will proudly follow you the rest of your life. [I know from personal experience. There are still files written by a guy named Goetz that surface at contractor plants and in Government offices.] "Finally! I'm Done!" "Uhhh, well, not quite. You see, there is the small matter of a resurvey." RESURVEY or REAUDIT So, you found some problems. There were some deficiencies found in the audited entity’s system through the audit. The entity submitted a corrective action plan and adhered to it

[140]

and has contacted you to say that everything is corrected and that you need not bother with them until the next fiscal year. Go home, get a good night's sleep everything is O.K.! Unfortunately, you, the auditor, cannot just assume everything is O.K. Rather it is your responsibility to reaudit those processes/process segments that were deficient. The minor ones resolved on an informal basis need not be resurveyed. Rather the re-audits are for those processes or process segments where systemic defects/deficiencies were found and corrective action plans designed.

Should you use statistical sampling to test the correction of the deficient function/functional segment? If it was a systemic defect - YES! Why not just check those sample items that were deficient and see if they were fixed? Because you would then only know that those items already identified as being defective were fixed -- that is a Band-Aid approach. Rather, you want to make sure the SYSTEM is fixed and the only way that you can rest assured that the system is fixed is to test statistically. Do I have to pull the same number of samples? Yes! Why? Well, unless you know more than all of the statisticians throughout the past few centuries (And then what are you doing in property?) you have to apply the same statistical approach you did for your original audit. Sorry, you may not like it, but it would be very difficult to provide a defensible position otherwise. Do I have to use the same acceptance and rejection rates? Yes! "Oh, man, this is getting tougher by the minute. Why hasn't anybody said this stuff before?" "Because now people are finally paying attention to us!" Bear with me just a little bit longer. One more question - What happens if the audited entity doesn't want to take any corrective action, or delays the corrective action beyond a reasonable timeframe? Yes, I know that this should not happen - but what if it does?

WARNING: YOU ARE NOT TO DO A FULL AUDIT OF THE ENTIRE

PMS. RATHER, THIS IS A REVIEW OF THOSE PROCESSES OR PROCESS SEGMENTS THAT WERE EVALUATED AS BEING UNSATISFACTORY AND HAD

A CORRECTIVE ACTION PLAN DESIGNED AND IMPLEMENTED BY THE CONTRACTOR!!!

[141]

NON-RESPONSIVENESS ON THE PART OF THE AUDITED ENTITY TO CORRECT DEFICIENCIES If the audited entity is non-responsive to the requests by the auditor for corrective action it is time then to attack this from two different perspectives:

1. If this was an Internal Audit or assessment, then you need to elevate this to the next higher level of management within your company – and, provide notification to the Government (Generally your Government Property Administrator).

2. If this was a Government PMSA -- then there is clear guidance as to a course of action on the part of the Property Administrator.

We see direction in FAR 45.105, entitled Contractors’ Property Management System Compliance. Two paragraphs are critical to the auditor and the CO – paragraphs (b) and (c).

(b) The property administrator shall notify the contractor in writing when the contractor’s property management system does not comply with contractual requirements, and shall request prompt correction of deficiencies and shall provide a schedule for their completion. If the contractor does not correct the deficiencies in accordance with the schedule, the contracting officer shall notify the contractor, in writing, that failure to take the required corrective action(s) may result in—

(1) Revocation of the Government’s assumption of risk for loss, damage, destruction, or theft; and/or

(2) The exercise of other rights or remedies available to the contracting officer. (c) If the contractor fails to take the required corrective action(s) in response to the notification provided by the contracting officer in accordance with paragraph (b) of this section, the contracting officer shall notify the contractor in writing of any Government decision to apply the remedies described in paragraphs (b)(1) and (b)(2) of this section.

Notice that this is POLICY directed to the GOVERNMENT – it is NOT contractually binding upon the contractor. Rather this is guidance provided to the auditor and the CO such that THEY know what to do in this situation. So, I, as the PA – serving as an auditor, just send a letter to the CO – right? Should this be sprung upon him/her? Absolutely not! The ACO should have been a player all along in this process, or at least at that time when deficiencies were uncovered. Or, if you thought that everything was going along O.K., at least at the time when the

[142]

contractor started to slip on the timeline for the corrective action plan. If you failed to give to ACO a head's up before things got really bad don't expect the ACO to greet you with the warmest of welcomes. Remember, you are part of a team and as such the team needs to be aware of things that may impact the team. Again, the professionalism of the auditor may be called into question if you were lax in this regard. Well, you've gone through a lot of material. But, it ain't over yet. The next Chapter will cover some of the more unique and misunderstood areas of PMSA.

[143]

Defense Contract Property Control Systems Audit Primer By Professor Douglas N. Goetz, Ph.D., CPPM, CF

MODULE 10

Other Audit Techniques and Methods

By the end of this module, you should be able to:

• Describe a Property-to-records review By completing the lesson, you should be able to:

• Describe random sampling • Explain the use of one population for multiple functions Describe inappropriate usage Describe appropriate usage Explain Audit Trail Methodology

• Explain Purposive sampling and Purposeful sampling and distinguish between the two Describe when to use Purposive Sampling

• Describe Judgment Sampling • Describe the concept of Audit Independence • Explain the ethics of System Audit

OTHER AUDIT TECHNIQUES/METHODS So far we have primarily addressed the actions of performing a system Audit from a "record to property" perspective. In other words, we select our population from the records maintained by the contractor and then review the property associated with these records. At least in a number of functions/functional segments we review the property. There is an inherent weakness to this methodology. That weakness is that a record may not exist for the Government property in the contractor's possession -- the audited entity -- or there may not be a record of the action/transaction that the contractor is accomplishing. How can the auditor then have assurances that the audited party is maintaining the required records of all Government property for all transactions that are necessary? Through the use of another technique! Through the use of a "Property to Records" Audit. Property to Records How does one do a "Property to Records" review? Well, it's simple. You just select a judgment sample from the floor of the Government property and then trace it back to the existing (hopefully) record that the audited entity has established. NO!

[144]

Just because you have reversed the order of audit does not mean that you can throw out the laws of statistics. If one is statistically naive this might seem appropriate, but to select a judgment sample is incorrect and subject to disagreement and disputation by the contractor. In addition, the contractor could probably prove, statistically, that your results were not generalizable to the larger population. Your sample selection was biased therefore, your results were biased. There are statistical methods that would remove this bias AND SHOULD BE USED! There was some debate and disputation regarding this methodology. As such the Defense Logistics Agency asked its operations research people to take a look at this topic. When reviewing property to records what type of sample should be drawn. Two items were validated through this project. The first was that the sample size must be the same as the records to property reviews found in the “Old” DoD 4161.2-M using Appendix B of the manual. Second, that this review must use a random sample to ensure statistical validity.

Well, how do you apply statistical sampling - RANDOM sampling to a property to records review? Establish a methodology! The first step is already stated. You must use the same sample size as you used for that function or functional segment. You are NOT allowed to reduce this sample to 1/2 of our records to property review. Though this has been suggested in the past IT IS INCORRECT (DLAers pay particular attention). If you choose only 1/2 of your sample size for the property to records review what do you choose for your acceptance or rejection rates? 1/2 of those numbers? No, this would really be messing with statistics. The formulas for computing sample sizes are not based upon simple averages. Trust me on this one or refer to any statistics book for computing sample sizes. So, you have the sample size. How do you select a RANDOM SAMPLE for the property to records portion? Well, I just walk around the floor and select 34 items as my sample that look good. NO! Again, establish a methodology that you can consistently follow and would eliminate any BIAS. One of the easiest methods to apply would be the selection of the property to records sample at the same time as the records to property sample. This could be down through the following pattern.

What we are saying is that when doing a property to records review you MUST use a statistical sample size set forth in your sampling table based upon the confidence level that you are using that is commensurate with the population size from the function/functional segment that you are auditing.

[145]

1. You know the number of sample and the sample items that you selected under records. 2. When doing a location check establish which item you are going to select for a property to records audit. 3. This may be done by determining that you will select the item either: a. directly above, b. directly below c. immediately next to (left or right) the item selected for the records to property review. Why is this an adequate methodology? Because, as previously discussed, the sample for records to property was already established as being random. Therefore, you preclude against bias. The audited entity could not claim that your sample from the floor was biased and therefore was not generalizable to the larger population. If you do not protect against bias you will have a very difficult time defending your sample as to its generalizability. Your sample would only be related to the sample items and not to the larger population. You could tell the contractor to correct those problems that were found but you would not be able to tell the contractor to fix the system BASED UPON THAT BIASED SAMPLE THAT WAS SELECTED! Again, we must be very careful when using statistical sampling to preclude bias from creeping into our Audit. This would definitely happen if you were to use a judgment sample. USE OF ONE POPULATION FOR MULTIPLE FUNCTIONS There are a number of instances where a population that has been defined and the sample randomly selected from that population for one process may be used as the sample to analyze another process or process segment. That is certainly a mouthful but there is some real applicability of the premise in the audit process. Let's look at this premise first where it would not be applicable and second where it shows great promise. Inappropriate Usage Assume for a moment that under the Process of Acquisition you select as your population all purchase orders for the past year or from the last system Audit whichever is less. (NOTE: Selecting only purchase orders would be inadequate to review this function as there are other ways of acquiring property. P.O.s are being used only as an example.) There were 264 P.O.s during that timeframe. Our sample size would be 32. The function of acquisition is rated satisfactory as no defects were found. You think for a moment and say "Gee, why not use this same population and sample for the function of receiving? It certainly would save me a lot of work."

[146]

There are multiple reasons as to why this methodology would be and is wrong. Let's examine some of these ideas. The P.O.s selected were for the last year or from the last audit until the time of the current audit -- today. Yes, it is possible that many of the items would have been received. But, and this is a problem, it is probable that many of the items would NOT have yet been received. This is especially true when some of the sample P.O.s selected were of a recent vintage. If you used this methodology your population would not have been selected for the purposes of testing "Receiving." Rather you would be using a perverted or unpure population; Your population would not be representative of the function you were testing. You could carry this logic through from the beginning of your Audit to the completion of all functions and you would notice that your sample would stay the same but the number of applicable items would decrease with each continuing Process that you reviewed. For example, if you used this acquisition population and sample and followed it through the entire audit -- Acquisition → Receiving → Identification → Records → Consumption → Utilization → etc. Each Process would have less and less sample items applicable to it from your original sample. Yes, it is possible that the material the audited entity acquired from the original purchase order had been received, and had been identified and had been recorded but, it may not have been consumed. Therefore, how can you complete your audit criteria? Clearly, this is an erroneous methodology and it is not recommended for use. Appropriate usage "Well, O.K., when can I use one process' population and sample for reviewing another function?" The answer. "When the populations are essentially the same!" Look at the process of records. Here it is incumbent upon the auditor to very carefully define the appropriate populations for review. These populations are driven by the record keeping requirements set forth in FAR 52.245-1(f). Let's assume that we have established one population consisting of all material records active today as well as those closed since the last system Audit. The record keeping requirements for material are set forth in FAR 52.245-1(f). "Great! Our review of the records Process is adequate and compliant. Can we use this same population AND SAMPLE for any other processes in the audit?" "No! You told us we shouldn't do that." "That's right but there are times when you can and should use this technique as it will save you time and effort and will yield the same results!"

[147]

Consider for a minute the question of "How would you define your population for the process of consumption?" "Well" you respond, "I would want to look at all consumable property." "Good, for what timeframe?" "All property consumed since the last PMSA." "Better, but is there anything else?" "Well, the records that have been closed since the last PMSA." "Better still, we have defined our population as records of all consumable property that are active today as well as records of consumable property closed since the last PMSA." In this fashion we have a very "robust" population that gives us a lot of coverage. But, you'll notice that this population is exactly the same population as you selected for reviewing the records of material. So, it appears that we could use the same sample from the process of records (material) for reviewing the function of consumption. The same could be done with non-consumable property. For example, you could use the population and sample selected for reviewing records of equipment to perform the Audit of the utilization function, and possibly the maintenance function -- IF YOU CAREFULLY DEFINE YOUR POPULATION(S) SO AS TO HAVE COMMON CHARACTERISTICS. Uses of Audit Trail Methodology Remember I said before that you should not use the technique of testing Acquisition → Receiving → Identification → Records → Consumption → Utilization → etc., using the starting population and sample of acquisition? Well, now I'm going to tell you that you can use that approach - under very specific circumstances. This approach is useful for testing the audit trail of an item through its life cycle. You could select a population and trace its documentation from start to finish, or select a population halfway through its lifecycle and go back to its acquisition and forward to its use and possible disposition, or you could select something awaiting disposition and trace it from its original acquisition. This does NOT test the process, process segment or criteria under any one function. Rather, its purpose is to follow the audit trail and assure the auditability of a entity’s PMS. PURPOSIVE/PURPOSEFUL SAMPLING Are there times when judgment comes into play in the selection of a sample? ABSOLUTELY! There are techniques, legitimate techniques established in the field of auditing. Purposive sampling was originally derived from the work of anthropologists,

[148]

Margaret Mead for example, studying cultures. They didn't want to study just the average but many times wanted to study the extraordinary. Therefore, they would purposefully select an individual or occurrence to study. Lincoln and Guba were the parents of the use of purposive sampling in the qualitative field of educational research. Vance and Neter (1956) were one of the earliest to cite the use of purposive sampling in the field of auditing. They state, A judgment or purposive sample is one where the selection of the specific

sample items depends to a large extent upon individual judgment, or where judgment decisions are made about portions of the population for which the sample did not obtain the necessary information... Judgment samples may at times be quite useful, but their results cannot be evaluated on the basis of the sample by statistical methods. They are no better than the judgment of the individual who made the decisions, and that judgment is difficult, indeed, to evaluate (p. 17).

We allow the use of Purposeful sampling, a CLASS III type sample. But, if you peruse the “Old” DoD Property Manual you will not find any function, functional segment, or criterion that allows the use of Purposeful sampling, a CLASS III type sample. The GAO Yellow book recognizes that there may be and are situations where a purposive sample may be used. Paragraph 7.63 states,

When sampling is used, the method of selection that is appropriate will depend on the audit objectives. When a representative sample is needed, the use of statistical sampling approaches generally results in stronger evidence than that obtained from nonstatistical techniques. When a representative sample is not needed, a targeted selection may be effective if the auditors have isolated certain risk factors or other criteria to target the selection (Emphasis added).

In addition, The “Old” DoD Manual states that, (1) Purposeful sampling is the process by which known, suspected, or

reported conditions of a critical or substantial nature are used to select areas, items, or actions for review to determine the possible adverse systemic impact. It is especially critical, when using purposeful sampling, that items being researched have the potential for significant systemic impact. When the PA determines the potential exists for systemic impact, conditions or items shall be reviewed to determine whether or not a systemic deficiency exists. Conditions or items which have defects but do not impact the system should be reviewed using other methodologies; e.g., Statistical or judgment sampling.

(2) Purposeful sampling is closely related to judgment sampling in that a purely random sample is not drawn. This process is particularly useful for resident PAs who have established a first-hand perspective of the contractor's operations. The use of purposeful sampling

[149]

presupposes that the PA is aware of a substantial adverse condition within the contractor's property control system that has been disclosed through some other review, occurrence, discussion with or notification by other functional Government area, e.g., Quality Assurance, Production, etc., or contractor operation. Using the information the PA shall purposefully seek out other similar conditions. As this sampling is purposeful, the random number tables in Appendix C would not be used.

WHEN TO USE PURPOSIVE SAMPLING This is an area where abuse may run rampant. The Auditor must maintain the highest ethical standard when using purposive sampling. Otherwise, it may turn into a witch hunt, a fishing expedition to see what he/she may find, regardless of the effectiveness and efficiency of the contractor's property control system. Notice that purposive sampling is for use with "KNOWN, SUSPECTED, OR REPORTED CONDITIONS OF A CRITICAL OR SUBSTANTIAL NATURE." Atkisson, et al, (1986) use the term "discovery sampling" and specify its use as "In certain situations the concern of the auditor may be as to whether a particular type of deficiency exists. The deficiency involved is normally a serious one and would be expected to have a very low occurrence rate." This is not for use with your everyday system audit but rather for those critical occurrences. There are some suppositions made regarding when to use this technique. "The use of purposeful sampling PRESUPPOSES (Emphasis added) that the PA – read this as the AUDITOR is aware of a SUBSTANTIAL ADVERSE CONDITION within the contractor's property control system that has been disclosed through some other review, occurrence, discussion with or notification by other functional Government area." This technique is only to be used when those occurrences of a CRITICAL OR SUBSTANTIALLY ADVERSE CONDITION exists!!! These defects may not be systemic, they may be nonsystemic or isolated in nature. But, they may adversely impact the Government property in the contractor's possession so much so that additional review is warranted. The use of purposive sampling does not give you, the Auditor, the authority to run rampant through the entity’s site looking for defects any time you think there is a problem. It is for use in extreme instances and had best have a large amount of substantiation BEFORE one engages in its use. PERAMBULATION/DCAAM The Defense Contract Audit Agency in its manual, DCAAM 7640.1, has a discussion using their term. Section 5-108 Part C of the DCAAM discusses "Perambulation." Don't you just love fancy words. What the heck is perambulation? Ahhhh, do any of you remember perambulators? A fancier term for a baby buggy! Well, the DCAAM is not suggesting that

[150]

the DCAA auditor take a baby buggy through the contractor's plant. Rather it is directing the auditor to become familiar with the contractor's operation(s) by walking through the plant, perambulating through the plant. I only mentioned this in passing because it is something that we, in property, do on a daily basis and yet DCAA has to be instructed to do it. Interesting, the different perspective! JUDGMENT SAMPLING We discussed "Judgment sampling" briefly in Chapter One under the "Classes of Criteria." Judgment sampling is allowable for those criterion listed as Class II criterion. The PA is NOT authorized to use judgment sampling for those criteria listed as Class I. "O.K.," you say, "NOW I can use those areas or items where I KNOW there are problems. Right?" In a classic text by Vance and Neter (1956) they state The method of choosing a sample has a crucial relationship to the

interpretation of the sample results... A judgment sample is one where the selection of the specific sample items depends to a large extent upon individual judgment, of where judgment decisions are made about portions of the population for which the sample did not obtain the necessary information.

Atkisson, et al, (1986) also provide some guidance on this matter. They provide the following defense for judgment sampling, Although the merits of statistical sampling are generally accepted, auditors

frequently use judgment, or non-statistical, sampling to perform tests... Auditors generally justify the use of judgment sampling by the following:

Auditing is a matter of judgment rather than mathematical analyses.

Judgment sampling is easier to apply. The auditor's general reviews and analyses identify the

sensitive items that need to be examined. Management is interested in information as to specific

deficiencies found, not projections based on statistical sampling.

Some of these beliefs may appear to be valid while others have inherent weaknesses to them. The Auditor must be extremely careful when using judgment sampling. It should not be used indiscriminately but, rather, should be used when the criterion being reviewed allows its use and the use of statistical methods is unwarranted. For example, let's assume that you are reviewing the process of Storage, at a small contractor's plant. There are a half dozen storage locations in the plant.

[151]

The first question that you should ask is "Can I use judgment sampling for this function and the criteria under the Process segment?" "Yes, you can! For criteria under the two Process segments under the Process of storage are all Class II criterion." The second question that you should ask is "Should I use judgment sampling for these criteria? "Yes, you have the authority to use judgment sampling but look at the population that you are going to review. Would it be that much work to review all six storage areas? How much property is involved at those storage areas? How large are those storage areas? Have there been problems with any of these storage areas in the past survey/analyses?" There are many factors that contribute to your decision. Choose carefully when you apply judgment sampling! Assume now that you are at a contractor's plant that has 24 storage areas. Ask the same questions that we did before: "Can I use judgment sampling for this function and the criteria under the functional segment?" "YES." "Should I use judgment sampling for these criteria? "Why not?" Notice that there are a lot more storage areas. If you choose a statistical sample you would have to randomly select 18 locations. Here, it would be a judgment sample, predicated upon YOUR experience and expertise. It is important that you use that knowledge and experience wisely. The evaluation of a judgment sample is another aspect that if improperly applied could have devastating results. I will repeat the Vance and Neter (1956) quote, they caveat their discussion of judgment sampling with the following warning, “Judgment samples may at times be quite useful, but their results cannot be evaluated on the basis of the sample by statistical methods. They are no better than the judgment of the individual who made the decisions, and that judgment is difficult, indeed, to evaluate.” (p. 17). AUDIT INDEPENDENCE There are some that say that there should never be a "unwitnessed" finding. This is not supported in any of the audit texts. The independence of the audit/auditor may be called into question if there is someone looking over his/her shoulder at every step of the way. In addition, the auditor may be tying up an audited entity’s representative for days on end, costing both parties lots of money. Rather the audit texts (Arens and Loebbecke (1988),

[152]

Carmichael and Willingham (1989), Chamber, Selim, and Vinten (1987)) DO require that all data be in a form that provides sufficient evidence of audit. Courtemanche (1986) provides a wonderful discussion of audit independence identifying five characteristics of audit independence. These consist of access, objectivity, freedom, diligence, responsiveness. Access, or the lack thereof, is one of those items that the auditor may face from time to time. From a Government perspective, the Government property clause, FAR 52.245-1, provides access to the contractor's premises, by the Government PA, for the purposes of inspecting the Government property. But there is more to Courtemanche's definition of access. He states, "Every auditor knows what access is. Access has to do with the availability of the information needed by the auditor to perform his audit. Access is broken down into three generic sources of information: facilities, records, and people." Facilities are the actual physical items. Yes, the records may show ten thousand troy ounces of Government furnished silver but I can never be sure unless I SEE the items. [Note: Don't laugh - this is a true story. The audited entity had superb records showing all of the silver was on hand until we asked to see the silver and the activity confessed that they had sold it unbeknownst to the Government.] Records - the life's blood of the AUDITOR!!! "Records are a representation of reality rather than the reality itself. In many cases the auditor does not have the means or the time to ascertain or evaluate the 'hard' reality which is the ultimate object of the audit. Instead, he tests the accuracy of records reflecting the reality and, if the records are adequate, he bases his evaluation on the records themselves. In order to do this, he must have access to the records. Lastly, Courtemanche lists people. "It often happens that the auditor knows of no record which might provide the information he requires. This is why he needs access to people. People can provide records which the auditor was not aware even existed or which are not generally available because they are closely controlled by the people in question." The Auditor must be extremely sensitive to the actions taken or those actions that may be taken against various employees that divulge information during an audit. One hopes and assumes that no activity would dismiss an employee because he/she provided the information required to be disclosed to an auditor. This certainly would not adhere to the Deming principle of TQM to "drive out fear." I do not believe that he had the idea of firing people as the method of driving out fear. The second characteristic of audit independence that Courtemanche lists is that of "objectivity." He lists four attributes under this characteristic: Intelligence, formal knowledge/education, experiential knowledge and absence of emotional bias. Boy, if this doesn't apply to the world of property audits I don't know what does. Does a property auditor require native intelligence? Yes! Must the property auditor have formal knowledge/education? Absolutely! Must the property auditor have experiential knowledge? Definitely! Should the property auditor be absent of emotional bias? Yup!

[153]

The first three are relatively simple to evaluate as they deal with the cognitive domain. The last more difficult as it deals with the affective domain. I can measure intelligence, and knowledge and education. How do I measure emotional bias? Well, that is a little more difficult - please see the last chapter with its discussion of ethics in property administration. Let’s go back to Industry Leading Practice for a minute – the GAO Yellow Book. Though the GAO Yellow book is NOT a Voluntary Consensus Standard (VCS) is comes extremely close to the hallmarks of a VCS due to its origins and maintenance. The Advisory council for this document is a who’s who of the auditing elite – clearly representative of the most knowledgeable people in regard to auditing. To discount its applicability would require one to provide concrete irrefutable evidence that the guidance and direction provided in the Yellow Book is specious. With that said paragraph 3.01 states,

“These general standards, along with the overarching ethical principles presented in chapter 2, establish a foundation for credibility of auditors’ work. These general standards emphasize the independence of the audit organization and its individual auditors….”

It continues in paragraphs 3.02 and 3.03,

3.02 In all matters relating to the audit work, the audit organization and the individual auditor… must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence. 3.03 Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information.

These are just a few of the key references that document our need for audit independence. Sometimes you, as an auditor, will be given free run of the contractor's plant or facility. Other times you will be escorted. Regardless of which occurrence is your situation you should strive to maintain that aforementioned audit independence. AUDITING ELECTRONIC DATA PROCESSING SYSTEMS - Reserved. THE ETHICS OF SYSTEM AUDIT There is one last area that must be discussed. That area is the concern with ethics. I am of the belief that every property auditor is above reproach and maintains the highest ethical standards. We certainly ascribe to that notion through the constant signing of documents attesting that we know the ethics regulations and the laws that surround our behavior. We attend the mandatory briefings. But, do ethics apply when we are doing an audit?

[154]

They most certainly do! Some examples of unethical practice in a system audit: The deliberate altering of data. The deliberate selection of sample item/numbers to "salt" the sample with known defects. The deliberate avoidance of areas where known defects exist. The deliberate use of an inappropriate audit methodology. The deliberate destruction of documents to prevent replication. The tempering of a process’ deficiencies because you may like the Audited entity’s personnel and don't want him or her to look bad. The worsening of a process’ deficiencies because your boss told you to "Get them because they've gotten off easy the past few years." The worsening of a audited entity’s summary because you want to keep your job and you figure if the audited entity is unsatisfactory the auditing activity will keep you. The "pencil-whipping" of an audit because you are short of personnel and

management doesn't want any backlogs. In this instance Management may be even more guilty of fraud in this day and age of down-sizing. Specifically, if there is too much work piled onto an individual to do and the work doesn't get done, whom do you think will get the "Blame" (Note: in the real world)? The Auditor! But, who, in point of fact is the real guilty party? Management, by not recognizing that they were putting the auditor in an untenable position. Management for putting an employee into a position where there was the impossibility of performance.

Do any of these sound familiar? Are any of them applicable in your environment? If so, and you were the one committing any of these acts, do you think that the Government or your employer should retain you as an employee? All of the above actions regarding the audit are unethical and some may be even criminal violations. The point is that there are many instances and occurrences where the auditor may be tempted to take shortcuts and that may border on unethical practice. The auditor needs to be ever vigilant to assure that he/she does not engage or fall prey to any of these occurrences. We live in a world of second guessers. There is always someone out there ready to look over your shoulder and tell you what you've done wrong. Maintain the highest ethical standards and you should sleep well at night. And if you can't, sleep well at night that is, try reading this document again! CONCLUSION Folks, we have tried to walk you through one of the most complex areas in the world of Contract Property Management. As Auditors much of our time is spent doing Property Management System Audits and yet it is the one area where there is a real lack of

[155]

technical information. This document and its Appendix is meant as a start to remedy that situation. My encouragement - 1. Read all that you can on the audit process. 2. Learn all that you can about statistics. 3. Learn all that you can to improve your worth to your employer, and to yourself. Good luck and God bless, Doug Goetz, Ph.D., CPPM, CF

[156]

POTENTIAL AUDIT CRITERIA As a replacement for APPENDIX A of

the DoD Property MANUAL NOTE – THIS IS NOT

OFFICIAL DOD GUIDANCE

Process #

Processes, Process Segments, and Criteria References

1. ACQUISITION: THE PROCESS OF THE CONTRACTOR ACQUIRING OR FABRICATING GP FOR THE PERFORMANCE OF A SPECIFIED CONTRACT. THIS PROCESS ADDRESSES THE ACQUISITION OF GP AND ITS REIMBURSABLE COSTS TO THE CONTRACT, AND THE ACQUISITION OF GP THROUGH REQUISITION FROM GOVERNMENT SOURCES OR THROUGH CONTRACT TRANSFER.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Acquisition Authority

All Government Property including GFP and all property acquired by the contractor (CAP), title to which vests in the Government under paragraph FAR 52.245-1, is subject to the provisions of this clause.

FAR 52.245-1 (d) (2) (i)

1 1 Contractor ensures, for fixed price contracts, when specified as a LINE ITEM IN THE CONTRACT that title to each item of equipment (EQP), special test equipment (STE) and special tooling (ST) acquired by the contractor for the Government under contracts shall pass to and vest in the Government when its use

FAR 52.245-1 (d) (2) (ii)

[157]

in performing this contract commences or when the Government has paid for it, whichever is earlier, whether or not title previously vested in the Government.

1 2 Contractor ensures, for fixed price contracts when the contract contains a provision, i.e., a LINE ITEM directing the contractor to purchase material for which the Government will reimburse the contractor as a direct item of cost under this contract, title to material purchased from a vendor shall pass to and vest in the Government upon the vendor's delivery of such material.

FAR 52.245-1 (d) (2) (iii) (A)

1 3 Contractor ensures title, for GP under cost-reimbursement or time-and-material contracts or cost-reimbursable contract line items under fixed-price contracts, to all property purchased by the contractor for which the contractor is entitled to be reimbursed as a direct item of cost under the contract, passes to and vests in the Government upon the vendor's delivery of such property.

FAR 52.245-1 (e) (3) (i)

1 3 Contractor ensures title, to GP to all other property under cost reimbursement or time-and-material contracts or cost-reimbursable contract line items under fixed-price contracts, the cost of which is reimbursable to the contractor, shall pass to and vest in the Government upon issuance of the property for use in contract performance; commencement of processing of the property for use in contract performance; or reimbursement of the cost of the property by the Government, whichever occurs first.

FAR 52.245-1 (e) (3) (ii) (A), (B), and (C)

1 4 Contractor ensures that all property acquired meets the requirements of being necessary for contract performance including FAR Part 31 requirements of being reasonable, Allocable and Allowable and is acquired only in the amounts needed to perform the contract

Process Segment: Classification of Government Property

1 5 Contractor ensures that property is properly classified prior to acquisition to ensure compliance with contractor’s accounting practices and Cost Accounting Disclosure statement, where applicable.

Process Segment: Requirements Computation

1 6 Contractor documents that all property acquired is consistent with its engineering, production planning, and material control operations.

FAR 52.245-1 (f) (1) (i)

1 7 Contractor’s property management system ensures as an outcome all property acquired is consistent with its engineering, production planning, and material control operations.

FAR 52.245-1 (f) (1) (i)

[158]

Non-Profit Issues

1 8 When FAR 52.245-1 Alt II is incorporated into the contract, contractor has obtained the CO’s approval before each acquisition purchased with funds available for research and having an acquisition cost of less than $5,000.

FAR 52.245-1 Alt II (e) (3)

1 9 When FAR 52.245-1 Alt II is set forth in contract(s) and title to property purchased with funds available for research and has an acquisition cost of $5,000 or more, contractor ensures title shall vest as set forth in the contract.

FAR 52.245-1 Alt II (e) (3)

1 10 When FAR 52.245-1 Alt II is set forth in the contract(s) and if title to property vests in the contractor, the contractor agrees that no costs shall be allowed for any depreciation, amortization, or use under any existing or future Government contract or subcontract.

FAR 52.245-1 Alt II (e) (3)

1 11 When FAR 52.245-1 Alt II is set forth in the contract(s), the contractor furnishes the CO a list of all property to which title is vested in the contractor under FAR 52.245-1 Alt II (e) (3) within 10 days following the end of the calendar quarter during which it was received.

FAR 52.245-1 Alt II (e) (3)

1 12 Contractor ensures title to GP is not affected by its incorporation into or attachment to any property not owned by the Government, nor shall GP become a fixture or lose its identity as personal property by being attached to any real property.

FAR 52.245-1 (e) (1)

Process Segment: MILSTRIP Acquisitions

1 13 Contractor shall ensure that all requisition documents are properly prepared including the use of routing identifiers, fund codes, etc.:

FAR 52.251-1 and DFARS 252.251-7001

1 14 Contractor shall ensure that the contractually specified Priority code and Force Activity Designator is used on all requisitions

FAR 52.251-1 and DFARS 252.251-7001

1 15 Contractor shall ensure requisitions are submitted in a timely fashion to minimize and avoid the use of emergency priorities unless authorized by the contract.

FAR 52.251-1 and DFARS 252.251-7001

[159]

2: RECEIVING: THE PROCESS OF GP INITIALLY ENTERING INTO A CONTRACTOR'S STEWARDSHIP.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Receiving Process

2 1 GP received is documented and information meets record requirements of FAR 52.245-1 (f)(1)(iii)(A)(1) through (5).

FAR 52.245-1 (f) (1) (ii) and FAR 52.245-1 (f)(1)(iii)(A)(1) through (5)

2 2 Contractor documents receipt of GP, records the information necessary to meet the record requirements of FAR 52.245-1 (f)(1)(iii)(A)(1) through (5).

FAR 52.245-1 (f) (1) (ii)

2 3 A timely written request is submitted to the CO when GFP is received by the contractor or for GFP after receipt and installation, in a condition not suitable for its intended use.

FAR 52.245-1 (d) (2) (ii)

2 4 A timely written request is submitted to the CO when GFP is not delivered to the contractor by the date(s) stated in the contract.

FAR 52.245-1 (d) (2) (i)

Process Segment: Discrepancies Incident To Shipment

2 5 Contractor manages any discrepancies incident to shipment. FAR 52.245-1 (f) (1) (ii)

2 6 A written statement is furnished to the GPA if overages, shortages, or damages and/or other discrepancies are discovered upon receipt of GFP, and it contains all relevant facts, such as cause or condition and a recommended course(s) of action,.

FAR 52.245-1 (f) (1) (ii) (A)

2 7 The contractor takes all actions necessary to adjust for overages, shortages, damage and/or other discrepancies discovered upon

FAR 52.245-1 (f) (1) (ii) (B) and

[160]

receipt, in shipment of CAP from a vendor or supplier, to ensure the proper allocability and allowability of associated costs.

FAR 31.201-4

[161]

3. IDENTIFICATION: THE PROCESS OF PROPERLY IDENTIFYING GP IN ACCORDANCE WITH CONTRACTUAL REQUIREMENTS AND ILP&Ss.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Identification Process

3 1 GP is identified as Government owned in a manner appropriate to the type of property.

FAR 52.245-1 (f) (1) (ii)

[162]

4. RECORDS: PROCESS OF ESTABLISHING AND MAINTAINING STEWARDSHIP RECORDS TO MANAGE AND CONTROL ALL GP PROVIDED TO THE CONTRACTOR.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: All Records Of GP

4 1 Records are created and maintained of all GP accountable to contracts.

FAR 52.245-1 (f) (1) (iii)

4 2 Property records enable a complete, current, auditable record of all transactions.

FAR 52.245-1 (f) (1) (iii) (A) and (1) through (10)

4 3 Property records contain minimum information required, unless otherwise approved by the GPA.

FAR 52.245-1 (f) (1) (iii) (A) and (1) through (10)

4 5 Government accounting source data is established and maintained, and as may be required by contract(s).

FAR 52.245-1 (f) (1) (x) (2)

4 6 Records of GP are readily available to authorized Government personnel.

FAR 52.245-1 (g) (2)

4 7 Records of GP are safeguarded from tampering or destruction. FAR 52.245-1 (g) (2)

4 8 When DFARS 252.245-7000, Government-Furnished Mapping, Charting, and Geodesy Property, is set forth in the contract(s), the contractor does not duplicate, copy, or otherwise reproduce the property for purposes other than those necessary for performance of the contract.

DFARS 252.245-7000 (b)

Process Segment: Receipt and Issue System Records

4 9 When approved by the GPA, the contractor maintains, in lieu of formal property records, a file of appropriately cross-referenced

FAR 52.245-1 (f)

[163]

documents evidencing receipt, issue, and use of material that is issued for immediate consumption.

(1) (iii) (B)

[164]

Process Segment: Material Management and Accounting System. [NOTE - These criteria are to be used when requested by the contracting officer to perform an MMAS review. PAs are to be part of the team performing an MMAS review.]

4 10 When DFARS 252.242-7004, Material Management and Accounting System, is set forth in the contract(s), the contractor maintains an MMAS that reasonably forecasts material requirements.

DFARS 252.242-7004 (b) (1) (i)

4 11 When DFARS 252.242-7004 is set forth in the contract(s), the contractor ensures that costs of purchased and fabricated material charged or allocated to a contract are based on valid time-phased requirements.

DFARS 252.242-7004 (b) (1) (ii)

4 12 When DFARS 252.242-7004 is set forth in the contract(s), the contractor maintains a consistent, equitable, and unbiased logic for costing of material transactions.

DFARS 252.242-7004 (b) (1) (iii)

4 13 When DFARS 252.242-7004 is set forth in the contract(s), the contractor assess its MMAS and take reasonable action to comply with the MMAS standards in DFARS 252.242-7004 (e).

DFARS 252.242-7004 (b) (2)

4 14 When DFARS 252.242-7004 is set forth in the contract(s), the contractor has policies, procedures, and operating instructions that adequately describe its MMAS.

DFARS 252.242-7004 (c) (1)

4 15 When DFARS 252.242-7004 is set forth in the contract(s), the contractor provides to the ACO, upon request, the results of internal reviews that it has conducted to ensure compliance with established MMAS policies, procedures, and operating instructions.

DFARS 252.242-7004 (c) (2)

4 16 When DFARS 252.242-7004 is set forth in the contract(s), the contractor discloses significant changes in its MMAS to the ACO at least 30 days prior to implementation.

DFARS 252.242-7004 (c) (3)

4 17 When DFARS 252.242-7004 is set forth in the contract(s), and the contractor receives a report from the ACO that identifies any deficiencies in the MMAS, the contractor responds in accordance with DFARS 252.242-7004 requirements.

DFARS 252.242-7004 (d) (1) (i) (A) and (B) and (ii)

4 18 When DFARS 252.242-7004 is set forth in the contract(s), the contractor has adequate internal controls to ensure system and data integrity.

DFARS 252.242-7004 (e)

4 19 When DFARS 252.242-7004 is set forth in the contract(s), the contractor has an adequate system description including policies, procedures, and operating instructions that comply with the FAR and DFARS.

DFARS 252.242-7004 (e) (1)

4 20 When DFARS 252.242-7004 is set forth in the contract(s), the contractor ensures that costs of purchased and fabricated material charged or allocated to a contract are based on valid time-phased requirements as impacted by minimum/economic order quantity restrictions.

DFARS 252.242-7004 (e) (2)

4 21 When DFARS 252.242-7004 is set forth in the contract(s), the contractor sets a 98 percent bill of material accuracy and a 95 percent master production schedule accuracy as a desirable

DFARS 252.242-7004 (e) (2) (i)

[165]

goal in order to ensure that requirements are both valid and appropriately time-phased.

4 21 When DFARS 252.242-7004 is set forth in the contract(s), (ii) If systems have accuracy levels below DFARS 252.242-7004 (e) (2) (i) requirements, the contractor s provides adequate evidence of no material harm to the Government due to lower accuracy levels; and the cost to meet the accuracy goals is excessive in relation to the impact on the Government.

DFARS 252.242-7004 (e) (2) (i), and (ii) (A) and (B)

4 22 When DFARS 252.242-7004 is set forth in the contract(s), the contractor provides a mechanism to identify, report, and resolve system control weaknesses and manual override and other operational exceptions, such as excess/residual inventory as soon as known

DFARS 252.242-7004 (e) (3)

4 23 When DFARS 252.242-7004 is set forth in the contract(s), the contractor provides audit trails and maintains records (manual and those in machine-readable form) necessary to evaluate system logic and to verify through transaction testing that the system is operating as desired.

DFARS 252.242-7004 (e) (4)

4 24 When DFARS 252.242-7004 is set forth in the contract(s), the contractor establishes and maintains adequate levels of record accuracy, and includes reconciliation of recorded inventory quantities to physical inventory by part number on a periodic basis.

DFARS 252.242-7004 (e) (5)

4 25 When DFARS 252.242-7004 is set forth in the contract(s), and inventory accuracy level for the system(s) is below 95 percent, the contractor provides adequate evidence that of no material harm to the Government due to lower accuracy levels; and the cost to meet the accuracy goals is excessive in relation to the impact on the Government.

DFARS 252.242-7004 ( e) ( 5) ( 1) and (2)

4 26 When DFARS 252.242-7004 is set forth in the contract(s), the contractor provides detailed descriptions of circumstances that will result in manual or system generated transfers of parts.

DFARS 252.242-7004 (e) (6)

4 27 When DFARS 252.242-7004 is set forth in the contract(s), the contractor maintain a consistent, equitable, and unbiased logic for costing of material transactions in accordance with DFARS 252.242-7004 (e) (7) requirements.

DFARS 252.242-7004 (e) (7)

4 28 When DFARS 252.242-7004 is set forth in the contract(s) and where allocations from common inventory accounts are used, the contractor has controls (in addition to those in paragraphs (e)(2) and (7) of this clause) and ensures compliance with DFARS 252.242-7004 (e) (8) requirements.

DFARS 252.242-7004 (e) (8)

4 29 When DFARS 252.242-7004 is set forth in the contract(s) and regardless of the provisions of FAR 45.505-3(f)(1)(ii), the contractor has adequate controls to ensure that physically commingled inventories that may include material for which costs are charged or allocated to fixed-price, cost-reimbursement, and commercial contracts do not compromise requirements of any of

DFARS 252.242-7004 (e) (9) (i) and (ii)

[166]

the standards in paragraphs (e)(1) through (8) of this clause and GFM is not physically commingled with other material or used on commercial work.

4 30 When DFARS 252.242-7004 is set forth in the contract(s), the contractor conducts periodic internal reviews to ensure compliance with established policies and procedures.

DFARS 252.242-7004 (e) (10)

[167]

5. PHYSICAL INVENTORY: THE PROCESS OF PERIODICALLY PERFORMING, RECORDING, AND REPORTING PHYSICAL INVENTORIES.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Performance

5 1 A physical inventory is periodically performed, recorded, and the results are disclosed.

FAR 52.245-1 (f) (1) (iv)

5 2 A final physical inventory is performed upon contract completion or termination, unless waived by the GPA.

FAR 52.245-1 (f) (1) (iv) and (x)

5 3 Contractor performs a final physical inventory upon contract completion or termination

FAR 52.245-1 (f) (1) (iv) and (x)

Process Segment: Recording

5 4 Physical inventories are recorded. FAR 52.245-1 (f) (1) (iv)

Process Segment: Reporting Inventory Findings FAR 52.245-1 (f) (1) (iv)

5 5 Physical inventory results are disclosed. FAR 52.245-1 (f) (1) (iv) and (x)

Process Segment: Material Records Adjustments FAR 52.245-1 (f) (1) (iv)

5 6 When applicable, the contractor has GPA determination of relief from stewardship responsibility for reported LTD&D of Government owned material for reasonable inventory adjustments.

FAR 52.245-1 (f) (1) (vii) (A)

[168]

6. SUBCONTRACTOR CONTROL: THE PROCESS OF THE PRIME CONTRACTOR’S MANAGEMENT OF ITS SUBCONTRACTORS POSSESSING GP.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Prime Contractor Responsibilities

6 1 Contractor shall ensure that subcontracts and purchase orders include the requirements of FAR 52.245-1 under which GP is to be acquired or furnished for subcontract performance.

FAR 52.245-1 (b) (3) and FAR 52.245-1 (b) (2) and FAR 52.245-1 (f) (1) (v) (A)

6 2 Contractor’s subcontracts clearly identify GP to be provided and ensure appropriate flow down of contract terms and conditions, e.g., extent of liability for LTD&D of GP.

FAR 52.245-1 (f) (1) (v) (A) and FAR 52.245-1 (b) (3) and FAR 52.245-1 (b) (2)

6 3 Contractor assures its subcontracts are properly administered. FAR 52.245-1 (f) (1) (v) (B)

6 4 Contractor periodically performs reviews as described in their PMS Procedures to determine the adequacy of their subcontractor’s property management system(s).

FAR 52.245-1 (f) (1) (v) (B)

6 5 Contractor ensures continued responsibility when GP is shipped to a subcontractor or other location of the contractor.

FAR 52.245-1 (f) (1) (vii) (B)

6 6 Contractor complies with the requirements of FAR 52.244-2 prior to awarding any subcontracts when approval is required of the Contracting officer.

FAR 52.244-2

[169]

7. REPORTS: THE PROCESS OF REPORT PREPARATION AND SUBMISSION, AS REQUIRED BY CONTRACT OR REGULATION.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Report Submission

7 1 Contractor has a process to create and provide all contractually required reports, e.g., report of discrepancies; LTD&D; physical inventory results; audits and self-assessments; corrective actions; and other property related reports as directed by the CO.

FAR 52.245-1 (f) (1) (vi) and (x)

Process Segment: Accuracy And Completeness

7 2 Source data to ensure accuracy and completeness of reports is available and is accurate and complete.

[170]

8. LIABILITY: THE PROCESS OF MANAGING ALL INSTANCES OF LOSS, THEFT, DAMAGE OR DESTRUCTION OF GOVERNMENT PROPERTY IN THE POSSESSION OF THE CONTRACTOR, OR ITS SUBCONTRACTORS [ NOTE – THIS WAS REFERRED TO AS RELIEF OF STEWARDSHIP UNDER THE CLAUSE – BUT THROUGH CAREFUL ANALYSIS IT WAS DETERMINED THAT RELIEF OF STEWARDSHIP WAS NOT A PROCESS, WHILE LIABILITY WAS/IS

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Reporting Of Loss, Theft, Damage, And Destruction (LTDD)

8 1 Unless otherwise directed by the GPA, the contractor investigates and promptly furnishes a written narrative of all incidents of LTDD to the GPA as soon as the facts become known or when requested by the Government.

FAR 52.245-1 (f) (1) (vi) (A)

8 2 LTDD reports contain the minimum information required by FAR 52.245-1 (f) (1) (vi) (B) (i) through (13).

FAR 52.245-1 (f) (1) (vi) (B) (1) through (13)

8 3 When applicable, the contractor has GPA granted relief of responsibility for LTDD of GP.

FAR 52.245-1 (f) (1) (vii) (A)

8 4 All reasonable actions are taken to protect GP from further LTDD. FAR 52.245-1 (h) (iii) (2)

8 5 After LTDD of GP, the contractor separates the damaged and undamaged GP, places all the affected GP in the best possible order, and takes other action(s) directed by the GPA.

FAR 52.245-1 (h) (iii) (2)

8 6 Contractor does not prejudice the Government's rights to recover against third parties for any LTDD of GP.

[Generally through the application of terms and conditions in the

FAR 52.245-1 (h) (iii) (3), DFARS 252.228-7001

[171]

subcontracts and Purchase orders.]

8 7 Contractor furnishes the Government all reasonable assistance and cooperation, including the prosecution of suit and the execution of instruments of assignment in favor of the Government in obtaining recovery.

FAR 52.245-1(h) (4)

8 8 All communications under FAR 52.245-1 are in writing. FAR 52.245-1 (l) 8 9 When DFARS 252.228-7001, Ground and Flight Risk, is set forth

in the contract(s), the contractor complies with clause requirements.

DFARS 252.228-7001

8 10 When DFARS 252.228-7002, Aircraft Flight Risk, is set forth in the contract(s), the contractor complies with clause requirements.

DFARS 252.228-7002

[172]

9. UTILIZATION: THE PROCESS OF USING NON-CONSUMABLE GP (EQUIPMENT, STE, ST AND REAL PROPERTY)

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Authorized Use

9 1 Contractor utilizes GP only as authorized in contract(s). FAR 52.245-1 (c) and FAR 52.245-1 (f) (1) (viii) (A)

9 2 GP is utilized only on the contract for which it was acquired or furnished unless otherwise provided for in the contract or approved by the CO.

FAR 52.245-1 (c) and FAR 52.245-1 (f) (1) (viii) (A)

9 3 Contractor modifies, cannibalizes, or makes alterations to the GP when the contract specifically identifies the work to be performed.

FAR 52.245-1 (c)

Process Segment: Identification Of Excess

9 4 Contract has a process to ensure that GP excess to contract performance is promptly disclosed and reported.

FAR 52.245-1 (f) (1) (viii) (A)

9 5 When FAR 52.251-2, Interagency Fleet Management System Vehicles and Related Services, is set forth in the contract(s), the use and service of interagency fleet management system vehicles and the use of related services by the contractor is in accordance with 41 CFR 101-39 and 41 CFR 101-38.301-1.

FAR 52.251-2, 41 CFR 101-39 and 41 CFR 101-38.301-1

9 6 When DFARS 252.251-7001 Use of Interagency Fleet Management System (IFMS) Vehicles and Related Services, the contractor complies with clause requirements, such as authorized use, establishment of penalties for unauthorized use by employees, and prime contractor’s request for use to CO, and prime contractor’s approval of subcontractor use, when appropriate.

DFARS 252.251-7001

[173]

10. CONSUMPTION: THE PROCESS OF INCORPORATING GP, e.g., MATERIAL, INTO AN END ITEM OR A HIGHER ASSEMBLY, OR OTHERWISE CONSUMED OR EXPENDED IN THE PERFORMANCE OF A CONTRACT.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Reasonableness Of Consumption

10 1 GP is consumed only as authorized in contract(s). FAR 52.245-1 (f) (1) (viii) (A) and FAR 52.245-1 (f) (1) (vii) (A)

10 2 GP is reasonably and properly consumed, expended, or otherwise accounted for in the performance of the contract.

FAR 52.245-1 (f) (1) (vii) (A) and FAR 52.245-1 (f) (1) (viii) (A)

Process Segment: Identification Of Excess

10 3 Contract has a process to ensure that GP excess to contract performance is promptly disclosed and reported.

FAR 52.245-1 (f) (1) (viii) (A)

[174]

11. MOVEMENT: THE PROCESS OF MOVING ALL TYPES OF GP UNDER THE CONTRACTOR’S STEWARDSHIP. THIS PROCESS ALSO ADDRESSES AUTHORIZATION FOR AND PROTECTION DURING MOVEMENT.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Movement

11 1 Contractor moves GP in an appropriate fashion to ensure safe internal or external transit and as authorized in contract(s).

FAR 52.245-1 (f) (1) (viii) (A)

11 2 Contractor provides adequate protection during movement

11 3 All movement of GP is documented

[175]

12. STORAGE: THE PROCESS OF STORING ALL TYPES OF GP

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Storage Areas

12 1 Contractor stores GP in an appropriate fashion for its classification to ensure it is adequately protected and preserved.

FAR 52.245-1 (f) (1) (viii) (A)

12 2 Storage facility for GP waiting plant clearance processing is appropriate for assuring the property's physical safety and suitability for use.

FAR 52.245-1 (j) (7) (ii)

12 3 GP is not commingled with property not owned by the Government unless otherwise authorized in the contract or by the GPA.

FAR 52.245-1 (f) (1) (viii) (B)

Process Segment: Special Storage Areas

12 4 When DFARS Clause of 252.223-7007 is incorporated in the contract ensure that requirements of DoD 5100.76-M, "Physical Security of Sensitive Conventional Arms, Ammunition, and Explosives", are applied.

DFARS 252.223-7007

[176]

13. MAINTENANCE: THE PROCESS OF PROPERLY MAINTAINING GP

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Normal Preventive Maintenance

13 1 GP is properly maintained. FAR 52.245-1 (f) (1) (ix)

13 2 Contractor's maintenance program enables the identification, disclosure, and performance of normal and routine preventative maintenance and repair.

FAR 52.245-1 (f) (1) (ix)

Process Segment: Capital-Type Rehabilitation (Including Real Property)

13 3 Contractor discloses the need for replacement and/or capital rehabilitation of GP

FAR 52.245-1 (f) (1) (ix)

13 4 Contractor reports to the GPA the need for replacement and/or capital rehabilitation of GP

FAR 52.245-1 (f) (1) (ix)

13 5 When FAR 52.251-2 is set forth in the contract(s), the contractor’s maintenance of interagency fleet management system vehicles is in accordance with 41 CFR 101-39 and 41 CFR 101-38.301-1.

FAR 52.251-2, 41 CFR 101-39 and 41 CFR 101-38.301-1

[177]

14. DISPOSITION: THE PROCESS OF DISPOSITIONING GP NO LONGER REQUIRED FOR CONTRACT PERFORMANCE. THIS INCLUDES DISCLOSING EXCESS, REQUESTING DISPOSITION INSTRUCTIONS, AND EFFECTING DISPOSAL OF GP.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Disclosure Of Excess

15 1 When CAP is no longer needed for contract performance, contractor executes predisposal requirements in order of priority set forth in FAR 52.245-1 (j) (2) (A) through (C).

FAR 52.245-1 (j) (2) (i) (A) through (C)

15 2 Contractor lists on Standard Form 1428, ALL Excess Government property (Both CAP and GFP) remaining after executing predisposal requirements set forth FAR 52.245-1 (j)(2)(i)(A) through (C).

FAR 52.245-1 (j) (2) (ii) and FAR 52.245-1 (j) (2) (i)(A) through (C)

14 3 Contractor submits inventory disposal schedules for scrap aircraft or aircraft parts and scrap that requires demilitarization, is a classified item, is generated from classified items, contains hazardous materials or wastes, precious metals, or is dangerous to the public health, safety, or welfare.

FAR 52.245-1 (j) (1) (i) and (B) (1) through (6)

14 3 Contractor shall require its subcontractors to submit inventory disposal schedules to the contractor in accordance with the requirements of FA 52.245-1 (j)(4).

FAR 52.245-1 (j) (10)

14 4 Contractor annotates on inventory disposal schedules property the contractor wishes to purchase from the Government.

FAR 52.245-1 (j) (3) (C) (ii)

14 5 Unless the PLCO has agreed otherwise, or the contract requires electronic submission of inventory disposal schedules, the Contractor prepares separate inventory disposal schedules for classifications of GP in accordance with FAR 52.245-1 (j) (3) (C) (iii) (A) through (G).

FAR 52.245-1 (j) (3) (C) (iii) (A) through (G).

[178]

14 6 Contractor describes the property in sufficient detail to permit an understanding of its intended use.

FAR 52.245-1 (j) (3) (C) (iv)

14 7 Contractor submits inventory disposal schedules to the PLCO in accordance with the TIMEFRAMES of FAR 25.245-1 (j) (4) (i) through (iii).

FAR 52.245-1 (j) (4) (i) through (iii)

14 8 When required, contractor corrects inventory disposal schedules as directed by PLCO.

FAR 52.245-1 (j) (5) (ii)

14 9 Contractor notifies the PLCO at least 10 working days in advance of its intent to remove item(s) from an approved inventory disposal schedule.

FAR 52.245-1 (j) (6)

14 10 Contractor amends an approved inventory schedule to show removal of item(s) after approval of the PLCO or upon expiration of the notice period.

FAR 52.245-1 (j) (6)

14 11 Contractor stores property identified on an inventory disposal schedule pending receipt of disposal instructions.

FAR 52.245-1 (j) (7) (i)

14 12 Contractor obtains PLCO’s approval to remove GP from the premises where the property is located prior to receipt of final disposition instructions.

FAR 52.245-1 (j) (7) (ii)

14 13 When DFARS 252.245-7000 is set forth in the contract(s), at the completion of performance of the contract, the Contractor, as directed by the Contracting Officer, shall either destroy or return to the Government all Government-furnished MC&G property not consumed in the performance of this contract.

When D FARS 252.245-7000 (c)

Process Segment: Disposal

14 14 Contractor ensures continued responsibility for GP until disposed of in accordance with paragraphs FAR 52.245-1 (f) (1) (vii) (C) or FAR 52.245-1 (j) and (k).

FAR 52.245-1 (f) (1) (vii) (C) and (j) and (k)

14 15 Contractor disposes of contractor inventory as authorized by the Plant Clearance Officer (PLCO), except as otherwise provided for in a contract.

FAR 52.245-1 (j)

14 16 Contractor prepares for shipment, deliver f.o.b. origin or destination and disposes of contractor inventory as directed by the PLCO.

FAR 52.245-1 (j) (8) (ii)

14 17 Contractor removes and destroys any markings identifying the property as Government-owned property prior to its disposal if property is not returned to the Government.

FAR 52.245-1 (j) (8) (ii)

14 18 Contractor demilitarizes GP prior to shipment or disposal per CO direction.

FAR 52.245-1 (j) (8) (iii)

14 19 Contractor credits the net proceeds from the disposal of contractor inventory to the contract, or to the Treasury of the United States as miscellaneous receipts when directed by the CO.

FAR 52.245-1 (j) (9)

[179]

14 20 Contractor gives written consent prior to the Government's abandonment of sensitive GP or termination inventory.

FAR 52.245-1 (k) (1))

14 21 Contractor has Government notice of abandonment of any non-sensitive GP.

FAR 52.245-1 (k) (2)

14 22 Contractor delivers or ships from the contractor's plant under Government instructions.

FAR 52.245-1 (f) (1) (vii) (B)

[180]

Process Segment: Approved Scrap Procedure

14 23 Contractor disposes of the property on an accepted scrap list in accordance with the contractor's approved scrap procedures if the Government does not furnish disposition instructions to the contractor within 45 days following acceptance of a scrap list.

FAR 52.245-1 (j) (8) (i)

14 24 When scrap to which the Government has obtained title under FAR 52.245-1 (e) and the contractor has an approved scrap procedure and scrap resulting from production or testing requires demilitarization or is sensitive property, contractor submits this scrap on an inventory disposal schedule and only disposes of this scrap with Government approval.

FAR 52.245-1 (j) (1) (i) and (A)

14 25 Contractor credits the net proceeds from the approved scrap procedures sale to an appropriate overhead account.

DFARS 245.610

Process Segment: No Approved Scrap Procedure

14 26 When the contractor does not have an approved scrap procedure, contractor submits an inventory disposal schedule for all scrap.

FAR 52.245-1 (j) (1) (ii)

14 27 When the contractor does not have an approved scrap procedure, Contractor obtains Government approval before disposing of scrap resulting from production or testing.

FAR 52.245-1 (j) (1) (ii)

Process Segment: Disposal At Installations

14 28 When FAR 52.245-2 is incorporated into the contract, the contractor replaces LTD&D GP at the contractor’s expense (and then has title to all replacement property) and continues to be responsible for contract performance.

FAR 52.245-2 (b)

14 29 When FAR 52.245-2 is incorporated into the contract, contractor notifies the CO of unserviceable and scrap property resulting from contract performance.

FAR 52.245-2 (c)

14 30 When FAR 52.245-2 is incorporated into the contract, and the CO does not determines otherwise, the Government abandons all rights and title to unserviceable and scrap property resulting from contract performance and the contractor removes such property from the Government premises and dispose of it at contractor’s expense.

FAR 52.245-2 (c)

[181]

15. CLOSEOUT OF PROPERTY: THE PROCESS OF PROPERLY CLOSING OUT THE PROPERTY REQUIREMENTS OF A CONTRACT.

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

[182]

Process Segment: Final Contract Review

15 1 Contractor promptly performs contract property closeout, to include reporting, investigating and securing closure of all LTD&D cases; physically inventorying all property upon termination or completion of this contract; and disposing of items at the time they are determined to be excess to contractual needs.

FAR 52.245-1 (f) (1) (x)

15 2 Contractor promptly reports to the GPA contract property closeout, to include reporting, investigating and securing closure of all LTDD cases; physically inventorying all property upon termination or completion of this contract; and disposing of items at the time they are determined to be excess to contractual needs.

FAR 52.245-1 (f) (1) (x)

[183]

AND A LITTLE BIT OF LAGNIAPPE

16 1 1. PROPERTY MANAGEMENT: THE PROCESS OF: (1) MANAGING GOVERNMENT PROPERTY (GP) IN THE CONTRACTOR’S POSSESSION; (2) ENSURING AN ADEQUATE PROPERTY MANAGEMENT SYSTEM(s) FOR GP THE IN ACCORDANCE WITH CONTRACTUAL REQUIREMENTS; (3) DETERMINING THE PROPERTY MANAGEMENT SYSTEM(S) IS CONSISTENT WITH VOLUNTARY CONSENSUS STANDARDS (VCS) AND INDUSTRY-LEADING PRACTICES AND STANDARDS (ILP&S) FOR GP PROPERTY MANAGEMENT EXCEPT WHERE INCONSISTENT WITH LAW OR REGULATION; AND (4) EVALUATING CONTRACTOR ASSESSMENTS, INTERNAL AUDITS AND CORRECTIVE ACTION(S) WHEN REQUIRED.

FAR 52.245-1, Alt I, and Alt II (June 2007)

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

Process Segment: Management of Government Property

16 1 The contractor’s property management system(s) adequately manages (control, use, preserve, protect, repair and maintain) GP in its possession.

FAR 52.245-1 (b) (1)

16 2 Contractor initiates and maintains the processes, systems, procedures, records, and methodologies, necessary for effective control of GP consistent with VCS and/or (ILP&S) for GP management.

FAR 52.245-1 (b) (1)

[184]

16 3 Property management plans, systems, and procedures at the contract, program, site or entity level are established and implemented to enable outcomes for all process requirements.

FAR 52.245-1 including processes specified in Para. (f), embedded processes and segregated processes

16 4 The contractor’s property management system(s) is adequate to satisfy the requirements of FAR 52.245-1 clauses.

FAR 52.245-1 (b) (1)

16 5 Contractor establishes and maintains written procedures to assess the effectiveness of their property management system(s).

FAR 52.245-1 (f) (1) (x) (3)

16 6 Significant changes to the contractor’s property management system are disclosed to the Government Property Administrator (GPA) prior to implementation.

FAR 52.245-1 (b) (1)

16 7 Contractor applies responsibility requirements to all GP under the contractor's accountability, stewardship, possession or control, including its vendors or subcontractors.

FAR 52.245-1 (b) (2) and 52.245-1 (f) (1) (v)

16 8 The Government is allowed access to the contractor's premises and all GP, at reasonable times, for the purposes of reviewing, inspecting and evaluating the contractor's property management plan, systems, procedures, records, and supporting documentation that pertains to GP.

FAR 52.245-1 (g) (1)

16 9 When determined by the Government that the contractor's property management practices are inadequate or not acceptable for the effective management and/or control of GP under contract, and/or present an undue risk to the Government, the contractor immediately takes all necessary corrective actions directed by the GPA.

FAR 52.245-1 (g) (3)

[185]

Process Segment: Contractor Self Assessments and /Audits Of Property Management System

INDEPENDENT VARIABLES THAT MAY DIFFER FOR EVERY CONTRACTOR

APPLICABLE VOLUNTARY CONSENSUS STANDARD(S) OR INDUSTRY LEADING PRACTICES

LIST ANY PROCESS, SUBPROCESS or CRITERIA contained within the Contractor’s PMS DRIVEN by a VCS and/or ILP. [Use however many rows are needed to address any evaluative criteria set forth in the VCS or ILP for this process.]

1.

2.

3.

16 11 Contractor’s procedures specify the types and/or methods to be employed to perform assessments and/or audits is sufficient detail to enable the PA to adequately evaluate compliance

16 12 Contractor performs periodic assessments, internal reviews and/or audits.

FAR 52.245-1 (f) (1) (x) (3)

16 13 Contractor makes significant findings and/or results of internal reviews and audits pertaining to GP available to the GPA.

FAR 52.245-1 (f) (1) (x) (3)

[186]

APPENDIX B

GENERAL DYNAMICS CORPORATION, Plaintiff, v. UNITED STATES of America, Defendant.

No. CV 89-6762 JGD. (Cite as: 1996 WL 200255 (C.D.Cal.))

United States District Court, C.D. California.

March 25, 1996.

Nicholas D . Chabraja, L inda L. L istrom, G regory S. Gallopoulos, R oyce R. B edward, J enner & Block, Chicago, IL, Theresa M. Marchlewski, Fulton Haight, William E. Ireland, Haight Brown & Bonesteel, Santa Monica, CA, for General Dynamics Corporation.

Diana L. Gordon, U .S. Department of Justice, Torts Branch C ivil D ivision, Washington, DC, f or U.S.

FINDINGS OF FACT AND CONCLUSIONS OF LAW

DAVIES, District Judge.

1 The C ourt, ha ving c onsidered the evidence at t rial and t he pr oposed F indings of F act and Conclusions of La w f iled o n t he one h and b y G eneral D ynamics C orporation, and on t he ot her b y the United States of America, has concluded that the plaintiff's proposed Findings of Fact and Conclusions of Law are faithful to the facts proved at trial, the Court hereby adopts said proposed Findings of Fact and Conclusions of Law and makes its findings accordingly as set forth herein.

I. INTRODUCTION

1. G eneral Dynamics br ought t his F ederal T ort C laims A ct ( "FTCA") ac tion a gainst t he U nited States alleging that the Defense Contract Audit Agency ("DCAA") committed professional malpractice in performing audit work in connection with the DIVAD prototype contract. The DCAA's audit work culminated in an audit report dated February 29, 1984. (Ex. 108; Carren, 12/7/95 Tr. at 173-74.)

2. The issue before the Court is whether the DCAA was professionally negligent in performing the audit work that culminated in the issuance of the February 29, 1984, audit report.

3. F or t he r easons di scussed bel ow, t he C ourt f inds t hat t he DCAA committed professional negligence in c onducting t he D IVAD au dit. F irst, t he C ourt f inds t hat i n performing i ts au dit work and in i ssuing the F ebruary 29, 19 84, a udit r eport, t he D CAA owed G eneral

[187]

Dynamics a duty of due professional care. Second, the Court finds that the DCAA breached this duty of due professional care. Third, t he C ourt f inds t hat G eneral D ynamics was injured as a result of the DCAA's breach of the duty of due professional care. Fourth, the Court finds that as a result of the DCAA's negligence, General Dynamics suffered monetary damages in the amount of $25,880,752. (Ex. 397; Ex. 697; Duesenberg, 12/21/95 Tr. at 15.)

II. THE DIVAD PROGRAM

A. Background Facts

4. T he D ivisional Air Defense G un System, or " DIVAD," was a t ank-like w eapon intended t o engage enemy helicopters and fixed-wing aircraft. (Ex. 20 at 20- 9; Ex. 255 at i; McPherson, 12/6/95 Tr. at 9.)

5. The Army's procurement program for DIVAD began with an open competition to choose two companies, each of which would be awarded a prototype contract. The two would then compete for a follow-on pr oduction c ontract. ( McPherson, 1 2/6/95 T r. at 19 -20.) A dopting an ac quisition s trategy known as " prototyping f or pr oduction," t he A rmy p lanned t he D IVAD pr ogram i n t hree phas es: t he prototype phase, t he i nitial pr oduction ph ase f or 200 uni ts, an d t he f ollow-on p roduction ph ase f or an additional 418 units. (Ex. 255 at ii-iv; McPherson, 12/6/95 Tr. at 18.)

6. Under prototyping for production, the Army expected the contractors selected for the prototype phase to prepare and submit their responses to the Army's Request for Proposal (RFP) for the production phase while the prototype phase was ongoing. (Ex. 255 at iii; McPherson, 12/6/95 Tr. at 21.) The Army expected the contractors to be prepared to proceed immediately into production at the conclusion of the prototype phase. (McPherson, 12/6/95 Tr. at 21.) Thus, the Army instructed the contractors to develop items r equired f or pr oduction, s uch as l ogistics s upport, dur ing t he pr ototype phase. ( Ex. 25 5 at i ii; McPherson, 12/6/95 Tr. at 60.)

B. DIVAD Prototype RFP

7. The Army's approach to procuring the DIVAD gun system was outlined in its DIVAD Prototype RFP. (Ex. 25 5; McPherson, 1 2/6/95 T r. at 2 1-23.) T he RFP d escribed the A rmy's ne w procurement strategy as f ollows: T he D IVAD gu n pr ogram w ill f eature a n ac celerated, un conventional ac quisition approach des igned t o achieve Initial O perational C apability ( IOC) in t he m inimum pos sible t ime at an affordable cost; in other words, the best value for the Government. The key to success is a concept of 'prototyping for production', where certain system elements will be emphasized, and others will not (in the Development Phase) because of the desire to reduce development time and costs. (Ex. 255 at ii.)

8. Consistent with the Army's acquisition strategy, the prototype RFP contained a limited number of firm requirements, which were basically features of the system. (McPherson, 12/6/95 Tr. at 23.) The RFP also identified forty- three cost performance trade-offs, which were not firm requirements but rather were the items that the Army considered important from a performance standpoint. (Id.) It was left to the contractor to decide which of these "trade-offs" i t would incorporate into the system and which it would not. (Id.)

9. I n Section E of t he RFP, t he A rmy d escribed the elements of t he s ystem that i t wanted t he contractors to bid on. (Id. at 25.) Contract line item No. 3 of Section E identified "options" that the Army wanted the contractor to price separately. (Id. at 26; Ex. 255 at 4.)

10. The options in the RFP were proposed activities that would not become part of the contract unless and until the Army decided to specifically fund them. (McPherson, 12/6/95 Tr. at 26.) The options included i tems (such as t raining an d logistics s upport) t hat would ultimately be r equired t o s upport t he production phase of the program. (Id.) As of the time of the RFP, the Army had not yet decided whether it would fund the RFP's options. (Ex. 255 at iv.)

11. The most important part of the RFP f rom the contractor's perspective was the s tatement of work, which described the activities for which the Army was contracting. (McPherson, 12/6/95 Tr. at 24.) In t he R FP's s tatement of w ork, t he A rmy o utlined h ow i t would ap proach pr ocurement f or t he D IVAD weapon s ystem. ( Id.) T he s tatement of work pr ovided that t he c ontractor would on ly be r equired t o

[188]

"provide his best effort[s] to develop the DIVAD Gun System." (Ex. 255 at 51; McPherson, 12/6/95 Tr. at 24.)

12. "Best efforts" meant that the contractor's obligation under the DIVAD prototype contract was limited t o us ing its b est e fforts t o m eet t he r equirements and obj ectives of t he c ontract. ( E. M iller, 12/20/95 T r. at 189. ) O nce t he c ontractor had applied i ts bes t ef forts and had ex pended t he c ontract funds, its obligations under the contract were over and it could quit work. (E. Miller, 12/20/95 Tr. at 189; McPherson, 12/6/95 Tr. at 24-25; Hansen, 12/19/95 Tr. at 176-77.)

13. Thus, to the extent that the DIVAD prototype contract specified certain attributes of a DIVAD as " required," t he c ontractor was r equired only to make i ts bes t ef forts, w ithin t he t ime an d f unding constraints of the program, to deliver a DIVAD with those attributes. (Ex. 419; E. Miller, 12/20/95 Tr. at 189; McPherson, 12/6/95 Tr. at 23.)

14. The same held true with respect to the cost-performance trade-offs contained in the DIVAD prototype contract. The contractor could choose to develop these items or not as it saw fit. Even if the contractor decided to work on a trade-off item, it was not required to deliver that item; the contractor was only required to exert its best efforts to deliver the trade-off item. (McPherson, 12/6/95 Tr. at 54-56.)

15. Frank Cassidy, who was counsel to the Army, confirmed the meaning of "best efforts" when, during c ontract ne gotiations, he as sured G eneral D ynamics t hat i t had no f inancial r isk bec ause t he DIVAD contract "certainly isn't firm fixed price where you are obligated to deliver the stuff." (Ex. 756; Ex. 298; McPherson, 12/6/95 Tr. at 401; Hansen, 12/19/95 Tr. at 180.)

16. The best efforts language in the RFP was crucial to General Dynamics' decision to bid on the DIVAD prototype contract. (McPherson, 12/6/95 Tr. at 25; Hansen, 12/19/95 Tr. at 176.) The DIVAD program held significant financial risks for General Dynamics. (E. Miller, 12/20/95 Tr. at 187-88; McPherson, 12/6/95 Tr. at 25.) Before bidding on the program General Dynamics had to be assured that its financial risks were limited. (Hansen, 12/19/95 Tr. at 178.) General Dynamics viewed the RFP's best efforts l anguage as c ritical bec ause, as Mr . C assidy later ex plained, a nd as G eneral D ynamics understood, it limited General Dynamics' financial risk. (McPherson, 12/6/95 Tr. at 25; Hansen, 12/19/95 Tr. at 176; Ex. 756; Ex. 298.)

C. Amendments To The RFP

17. A fter t he A rmy issued t he R FP i n April 1977, i t am ended i t s everal t imes. ( McPherson, 12/6/95 Tr. at 27; Hansen, 12/19/95 Tr. at 177.) In Amendment No. 5 the Army deleted the "best efforts" language from the statement of work. (Ex. 374 at 2, P 5.) General Dynamics considered this modification unac ceptable and dec ided t hat i t would not s ubmit a r esponse t o t he R FP as m odified because without "best efforts" its financial risk would be too high. (McPherson, 12/6/95 Tr. at 29; Hansen, 12/19/95 T r. at 17 7.) F rom G eneral D ynamics' per spective, t he bes t efforts l anguage was t he m ost important language in the contract. (Hansen, 12/19/95 Tr. at 177.)

18. H ansen t old C harles G uerriere, t he P rocuring C ontracting O fficer ( "PCO"), t hat without t he best efforts language he would recommend to corporate management that General Dynamics not submit a response to the DIVAD RFP. (Hansen, 12/19/95 Tr. at 178.) General Dynamics' contracts department sent the Army a letter warning that the deletion of the best efforts language: [S]ignificantly alters the basic procurement phi losophy of t he R FP, an d i s i n c onflict w ith s tatements made at t he Army po licy l evel regarding t he use of f ixed pr ice c ontracts f or s ystem dev elopment on ly w hen s pecifications or requirements are appropriately eased or qualified. Please clarify the intent of the deletion. (Ex. 375 at 3.)

19. After General Dynamics objected, the Army restored the best efforts language to t he RFP. (Ex. 376 at 2; McPherson, 12/6/95 Tr. at 30-31; Hansen, 12/19/95 Tr. at 178.)

D. Response To The RFP

20. General Dynamics and four other companies submitted responses to the RFP. (McPherson, 12/6/95 Tr. at 31; Hansen, 12/19/95 Tr. at 178-79.)

21. General Dynamics submitted its technical and cost proposals in August 1977. (McPherson, 12/6/95 T r. at 32. ) I n ac cordance with the RFP, G eneral Dynamics quot ed a price of $39 m illion f or

[189]

contract line i tems 1 and 2 and qu oted a s eparate pr ice of $10 m illion f or contract l ine i tem No. 3, the options. (McPherson, 12/6/95 Tr. at 32-33.)

22. General Dynamics conditioned its proposal on the Army's awarding a fixed price best efforts contract. (Ex. 686 at W060655.) General Dynamics included this condition because "best efforts" was a prerequisite f or the company to agree to enter into a contract w ith the Army for the DIVAD prototypes. (McPherson, 12/6/95 Tr. at 33.)

E. DIVAD Contract

23. O n J anuary 13, 1978, G eneral D ynamics and t he A rmy executed the D IVAD pr ototype contract. (Ex. 20; McPherson, 12/6/95 Tr. at 41.)

24. The best efforts concept was reflected throughout the DIVAD prototype contract. (McPherson, 12/ 6/95 T r. at 45. ) F irst, t he c ontract i tself was a "firm fixed pr ice ( best ef forts)" t ype contract. ( Ex. 2 0 at 7 ; McPherson, 1 2/6/95 T r. at 45 -46.) Second, t he c ontract's s tatement of work provided t hat G eneral D ynamics w as only r equired t o use its "best ef forts" t o m eet t he c ontract's specifications. ( Ex. 20 a t 9; McPherson, 1 2/6/95 Tr. at 47 -48.) T hird, t he c ontract r equired G eneral Dynamics to direct its best efforts toward meeting the contract's specified requirements; it did not require General Dynamics to meet the contract's specified requirements. (Ex. 20 at 10; McPherson, 12/6/95 Tr. at 49 -50.) F ourth, t he c riteria f or t he A rmy's f inal acceptance of t he pr ototype un its w ere l imited t o inspection for condition and count. (Ex. 20 at 21; McPherson, 12/6/95 Tr. at 50-51.)

25. The DIVAD prototype contract's acceptance criteria related directly to the best efforts concept in that the Army had to accept the units no matter how they performed, or even if the units did not perform at all. (McPherson, 12/6/95 Tr. at 51.) As the parties often expressed it at the time, the contractor could meet i ts contractual obligations even if i t delivered a "bucket of bol ts." (McPherson, 12/6/95 T r. at 40; Cornell, 12/20/95 Tr. at 204.)

26. The Court finds that General Dynamics understood from the beginning the true nature of the DIVAD prototype contract. General Dynamics understood the DIVAD prototype contract to have a best efforts qualification, which meant that the company was only required to exert i ts best efforts within the funding provided by the contract. (Findings of Fact & Conclusions of Law ("5/4/95 Findings") dated May 4, 1995 at P 19.)

F. The Options

27. Unlike the RFP, the DIVAD contract did not include contract line item No. 3--the options. (Ex. 20 at 17; McPherson, 12/6/95 Tr. at 42.) Thus, the options did not become a part of the final contract. (McPherson, 12/6/95 Tr. at 42.) Indeed, the options never became a part of the final contract because the Army ultimately decided not to fund them. (McPherson, 12/6/95 Tr. at 59.)

28. Despite the Army's decision not to fund the op tions, General Dynamics decided to work on the options in order to meet the Army's schedule for production and deployment and in order to support the production proposal that i t had to submit dur ing the prototype phase of the program. ( McPherson, 12/6/95 Tr. at 60.)

29. General Dynamics informed the Army that it would charge its work on the options to Bid & Proposal ("B & P") accounts. ( Id.) I t could not charge option work to the contract because that would have been i llegal g iven the Army's dec ision not to make the opt ions part of the contract. ( McPherson, 12/6/95 Tr. at 63.) General Dynamics also notified the Army that it was working on projects potentially related t o t he D IVAD pr ogram us ing I ndependent R esearch a nd Development ( "IR & D ") f unds. (McPherson, 12/6/95 Tr. at 65-68.)

G. B & P And IR & D

30. The government procurement regulations in f orce at the t ime General Dynamics per formed the DIVAD prototype contract authorized defense contractors (including General Dynamics) to pass on to the government certain costs incurred (1) in the course of preparing bids and proposals for government programs, and ( 2) in per forming i ndependent r esearch and de velopment. ( Brincefield, 1/ 11/96 T r. at 118-19.)

[190]

31. B & P costs were defined as "costs incurred in preparing, submitting, and supporting bids and proposals (whether or not solicited) on potential Government or non-Government contracts." (32 C.F.R. s 15-205.3 ( 1977).) The B & P r egulations pr ecluded c harging t o B & P ac counts t he c osts of ef fort sponsored by a grant or cooperative agreement or required in contract performance. (Id.; McPherson, 12/6/95 Tr. at 61.)

32. I R & D c osts were d efined as " the c ost of ef fort which i s n ot s ponsored b y or r equired in performance of, a contract or grant and which consists of projects within the following four areas: (i) basic research, (ii) applied research, (iii) development, and (iv) system and other concept formulation studies." (32 C.F.R. s 15-205.35 (1977); McPherson, 12/6/95 Tr. at 65.)

H. General Dynamics' Charging During The DIVAD Contract

33. Because the DIVAD prototype contract was "best efforts," after General Dynamics had made its best efforts and had expended the contract funds it was free to continue work on the DIVAD prototype units using non-contract, discretionary funds such as IR & D and B & P. (E. Miller, 12/20/95 Tr. at 191- 92; Cornell, 12/20/95 Tr. at 205-06; McPherson, 12/6/95 Tr. at 62.)

34. D uring the c ourse of w orking on t he D IVAD prototypes, G eneral D ynamics c onsidered t he effect o f "best ef forts" on ho w i t would c harge the work i t was do ing. ( McPherson, 12/ 6/95 T r. at 61. ) General Dynamics decided that once it had exceeded the contract's funding it did not matter to what cost objective it charged DIVAD work because it had satisfied its contractual obligations and the contract was over. (McPherson, 12/6/95 Tr. at 62.) General Dynamics exceeded the DIVAD prototype contract funding in the fall of 1979, but nevertheless continued to work on the DIVAD prototypes. (McPherson, 12/6/95 Tr. at 63-64.)

35. After i t s pent t he D IVAD prototype c ontract f unds, G eneral Dynamics c ontinued to c harge certain work t o t he pr ototype c ontract because: ( a) i t w as e asier f rom an adm inistrative s tandpoint t o leave the then-existing contract- charging m echanisms in place; an d (b) i t was a w ay to k eep t rack of how much it spent in a given development area, which was important information to have for future bids. (Id. at 64-65.)

I. Production RFP And Completion Of The Prototype Phase

36. In January 1980, the Army issued the RFP for the DIVAD production contract. (McPherson, 12/6/95 Tr. at 68.) Thus, General Dynamics began work on its response to the production RFP while it continued work on the prototype units. (McPherson, 12/6/95 Tr. at 68.) General Dynamics delivered two DIVAD prototypes to the Army on June 13, 1980. (Ex. 907; McPherson, 12/6/95 Tr. at 68.)

37. T he s hoot-off competition w as he ld at Ft. B liss, Texas s hortly after t he p rototypes were delivered. ( Id.) I n par allel with i ts s upport of t he uni ts at F t. B liss, G eneral D ynamics c ontinued preparation of and then submitted its initial response to the Army's RFP for the production contract. (Ex. 907; McPherson, 12/6/95 Tr. at 69.) In addition, the Army encouraged General Dynamics to demonstrate during pr ototype t esting a t F ort Bliss c ertain t hings t hat G eneral D ynamics w as working on f or t he production ph ase of t he DIVAD pr ogram bec ause, ac cording t o t he Army, General D ynamics w ould receive m ore c redit when t he A rmy evaluated i ts pr oduction proposal f or i tems t hat ha d b een demonstrated to work. (McPherson, 12/7/95 Tr. at 69.) In May, 1981, the Army awarded the production contract to Ford. (Id. at 69-70.)

J. Contract Administration

38. D uring t he t ime t he D IVAD pr ototype c ontract was nego tiated, a dministered and a udited (1977-1984), the Navy had oversight responsibilities for General Dynamics' facility at Pomona. (Ex. 912; Carren, 12/7/95 Tr. at 32-33.) The Navy maintained an office of the Naval Plant Representative ("NAVPRO") at Pomona, which was headed by an Administrative Contracting Officer ("ACO"). (Id.)

39. During the DIVAD program, the Principal ACO at Pomona was George Paynich. (Ex. 478 at 478-26.) In the normal course, the ACO would have received a broad delegation of authority from the PCO an d, t hereafter, would have b een r esponsible f or most c ontract management an d c ontract administrative functions. (Carren, 12/7/95 Tr. at 33.) Because of the uniqueness of the DIVAD contract, however, the PCO gave only a limited delegation of authority to the ACO. (Id.; Ex. 662 at 662-434.)

[191]

40. O riginally, t he P CO f or t he D IVAD prototype c ontract was C harles G uerriere. ( Hansen, 12/19/95 T r. at 1 78.) Susan C ornell r eplaced G uerriere ar ound J une 1 980. ( Cornell, 12/ 20/95 T r. at 202.)

41. The PCO had the legal responsibility for the DIVAD prototype contract and had the ultimate legal say on contract elements. (Marrella, 12/21/95 Tr. at 90-91.) Thus, the DCAA should have gone to the PCO f or an y assistance r egarding t he n ature o r i nterpretation of t he D IVAD pr ototype c ontract. (Marrella, 12/21/95 Tr. at 90-91; Brincefield, 1/11/96 Tr. 128-29; Carren, 12/7/95 Tr. at 33-34.)

III. THE DIVAD AUDITS, THE REFERRAL AND THE 1984 FINAL AUDIT REPORT

A. Introductory Facts

42. The DCAA was formed in 1965. (Carren, 12/5/95 Tr. at 63.) An independent agency within the Department of Defense ("DoD"), the DCAA performs all contract auditing for the DoD. (Id. at 65; Ex. 571(A) at P 2-S10.)

43. D uring the r elevant t ime per iod, the DCAA was o rganized i nto r egions. G eneral D ynamics' Pomona Division ("GD-P") was located within the DCAA's Los Angeles region. The DCAA maintained a Field Audit Office ("FAO") at GD-P. (Carren, 12/7/95 Tr. at 6.)

44. The FAO at GD-P consisted of a permanent cadre of auditors stationed at the facility for the purpose of conducting audits. (Carren, 12/7/95 Tr. at 6.) Between 1979 and 1983, the head of the FAO at GD-P was Rudy Tortorici, the resident auditor. (Id.) Michiro Mizutari replaced Tortorici as the Resident Auditor at the GD-P FAO in late 1983. (Carren, 12/7/95 Tr. at 10-11.)

45. The DIVAD prototype contract expressly granted the DOD audit and inspection rights. (Ex. 20; Carren, 12/5/95 Tr. at 66.) By virtue of those contractual clauses, DCAA obtained its right to perform the DIVAD audits. (Ex. 20; Carren, 12/5/95 Tr. at 66; Reed, 1/12/96 Tr. at 30.)

46. In performing their audit work DCAA auditors (like any auditors) exercise professional judgment. (Ex. 663 at s 110.04; Ex. 571(A) at 2-103; Carren, 12/5/95 Tr. at 89-91; Reed, 1/12/96 Tr. at 18.) A n aud itor us es hi s pr ofessional j udgment i n det ermining what au dit t echniques ar e m ost appropriate for the circumstances. (Carren, 12/5/95 Tr. at 89; Reed, 1/12/96 Tr. at 18.) The professional judgment an auditor exercises does not grant the auditor discretion to ignore or to depart from generally accepted au diting s tandards. ( Carren, 12 /5/95 T r. at 89; R eed D ep. at 69 -70.) R ather, the a uditor's professional j udgment m ust be ex ercised in a m anner t hat assures t hat h e m eets ge nerally ac cepted auditing standards. (Carren, 12/5/95 Tr. at 90; Reed Dep. at 70.)

47. While DCAA auditors exercise professional judgment, they do not make DCAA policy. (Reed Dep. at 7 8.) A n aud itor may n ot ba lance pol icy c oncerns aga inst t he g enerally accepted aud iting standards when he is conducting an audit pursuant to those standards. (Reed Dep. at 70, 77-78.)

48. Three DIVAD-related audits are at issue here: the Kamer audit, conducted between November 1979 and June 1980; the Hudson/Clark audit, conducted between May 1981 and April 1982; and the Hollis-Brau audit, conducted between May 1982 and February 1984. (Ex. 902.)

B. The Kamer Audit

49. George Kamer was the first auditor at the DCAA's GD-P FAO to audit charges related to the DIVAD prototype contract. (Ex. 902; Ex. 478; Carren, 12/7/95 Tr. at 6-7.) On November 6, 1979, Rudy Tortorici, t he R esident A uditor at t he G D-P F AO, a ssigned K amer t o c onduct an audi t of G eneral Dynamics' DIVAD-related charging. (Ex. 478 at 478-20; Ex. 910; Carren, 12/7/95 Tr. at 15.) Kamer's audit had t wo par ts: a p art dea ling with labor a nd a par t d ealing with G eneral D ynamics' t ransfer of material costs associated with a piece of equipment called the BITE proofing model ("BPM"). (Ex. 910; Ex. 478; Carren, 12/7/95 Tr. at 13, 46-47.)

50. At the outset of Kamer's audit, Tortorici instructed Kamer that the DIVAD contract was "fixed price," that it was "overrun," and that an overrun meant "a loss to the contractor." (Ex. 478 at 478-20.) Tortorici directed Kamer to "determine if the contractor is mischarging the DIVAD contract[.]" (Ex. 478 at 478-20; Carren, 12/7/95 Tr. at 15.)

[192]

51. T ortorici's c haracterization of t he D IVAD pr ototype c ontract was not b ased on an y audit analysis and was not correct. (Ex. 20; Ex. 478; Carren, 12/7/95 Tr. at 16.) The contract was firm fixed price ( best ef forts), not j ust f irm fixed pr ice. ( Ex. 2 0.) F or t hat v ery reason t he c ontract c ould n ot be "overrun"--by definition, a best efforts contract ends when the funding ends and hence cannot be overrun. (McPherson, 12/6/95 Tr. at 62.) Thus, Kamer began his audit based on a false premise provided by his supervisor, Tortorici.

52. After receiving h is assignment, Kamer drafted an audit program in which he stated that the purpose of hi s audi t w as: " To det ermine w hether DIVAD c ontract w ork i s bei ng m ischarged t o c ost reimbursable accounts. Due to potential for fraud, normal contact with the Kr. [contractor] are a ltered." (Ex. 478 at 478- 23; Carren, 12/7/95 Tr. at 19.)

53. Despite the fact that Kamer was assigned to audit DIVAD labor charges, he never undertook an a nalysis of t he c ontract and its t erms. ( Ex. 478; C arren, 1 2/7/95 T r. at 2 4-30.) I ndeed, t he on ly evidence in Kamer's w ork pap ers t hat h e paid any at tention t o t he c ontract i tself w as a doc ument misleadingly entitled "Brief of Contract." (Ex. 478 at 478-32.)

54. Contrary to its title, Kamer's brief had as its sole source a contract status report. Kamer did not read or brief the contract itself. (Ex. 478 at 478-32; Carren, 12/7/95 Tr. at 24.) In his brief, Kamer, apparently echoing Tortorici, described the contract as firm fixed price without any mention of best efforts. (Id.) The brief does not note any of the contract's special provisions, nor does it analyze the contract's unique nature. (Ex. 478 at 478- 32; Carren, 12/7/95 Tr. at 24-30.) Even though General Dynamics told Kamer that the DIVAD prototype contract was "best efforts" (Ex. 857), Kamer never considered that fact in performing his audit work. (Ex. 478.)

55. Almost i mmediately upon c ommencing h is au dit work, K amer r ealized t hat to a udit D IVAD labor charges properly, he would need technical assistance from the Army. (Ex. 478 at 478-26; Carren, 12/7/95 Tr. at 34-37). Kamer first took his request for technical assistance to the ACO. (Ex. 478 at 478- 26; Carren, 12/7/95 Tr. at 32-33.) But the ACO, who was with the Navy and who was not in a position to provide technical assistance on the unique DIVAD contract, referred Kamer to the PCO for any technical assistance on the DIVAD contract. (Id.)

56. Kamer never got the technical assistance he needed from the PCO because his supervisor, Tortorici, stopped him from doing so, instead instructing him not to contact the PCO "until mischarging is proved[.]" (Ex. 478 at 478-15, 478-26; Carren, 12/7/95 Tr. at 37-38.)

i. Labor Audit

57. In performing the labor portion of his audit, Kamer found evidence on the issue of mischarging that h e c onsidered t o be conflicting. ( Carren, 1 2/7/95 T r. at 39 -40.) S uggesting s ome s upport f or a mischarging allegation, he found evidence that General Dynamics' charges to indirect accounts, such as IR & D and B & P, increased at a time when charges to the DIVAD prototype contract decreased. (Ex. 478 at 478-101-02; Carren, 12/7/95 Tr. at 39.) But undermining any accusation of mischarging, Kamer also found that even after the DIVAD contract went into an "overrun" position, General Dynamics charged over $8 million to the contract. (Ex. 478 at 478-102; Carren, 12/7/95 Tr. at 39- 40.) In his work papers, Kamer concluded that General Dynamics "may not be mischarging[.]" (Ex. 478 at 478-102.)

58. T o r each a def initive c onclusion as to w hether G eneral D ynamics' charging w as proper, Kamer once again recognized a need for technical assistance. (Ex. 478 at 478-146; Carren 12/7/95 Tr. at 42-44.) He concluded, however, that neither the NAVPRO nor the local Army representatives could help hi m. ( Ex. 478 at 47 8-146.) As t he ACO ha d al ready t old h im, t he pr oper s ource f or t echnical assistance was the PCO, but Kamer never contacted the PCO. (Ex. 478 at 478- 26; Carren, 12/7/95 Tr. at 43, 44.)

59. Kamer also had the option of seeking c larification of General Dynamics' charging practices and of how those practices related to the DIVAD contract from General Dynamics. (Ex. 571B at 1225, s 12-602.2(a).) Because Kamer was instructed by his supervisor not to communicate with the contractor, he never asked General Dynamics for its explanation of the conflicting evidence he had identified relating to DIVAD labor charges. (Ex. 478 at 478-15; Carren, 12/7/95 Tr. at 43.)

[193]

60. Upon completing the labor portion of his audit, Kamer failed to draft an audit report. (Ex. 478; Carren, 12/7/95 T r. at 45-46.) Tortorici prepared a file m emorandum covering a small par t of Kamer's audit. (Ex. 478; Carren, 12/7/95 Tr. at 45-46.) The DCAA did not discuss the file memorandum or its subject matter with General Dynamics. (Ex. 571A at 321, s 3-311.5(b) and (6); Ex. 478; Carren, 12/7/95 Tr. at 46.)

ii. The BITE Proofing Model Transfer

61. T he ot her ha lf of K amer's audi t f ocused on a transfer of material c osts f rom t he D IVAD contract to B & P for the BPM. (Ex. 478; Carren, 12/7/95 Tr. at 47-48.) Kamer learned of this transfer during a meeting with General Dynamics' employees. (Ex. 478 at 478-28; Carren, 12/7/95 Tr. at 46-47.) Kamer's work papers record that he dissembled a t that m eeting in order to conceal the purpose of his audit from General Dynamics. (Ex. 478 at 478-28.)

62. After learning of the BPM cost transfer, Kamer met with General Dynamics employees who gave him their rationale for the cost transfer along with supporting documentation. (Ex. 478 at 478-29-31, 478-64-69; Carren, 12/7/95 Tr. at 47-50.) General Dynamics informed Kamer that the BPM was not a contract requirement and that it was properly charged to B & P expense. (Id.)

63. With onl y m inimal a nalysis of G eneral D ynamics' ex planation, and without r eviewing t he contract, Kamer jumped to the conclusion that the BPM was required by the DIVAD contract. (Ex. 478 at 478-64-66; Carren, 12/7/95 Tr. at 49.) Kamer recognized that this conclusion was fundamentally infirm absent technical assistance from the PCO: However, we should obtain Government technical assistance to c onfirm our c onclusions. A s t his c ontract i s " skunk w orks," s uch t echnical as sistance s hould b e obtained from the PCO. (Ex. 478 at 478-64.)

64. B ut once aga in, K amer's s upervisor, T ortorici, obs tructed t he au dit pr ocess b y i mproperly directing Kamer not to get technical assistance f rom the PCO. ( Ex. 478 at 478-64; E x. 910; C arren, 12/7/95 Tr. at 50-52.)

65. In June 1980, Kamer drafted a report on the BPM transfer, concluding that "the transfer is an attempt to recover unreimbursable costs." (Ex. 478 at 478- 12; Ex. 910.) Kamer neither requested nor received t he t echnical as sistance t hat he k new he n eeded bef ore he c ould pr operly ar rive at s uch a conclusion. (Ex. 478 at 478-15.)

66. Kamer's r eport s tates t hat, "We di d not d iscuss t he r esults of aud it with the c ontractor's representative." ( Ex. 478 at 478-15.) T he report was never issued. ( Ex. 478; C arren, 12 /7/95 T r. at 57-58.)

C. The Hudson/Clark Audit

67. A pproximately o ne year l ater, i n Ma y, 198 1, D CAA au ditor B etty H udson beg an a comprehensive review of labor charges at GD-P. (Ex. 902; Ex. 660; Carren, 12/7/95 Tr. at 7.) Eventually, she focused her audit on DIVAD labor charges. (Ex. 660; Carren, 12/7/95 Tr. at 71-74.) In December 1981, DCAA auditor Dan C lark was assigned to assist Betty Hudson. ( Ex. 660 at 660-126; Carren, 12/7/95 Tr. at 74.)

i. Hudson's Audit Work

68. With r espect t o h er r eview of en gineering l abor, H udson ex amined c harges t o i ndirect accounts to determine whether those charges should have been made to the DIVAD contract. (Ex. 660; Carren, 12/7/95 Tr. at 74.) Even though her audit focused on the DIVAD contract and charges associated with that contract, Hudson did not read or brief the contract. (Ex. 660; Carren, 12/7/95 Tr. at 74-75.)

69. During the course of her audit work, Hudson found timecard and t ravel report i rregularities, and instances where employees split their time equally between accounts. (Hudson, 1/9/96 Tr. at 166; Carren, 12/7/95 Tr. at 75-76.) To get a better understanding of why this was going on, Hudson contacted Jim Hansen of General Dynamics. (Hudson, 1/9/96 Tr. at 166, 170; Hansen, 12/20/95 Tr. at 5-8.)

70. D uring t heir m eeting i n t he F all of 19 79, H ansen t old H udson t hat t he D IVAD pr ototype contract was a best efforts c ontract, t hat un der best ef forts G eneral D ynamics had m et t he c ontract requirements, and that she should consider this information while conducting her audit. (Hansen,

[194]

12/20/95 Tr. at 6.) Hansen also told Hudson that either she or her supervisor should contact the PCO to get his opinion on how best efforts would affect her audit. (Id.)

71. At the time she was conducting her review Hudson believed that the DIVAD contract type--firm fixed pr ice (best efforts)--was not important to her audit. (Hudson, 1/9/96 Tr. at 175.) Thus, Hudson ignored Hansen's admonition and failed to write down the substance of her conversation in her work papers. (Hudson, 1/9/96 Tr. at 175-76; Hansen, 12/20/95 Tr. at 7.) Hudson never contacted the PCO and never determined the effect of best efforts on her audit work. (Ex. 660; Carren, 12/7/95 Tr. at 79.)

72. I nstead, Hudson m et w ith the R egional Audit M anager, J ames B aumgartner, and recommended that her findings on timecards be referred for investigation as suspected fraud. (Ex. 660 at 660-1174.) Baumgartner disagreed and elected not to refer the matter at that time. (Id.; Carren, 12/7/95 Tr. at 80.)

73. Hudson did not discuss her audit conclusions with General Dynamics and did not conduct an exit conference. (Ex. 660; Carren, 12/7/95 Tr. at 83-84.) Instead, Hudson prepared a draft report. (Ex. 660 at 660-37-52.) Hudson included blank spaces in the draft report for General Dynamics' comments. (Id.)

74. Tortorici approved Hudson's draft report f or submission to General Dynamics for comment. (Ex. 660 at 660 -53.) B ut (without explanation) t he r eport was n either s ent to General D ynamics nor issued in final form. (Ex. 660 at 660-37; Carren, 12/7/95 Tr. at 83.)

ii. Clark's Audit Work

75. I n late 1 981, as H udson was c ontinuing her audit, C lark r eceived a n assignment f rom Baumgartner to pursue "DIVAD potential related mischarges." (Ex. 660 at 660-125; Carren, 12/7/95 Tr. at 84.) Like Kamer before him, Clark prepared an audit program in which he erroneously characterized the DIVAD contract as a firm fixed-price contract without mentioning best efforts. (Ex. 660 at 660-149.)

76. Clark never read and briefed the DIVAD contract. (Ex. 660; Carren, 12/7/95 Tr. at 86.) His work papers do not reveal how he reached the erroneous conclusion that DIVAD was an ordinary f irm fixed-price contract. (Id.)

77. A fter preparing an aud it program, C lark proceeded to do an a nalysis of General D ynamics'

DIVAD c harging. ( Ex. 660; C arren, 12/ 7/95 T r. at 92. ) Before embarking on this analysis, Clark did not hold an entrance conference to discuss the scope and purpose of his audit with General Dynamics. (Carren, 12/ 7/95 T r. at 88 -89.) Instead, h e t old G eneral D ynamics t hat D CAA was m erely c ontinuing a s ystem-wide r eview o f engineering. ( Ex. 660 at 660-125, 660- 1248; C arren, 12 /7/95 T r. at 84, 90. ) A lthough C lark did f ind some cost charging trends, his work papers do not reflect any audit conclusions regarding those trends. (Ex. 660; Carren, 12/7/95 Tr. at 92.)

78. C lark al so r eviewed G eneral D ynamics' w ritten p olicies a nd procedures go verning i ndirect engineering labor. (Ex. 660; Carren, 12/7/95 Tr. at 92.) Clark concluded that General Dynamics had in place adequate internal controls. (Ex. 660 at 660-478.)

79. C lark al so discovered G eneral D ynamics' C ost A ccounting D irectives ( "CADs") with t he notation "cancel B=E." (Ex. 660 at 660-780.) Clark recommended that someone follow-up on this issue. (Ex. 660; Carren, 12/7/95 Tr. at 98.)

80. Clark left the General Dynamics FAO shortly thereafter, in May of 1982. (Carren, 12/7/95 Tr. at 99; Ex. 911.)

D. The Hollis-Brau Audit

[195]

81. I n May, 1 982, Robert H ollis-Brau be gan work on an au dit f ocused o n General D ynamics' DIVAD-charging. (Hollis-Brau, 1/9/96 Tr. at 191; Carren, 12/7/95 Tr. at 105.) Hollis-Brau was assisted by Richard Wojtasiak. (Hollis-Brau, 1/9/96 Tr. at 198; Carren, 12/7/75 Tr. at 108.)

82. Hollis-Brau f ailed t o do many of t he t hings that a DCAA au ditor i s r equired to do when he begins an audit. For example, he failed to document his audit assignment. (Ex. 662; Carren, 12/7/95 Tr. at 105-06.) He also did not prepare an audit program, which would have revealed, among other things, the p urpose of hi s r eview, his a udit obj ectives, and t he s teps n ecessary t o c omplete h is aud it. (Hollis-Brau, 12/19/95 Tr. at 9, 26-27; Carren, 12/7/95 Tr. at 106.) And he did not, at the outset, read, review or brief the DIVAD contract. (Hollis-Brau, 12/19/95 Tr. at 8; Carren, 12/7/95 Tr. at 108.) Rather, he simply "assumed like everybody else" that DIVAD was an ordinary fixed-price contract. (Hollis-Brau, 12/19/95 Tr. at 11.)

83. Wojtasiak, who was as sisting Hollis-Brau, d id no thing m ore than duplicate p rior aud it work. Like Hudson and Clark, Wojtasiak reviewed travel reports and collected CAD's with the notation "cancel B=E." (Hollis-Brau, 1/9/95 Tr. at 198, 1/10/96 Tr. at 5; Carren, 12/7/95 Tr. at 108-09; Ex. 662.)

84. I n J uly 1982, H ollis-Brau pr epared a gr aph of certain l abor c harges as sociated with t he DIVAD program. (Ex. 662 at 662-549; Hollis-Brau, 1/10/96 Tr. at 11; Carren, 12/7/95 Tr. at 110.) Not surprisingly, g iven t hat t he c ontractual ef fort on the D IVAD pr ototype p hase and t he nonc ontractual proposal effort on the DIVAD production phase were proceeding in parallel, Hollis-Brau found that during testing at Fort Bliss, Texas, charges to the DIVAD contract decreased while charges to a B & P account for t he pr oduction c ontract pr oposal i ncreased. ( Ex. 662 at 662-549; C arren, 12/ 7/95 T r. at 110 -12.) General Dynamics' total effort remained relatively constant. (Ex. 662 at 662-549.)

85. I n August 19 82, G eneral D ynamics' C ontroller, J ames D ematteis, c alled a m eeting with DCAA to discuss what, if any, concerns DCAA had relative to labor charging. (Dematteis, 12/20/95 Tr. at 109.) A t t hat m eeting, D CAA as ked s ome ques tions about G eneral D ynamics' D IVAD l abor c harging. (Id. at 110.) General Dynamics asked the DCAA to put its questions in writing. (Id. at 110.)

86. By letter dated August 3, 1982, DCAA sent 14 questions to General Dynamics. (Ex. 662 at 662-149-52.) These were routine labor accounting questions. (Dematteis, 12/20/95 Tr. at 111.)

87. General Dynamics responded in writing to DCAA's questions in November, 1982. (Ex. 662 at 662-167-79.) General Dynamics answered in full each of the questions put to it by DCAA. (Id.) When General Dynamics heard nothing more, Dematteis asked Robert Morales, General Dynamics' supervisor of labor accounting, to ask the DCAA whether it needed any additional information. (Dematteis, 12/20/95 Tr. at 112.) General Dynamics heard nothing further until it got the final audit report. (Id.)

88. The DCAA auditor-in-charge, Hollis-Brau, apparently ignored General D ynamics' responses to DCAA's questions. (Ex. 662; Carren, 12/7/95 Tr. at 125-26.) Nothing in Hollis-Brau's working papers even s uggests t hat D CAA anal yzed or f ollowed-up on an y of G eneral D ynamics' ans wers. ( Ex. 662; Carren, 12/7/95 Tr. at 125-26.)

89. A fter r eceiving G eneral D ynamics' r esponse t o t he 1 4 qu estions, H ollis- Brau f inally got around to reviewing the NAVPRO f ile on the DIVAD contract. (Ex. 662 at 662-236--662-532; Ex. 904; Carren, 12/7/95 Tr. at 127.) But Hollis-Brau never prepared a proper contract brief, nor did he note, much less ana lyze, the c ontract's num erous s pecial pr ovisions p ertaining t o bes t ef forts. ( Ex. 662-236--662-532; C arren, 12/ 7/95 T r. at 12 7.) I nstead, l ike al l t he au ditors before hi m, H ollis-Brau disregarded the contract's plain language in erroneously assuming that the contract was an ordinary firm fixed price contract. (Ex. 662 at 662-244; Hollis-Brau, 12/19/95 Tr. at 11.)

90. H ollis-Brau's er ror was i nexcusable gi ven t hat his a udit work papers c ontain v oluminous material, including excerpts from the contract itself, that trumpeted the unique best efforts nature of the DIVAD c ontract. ( Ex. 1 82; Ex. 6 62 at 662-236--662-532; H ollis-Brau, 1/10/96 T r. at 4 5-60; C arren, 12/7/95 Tr. at 129-38.) Hollis-Brau simply ignored this evidence. (Hollis-Brau, 1/10/96 Tr. at 53, 59-60; Carren, 12/7/95 Tr. at 129-38.) As he admitted, Hollis-Brau paid no attention to best efforts because even before reviewing the evidence he assumed that contract type was not pertinent to his review. (Hollis-Brau, 1/10/96 Tr. at 53, 59-60.)

[196]

91. In making this assumption Hollis-Brau disregarded what General Dynamics' employees had told him about the unique nature of the DIVAD contract. Morales told both Hollis-Brau and Tortorici that DIVAD was a best ef forts contract. (Morales, 12/20/95 Tr. at 95-97.) Steve Eggen, General Dynamics' chief of c ost ac counting, t old Hollis-Brau t hat D IVAD w as a u nique k ind of c ontract, and t hat G eneral Dynamics was interested in clarifying any questions Hollis-Brau might have. (Eggen, 12/19/95 Tr. at 45.)

92. C onfronted with t his i nformation, a r easonable prudent au ditor s hould have s ought, at a minimum, assistance from the PCO in interpreting the contract. (Carren, 12/7/95 Tr. at 138.) Hollis-Brau failed to do so. (Hollis-Brau, 12/19/95 Tr. at 15.)

93. Hollis-Brau c ontinued his aud it, at tempting to de termine i f G eneral D ynamics was c harging costs required by the DIVAD contract to other accounts. (Hollis-Brau, 1/10/96 Tr. at 50, 77; Ex. 662 at 662-119.)

94. I n or der t o r each a ny aud it c onclusions a bout General D ynamics' c harging, H ollis-Brau recognized t hat he needed t echnical as sistance to det ermine w hat the D IVAD c ontract r equired. (Hollis-Brau, 12/19/95 Tr. at 12, 25, 28.) On May 6, 1983, the DCAA sent a letter requesting technical assistance t o t he Army's D IVAD pr ogram manager. ( Ex. 662 at 662 -19-20.) D CAA's l etter s ought engineering assistance, but it did not seek assistance in interpreting the DIVAD contract. (Id.; Carren, 12/7/95 Tr. at 143-44.)

95. While t he D CAA ne eded e ngineering t echnical as sistance, i t a lso ne eded c ontractual interpretation technical assistance from the PCO as to contract requirements. (Carren, 12/7/95 Tr. at 34.) Kamer acknowledged this need in his work papers. (Ex. 478 at 478-26.) And the government's expert admitted that he would have expected the DCAA to contact the PCO to determine the full ramifications of the contract's statement of work. (Brincefield, 1/11/96 Tr. at 128-29.)

96. The work papers are devoid of any indication that DCAA ever received any technical assistance regarding the Army's interpretation of the DIVAD prototype contract. (Ex. 478; Ex. 660; Ex. 662.) At trial, Baumgartner claimed that he had discussed contract interpretation, including best efforts, with the Army's DIVAD project manager, General Adsit. (1/11/96 Tr. at 155-158.) General Adsit was not the PCO and hence was not the proper source for technical assistance as to the meaning of the DIVAD contract. Mor e i mportant, t he C ourt gi ves no c redence t o B aumgartner's t estimony as t o t his al leged conversation with General Adsit. Baumgartner kept detailed logs of all of his work-related meetings and conversations, but his logs make no mention of this critical conversation. (Ex. 2822; Ex. 2083.) In his deposition Baumgartner d id n ot r ecall a ny s uch c onversation. ( Baumgartner, 1/16/96 T r. at 4 5.) And General Adsit, in hi s de position, den ied ev er ha ving had an y c onversation w ith an yone at t he D CAA regarding the DIVAD prototype contract. (Adsit Dep. at 69, 87.)

97. The Army replied to DCAA's request for technical assistance in a letter dated May 23, 1983. (Ex. 662 at 6 62-124.) T he r eply was t erse, vague and n onresponsive. ( Id.; C arren, 1 2/7/95 T r. at 148-51, 159.) As Hollis-Brau admitted, the Army's reply did not give a definitive answer to his questions. (Hollis-Brau, 12/19/95 T r. at 32. ) T his i s not s urprising g iven t hat t he D CAA f ailed t o include with t he request an y s upporting dat a: i t did n ot ev en g iven the Army c opies of t he CADs or of t he Accounting Work O rder t o which its q uestions were d irected. ( Ex. 66 2 a t 6 62-19-20.) T he r eply d id, ho wever, confirm General D ynamics' s tatement that the BITE p roofing m odel was not a c ontractual requirement. (Ex. 662 at 662-124.)

98. I n its r eply, t he Army i nvited the D CAA to c ontact i t with a ny f ollow-up q uestions. B ut t he DCAA never followed-up to get any clarification about the meaning of the response. (Ex. 662 at 662-124; Carren, 12/7/95 Tr. at 149.)

99. Recognizing that he still needed technical assistance, in June, 1983, Hollis-Brau sought that assistance through M ajor K iebler. ( Ex. 662 at 662-128- 29; H ollis-Brau, 1 /10/96 T r. at 79 -80.) Maj or Kiebler t old H ollis-Brau to submit a r equest f or t echnical as sistance i n writing, and t hat a written r eply would be provided. (Ex. 662 at 662-128-29; Hollis-Brau, 1/11/96 Tr. at 35.) Hollis-Brau did not submit a written request to Major Kiebler because that would have been too inconvenient. (Hollis-Brau, 1/11/96 Tr. at 35-36.)

E. The Referral

[197]

100. I n March, 19 83, while H ollis-Brau was i n t he midst o f hi s audi t, M aureen Mo ntgomery, Hollis-Brau's s upervisor, d rafted a r eferral memorandum r egarding s uspected irregularities i n G eneral Dynamics' D IVAD l abor c harging. ( Ex. 6 62 at 6 62-93-102; C arren, 1 2/7/95 T r. at 139. ) U ntil t hen Montgomery had played no substantive role in Hollis-Brau's audit. (Ex. 662; Carren, 12/7/95 Tr. at 139.)

101. Some months later, on May 25, 1983, the DCAA finalized its referral memorandum and sent it to DCAA headquarters via the Los Angeles region. (Ex. 202; Carren, 12/7/95 Tr. at 150.) Hollis-Brau had no involvement at any stage in the drafting or preparation of the referral memorandum. (Hollis-Brau, 12/19/95 T r. at 3 3; C arren, 12/ 7/95 T r. at 140 -41.) I ndeed, H ollis-Brau h ad n o input into t he DCAA's decision to make the referral. (Hollis-Brau, 12/19/95 Tr. at 20-21, 32-35.)

102. On this point--Hollis-Brau's involvement with the referral--the Court finds Hollis-Brau's deposition t estimony a nd the doc umentary e vidence more c redible t han H ollis-Brau's t rial t estimony. Nothing in H ollis-Brau's work paper s s upports H ollis-Brau's claim at trial t hat he w as i nvolved i n the referral. (See Ex. 662.) In addition, Hollis-Brau testified unequivocally at his deposition on two separate occasions spaced more than one year apart that he had no involvement in the referral and only learned of it well after the fact. (Hollis-Brau, 12/19/95 Tr. at 20-21, 32-35.)

103. On May 26, 1983, Patrick Mirch, the DCAA's Los Angeles Regional Director, forwarded the DCAA's May 25 referral memorandum to DCAA Headquarters. (Ex. 166.)

104. On June 14, 1983, John Quill, DCAA General Counsel, sent a memorandum to the Director of the Naval Investigative Service referring, on behalf of DCAA, the suspected labor mischarging on the DIVAD program to the Naval Investigative Service for investigation. (Ex. 215.) Copies of Quill's memorandum were also provided to representatives from the DoD Procurement Fraud Unit, the criminal division of the Department of Justice, and the Assistant Inspector General for Investigations, DoD. (Id.)

105. U nder D CAA p olicies and procedures t hen in ef fect, t he D CAA was r equired to r efer suspected l abor m ischarging f or c riminal i nvestigation. ( Ex. 571 B at 12 28, s 12-701.4.) A t t he t ime DCAA r eferred t his m atter t o t he N aval I nvestigative S ervice an d t he D epartment o f J ustice, D CAA understood that its al legations of mischarging could well result in a criminal prosecution. (Quill Dep. at 55-57.)

F. The February 29, 1984, Audit Report

106. At t he t ime of t he r eferral, Hollis-Brau's a udit work was not c omplete. ( Ex. 662; C arren, 12/7/95 T r. at 1 55.) Even t hough t he D CAA ha d r eferred t he s uspected mischarging f or c riminal prosecution, Hollis-Brau was required to complete his audit work and to draft a report. (Ex. 571A at 209, s 2-301; Ex. 571B at 1227, s 12-701.2; Baumgartner, 1/16/96 Tr. at 62-63.)

107. As Hollis-Brau and the other auditors continued their audit work, they functioned as auditors and n ot as investigators. (Baumgartner, 1/ 16/96 T r. at 59 -60; R eed D ep. at 58-59.) Even af ter t he referral, neither the auditors nor any one else at the DCAA took direction in their DIVAD audit work from either the Naval Investigative Service or the Department of Justice. (Id.) The DCAA issued its February 29, 1984 audit report because it was required to do so under the provisions of the Defense Contract Audit Manual ( DCAM), n ot because of an y direction f rom t he N aval I nvestigative Service or Department of Justice. (Baumgartner, 1/16/96 Tr. at 62-63.)

108. H ollis-Brau's pos t-referral aud it work f ocused on t hree n ew ar eas: t rainers and l ogistic support charges, BITE software charges, and proximity fuze charges. (Ex. 662; Carren, 12/7/95 Tr. at 157.) In performing this work, Hollis-Brau collected and reviewed some General D ynamics accounting records. (Carren, 12/7/95 Tr. at 157; Ex. 662.) He did not, however, do any fact-finding with General Dynamics that would ha ve gi ven General D ynamics an o pportunity to ex plain its c harging d ecisions i n these three areas. (Id.)

109. Hollis-Brau then drafted what he termed an "overhead style" report. (Hollis-Brau, 12/19/95 Tr. at 19.) An overhead style report addresses technical accounting issues and questions costs. (Carren, 12/7/95 T r. at 1 68.) N owhere i n h is dr aft r eport di d H ollis-Brau c onclude t hat G eneral D ynamics had mischarged costs. (Hollis-Brau, 12/19/95 Tr. at 35-39.)

[198]

110. A fter c ompleting h is dr aft audi t r eport, H ollis-Brau ga ve i t t o B aumgartner. ( Hollis-Brau, 12/19/95 Tr. at 24.) Baumgartner told Hollis-Brau that the draft report was not what he wanted. (Id.)

111. It is unclear who prepared the next draft of the audit report. But it is clear that Hollis-Brau had little or nothing to do with the later drafts beyond acting as a clerk-typist. (Hollis-Brau, 1/11/96 Tr. at 19-21.)

112. On these points--Hollis-Brau's involvement in the drafting of the f inal report and his never having r eached a c onclusion of mischarging--the C ourt aga in f inds H ollis-Brau's depos ition t estimony more credible than his trial testimony. The Court notes that Hollis-Brau was impeached with his deposition testimony seventeen times dur ing trial. In addition, at the time of his deposition, Hollis-Brau was unequivocal in his testimony regarding the style of his original draft report, his not having reached a conclusion of mischarging, and his minimal role in drafting the report once Baumgartner had rejected his initial draft. (Hollis-Brau, 12/19/95 Tr. at 19, 35-37, 38-39; Hollis-Brau, 1/11/96 Tr. at 19-21.)

113. Baumgartner drafted the February 29, 1984, audit report. (Hollis- Brau, 1/11/96 Tr. at 19-20; Carren, 12/ 7/95 T r. at 173. ) The r eport w as s igned b y M izutari, w ho d id no t hav e an y r ole i n t he underlying audit. (Ex. 108; Ex. 662; Carren, 12/7/95 Tr. at 173.) The report's overall conclusion is that General D ynamics mischarged a pproximately $8.4 million i n work t hat was r equired u nder t he D IVAD contract to indirect accounts such as B & P and IR & D. (Ex. 108 at 2.)

114. T he C ourt f inds t hat the a nalysis und ertaken b y the D CAA dur ing i ts audit work and t he conclusions reached by the DCAA in its audit report concerned what the DIVAD contract required. Each section of Exhibit A to the report reaches the conclusion that General Dynamics improperly charged costs to an indirect account because that work was required under the DIVAD prototype contract. (Ex. 108 at 12, 14, 1 5, 16. ) B aumgartner adm itted t hat it was i mportant f or D CAA t o det ermine w hether G eneral Dynamics' charges to B & P were for work required under the DIVAD prototype contract. (Baumgartner, 1/16/96 Tr. at 72, 74.)

115. T he r eport and Baumgartner's t estimony ar e not t he o nly evidence t hat t he D CAA w as attempting to determine what the DIVAD prototype contract required. In its one and only written request for technical assistance, the DCAA informed the Army that "[t]he objective of our review is to determine whether effort charged to overhead by the contractor as B & P/IR & D was actually work required under the scope of the DIVAD contract." (Ex. 662 at 662-119.)

116. The Court rejects the government's attempt to draw a distinction between what was "specifically i dentifiable" to t he D IVAD pr ototype c ontract an d what was r equired u nder t he contract. Relying o n t his s upposed distinction, t he government ar gued at t rial ( directly c ontradicting t he ex press admissions i t made w hen moving t o d ismiss t he i ndictment i n t he c riminal c ase ( Ex. 419) ) t hat t he conclusions in t he aud it r eport w ere correct bec ause t he questioned items w ere a ll "specifically identifiable" to the DIVAD prototype contract even if they were not required. The Court is not persuaded.

117. In rejecting the government's "specifically identifiable" theory, the Court makes the following findings.

118. F irst, as d emonstrated ab ove, t he audit r eport and t he und erlying au dit work s how unequivocally that the DCAA was attempting to determine what the contract required.

119. S econd, t he I R & D and B & P regulations themselves state t hat work r equired in t he performance of a contract cannot be charged to IR & D and B & P. (32 C.F.R. ss 15-205.35, 15-205.3 (1977) (emphasis added).) The IR & D and B & P regulations never use the term "specifically identifiable," nor do they in any way suggest that the term has s ignificance with respect to what is and what is not IR & D and B & P. Indeed, Brincefield, the government's IR & D and B & P expert, testified that in order to determine whether something was more appropriately charged to the DIVAD contract or, rather, to IR & D or B & P, the proper inquiry was to determine what was required under the contract's statement of work. (Brincefield, 1/11/96 Tr. at 125-26.)

120. Third, the Department of Justice's Application For Leave to File A Voluntary Dismissal of the Indictment, filed on June 19, 1987, states that: Under the applicable DoD regulations, B & P and IR & D charges that are not required by the contract may be charged to those overhead accounts. (Ex. 419 at 4, P d.)

[199]

121. Fourth, the government's "specifically identifiable" test makes no sense in the context of the Army's pr ototyping f or pr oduction ac quisition s trategy. U nder t hat s trategy, D IVAD prototype c ontract work w ent on i n par allel with b id a nd pr oposal work for t he D IVAD pr oduction ph ase. U nder t he government's test there is no way to distinguish between what should have been charged to the prototype contract and what should have been charged to B & P and IR & D for the production effort because any DIVAD program work is just as identifiable to the former cost objective as to the latter.

122. In sum, the Court rejects the government's attempt to justify the conclusions in the DIVAD audit report based on its "specifically identifiable" theory as an after-the-fact rationalization without support in the work papers, the report, or the regulations.

123. The audit report states that the audit was "performed in accordance with generally accepted auditing standards." (Ex. 108 at 2.) The DCAA thus represented that in conducting the DIVAD audit the auditors followed and met generally accepted auditing standards. (Carren, 12/7/95 Tr. at 174-75; Reed, 1/12/96 Tr. at 34-35.) Accordingly, as DCAA director Reed admitted, the auditors were bound by those standards. (Reed, 1/12/96 Tr. at 34-35; Reed Dep. at 67-70.) It follows that the Court must measure the sufficiency of t he audit r eport a nd t he c onduct of t he a uditors ag ainst ge nerally accepted a uditing standards.

124. The Court addresses the conduct of the auditors in the next section of these findings. As to the report itself, the Court makes the following findings.

125. B oth G eneral D ynamics ( in t his s tage of t he c ase) and t he go vernment ( in t he s tatute of limitations stage of the case) have presented ample evidence that the DCAA's audit report was flawed. (See 5/ 4/95 F indings at P 18. ) T he r eport's most g laring er ror i s t hat it m ischaracterized t he D IVAD prototype contract as a firm fixed price contract without mentioning, much less attributing significance to, the best efforts terms that permeate the contract. (Ex. 108 at 7; Ex. 20.) This error fundamentally tainted all of t he D CAA's aud it c onclusions: w orking f rom t he f alse pr emise t hat t he DIVAD c ontract was a garden variety fixed price contract, the DCAA just assumed that all the work performed with respect to the prototype units had to be charged to the contract. (Ex. 108; McPherson, 12/7/95 Tr. at 73.)

126. T he r eport c ontains another b latant er ror in its t reatment of c ontract op tions as c ontract requirements. (McPherson, 12/7/95 Tr. at 73; Ex. 108 at 12.) For example, the report concluded that a classroom trainer and a crew proficiency trainer were required under the contract. (Ex. 108 at 12.) But both of these trainers were never made part of the contract--they were options, identified as such in the RFP a nd never ex ercised by t he A rmy. ( Ex. 255 at 48; Mc Pherson, 12 /6/95 T r. 74 -76.) Moreover, McPherson s pecifically i nformed C ol. M arrella t hat despite t he A rmy's d ecision not t o f und t he t rainer work, General Dynamics had to do that work to support its production proposal and that it would therefore charge the work to B & P. (McPherson, 12/6/95 Tr. at 74-77.)

127. T he au dit r eport a lso f ailed t o d istinguish b etween c ontract effort and pr oduction effort. Thus, f or ex ample, t he r eport er roneously c oncluded t hat BITE s oftware work, w hich r elated t o t he production proposal, was contract required and therefore should have been charged to the contract. (Ex. 108 at 14; McPherson, 12/7/95 Tr. at 78-79.) In addition, the DCAA's failure to understand the difference between contract effort and production effort caused it to erroneously conclude that the modifications to the pr ototype u nits at D T/OT s hould h ave b een c harged t o t he c ontract when, i n f act, t he appropriate charge was to B & P. (Ex. 108 at 16; McPherson, 12/6/95 Tr. at 81-82.)

IV. DCAA'S NEGLIGENCE

A. Standards And Procedures Applicable To DCAA Audits

128. DCAA auditors are professional auditors; they must adhere to the standards of the auditing profession when performing their audit work. (Reed, 1/12/96 Tr. at 33; Carren, 12/9/95 Tr. at 65.) As the current di rector of t he D CAA, William R eed, ex plained, when t he D CAA issues an audi t r eport representing that the audit was performed in accordance with generally accepted auditing standards, the DCAA auditors are bound by those audit standards in performing their work. (Reed, 1/12/96 Tr. at 34-35; Reed Dep. at 67-70.)

129. T he D IVAD au dit r eport r epresented t hat t he D IVAD a udit h ad be en " performed i n accordance with generally accepted auditing standards." (Ex. 108 at 2.)

[200]

130. G enerally A ccepted Auditing Standards ( "GAAS") ar e pr omulgated in written f orm b y t he American Institute of Certified Public Accountants. (Reed, 1/12/96 Tr. at 34; Carren, 12/5/95 Tr. at 77.) The General Accounting Office promulgates very similar standards, known as Generally Accepted Government Auditing Standards, which apply by executive order to a ll federal auditors including DCAA auditors. ( Carren, 12/5/95 T r. at 77; R eed, 1 /12/96 Tr. at 34. ) D CAA auditors are also bound b y the auditing standards set forth in Chapter 2 of the Defense Contract Audit Manual ("DCAM"), which essentially recapitulates generally accepted auditing standards. (Reed, 1/12/96 Tr. at 35; Reed Dep. at 69; Carren, 12/5/95 Tr. at 76-77.)

131. By D CAA pol icy, D CAA a uditors m ust adher e t o al l t hree s ets of s tandards--GAAS a s promulgated by the AICPA, GAGAS as promulgated by the GAO, and GAAS as recapitulated in Chapter 2 of the DCAM--when performing their audit work. (Reed, 1/12/96 Tr. at 34-35; Carren, 12/5/95 Tr. at 74-78.) The DCAM is the primary source for the DCAA auditor to consult in performing his audit work. (Reed, 1/12/96 Tr. at 35.)

132. As set forth in the DCAM, generally accepted auditing standards fall into three categories: general standards; field work standards; reporting standards. (Ex. 571A at 202-213, Chapter 2.)

133. G eneral s tandards c omprise: ( 1) due pr ofessional c are; ( 2) qua lifications; ( 3) independence. (Ex. 571A at 202-04, s 2-101, s 2-102, s 2- 103.)

134. The due professional care standard is the ultimate, umbrella standard by which the auditor's work must be j udged. (Ex. 57 1A at 204, s 2 - 103; Carren, 12/5/95 T r. at 8 3-84.) T he other ge neral standards-- qualifications and independence--are pr erequisites t o c omplying with t he s tandard of due professional care, and in o rder f or an auditor to meet the due professional care s tandard he must f irst satisfy the standards of field work and reporting. (Id. at 84.)

135. The i ndependence s tandard r equires, am ong o ther t hings, t hat t he au ditor maintain a n "independent and objective mental a ttitude" with respect to a ll aspects of his audit work. ( Ex. 571A at 203, s 2-102.) He is to approach the audit with "judicial impartiality," and is not to assume the "attitude of a prosecutor." (Ex. 663 at 31, AU Section 220.02.)

136. T hus, un der t he independence s tandard, the D CAA au ditors were r equired to be f air a nd impartial i n their audit of GD-P. ( Id.; Ex. 571A at 203, s 2 - 102; C arren, 12/5/95 T r. at 84-86.) T his obligation continued even after the r eferral was m ade and the criminal i nvestigation commenced. ( Ex. 571B at 1227, s 12-701.3(a); Ex. 108 at 2; Carren, 12/7/95 Tr. at 10; Weikel, 1/9/96 Tr. at 34, 40-41.) As DCAA policy recognizes, auditors are not to assume the role of prosecutors or criminal investigators, and even when supporting a criminal investigation, must continue to audit in accordance with generally accepted auditing standards. (Ex. 571B at 1227, s 12-701.3(a); Ex. 663 at 31, AU Section 220.02; Reed Dep. at 58-59.) In no event do DCAA auditors report to or receive direction from prosecutors or criminal investigators: even when providing support to prosecutors auditors remain in the DCAA chain of command and m ust c ontinue to c omply with ge nerally accepted a uditing s tandards in t heir audit work. (Reed Dep. at 58-59; Ex. 571B at 1227, s 12-701.3(a).)

137. T he t hird ge neral s tandard, q ualifications, r equires t hat a uditors ha ve t he pr ofessional training an d s kills r equired to c arry out t heir audit as signments. ( Ex. 571A at 202-03, s 2 -101.) As a corollary to this r equirement, t he qu alifications s tandard r ecognizes that a udits f requently require s kills from non-auditing disciplines such as law and engineering. (Id.; Carren, 12/5/95 Tr. at 87; Reed Dep. at 83.) When an auditor encounters an issue whose resolution is beyond his professional competence, he must seek technical assistance from the appropriate discipline. (Id.)

138. T he f ield work s tandards r equire t hat t he au ditor dev elop s ufficient, c ompetent, r elevant evidence to provide a factual basis for his conclusions and recommendations and that the audit work be properly planned. (Ex. 571A at 204- 09, ss 2-202, 2-206.)

139. T he r eporting s tandards r equire t hat t he au dit r eport pr esent t he a uditor's findings and conclusions objectively, accurately, and fairly. (Ex. 571A at 209-13, ss 2-303(b) and (c) and (i), 2-304.)

140. All of the standards set forth in Chapter 2 of the DCAM are mandatory: DCAA auditors must comply with each and every standard in performing their audit work. (Reed, 1/12/96 Tr. at 34-35; Carren, 12/5/95 Tr. at 89; Ex. 527 at 11; Reed Dep. at 131-32; Weikel, 12/21/95 Tr. at 127-30.)

[201]

141. The DCAM, however, is not limited to auditing standards. It also provides direction to DCAA auditors on what auditing procedures a nd t echniques to em ploy a nd h ow to perform those procedures and techniques. (Ex. 571A at 101, s 1-101; Reed Dep. at 73; Carren, 12/5/95 Tr. at 76.) The purpose of the procedures is to insure that the auditing standards are met. (Carren, 12/5/95 Tr. at 90-92, 12/8/95 Tr. at 26-27.)

142. The government characterizes the DCAM's auditing procedures as "guidance," which DCAA auditors are free to follow or not as they deem fit. Indeed, the government's expert, Weikel, went so far as to testify that in the "real world" it is "common practice" for DCAA auditors to ignore the standards and teachings of the DCAM. (Weikel, 1/5/96 Tr. at 95.)

143. But W eikel also admitted that the procedures specified in the DCAM represent "best practices." ( Id. a t 4 4.) DCAA r esident a uditor Michiro Mizutari described t he D CAM as the D CAA auditor's "bible." (Mizutari Dep. at 39.) Many of the DCAM procedures are stated in the imperative and so constitute required procedures as a matter of DCAA policy. (Carren, 12/5/95 Tr. at 90.) At a minimum, the DCAM procedures, whether r equired or suggested, constitute persuasive evidence of what a reasonable prudent auditor would do and how he would do it.

144. O f c ourse, aud itors m ust ex ercise t heir pr ofessional j udgment i n d etermining what audit steps ar e nec essary a nd appropriate i n par ticular c ircumstances. (Carren, 12/ 5/95 T r. at 89. ) B ut contrary t o t he government's v iew, t hey ar e not t hereby granted l icense to b lithely d isregard t he a udit procedures s et f orth in t he D CAM or t o s ubstitute idiosyncratic pr actices of t heir o wn de vising f or t he DCAM's "best practices."

145. A DCAA auditor's professional judgment does not translate into unbridled discretion, whim, or c aprice. F irst, and m ost i mportant, hi s j udgment i s c ircumscribed b y t he absolute a nd o verriding requirement that he meet generally accepted auditing standards, particularly the standard of due professional care. (Carren, 12/5/95 Tr. at 89-90; Reed, 1/12/95 Tr. at 34-35.)

146. Moreover, as par t of due pr ofessional c are, a reasonable prudent a uditor us es " unusual care" in selecting and performing audit procedures. (Ex. 571A at 204, s 2-103(c); Carren, 12/5/95 Tr. at 90.) While c ircumstances might arise that would lead a reasonable pr udent auditor to make a professional judgment not to follow a procedure suggested by the DCAM, a reasonable prudent auditor would doc ument s uch a j udgment and t he r ationale f or t hat j udgment in hi s w ork paper s. ( Carren, 12/8/95 Tr. at 26-27.)

147. T o t he extent that an auditor c hooses n ot t o f ollow a D CAM pr ocedure, whether recommended or r equired, he r uns the r isk t hat his audit will n ot c omply with t he s tandards. ( Carren, 12/5/95 Tr. at 88-89.) A reasonable prudent auditor would not run that risk absent compelling reasons clearly documented in his work papers. (Id.; Carren, 12/8/95 Tr. at 26-27.)

B. The Elements Of Due Professional Care

148. Ultimately, the procedures an auditor employs must be sufficient to meet the standard of due professional c are: as D CAA D irector R eed ac knowledged, no ex ercise of j udgment c an ex cuse an auditor's failure to meet that standard. (Reed Dep. at 131-32.)

149. I n order t o s atisfy t he due pr ofessional c are s tandard, a n aud itor m ust first meet t he f ield work standard in performing his audit work and must then meet the reporting standards in producing his audit report. (Carren, 12/5/95 Tr. at 84.)

150. While the exact steps that an auditor should take to meet these s tandards may vary from audit to audit, a reasonable prudent auditor performing the DIVAD audit would have at a minimum taken the steps identified in the chart admitted as exhibit 901. These critical steps--discussed in detail below--were r equired b y t he D CAM e ither as par t of t he m andatory s tandards i n C hapter 2 or as procedures which, by their plain language, are mandatory. (Carren, 12/5/95 Tr. at 90-91, 93-95.)

151. With r espect t o t he f ield work s tandards, t he m ore c ritical s teps include: (1) U nderstand purpose of audit. (Ex. 571A at 204, s 2-202(a).) (2) Review and brief contract. (Id.; Ex. 571B at 1213, s 12-301.1.) (3) Prepare audit program. (Ex. 571A at 205, s 2-202(c); Id. at 303, s 3- 203.) (4) Conduct entrance c onference. ( Ex. 571B at 1 224, s 12 -601.) ( 5) P repare work paper s. ( Ex. 571A at 20 8, s

[202]

2-206(a); Id. at 329, s 3- 402.) (6) Obtain technical assistance. (Id. at 202-03, s 2-101; Id. at 205-06, s 2-204(b); Id. at 212, s 2-304(f).) (7) Talk with contractor during audit. (Ex. 571B at 1225, s 12-602.2; Ex. 571A at 321, s 3-311.5(b).) (8) Resolve conflicts in the evidence. (Id. at 208, s 2-206(b).)

152. A reasonable prudent auditor would have followed these steps in the DIVAD audit to insure that h is au dit work w ould satisfy t he f ield work s tandards b y pr oducing s ufficient, c ompetent, r elevant evidence to provide a factual basis for his conclusions and recommendations. (Ex. 571A at 208, s 2-206; Ex. 901; Carren, 12/5/95 Tr. at 94-95.)

153. With r espect t o the r eporting s tandards, t he m ore c ritical s teps include: (1) D raft r eport based on work papers. (Ex. 571A at 210, s 2-303(d).) (2) Discuss conclusions at exit conference. (Ex. 571B at 1225, s 1 2-603.) (3) I nclude c ontractor's r eaction. ( Ex. 571A a t 21 1, s 2 -303(i); I d. at 321, 3-311.5(b).) (4) Issue report promptly. ( Id. at 209, s 2-301(a), 2-302.) (Ex. 901; Carren, 12/5/95 Tr. at 94.)

154. A reasonable prudent auditor would have followed these steps in the DIVAD audit to insure that he ac hieved t he reporting standards b y producing a r eport t hat o bjectively, accurately, an d f airly presented his findings, conclusions and recommendations. (Ex. 901; Carren, 12/5/95 Tr. at 94; Carren, 12/6/95 Tr. at 193.)

155. R eview of t he D IVAD aud it r eport and D IVAD audi t work paper s s hows t hat t he D CAA auditors failed to perform these critical audit steps and that, as a consequence, they failed to achieve the field work and reporting standards and failed to meet the umbrella standard of due professional care.

C. The DCAA's Failure To Employ Procedures And To Achieve Standards

156. Mor eover, instead of aud iting with u nusual c are as r equired b y the d ue professional c are standard, the DCAA auditors on the DIVAD matter audited with such a lack of care that their work failed to meet even minimal professional standards. (Carren, 12/5/95 Tr. at 73.)

157. The result was an audit report whose findings, conclusions, and recommendations were not supported b y evidence in t he work papers even though, in the op inion of the government's expert, the single most important aspect of due professional care is that the work papers contain sufficient evidential matter to support the report. (Weikel, 12/21/95 Tr. at 132; Carren, 12/7/95 Tr. at 183.)

158. The failure of the DCAA auditors to follow the steps that reasonable prudent auditors would have followed, to meet the various auditing standards, to audit with unusual care, and to ground the audit report's c onclusions i n t he ev idence c ontained in t he work paper s w ere d etailed by plaintiff's ex pert Carren. Some of the more salient examples of the DCAA's professional negligence with respect to the DIVAD audit are set forth below.

D. Negligence In Understanding The Purpose Of The DIVAD Audit As Part Of Planning

In c onnection with t he f ield w ork standards' r equirement t hat aud its be a dequately planned, DCAA aud itors are a dmonished that " [b]efore beg inning an a udit, i t is es sential to und erstand f ully t he purpose of the audit[.]" (Ex. 571A at 204, s 2-202(a).) An auditor cannot hope to satisfy the field work standard un less he has , at t he b eginning of hi s audit, a c lear understanding of t he s cope of and objectives f or h is au dit work. ( Carren, 12/ 5/95 T r. 9 9-100.) T hese s hould be documented in an au dit assignment contained in the work papers. (Id. at 99.)

159. The DIVAD audit suffered from a lack of proper audit planning. When the first DCAA auditor to audit DIVAD labor charges, Kamer, began his work, his supervisor gave him an objective: to audit for mischarging. ( Ex. 47 8 at 478 - 20.) T his, however, w as not a pr oper au dit obj ective: under t he independence standard, audits cannot be planned in terms of presumed conclusions. (Reed Dep. at 91; Carren, 12/5/95 Tr. at 86, 12/7/95 Tr. at 15, 19-20.) A proper audit objective would have been to review the charging to the DIVAD contract to be sure that it was appropriate. (Carren, 12/7/95 Tr. at 15.)

160. Tortorici's instruction to look for mischarging, which was not based on any prior audit work, constituted a n ex ternal impairment t o K amer's i ndependence a nd objectivity in v iolation of gener ally accepted auditing standards. (Id. at 15-17, 19-20; Ex. 663 at 31, AU 220.) Thus, Kamer's understanding of the purpose of his audit--to find mischarging--in itself violated auditing standards. (Id.)

[203]

161. Later, when Hollis-Brau took over the audit, he did so with no defined audit objectives. (Ex. 662; Carren, 12/7/95 Tr. at 105-06.) The work papers indicate that Hollis-Brau just appeared and began auditing without h aving an y documented s cope or o bjectives f or hi s work. ( Id.) S uch a d hoc a uditing directly contravenes the field work standard on planning. (Ex. 571A at 204, s 2-202(a).)

E. Negligence In Reviewing And Briefing The Contract

162. Among the most important aspects of audit planning as mandated by the field work standards i s t hat t he a uditors " be a ware of c ontractual, r egulatory, or ot her f actors per tinent t o t he review." (Ex. 571A at 204, s 2-202(a); Carren, 12/5/95 Tr. at 100.) To insure that this aspect of the field work standards is met, the DCAM provides that when an audit concerns a particular contract, the "auditor shall review the contract and prepare a brief of al l pertinent contract provisions." (Ex. 571B at 1213, s 12-301.1; Carren, 12/5/95 Tr. at 100-101.)

163. The DCAA instructs its auditors to pay particular attention to the statement of work and to any special provisions when reviewing and briefing a contract. (Carren, 12/5/95 Tr. at 103-107; Ex. 524; Ex. 525.) Special provisions, which are by definition out of the ordinary, often require special accounting treatment ( Carren, 12/ 5/95 T r. at 108; E x. 52 5) an d ar e t herefore of c rucial i mportance t o an audit. (Carren, 12/5/95 Tr. at 107-109.)

164. As D CAA D irector R eed explained, a c ontracting pr ovision des ignating c ontract t ype as something other than one of the standard contract types listed in the procurement regulations is a special provision. (Reed Dep. at 115.) The procurement regulations in effect at the time of the DIVAD contract did not identify Firm Fixed Price (Best Efforts) as a standard contract type. (Ex. 4510 at 3-404.1.) Hence, Section E.1 of DIVAD prototype contract, which defined contract type as Firm Fixed Price (Best Efforts), was a s pecial pr ovision t hat t he auditors s hould have br iefed. ( Id.; Ex. 20; R eed D ep. at 1 15.) Moreover, " best ef forts" per meated t he c ontract's l anguage, c ritically m odifying c ontractual pr ovisions including the statement of work. (McPherson, 12/6/95 Tr. at 49-50.)

165. A r easonable pr udent aud itor per forming t he D IVAD aud it would ha ve c arefully r ead t he DIVAD prototype contract; would have briefed the contract including the statement of work and the best efforts special pr ovisions; would h ave doc umented and a nalyzed those provisions in his work papers; and would ha ve o btained the technical as sistance n ecessary t o u nderstand the s ignificance of t hose provisions. But here the auditors did none of that.

166. The DIVAD audit began with the false and wholly unsupported assumption that the DIVAD prototype contract was an ordinary Firm F ixed Price contract instead of F irm Fixed Price (Best Efforts) contract. (Ex. 478 at 478- 20; Carren, 12/7/95 Tr. at 15.) None of the numerous auditors who worked in succession on t he D IVAD aud it f or o ver 3 1 /2 years ques tioned t his assumption. N one r eviewed a nd briefed t he c ontract as r equired b y t he D CAM. N one n oted t he c ritical bes t ef forts l anguage t hat permeates the contract. None analyzed the ef fect of best efforts on the statement of work. And none considered t he s ignificance o f c ontract t ype as a s pecial pr ovision. T he onl y auditor who g ave ev en cursory r eview t o t he c entral pr ovisions of t he c ontract was H ollis- Brau, and he simply i gnored " best efforts" despite the fact that (as he admitted on cross-examination) that term made the contract unique. (Hollis- Brau, 1/11/96 Tr. at 62.)

F. Negligence In Preparing The Audit Program

167. Also as par t of p lanning un der t he f ield work s tandards, a r easonable pr udent au ditor prepares a written audit program. (Ex. 571A at 205; s 2- 202(c); Carren, 12/5/95 Tr. at 110.) The audit program details t he procedures and t echniques that t he aud itor will em ploy i n d oing hi s au dit. ( Id.) I t provides a blueprint t o i nsure t hat t he a uditor d evelops s ufficient, c ompetent, r elevant evidence a nd serves as the basis for supervisory review. (Id.; Ex. 571A at 305, s 3-203.)

168. Kamer prepared a written audit program for his work on the DIVAD audit, but that program directly c ontravened the auditing s tandards b y directing t hat "due to p otential for f raud, normal c ontact with the Kr. [contractor] are altered." (Ex. 478 at 478-23; Carren, 12/17/95 Tr. at 19.) In assuming at the outset of his audit without supporting evidence that General Dynamics had potentially engaged in fraud, the au ditor v iolated t he i ndependence s tandard b y adopting a pr osecutorial a pproach where h e was required to exhibit judicial impartiality. (Ex. 663 at 31, AU 220.2; Carren, 12/7/95 Tr. at 19-21.) Moreover,

[204]

as par t of due pr ofessional c are, a r easonable prudent a uditor maintains op en an d c omprehensive communication with the contractor (Carren, 12/5/95 Tr. at 117-18; Ex. 571A at 320, s 3-311.5(b); Ex. 571B at 1225, s 12- 602.2). Here the DCAA planned to and did do exactly the opposite.

169. Later, when Hollis-Brau began his audit, he failed to prepare a written audit program. (Ex. 662; Hollis-Brau, 12/19/95 Tr. at 9, 26-27; Carren, 12/7/95 Tr. at 106.) Nothing in his work papers set forth the required blueprint for the audit work that he did or intended to do. (Ex. 662; Carren, 12/7/95 Tr. at 106.) Hollis-Brau's lack of planning led to ad hoc auditing. (Carren, 12/7/95 Tr. at 158.)

G. Negligence In Not Conducting Entrance Conferences

170. A reasonable prudent auditor, as part of achieving the field work standards, communicates regularly with the contractor: since it is the contractor's books and records which are the subject of audit, the contractor's input is essential to obtaining sufficient, competent, relevant evidence. (Carren, 12/5/95 Tr. at 117-18; Ex. 571A at 320, s 3-311.5(b); Ex. 571B at 1225, s 12-602.2.) The entrance conference, which t he D CAM r equires D CAA a uditors t o hol d a t t he s tart of eac h audi t assignment, beg ins t his process. ( Ex. 5 71B a t 1 224, s 12-601; C arren, 12/5/95 T r. at 1 11-12.) As the D CAM instructs, a reasonable prudent aud itor uses the ent rance conference to explain the purpose of and t o plan for the audit, thus insuring that the audit begins without confusion or false assumptions. (Id.)

171. H ere, ho wever, t he D CAA never he ld an entrance c onference as r equired b y t he D CAM. (Ex. 571B at 1224, s 12-601.) Worse yet, in the first meeting that the DCAA held with General Dynamics regarding the DIVAD audit, the DCAA auditor deliberately misled General Dynamics as to the purpose of the audit. (PX 478-28, Weikel, 1/5/96 Tr. at 54-55.)

172. Hollis-Brau never held any form of entrance conference when he began his audit work, but in an inexplicable and even bizarre twist held an "entrance conference" immediately prior to the issuance of the final DIVAD audit report, long after he had prepared his initial draft audit report. (Ex. 662 at 662- 4099.)

H. Negligence In Preparing Work Papers

173. A reasonable prudent auditor documents his audit work papers. (Carren, 12/5/95 Tr. at 112; Reed Dep. at 98, 120-21; Ex. 571 A a t 20 8, s 2 -206(a).) T he D CAM pr ovides s pecific i nstructions t o D CAA auditors as t o t he minimal requirements for work papers. (Ex. 571A at 329-30, s 3-402, s 3-402.1.) Among other things, work papers must show who prepared the work paper, the date of preparation, the purpose of the work paper, the analysis done, the source of any data or information relied upon, and any conclusions reached. (Id.; Carren, 12/5/95 Tr. at 114-16.)

174. The creation and maintenance of proper work papers is critical to achieving the field work standards because the work papers document the details of the evidence upon which the auditor has relied to support his conclusions. (Ex. 571A at 208, s 2-206(a); Carren, 12/5/95 Tr. at 112-16.)

175. Here, the work papers were woefully inadequate, failing in many instances to meet the minimal requirements for work paper contents set forth in the DCAM and ultimately failing to

[205]

provide evidence or analysis supporting the recommendations and conclusions of the final audit report. (Ex. 662; Ex. 571A at 208, s 2-206(a); Carren, 12/7/95 Tr. at 160-68.)

176. T he work paper f ile contains num erous ex amples of undat ed work paper s, w ork paper s reaching conclusions without supporting analysis, work papers with no conclusions, and work papers that are simply incomprehensible. (Ex. 662; Carren, 12/7/95 Tr. at 160-68.)

177. More important, t he work paper f ile c ontains n o s upport f or t he c entral conclusions an d recommendations i n t he f inal a udit r eport. ( Carren, 12/7/95 T r. at 160 -168.) I n t he m ost obv ious example, the final audit report erroneously concluded that the DIVAD prototype contract was Firm Fixed Price instead of Firm Fixed Price (Best Efforts). (Ex. 108 at 7.) The audit work papers provide no support or analysis for this conclusion.

178. D uring t rial, the go vernment at tempted t o c ompensate f or def iciencies in the ac tual work papers by offering testimony from one auditor, Hollis-Brau, as to analyses he claimed to have done and conclusions he claimed to have reached but, for reasons he never tried to explain, failed to document in his work papers. H ollis-Brau of fered a det ailed reconstruction of undocumented audit work despite h is claim to have little or no recollection of his DIVAD audit work performed about 13 years ago. (Hollis-Brau, 1/10/96 Tr. at 165.) As defendant's expert Weikel testified, the "most important thing is the work papers ... what somebody tried to remember 10 years later ... wasn't really useful." (Weikel, 1/5/96 Tr. at 36.) The Court as signs little c redibility t o H ollis-Brau's t estimony of hav ing performed un documented audit work. Instead, as suggested by the DCAM's requirement that all audit work be documented in the work papers, the Court places primary reliance on the contemporaneous record provided by the work papers to determine what work actually was and was not done as part of the DIVAD audit.

179. The Court also notes that at several points during the trial it became apparent that the DCAA had either lost or destroyed critical audit work papers including, most notably, draft audit reports. (E.g., Hollis-Brau, 1/11/96 Tr. at 11-13; Baumgartner, 1/16/96 Tr. at 46-47.) The DCAA's document retention policy required the DCAA to preserve these documents. (Ex. 665.) Their loss or destruction is particularly troubling gi ven that i t oc curred during the pen dency of the un derlying criminal investigation and prosecution. ( Hollis-Brau, 1/11/96 T r. at 11 -13.) Under t hese c ircumstances, t he C ourt infers t hat t he documents l ost or d estroyed b y t he D CAA would n ot ha ve r eflected well on the D CAA's c onduct i n connection with its DIVAD audit work.

I. Negligence In Not Obtaining Technical Assistance

180. In performing their audit work auditors sometimes encounter issues that are not within their professional c ompetence. F or ex ample, al though auditors ar e no t pr ofessionally q ualified t o m ake engineering det erminations or t o i nterpret c ontractual pr ovisions, D CAA a udits of ten t urn o n i ssues of technical engineering j udgment or c ontractual interpretation. ( Carren, 1 2/5/95 Tr. at 116 -117; D CAM 2-101.) I n t hese c ircumstances, a r easonably pr udent au ditor obt ains t echnical as sistance f rom t he appropriate discipline. (Id.; Reed Dep. at 82-83; DCAM 2-204(b); 2-304(f)).

181. Here, the DCAA auditors f ailed to obtain the technical assistance they needed in order to determine what was r equired un der t he DIVAD prototype c ontract as a m atter of bot h en gineering judgment and contractual interpretation.

182. From the outset DCAA auditors recognized that they needed technical assistance in connection with their DIVAD audit work. Kamer, for example, sought technical assistance early on in his audit from the ACO. (Ex. 478 at 478-26.) But the ACO referred him instead to the PCO. (Id.) Kamer apparently intended to go to the PCO until his supervisor improperly instructed him "not to contact PCO until mischarging is proved." (Id.)

183. This instruction was improper on two grounds. First, in direct contravention of the DCAM, it prevented Kamer from obtaining the technical assistance that he knew he needed in order to comply with the field work standards' fundamental tenet that auditors must obtain sufficient evidence to support their

[206]

conclusions. (Carren, 12/7/95 Tr. at 37-38.) Second, it violated the independence standard by directing Kamer to abandon objectivity in favor of adopting the role of a prosecutor building a case of mischarging. (Id.; Ex. 663 at 31, AU 220.02.) Compounding the problem, later in his audit Kamer was again instructed not to contact the PCO. (Ex. 478 at 478-64.)

184. Years l ater, when H ollis-Brau was w orking on t he D IVAD audit, it a gain occurred t o t he DCAA auditors that they needed technical assistance in order to determine what was required under the DIVAD contract. (Hollis-Brau, 12/19/95 Tr. at 12, 25, 28.) In May 1983, the DCAA sent a written request for technical assistance to the Army's DIVAD project manager. (Ex. 662 at 662-12-20.) The Army duly replied, but as Hollis-Brau r ecognized, t he r eply was i nadequate for t he purposes of hi s aud it work. Indeed, on its face the Army's reply was nonresponsive, vague, and virtually incomprehensible. (Ex. 662 at 662-124; Carren, 12/7/95 Tr. at 148-51, 159; Hollis-Brau, 12/19/95 Tr. at 32; Hollis- Brau, 1/10/96 Tr. at 80.)

185. Confronted with a m aterially inadequate r esponse to a r equest f or t echnical as sistance, a reasonable prudent auditor would have followed-up with the author of the response to obtain clarification. (Carren, 12/7/95 Tr. at 149.) But Hollis-Brau never did that. (Id.; Ex. 662.) He did request that the Army provide on-site technical assistance, b ut when t he A rmy instead of fered t o r espond t o an y written requests f or t echnical as sistance, H ollis- Brau s imply dropped t he m atter as presenting t oo gr eat a n inconvenience. Hollis-Brau, 1/11/96 Tr. at 35-36; Ex. 662 at 662-128-29. In the end, the DCAA never obtained the technical assistance it required to satisfy the field work standards.

186. At t rial, t he go vernment at tempted t o ex cuse D CAA's f ailure to o btain ad equate t echnical assistance by pointing to a boiler-plate qualification in the final audit report. (Weikel, 1/9/96 Tr. at 139.) But as B aumgartner adm itted, t he r eport's c entral c onclusions of mischarging were c ompletely unqualified. (Baumgartner, 1/16/96 Tr. at 90.)

J. Negligence In Failing To Resolve Conflicts In The Evidence

187. A r easonable pr udent aud itor, when c onfronted w ith c onflicting ev idence, does not j ust ignore t he c onflict: r ather, he r esolves i t b y ob taining al l per tinent f acts and making an " impartial judgment" as to the weight of the evidence. (Ex. 571A at 208, s 2-206(b); Carren, 12/5/95 Tr. at 118-19.)

188. But in t his c ase t he DCAA au ditors c oncluded that t he D IVAD prototype contract was an ordinary f irm fixed pr ice contract, c ontaining f irm r equirements w holly un affected b y t he "best ef forts" provisions of the contract, without even considering, much less resolving, the voluminous evidence to the contrary.

189. F or ex ample, t he a uditors paid no attention to t he warnings t hey r eceived f rom G eneral Dynamics' personnel regarding the importance of best efforts and its potential significance to their audit work. Kamer admitted that a General Dynamics' employee told him that DIVAD was "a firm, fixed-price, best-efforts" contract. (Weikel, 1/5/96 Tr. at 37.) Kamer, however, never considered that fact in his audit analysis. Similarly, Hansen told Hudson that the DIVAD was "best efforts" and that she should consider that in c onducting h er au dit. ( Hudson, 1 /9/96 T r. at 175 -76; H ansen, 1 2/20/95 T r. at 7. ) E ggen t old Hollis- Brau that the DIVAD contract was unique and Morales told him that it was best efforts. (Eggen, 12/19/95 Tr. at 45; Morales, 12/20/95 Tr. at 95-97.) But Hollis-Brau paid no attention.

190. Nor did the auditors pay any attention to the documentary evidence, including the contract itself, w hich illuminated t he uni que b est ef forts nat ure of t he c ontract. H ollis-Brau's work paper s, f or example, c ontain c opies of doc uments and r eferences t o num erous N AVPRO contract f ile doc uments, such as the Post Negotiation Memorandum, that expressly refer to the best-efforts nature of the DIVAD contract. (Ex. 182; Ex. 662 at 662-419, 434; Hollis- Brau, 1/10/96 Tr. at 55, 66; Carren, 12/7/95 Tr. at 129-38.) Yet Hollis-Brau simply ignored this evidence when "assuming" that the contract was firm fixed price.

K. Negligence In Failing To Draft The Audit Report Based On The Work Papers

191. In the opinion of the government's expert, Weikel, the most important aspect of due professional care is that the audit report be fully supported by the evidence in the work papers. (Weikel, 12/21/95 Tr. at 132.) The reporting standards require that all findings and conclusions in the audit report be supported b y sufficient competent, relevant evidence. ( Carren, 12/6/95 T r. at 196-97; Ex. 571 A at

[207]

210, s 2-303(d).) That evidence, developed during the course of the audit, must be documented in the work papers. (Carren, 12/6/95 Tr. at 196-97; Ex. 571A at 208, s 2-206(a).) Accordingly, a reasonable prudent auditor drafts his audit report based on his work papers. (Carren, 12/6/95 Tr. at 196-98.)

192. The February 29, 1984, audit report issued by the DCAA on the DIVAD audit, however, was not based on the work papers. (Carren, 12/7/95 Tr. at 201- 02.)

193. F irst o f a ll, H ollis-Brau's work paper s were themselves d eficient i n b oth f orm and substance--they d id not meet t he f ield work s tandards. ( Carren, 12/7/95 T r. at 15 8-59.) Ma ny of Hollis-Brau's work papers contain no audit conclusions. (Id. at 159-60; Ex. 662.) Others have conclusions but lack any indication of the basis for the conclusions and are devoid of audit analysis. (Id. at 160; e.g., Ex. 662 at 662-716, 662-720, 662-2460.)

194. Further, as discussed above, Hollis-Brau knew that he lacked the technical assistance that he needed in order to come to audit conclusions. (Hollis-Brau, 12/19/95 Tr. at 12, 25, 28.)

195. Recognizing these weaknesses, Hollis-Brau drafted an equivocal, highly qualified "overhead style" report. (Hollis-Brau, 12/19/95 Tr. at 19.) In his overhead style report, Hollis-Brau questioned costs without concluding that General Dynamics had mischarged. (Hollis-Brau, 12/19/95 Tr. at 35-37, 38-39.) Indeed, he had reached no such conclusion. (Id.)

196. Baumgartner rewrote the audit report (Hollis-Brau, 1/11/96 Tr. at 19) to reach a conclusion not supported by the work papers and not reached by Hollis- Brau--that General Dynamics was guilty of mischarging. (Ex. 108.)

197. A t t rial, bot h B aumgartner and H ollis-Brau c ontradicted t heir s worn d eposition t estimony (and each other) regarding the preparation of the final audit report. (E.g. Hollis-Brau, 1/11/96 Tr. at 5-7; Baumgartner, 1 /16/96 T r. at 57. ) T he C ourt f inds H ollis-Brau and B aumgartner's depos ition testimony more credible than their trial testimony.

198. The failure of the DCAA auditors to prepare a draft audit report cross- referenced to the work papers, as required by the DCAM, is further evidence that the work papers do not support the final audit report. ( Ex. 571A at 3 30- 31, s 3 -404.2(a)(11).) B aumgartner c laimed t hat a c ross-referenced r eport existed, but offered no explanation for why that document cannot now be found. (Baumgartner, 1/11/96 Tr. at 215. ) I n ac cordance w ith t he D CAM ( s 3 - 404.2(a)(5)) and p ursuant t o t he D CAA's doc ument retention policy, if the document existed, DCAA was required to retain it. (Ex. 665.) The Court infers that no cross-referenced audit report was prepared.

199. D efendant's expert, Weikel, at tempted t o r econstruct a cr oss- referenced a udit r eport. (Weikel, 1/9/96 Tr. at 86.) When he was unable to do so, he enlisted Hollis-Brau to complete the task. (Id.) But even working together, Weikel and Hollis-Brau failed. (E.g. Id. at 103-04.) Tellingly, defendant did not pr esent t he r esults of Weikel's at tempt t o c ross-reference t he au dit report dur ing his d irect examination.

200. Moreover, c ritical f indings and conclusions in the audit report have no support in the work papers. (Carren, 12/7/95 Tr. at 160-71; Weikel, 1/9/96 Tr. at 110.) For example, the report concluded that General Dynamics mischarged costs associated with the BITE proofing model. (Ex. 108.) The work papers, however, reveal that the DCAA was still auditing this issue after the final audit report was issued. (Ex. 662 at 662-3856; Hollis-Brau, 1/11/96 Tr. at 90-91.)

201. Another example of the DCAA's failure to ground its conclusions in the work papers concerns option items from the RFP never funded by the Army and, hence, never incorporated into the DIVAD prototype contract. Although the work papers contained no analysis of this issue, the audit report mistakenly c oncluded t hat the unf unded o ptions w ere ac tually c ontract r equirements. ( Ex. 108 at 1 2; Carren, 12/7/95 Tr. at 178-79; McPherson, 12/6/95 Tr. at 74-76.)

L. N egligence In F ailing T o D iscuss C onclusions At Exit C onference A nd I nclude C ontractor's Reaction In Report

202. In order to insure that his audit report meets the reporting standards for objectivity, accuracy, and fairness (Ex. 571A at 210, s 2-303), a reasonable prudent auditor holds an exit conference with the contractor at w hich he pr esents hi s t entative f indings and s olicits t he c ontractor's r eaction. ( Carren,

[208]

12/6/95 Tr. at 198.) To the extent that the contractor's reaction differs from the conclusions in the final report, the audit report should include those reactions. (Carren, 12/6/95 Tr. at 202-03; Ex. 571A at 211, s 2-303(i) and 320 at s 3-311.5; Ex. 571B at 1225 at s 12-603.)

203. T hese pr ocedures, which ar e m andated b y DCAA p olicy ( Carren, 12/ 6/95 T r. at 198 -99; Reed Dep. at 118-20; Ex. 466; Ex. 571A at 211, s 2-303(i) and 320 at s 3-311.5; Ex. 571B at 1225 at s 12-603), s erve as t he f inal qual ity c ontrol c heck on t he aud it ( Carren, 12 /6/95 T r. at 198 -99) and , b y identifying any disagreements, gives the report the balance required for fairness and objectivity. (Id. at 203.)

204. Here, the D CAA held no exit c onference, d id not d isclose its f indings and c onclusions t o General Dynamics prior to the issuance of the report, and, worse yet, completely excluded from the final report the contractor reaction that it had obtained even though that reaction was in direct conflict with the audit report's central findings. (Ex. 108.)

205. At trial, the government attempted to excuse this negligence by claiming that it was DCAA policy not t o h old a n ex it conference o nce t here had b een a r eferral. (Weikel, 1/9/96 T r. at 5 0.) T he Court rejects this excuse. Weikel's claim that the DCAA had a policy of not holding exit conferences after a referral had been made is simply false: the government expressly admitted the contrary in response to a formal request to admit served upon it by General Dynamics in this matter. (Ex. 839.) Moreover, the DCAA could have held an exit conference while still honoring a request not to disclose the existence or status of any referral or investigation.

206. Although the government's expert conceded that a report issued under generally accepted auditing s tandards must be fair and objective (Weikel, 1/9/96 Tr. at 34, 41), the government of fered no credible explanation for the DCAA's failure to include General Dynamics' comments--including the answers t o the " 14 Q uestions"--in t he f inal au dit r eport. Weikel's t estimony that application of t he standards was somehow suspended during the DIVAD audit is not credible and is flatly contradicted by the DCAM and by the fact that the audit report itself states that the audit was performed in accordance with g enerally ac cepted au diting s tandards. ( Ex. 571B at 12 27, s 12 -791.3(a); Ex. 108 at 2; Weikel, 1/9/96 Tr. at 43-44.)

207. In sum, the DCAA auditors on the DIVAD matter did not act as reasonable prudent auditors would h ave ac ted i n per forming t heir a udit work, but i nstead c ommitted pr ofessional m alpractice b y negligently failing to perform appropriate and required audit procedures, by negligently failing to comply with the field work, reporting, and due professional care standards, by auditing in violation of the independence and qualification standards, and by auditing without due professional care.

V. THE INDICTMENT AND DISMISSAL

A. The Indictment

208. On March 13, 1984, the Department of Justice sent General Dynamics a grand jury subpoena seeking all documents from the Pomona Division relating to the DIVAD program. On the same date, the ACO sent General D ynamics a c opy of the DCAA's February 29, 1984, audit r eport. (5/4/95 Findings at P 10.)

209. An extensive investigation ensued, with the prosecution subpoenaing millions of documents and interviewing numerous witnesses. (5/4/95 Findings at P 28.)

210. On December 2, 1985, the grand jury returned an indictment charging General Dynamics, James M. Beggs, Ralph E. Hawes, Jr., David L. McPherson, and James C. Hansen, Jr. with one count of conspiracy and six counts of making false statements to the United States. (Ex. 218.)

211. The indictment alleged, among other things, that the DIVAD prototype contract was a "firm fixed price" contract with specific mandatory requirements. (Id.)

B. The Dismissal

212. In May 1987, the Department of Justice filed a pleading to correct its misstatements about contract type, conceding that the DIVAD prototype contract was "best efforts." (Ex. 231.)

[209]

213. On June 19, 1987, the prosecutors filed a motion to voluntarily dismiss the indictment. (Ex. 419.)

214. In i ts motion, the United States admitted: a. That the best ef forts provision of the contract was deliberately included by DOD as an important factor in the DIVAD acquisition strategy and modified the performance requirements of General Dynamics; b. That the contract was viewed by negotiators on both s ides as r equiring G eneral D ynamics onl y to u se i ts bes t ef forts t o per form w ithin t he t ime and funding provisions of t he c ontact; *32 c. T hat af ter G eneral D ynamics had ex pended its bes t ef forts t o perform and had exhausted the contract funds, there was no obligation by General Dynamics to further perform under the contract; d. Under the applicable DOD regulations, B & P and IR & D charges that are not r equired b y t he c ontract may be c harged t o t hese o verhead accounts; and e. T hat t he labor a nd material costs which are alleged to be charged fraudulently to IR & D and B & P accounts because they are not legitimate B & P and IR & D are, in fact, labor and material costs which, but for the existence of the contract, constitute legitimate B & P and IR & D. (Ex. 419 at 4.)

215. In July 1987, af ter the indictment had been dismissed, Assistant Attorney General William Weld t estified bef ore C ongress about t he c ritical nexus bet ween t he D CAA an d t he i ndictment. Weld testified: "The audit report and the advice of DCAA personnel in connection therewith were critical to the prosecution's early understanding of the contract as a firm fixed price type. This understanding formed the premise upon which t he en tire i nvestigation was conducted a nd indictment presented t o t he gr and jury." (Ex. 250 at 9.)

216. In 1988, Attorney General Edwin Meese sent letters to the individual defendants apologizing, on be half of t he D epartment of J ustice, f or t he br inging of a " wrongful" indictment. ( Ex. 3 68A, 36 8B.) Thereafter, t he c riminal t rial c ourt e ntered an or der ex punging t he r ecord of t he indictment and arraignment of the individual defendants. (Ex. 849; McPherson, 12/6/95 Tr. at 14; Hansen, 12/19/95 Tr. at 175.)

VI. FACTS REGARDING DAMAGES

217. G eneral Dynamics' damages are $25,880,752, representing the legal fees and other litigation expenses that General Dynamics incurred and pa id in defending the criminal litigation and the related civil False Claim Act litigation. (Exs. 397 and 697.)

218. G eneral D ynamics' ex penditures f or l egal f ees w ere r easonable. T his was a b et your company case. (Findings of Fact & Conclusions of Law ("5/4/95 Findings") dated May 4, 1995, at P 55.) General D ynamics hi red t op-flight attorneys with ex pertise i n c riminal l aw a nd gov ernment c ontracting matters (5/4/95 Findings at P 11-12)--the very counsel one would expect the company to turn to in such a high-stakes matter.

CONCLUSIONS OF LAW

VII. PROFESSIONAL NEGLIGENCE

219. C alifornia l aw c ontrols t his ac tion b ecause t he DCAA's negl igence oc curred i n C alifornia. (Order Den.Def.'s Renewed Motion for Summ. J. dated 10/21/92 ("Order") at 16.)

220. U nder C alifornia l aw, a c laim f or pr ofessional m alpractice r equires: ( a) a d uty of t he professional t o us e s uch s kill, pr udence and d iligence as ot her m embers of hi s pr ofession c ommonly possess and ex ercise; ( b) a br each of t hat d uty; ( c) a pr oximate c ausal c onnection b etween t he negligent conduct and the resulting injury; and (d) actual loss or damage resulting from the professional's negligence. (Order at 16-17, citing Budd v. Nixen, 6 Cal.3d 195, 200, 98 Cal.Rptr. 849, 852 (1971).)

221. In conducting its audits regarding the DIVAD prototype contract, the DCAA was required to use s uch s kill, prudence a nd d iligence as other professional a uditors. I n p articular, t he D CAA, h aving represented that its audit was conducted in accordance with generally accepted auditing standards, was required to comply with generally accepted auditing standards. Bradford-White Corp. v. Ernst & Whinney, 872 F.2d 1153 (3rd Cir.), cert. denied, 493 U.S. 993 (1989).

222. The DCAA's conduct is also properly measured against the Defense Contract Audit Manual (DCAM), which in addition to recapitulating the generally accepted auditing standards, prescribes auditing procedures f or us e b y D CAA auditors. Bily v. A rthur Young & C o., 7 C al.App.4th 1 636, 16 48-49, 2 71

[210]

Cal.Rptr. 470 , 474 -6 ( 1990) r ev'd on ot her gr ounds, 3 C al.4th 370, 8 34 P.2d 745, 1 1 C al.Rptr.2d 51 (1992) (Internal auditing manual, along with GAAS and GAAP define standard of case).

223. Because t he DCAA d id no t m eet t he s tandards discussed abo ve in p erforming i ts D IVAD audit work, and because General Dynamics has satisfied each of the other elements enumerated above, the Court finds that DCAA was negligent and committed professional malpractice in auditing the DIVAD prototype contract.

Duty

224. Whether a def endant ow es a dut y t o a t hird p arty de pends on t he ba lancing of several factors, i ncluding: ( a) t he ex tent t o which t he t ransaction was i ntended t o af fect t he pl aintiff; ( b) t he foreseeability of harm to the plaintiff; (c) the degree of certainty that the plaintiff suffered injury; (d) the proximity between the defendant's conduct and the plaintiff's injury; (e) the moral blame attached to the defendant's c onduct; and ( f) t he po licy of pr eventing f uture h arm. ( Order at 17 -18, c iting Biakanja v . Irving, 49 Cal.2d 647, 320 P.2d 16, 19 (1958).)

225. In applying the Biakanja f actors to the instant c ase, the Court t akes par ticular note of the following facts established at trial: (a) The DIVAD contract authorized the DCAA to audit General Dynamics, and the DIVAD audit report expressly represented that DCAA's audit had been conducted in accordance with ge nerally ac cepted au diting s tandards. Thus, t he D CAA's ac tions were i ntended t o affect General D ynamics and i t was reasonably f oreseeable that if the DCAA was negl igent i n aud iting General Dynamics, and failed to comply with generally accepted auditing standards, General Dynamics would be harmed thereby. (b) General Dynamics certainly suffered injury when it was required to defend itself ag ainst t he c riminal indictment. T here i s a c lose pr oximity between t he D CAA's c onduct an d General Dynamics' injury, as evidenced by the fact that the government dismissed the indictment upon learning that the DCAA's audit conclusions were wrong. (c) Finally, the policy of preventing future harm applies to the DCAA, which like any professional organization should be held accountable for its negligent acts.

226. Upon application of the B iakanja factors to the facts described above, the Court finds that the DCAA owed a duty to General Dynamics to conduct its audits of the DIVAD prototype contract with such skill, prudence and diligence as other professional auditors. (See Order at 18.)

227. I n addition, d uty m ay be es tablished b y privity of c ontract. B ily v. Arthur Young & C o., 3 Cal.4th 37 0, 83 4 P .2d 745 , 11 C al.Rptr.2d 51 ( 1992). H ere, General D ynamics w as i n pr ivity with t he DCAA through the D IVAD contract (Ex. 20) an d, ac cordingly, DCAA's du ty of c are ex tends to General Dynamics.

Breach of Duty

228. In c onducting its a udits of t he D IVAD pr ototype c ontract, t he D CAA br eached t he duty it owed to General Dynamics by failing to audit in accordance with the standards and procedures set forth in t he D CAM, an d b y f ailing t o au dit w ith s uch s kill, pr udence, and diligence as r easonably pr udent professional auditors.

Proximate Cause

229. The DCAA's negligence was the proximate cause of General Dynamics' injury. The evidence at trial showed that DCAA's audit work set into motion the chain of events that culminated in the indictment of General Dynamics and four of its employees.

230. In addition, it was reasonably foreseeable that the DCAA's negligent audit work would cause the Department of Justice to bring an indictment against General Dynamics and so directly injure General Dynamics. Thus, contrary to the government's assertion, the grand jury's indictment and the Department of Justice's prosecution did not break the chain of causation and do not constitute a superseding cause. Weaver v. Bank of America, 59 Cal.2d 428, 433-34, 380 P.2d 644, 30 Cal.Rptr. 4 (1963); Jackson v. City of San Diego, 121 Cal.App.3d 579, 584, 175 Cal.Rptr. 395, 398 (1981).

231. As this Court has already determined, "a superseding intervening act is one that is unforeseeable." ( Order. at 21. ) I n t he instant c ase, t he c riminal prosecution was ent irely f oreseeable. (Order at 21.) ("The DCAA had every reason to know that a negligent audit would directly injure General

[211]

Dynamics.") The DIVAD contract authorized the DCAA to audit General Dynamics. The DCAA expressly represented that i t had conducted its DIVAD audit work in accordance with generally accepted auditing standards. If the DCAA audit work disclosed that General Dynamics was not properly recording its costs, then t he D CAA was a uthorized t o bring a number of pos sible s anctions aga inst G eneral D ynamics, including referral for criminal investigation. In fact, the DCAM requires the DCAA to refer suspected fraud to the Justice Department. (Ex. 571B at 1228, s 12-701.4.) As a result, it was foreseeable that a referral by t he D CAA w ould r esult i n an i ndictment. The criminal i nvestigation an d gr and j ury indictment, therefore, did not break the chain of causation.

232. Moreover, the evidence at trial was that the decision of the Justice Department to prosecute and of the grand jury to indict were not made independently of the DCAA. Particularly compelling in this regard was Assistant Attorney General Weld's congressional testimony that the prosecutors relied on the DCAA's conclusions regarding the DIVAD prototype contract in deciding to indict General Dynamics. (Ex. 250.)

Damages

233. Compensation for the loss of money or for expenditures is a proper measure of damages in an action for professional malpractice. Electronic Equipment Express, Inc. v. Donald H. Seiler & Co., 122 Cal.App.3d 8 34, 1 76 C al.Rptr. 239 ( 1981). A ccordingly, m oney ex pended on at torneys' f ees due t o a defendant's negligence is a recoverable damage. Budd v. Nixen, 6 Cal.3d 195, 201-02, 98 Cal.Rptr. 849, 853 (1971).

234. The actual loss General Dynamics suffered is the money it expended in attorneys' fees and other defense expenses. General Dynamics was forced to expend this money as a result of the DCAA's professional negligence. In addition, such expenses are "money damages" for injury or loss of property within the context of the FTCA because General Dynamics expended its own money to protect itself from injury resulting from the prosecution. (Order at 15.)

235. General Dynamics is entitled to a rebuttable presumption that its specific litigation expenses, actually incurred and paid, are reasonable. (Order Den. Pl.'s Rule 16 Mot. to Define the Proof Req'd to Establish Damages dated 6/9/93.) General Dynamics actually incurred and paid the attorneys' fees and expenses f or w hich i t i s s eeking r ecovery. T he gov ernment has f ailed t o r ebut the pr esumption of reasonableness. Thus, the attorneys' fees and expenses for which General Dynamics is seeking recovery are reasonable.

VIII. THE DISCRETIONARY FUNCTION EXCEPTION

236. T he di scretionary f unction exception to t he F TCA b ars s uits "based u pon t he ex ercise or performance or the failure to exercise or perform a discretionary function or duty on the part of a federal agency or an em ployee of t he gov ernment." 28 U.S.C. s 268 0(a). F or t he di scretionary f unction exception to apply, the acts at issue must involve (a) an element of judgment or choice, and (b) must be grounded in s ocial, ec onomic and pol itical p olicy. Berkovitz v. U nited States, 486 U .S. 531, 10 8 S .Ct. 1954, 195 8, 10 0 L. Ed.2d 531 ( 1988). T he pur pose of t his ex ception t o liability is t o " prevent j udicial 'second gu essing' of l egislative a nd a dministrative decisions gr ounded in s ocial, ec onomic or pol itical policy t hrough t he m edium of an ac tion i n t ort." U nited States v . S .A. Empresa de V iaco Aerea R io Grandense, 467 U.S. 797, 813, 104 S.Ct. 2755, 81 L.Ed.2d 660 (1984).

237. T he d iscretionary function exception does not apply her e because t he DCAA, as a professional auditing organization, is he ld t o t he s ame mandatory au diting s tandards t hat apply to a ll professional auditors. Failure to meet those standards constitutes professional malpractice. DCAA had no discretion to disregard generally accepted auditing standards.

238. I n p erforming t heir a udit work as pr ofessional aud itors, D CAA auditors ex ercise pur ely professional judgment: under generally accepted auditing standards, an auditor's judgment "is required to be the informed judgment of a qualified professional person." (Ex. 663 at 20, AU 110.04.) Like any other auditor, a DCAA auditor makes judgments grounded in his professional training and in auditing standards; he does not make judgments grounded in social, economic or political policy. The professional judgment of auditors is not the type of policy-based discretion that the discretionary function exception was designed to protect. See Sutton v. Earles, 26 F.3d 903, 910 (9th Cir.); Lather v. Beadle County, 879 F.2d

[212]

365, 368 (8th Cir.1989) ("Where only professional, nongovernmental discretion is at issue, discretionary function exception does not apply.").

239. Nor can the DCAA avail itself of the discretionary function immunity enjoyed by the prosecutors. The DCAA auditors were acting at all times as professional auditors, not as prosecutors or investigators. T hey reported to DCAA supervisors, not to prosecutors, and they per formed audit work, not investigative work. In this, the DCAA's negligence is completely separate and independent from the government's prosecutorial function. (Order at 9-11.)

IX. THE MALICIOUS PROSECUTION EXCEPTION

240. As this Court has al ready held in t his case, General D ynamics' c laim is not bar red b y t he malicious prosecution exception to the FTCA. (Order at 12.) General Dynamics does not claim that the DCAA conducted its audits maliciously to procure initiation of criminal proceedings. (Order at 12.) Nor does General Dynamics claim that the Department of Justice acted maliciously in instituting the criminal proceedings. (Id.)

241. General Dynamics' claim is for professional malpractice, not malicious prosecution. (Order at 12.)

X. THE MISREPRESENTATION EXCEPTION

242. In determining whether a claim falls within an exception to the FTCA, the critical inquiry is "whether the conduct upon which the claim is based falls within the definition of a tort enumerated in s 2680(h) t hat was ' traditional,' ' commonly un derstood' or ' established' when t he F TCA w as en acted." Sheehan v. United States, 896 F.2d 1168, 1170 (9th Cir.), amended, reh'g denied, en banc, 917 F.2d 424 (1990). General Dynamics' claim is not barred because the conduct of which General Dynamics complains do es n ot m eet t he t raditional e lements of a c laim f or negl igent m isrepresentation. S ee Mt . Homes Inc. v . United States, 912 F .2d 352, 3 55 (9th C ir.1990) ( court m ust "analyze the c onduct u pon which the cause[ ] of action alleged rests").

243. B lock v . N eal, 460 U .S. 289 , 103 S .Ct. 108 9, 75 L. Ed.2d 6 7 ( 1983), go verns t he i nstant case. I n B lock, t he C ourt r ejected t he defendant's argument t hat t he p laintiff's negl igence c laim w as barred by the misrepresentation exception to the FTCA. The Court stated: Common to both the misrepresentation and t he negl igence c laim w ould b e c ertain f actual and legal ques tions . .. B ut t he partial overlap b etween t hese t wo t ort actions do es not s upport the c onclusion t hat i f on e i s excepted under the Tort Claims Act, the other must be as well. Neither the language nor history of the Act suggest that when one aspect of the Government's conduct is not actionable under the misrepresentation exception, a claimant is barred from pursuing a distinct claim arising out of other aspects of the Government's conduct. Id. at 298, 103 S.Ct. at 1094, 75 L.Ed.2d at 75.

244. As in Block, this case is not a claim for negligent misrepresentation. General Dynamics is not challenging the DCAA's referral of General D ynamics' suspected mischarging to the Department of Justice. C ontrary t o t he g overnment's arguments, t he es sence of G eneral D ynamics' c laim i s t hat the DCAA negligently audited the DIVAD contract not that the DCAA communicated erroneous information. Because General Dynamics does not challenge any communication by the DCAA, the misrepresentation exception to the FTCA is not applicable to the instant case.

XI. THE INTERFERENCE WITH CONTRACT RIGHTS EXCEPTION

245. T he el ements of a claim for t ortious i nterference w ith a c ontract r ight ar e " (1) a v alid contract, (2) knowledge of the contract and intent to induce its breach; (3) breach; (4) causation, and (5) damage." JBL Enters., Inc. v. Jhirmack Enters., Inc., 698 F.2d 1011, 1019 (9th Cir.), cert. denied, 464 U.S. 829, 104 S.Ct. 106, 78 L.Ed.2d 109 (1983).

246. General Dynamics has not alleged that the DCAA intended to induce a breach of the DIVAD contract or that there was a breach of the DIVAD contract. Thus, General Dynamics' claim is not a claim for interference with contract rights and is not barred by the interference with contract rights exception to the FTCA.

XII. BREACH OF CONTRACT

[213]

247. As t his C ourt has a lready he ld in t his c ase, G eneral D ynamics' c laim i s for pr ofessional malpractice, which sounds in tort, not contract. (Order at 16.)

248. G eneral D ynamics makes no c laim t hat t he D CAA br eached a ny c ontract. T hus, G eneral Dynamics' claim is not barred as a claim for breach of contract.

XIII. CALIFORNIA STATUTORY PRIVILEGE

249. Under Cal.Civ.Code s 47(b) and (c), a communication i s pr ivileged i f i t: ( a) was m ade i n j udicial or q uasi-judicial pr oceedings; ( b) i nvolved l itigants or ot her participants authorized by law; (c) was made to achieve its objects of the litigation; and (d) had some connection or logical relation to the action. Silberg v. Anderson, 50 Cal.3d 205, 786 P.2d 365, 369, 266 Cal.Rptr. 638, 642 (1990). 250. T he government f ails t o s atisfy t he f irst pr ong of t his t est. T he F ebruary 29, 1984, a udit report was not made in a judicial or quasi-judicial proceeding, as it was prepared more than a year and one-half prior to the criminal indictment. (Order at 23.) Accordingly, Cal.Civ.Code ss 47(b) and (c) do not apply and the conduct of the DCAA in auditing the DIVAD prototype contract is not privileged. (Id.)

251. Also, the 47(b) and (c) privileges protect communications, not conduct. Kimmel v. Goland, 51 Cal.3d 202, 209, 271 Cal.Rptr. 191, 195, 793 P.2d 524, 528 (1990). As this Court has already held, the gravamen of General Dynamics' claim is for professional negligence based on the DCAA's auditing conduct. (Order at 16; 5/4/95 Findings at P 2.) Because the DCAA's conduct is at issue in this case, the s 47(b) and (c) privileges do not apply. Trenfel v. Jasper, 13 Cal.App.4th 1694, 1713, 16 Cal.Rptr.2d 913, 924 (1993) ("inquiry should be whether conduct or communication predominates plaintiff's various causes of action as pled.").

252. A t t rial, the government argued that i ts conduct should be pr ivileged because the DCAA's issuance of its audit report was akin to a "911 telephone call" by a neighbor observing a burglary. This is a false analogy. After years of audit work the DCAA--a professional auditing organization--issued to the ACO an audit report expressly prepared pursuant to generally accepted auditing standards. The DCAA's audit work w as authorized b y the D IVAD c ontract. H ence, unlike a 91 1 c all, t he audit r eport was governed by professional standards and was subject to a duty of due care owed to General Dynamics.

Based on the foregoing findings of fact and conclusions of law, the Court finds for plaintiff General Dynamics C orporation and aga inst d efendant t he United S tates of A merica and a wards G eneral Dynamics Corporation damages in the amount of $25,880,752.

JUDGMENT

The action having been tried by the Court, and the Court having considered all of the evidence introduced at t rial, t he M emorandum of P oints a nd Authorities f iled b y c ounsel, and t he ar gument of counsel and the proposed Findings of Fact and Conclusions of Law presented by each party, the Court hereby finds for the plaintiff General Dynamics Corporation and against the defendant the United States of America, and assesses damages in the sum of

$25,880,752.

Uhhhh, but there is more to the STORY!!! But to find out WHAT, you will have to ASK!

[214]

BIBLIOGRAPHY

GOVERNMENT REGULATIONS AND REFERENCES

United States Government Accountability Office, Government Auditing Standards, July 2007 Revision, GAO-07-731G, Referred to as “The Yellow Book.” http://www.gao.gov/govaud/govaudhtml/index.html

Defense Contract Audit Agency Audit Manual, DCAAM 7640.1, July 2008. http://www.dcaa.mil/cam.htm

CITED TEXTS

Atkisson, R.M., Brink, V.Z., and Witt, H. (1986). Modern Internal Auditing, Continuing Professional Education Edition. New York: Wiley and Sons.

Brink, V.Z., and Witt, H. (1982). Modern Internal Auditing, Appraising Operations And Controls. New York: Wiley and Sons.

Arens, A.A., and Loebbecke, J.K. (1988). Auditing An Integrated Approach. New York: Prentice-Hall.

Auditing Concepts Committee, "Report of the Committee on basic auditing Concepts," The Accounting Review, Vol. 47, Supp. 1972, p. 18.

Berenson, M.L., Levine, D.M., and Rindskopf, D. (1988). Applied Statistics A First Course. Englewood Cliffs, New Jersey, Prentice Hall.

Carmichael, D.R., and Willingham, J.J. (1989). Auditing Concepts And Methods. New York, McGraw-Hill.

Chambers, A.D., Selim, G.M., and Vinten, G. (1987). Internal Auditing. Chicago, Commerce Clearing House.

Flesher, D.l. (1996). Internal Auditing Standards and Practices. The Institute of Internal Auditors. Altamonte Springs, FL.

Jaeger, R.M. (1983). Statistics A Spectator Sport. Newbury Park, New Jersey, Sage Publications.

Ramos, J. Michael (2008). Pracitioner’s Guide to GAAS – 2008. Hoboken, NJ, John Wiley and Sons, Inc.

[215]

Sawyers, L.B. (1981). The Practice Of Modern Internal Auditing. Altamonte Springs, Florida: Institute of Internal Auditors.

Swanson, G.A., and Marsh, H.L. (1991). Internal Auditing Theory-- A Systems View. New York, Quorom Books.

Talley, D.J., (1988). Management Audits For Excellence. Milwaukee, ASQC Quality Press.

Tierney, C.E., (1989). Governmental Auditing. Chicago, Commerce Clearing House.

Vance, L.L., and Neter, J. (1956). Statistical Sampling For Auditors And Accountants. New York, Wiley and Sons.

OTHER RECOMMENDED TEXTS

Arkin, H. (1984). Handbook of sampling for auditing and accounting. New York: McGraw-Hill.

Barefield, R.M. (1975). Studies in Accounting Research #11. The impact of audit frequency on the quality of internal control. American Accounting Association.

Berry, L.E., (1983). Coordinating Total Audit Coverage: Trends and Practices. Altamonte Springs, Florida: Institute of Internal Auditors.

Casler, D.J. and Crokett, J.R. (1982). Operational Auditing: an introduction. Altamonte Springs, Florida: Institute of Internal Auditors.

Computer Assisted Audit Techniques. (1979). New York: American Institute of Certified Public Accountants.

Hill, H.P., Roth, J.L., and Arkin, H. (1962) Sampling in auditing. New York: Ronald Press.

Kropatkin, P. (1984). Audit logic, a guide to successful audits. New York: Wiley and Sons.

Reider, H.R. (1994). The Complete Guide To Operational Auditing. New York: Wiley and Sons.

Thierauf, R.J. (1980). Management Auditing, a questionnaire approach. New York: American Management Association.

THIS PAGE INTENTIONALLY BLANK

THIS PAGE INTENTIONALLY BLANK

GAO

United States Government Accountability Office

By the Comptroller General of the United States

July 2007 Government Auditing Standards

July 2007 Revision

a

GAO-07-731G

GAO

United States Government Accountability Office

By the Comptroller General of the United States

July 2007 Government Auditing Standards

July 2007 Revision

The July 2007 revision of Government Auditing Standards supersedes the 2003 revision and updates the January 2007 revision. The July 2007 revision represents the complete 2007 revision of Government Auditing Standards, and is the version that should be used by government auditors until further updates and revisions are made. An electronic version of this document can be accessed on GAO's Yellow Book Web page at http://www.gao.gov/govaud/ybk01.htm.

The July 2007 revision of Government Auditing Standards will be effective for financial audits and attestation engagements for periods beginning on or after January 1, 2008, and for performance audits beginning on or after January 1, 2008. Early implementation is permissible and encouraged. For financial audits, certain standards of the Auditing Standards Board (ASB) that affect Government Auditing Standards become effective prior to these dates.

Contents

1 Letter

Use of Terminology to Define Professional

Chapter 1 5 Introduction 5

Use and Purpose and Applicability of GAGAS 5

Application of Requirements in GAGAS 7

GAGAS Stating Compliance with GAGAS in the Auditors’ Report 9

Relationship between GAGAS and Other Professional Standards 10

Types of GAGAS Audits and Attestation Engagements 12

Chapter 2 24 Introduction 24

Ethical Ethical Principles 25

Principles in Government Auditing

Chapter 3 29 Introduction 29

General Independence 29

Standards Competence 51 Professional Judgment 48

Quality Control and Assurance 55

Page i GAO-07-731G Government Auditing Standards

Contents

Chapter 4 64 Introduction 64

Field Work AICPA Field Work Standards 65 Additional Government Auditing Standards 65Standards for Additional Considerations for GAGAS Financial

Financial Audits 74

Chapter 5 78 Introduction 78

Audits

Reporting AICPA Reporting Standards 78 Additional Government Auditing Standards 79Standards for

Financial Audits

General, Field

Reporting Standards for Attestation Engagements 109

Engagements Additional Government Auditing Standards 111 Attestation

AICPA Reporting Standards for Attestation Engagements 110

Work, and Attestation Engagements 98 Additional Government Auditing Standards 99

Chapter 6 98 Introduction 98 AICPA General and Field Work Standards for

Additional Considerations for GAGAS

Chapter 7 122 Introduction 122

Field Work Reasonable Assurance 122

Standards for Significance in a Performance Audit 123 Audit Risk 123

Performance Planning 124 Supervision 147 Audits Obtaining Sufficient, Appropriate Evidence 147 Audit Documentation 156

Page ii GAO-07-731G Government Auditing Standards

Contents

Chapter 8 160 Introduction 160

Reporting Reporting 160 Report Contents 161 Standards for Distributing Reports 172

Performance Audits

Appendixes

Appendix I: Supplemental Guidance 174 Introduction 174 Overall Supplemental Guidance 174 Information to Accompany Chapter 1 180 Information to Accompany Chapter 3 185 Information to Accompany Chapter 7 192 Information to Accompany Chapter 8 195

Government Auditing Standards 199 Advisory Council Members 199

Appendix II: Comptroller General’s Advisory Council on

GAO Project Team 202

Index 203

Page iii GAO-07-731G Government Auditing Standards

Contents

Abbreviations

AICPA American Institute of Certified Public Accountants

AU AICPA Codification of Statements on

Auditing Standards

CPA certified public accountant CPE continuing professional education COSO Committee of Sponsoring Organizations of

the Treadway Commission GAAP generally accepted accounting principles GAGAS generally accepted government auditing

standards GAO U.S. Government Accountability Office IAASB International Auditing and Assurance

Standards Board IIA Institute of Internal Auditors ISA International Statements on Auditing ISACA Information Systems Audit and Control

Association MD&A management’s discussion and analysis OMB U.S. Office of Management and Budget PCAOB Public Company Accounting Oversight

Board SAS Statements on Auditing Standards SSAE Statements on Standards for Attestation

Engagements

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Page iv GAO-07-731G Government Auditing Standards

Comptroller General of the United States

United States Government Accountability Office Washington, D.C. 20548

Letter

The principles of transparency and accountability for the use of public resources are key to our nation’s governing processes. Government officials and recipients of federal moneys are responsible for carrying out public functions efficiently, economically, effectively, ethically, and equitably, while achieving desired program objectives. High-quality auditing is essential for government accountability to the public and transparency regarding linking resources to related program results. Auditing of government programs should provide independent, objective, fact-based, nonpartisan assessments of the stewardship, performance, and cost of government policies, programs, and operations. Government audits also provide key information to stakeholders and the public to maintain accountability; help improve program performance and operations; reduce costs; facilitate decision making; stimulate improvements; and identify current and projected crosscutting issues and trends that affect government programs and the people those programs serve.

The professional standards presented in this document provide a framework for performing high-quality audit work with competence, integrity, objectivity, and independence. I firmly believe that government auditors should lead by example in the areas of transparency, performance, accountability, and quality through the audit process.

Current trends and longer-range fiscal challenges make auditor oversight especially important to help improve government operations and services today and position them for a better tomorrow. Government auditing plays a major role in improving government operations and services, and in the important dialogue on the future of government programs by providing the objective analysis and information needed to make the decisions necessary to help create a better future. GAO will continue its efforts to lead by example in all of these areas.

Page 1 GAO-07-731G Government Auditing Standards

The July 2007 revision of Government Auditing

Standards supersedes the 2003 revision and updates the January 2007 revision. This revision contains the January 2007 revision plus updated quality control and peer review sections in chapter 3 which were exposed in January 2007. The July 2007 revision represents the completed 2007 revision of Government Auditing

Standards, and is the version that should be used by government auditors until further updates and revisions are made. An electronic version of this document can be accessed on the Web at http://www.gao.gov/govaud/ ybk01.htm.

This revision contains the following fundamental changes from the 2003 revision that reinforce the principles of transparency and accountability and provide the framework for high-quality government audits that add value.

• Heightened the emphasis on ethical principles as the foundation, discipline, and structure behind the implementation of the standards, including a description of five key ethical principles that should guide the work of those who audit government programs and operations.

• Clarified and streamlined the discussion of the impact of professional services other than audits or attestation engagements (nonaudit services) and their impact on auditor independence.

• Enhanced and clarified the requirements for an audit organization’s system of quality control by specifying the elements of quality that an organization’s policies and procedures should collectively address.

• Added a requirement that external audit organizations make their most recent peer review reports publicly available.

Page 2 GAO-07-731G Government Auditing Standards

• Updated the financial auditing standards based on recent developments in financial auditing and internal control, increased transparency surrounding restatements, and significant concerns, uncertainties, or other unusual events that could have a significant impact on the financial condition or operations of a government entity or program.

• Enhanced performance auditing standards that elaborate on the overall framework for high-quality performance auditing, including the concepts of reasonable assurance and its relationship to audit risk, significance, and the levels of evidence used to support audit findings and conclusions.

• Clarified the standards through standardized language to define the auditor’s level of responsibility and distinguish between auditor requirements and additional guidance.

• Reinforced the key role of auditing in maintaining accountability and providing information for making improvements in government operations.

This revision of the standards has gone through an extensive deliberative process, including public comments and input from the Comptroller General’s Advisory Council on Government Auditing Standards. The Advisory Council generally consists of about 25 experts in financial and performance auditing and reporting drawn from federal, state, and local government; the private sector; and academia. The views of all parties were thoroughly considered in finalizing the standards.

The July 2007 revision of Government Auditing

Standards will be effective for financial audits and attestation engagements for periods beginning on or after January 1, 2008, and for performance audits beginning on or after January 1, 2008. Early

Page 3 GAO-07-731G Government Auditing Standards

implementation is permissible and encouraged. For financial audits, certain standards of the Auditing Standards Board (ASB) that affect Government

Auditing Standards become effective prior to these dates. We encourage audit organizations to implement the relevant sections of the 2007 revision for financial audits concurrent with the implementation of the related ASB standards.

I extend special thanks to the members of the Advisory Council for their extensive input and feedback through the entire process of developing and finalizing the standards.

David M. Walker Comptroller General of the United States

July 2007

Page 4 GAO-07-731G Government Auditing Standards

Chapter 1

Chapter 1Use and Application of GAGAS

Introduction 1.01 Auditing is essential to government accountability to the public. Audits and attestation engagements provide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the audit.

1.02 The concept of accountability for use of public resources and government authority is key to our nation’s governing processes. Government officials entrusted with public resources are responsible for carrying out public functions legally, effectively, efficiently, economically, ethically, and equitably.1

Government managers are responsible for providing reliable, useful, and timely information for accountability of government programs and their operations. (See appendix I paragraph A1.08 for additional information on management’s responsibility.) Legislators, government officials, and the public need to know whether (1) government manages public resources and uses its authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; (3) government services are provided effectively, efficiently, economically, ethically, and equitably; and (4) government managers are held accountable for their use of public resources.

Purpose and 1.03 The professional standards and guidance contained

Applicability of in this document, commonly referred to as generally accepted government auditing standards (GAGAS), GAGAS provide a framework for conducting high quality

1The term “equity” in this context refers to the approaches used by a government, nonprofit, or other organizations that manage or carry out government programs to provide services to the public in a fair manner within the context of the statutory boundaries of the specific government programs.

Page 5 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

government audits and attestation engagements with competence, integrity, objectivity, and independence. These standards are for use by auditors2 of government entities and entities that receive government awards and audit organizations3 performing GAGAS audits and attestation engagements. GAGAS contain requirements and guidance dealing with ethics, independence, auditors’ professional competence and judgment, quality control, the performance of field work, and reporting. Audits and attestation engagements performed under GAGAS provide information used for oversight, accountability, and improvements of government programs and operations. GAGAS contain requirements and guidance to assist auditors in objectively acquiring and evaluating sufficient, appropriate evidence and reporting the results. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, better decision making and oversight, effective and efficient operations, and accountability for resources and results.

1.04 Laws, regulations, contracts, grant agreements, or policies frequently require audits in accordance with GAGAS. Many auditors and audit organizations also voluntarily choose to perform their work in accordance with GAGAS. The requirements and guidance in this document apply to audits and attestation engagements of government entities, programs, activities, and functions, and of government assistance administered by contractors, nonprofit entities, and other

2The term “auditor” throughout this document includes individuals performing work under GAGAS (including audits and attestation engagements) and, therefore, individuals who may have the titles auditor, analyst, evaluator, inspector, or other similar titles.

3The term “audit organization” is used throughout the standards to refer to government audit organizations as well as public accounting firms that perform audits using GAGAS.

Page 6 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

nongovernmental entities when the use of GAGAS is required or is voluntarily followed.

Use of Terminology to Define Professional Requirements in GAGAS

1.05 GAGAS contain professional requirements together with related guidance in the form of explanatory material.4 Auditors have a responsibility to consider the entire text of GAGAS in carrying out their work and in understanding and applying the professional requirements in GAGAS.

1.06 Not every paragraph of GAGAS carries a professional requirement that auditors and audit organizations are expected to fulfill. Rather, the professional requirements are identified through use of specific language.

1.07 GAGAS use two categories of professional requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors and audit organizations, as follows:

a. Unconditional requirements: Auditors and audit organizations are required to comply with an unconditional requirement in all cases in which the circumstances exist to which the unconditional requirement applies. GAGAS use the words must or is

required to specify an unconditional requirement.

b. Presumptively mandatory requirements: Auditors and audit organizations are also required to comply with a presumptively mandatory requirement in all cases in which the circumstances exist to which the

4The terminology used in GAGAS to designate professional requirements and explanatory material is intended to be consistent with the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standard No. 102, Defining Professional Requirements in Statements on Auditing Standards.

Page 7 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

presumptively mandatory requirement applies; however, in rare circumstances, auditors and audit organizations may depart from a presumptively mandatory requirement provided they document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the objectives of the presumptively mandatory requirement. GAGAS use the word should to specify a presumptively mandatory requirement.

1.08 Explanatory material is defined as the text within GAGAS (including appendix I) other than the requirements defined in paragraph 1.07. Explanatory material uses the words may, might, and could to describe explanatory information and is provided to

a. provide further explanation and guidance on the professional requirements or

b. identify and describe other procedures or actions relating to auditors’ or audit organizations’ activities.

1.09 Explanatory material is intended to be descriptive rather than required. This material is intended, for example, to explain the objective of a requirement where it would be useful to do so; explain why particular procedures may be considered or employed under certain circumstances; or provide additional information to consider in exercising professional judgment.

1.10 Explanatory material that identifies and describes other procedures or actions does not impose a professional requirement on the auditor or audit organization to perform the suggested procedures or actions. How and whether to carry out such procedures or actions depends on the exercise of professional judgment consistent with the objective of the standard.

Page 8 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

Stating Compliance with GAGAS in the Auditors’ Report

1.11 When auditors are required to follow GAGAS or are representing to others that they followed GAGAS, they should follow all applicable GAGAS requirements and should refer to compliance with GAGAS in the auditors’ report as set forth in paragraphs 1.12 and 1.13.

1.12 Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS audits and attestation engagements, as appropriate.5

a. Unmodified GAGAS compliance statement: Stating that the auditor performed the audit or attestation engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed all applicable unconditional and presumptively mandatory GAGAS requirements, or (2) have followed all unconditional requirements and documented justification for any departures from applicable presumptively mandatory requirements, and have achieved the objectives of those requirements through other means.

b. Modified GAGAS compliance statement: Stating either that (1) the auditor performed the audit or attestation engagement in accordance with GAGAS, except for specific applicable requirements that were not followed, or (2) because of the significance of the departure(s) from the requirements, the auditor was unable to and did not perform the audit or attestation engagement in accordance with GAGAS. Situations when auditors use modified compliance statements include scope limitations, such as restrictions on access to records, government officials, or other individuals

5For financial audits and attestation engagements, AICPA reporting standards provide additional guidance when some or all of the standards are not followed.

Page 9 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

needed to conduct the audit. When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirements affected, or could have affected, the audit and the assurance provided.

1.13 When auditors do not comply with any applicable requirements, they should (1) assess the significance of the noncompliance to the audit objectives, (2) document the assessment, along with their reasons for not following the requirement, and (3) determine the type of GAGAS compliance statement.6 The auditors’ determination will depend on the significance of the requirements not followed in relation to the audit objectives.

Relationship between GAGAS and Other Professional Standards

1.14 Auditors may use GAGAS in conjunction with professional standards issued by other authoritative bodies. Auditors may also cite the use of other standards in their audit reports, as appropriate. If the auditor is citing compliance with GAGAS and inconsistencies exist between GAGAS and other standards cited, the auditor should use GAGAS as the prevailing standard for conducting the audit and reporting the results.

1.15 The relationship between GAGAS and other professional standards for financial audits and attestation engagements is as follows:

a. The American Institute of Certified Public Accountants (AICPA) has established professional standards that apply to financial audits and attestation

6See footnote 35 for applicability of peer review and quality assurance requirements in this assessment.

Page 10 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

engagements for nonissuers7 performed by certified public accountants (CPA). For financial audits, GAGAS incorporate the AICPA field work and reporting standards and the related Statements on Auditing Standards (SAS)8 unless specifically excluded or modified by GAGAS. For attestation engagements, GAGAS incorporate the AICPA general standard on criteria, and the field work and reporting standards and the related Statements on Standards for Attestation Engagements (SSAE) unless specifically excluded or modified by GAGAS. GAGAS describe ethical principles, and establish independence and other general standards, and additional field work and reporting standards beyond those provided by the AICPA for performing financial audits and attestation engagements.

b. The Public Company Accounting Oversight Board (PCAOB) has established professional standards that apply to financial audits and attestation engagements for issuers. Auditors may use GAGAS in conjunction with the PCAOB standards.

c. The International Auditing and Assurance Standards Board (IAASB) has established professional standards that apply to financial audits and attestation engagements. Auditors may use GAGAS in conjunction

7Under the Sarbanes-Oxley Act of 2002 (Public Law 107-204), audits of issuers (generally, publicly traded companies with a reporting obligation under the Securities Exchange Act of 1934) are subject to rules and standards established by the Public Company Accounting Oversight Board. The term “nonissuer” refers to any entity other than an issuer under the Sarbanes-Oxley Act of 2002, such as privately held companies, nonprofit entities, and government entities.

8Because GAGAS incorporate the field work and reporting standards of the AICPA for financial audits performed in which U.S. auditing standards are to be followed, auditors are not required to cite compliance with the AICPA standards when citing compliance with GAGAS, although auditors may cite both sets of standards.

Page 11 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

with the IAASB standards and the related statements on International Statements on Auditing (ISA).

1.16 For performance audits, auditors may use other professional standards in conjunction with GAGAS, such as the following:

a. International Standards for the Professional

Practice of Internal Auditing, The Institute of Internal Auditors, Inc.;

b. Guiding Principles for Evaluators, American Evaluation Association;

c. The Program Evaluation Standards, Joint Committee on Standards for Education Evaluation; and

d. Standards for Educational and Psychological

Testing, American Psychological Association.

Types of GAGAS Audits and Attestation Engagements

1.17 This section describes the types of audits and attestation engagements that audit organizations may perform under GAGAS. This description is not intended to limit or require the types of audits or attestation engagements that may be performed under GAGAS.

1.18 All audits and attestation engagements begin with objectives, and those objectives determine the type of audit to be performed and the applicable standards to be followed. The types of audits that are covered by GAGAS, as defined by their objectives, are classified in this document as financial audits, attestation engagements, and performance audits.

1.19 In some audits and attestation engagements, the standards applicable to the specific audit objective will be apparent. For example, if the audit objective is to express an opinion on financial statements, the

Page 12 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

standards for financial audits apply. However, some engagements may have multiple or overlapping objectives. For example, if the objectives are to determine the reliability of performance measures, this work can be done in accordance with either the standards for attestation engagements or for performance audits. In cases in which there is a choice between applicable standards, auditors should evaluate users’ needs and the auditors’ knowledge, skills, and experience in deciding which standards to follow.

1.20 GAGAS requirements apply to the types of audit and attestation engagements that may be performed under GAGAS as follows:

a. Financial audits: chapters 1 through 5 apply.

b. Attestation engagements: chapters 1 through 3 and 6 apply.

c. Performance audits: chapters 1 through 3 and 7 and 8 apply.

1.21 Appendix I includes supplemental guidance for auditors and the audited entities to assist in the implementation of GAGAS. Appendix I does not establish auditor requirements but instead is intended to facilitate auditor implementation of the standards contained in chapters 1 through 8.

Financial Audits 1.22 Financial audits provide an independent assessment of and reasonable assurance about whether an entity’s reported financial condition, results, and use of resources are presented fairly in accordance with recognized criteria. Reporting on financial audits performed in accordance with GAGAS also includes reports on internal control, compliance with laws and regulations, and provisions of contracts and grant

Page 13 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

agreements as they relate to financial transactions, systems, and processes. Financial audits performed under GAGAS include financial statement audits and other related financial audits:

a. Financial statement audits: The primary purpose of a financial statement audit is to provide reasonable assurance through an opinion (or disclaim an opinion) about whether an entity’s financial statements are presented fairly in all material respects in conformity with generally accepted accounting principles (GAAP),9

or with a comprehensive basis of accounting other than GAAP.

b. Other types of financial audits: Other types of financial audits under GAGAS provide for different levels of assurance and entail various scopes of work, including: (1) providing special reports, such as for specified elements, accounts, or items of a financial statement;10(2) reviewing interim financial information;11

(3) issuing letters for underwriters and certain other requesting parties; (4) reporting on the controls over

9The three U.S.-based authoritative bodies for establishing accounting principles and financial reporting standards are the Federal Accounting Standards Advisory Board (federal government), the Governmental Accounting Standards Board (state and local governments), and the Financial Accounting Standards Board (nongovernmental entities).

10Special reports are auditors’ reports issued in connection with the following: (1) financial statements that are prepared in conformity with a comprehensive basis of accounting other than generally accepted accounting principles; (2) specified elements, accounts, or items of a financial statement; (3) compliance with aspects of contractual agreements or regulatory requirements related to audited financial statements; (4) financial presentations to comply with contractual agreements or regulatory requirements; or (5) financial information presented in prescribed forms or schedules that require a prescribed form of auditors’ report. (See AU Section 623, Special Reports.)

11See AU Section 722, Interim Financial Information.

Page 14 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

processing of transactions by service organizations;12

and (5) auditing compliance with regulations relating to federal award expenditures and other governmental financial assistance in conjunction with or as a by-product of a financial statement audit.

Attestation Engagements

1.23 Attestation engagements can cover a broad range of financial or nonfinancial objectives and may provide different levels of assurance about the subject matter or assertion depending on the users’ needs. Attestation engagements result in an examination, a review, or an agreed-upon procedures report on a subject matter or on an assertion about a subject matter that is the responsibility of another party. The three types of attestation engagements are:

a. Examination: Consists of obtaining sufficient, appropriate evidence to express an opinion on whether the subject matter is based on (or in conformity with) the criteria in all material respects or the assertion is presented (or fairly stated), in all material respects, based on the criteria.

b. Review: Consists of sufficient testing to express a conclusion about whether any information came to the auditors’ attention on the basis of the work performed that indicates the subject matter is not based on (or not in conformity with) the criteria or the assertion is not presented (or not fairly stated) in all material respects based on the criteria. As stated in the AICPA SSAE, auditors should not perform review-level work for reporting on internal control or compliance with laws and regulations.

12A service organization is the entity or a segment of an entity that provides services to a user organization that are part of the user organization’s information system. A user organization is an entity that has engaged a service organization. (See AU Section 324, Service Organizations.)

Page 15 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

c. Agreed-Upon Procedures: Consists of specific procedures performed on a subject matter.

1.24 The subject matter of an attestation engagement may take many forms. Possible subjects of attestation engagements include reporting on

a. prospective financial or performance information;

b. management’s discussion and analysis (MD&A) presentation;

c. an entity’s internal control over financial reporting;

d. the effectiveness of an entity’s internal control over compliance with specified requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts;

e. an entity’s compliance with requirements of specified laws, regulations, policies, contracts, or grants;

f. the accuracy and reliability of reported performance measures;

g. incurred final contract costs are supported with required evidence and in compliance with the contract terms;

h. the allowability and reasonableness of proposed contract amounts that are based on detailed costs;

i. the quantity, condition, or valuation of inventory or assets; and

j. specific procedures performed on a subject matter (agreed-upon procedures).

Page 16 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

Performance Audits 1.25 Performance audits are defined as engagements that provide assurance or conclusions based on an evaluation of sufficient, appropriate evidence against stated criteria, such as specific requirements, measures, or defined business practices. Performance audits provide objective analysis so that management and those charged with governance and oversight can use the information to improve program13 performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability. Reporting information without following GAGAS is not a performance audit but a nonaudit service provided by an audit organization.

1.26 Performance audits that comply with GAGAS provide reasonable assurance that the auditors have obtained sufficient, appropriate evidence to support the conclusions reached. Thus, the sufficiency and appropriateness of evidence needed and tests of evidence will vary based on the audit objectives and conclusions.

1.27 A performance audit is a dynamic process that includes consideration of the applicable standards throughout the course of the audit. An ongoing assessment of the objectives, audit risk, audit procedures, and evidence during the course of the audit facilitates the auditors’ determination of what to report and the proper context for the audit conclusions, including discussion about the sufficiency and appropriateness of evidence being used as a basis for the audit conclusions. Performance audit conclusions logically flow from all of these elements and provide an assessment of the audit findings and their implications.

13The term “program” is used in this document to include government entities, organizations, programs, activities, and functions.

Page 17 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

1.28 Performance audit objectives may vary widely and include assessments of program effectiveness, economy, and efficiency; internal control;14 compliance; and prospective analyses. These overall objectives are not mutually exclusive. Thus, a performance audit may have more than one overall objective. For example, a performance audit with an initial objective of program effectiveness may also involve an underlying objective of evaluating internal controls to determine the reasons for a program’s lack of effectiveness or how effectiveness can be improved.

1.29 Program effectiveness and results audit objectives are frequently interrelated with economy and efficiency objectives. Audit objectives that focus on program effectiveness and results typically measure the extent to which a program is achieving its goals and objectives. Audit objectives that focus on economy and efficiency address the costs and resources used to achieve program results. Examples of audit objectives in these categories include

a. assessing the extent to which legislative, regulatory, or organizational goals and objectives are being achieved;

b. assessing the relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness;

14In the context of performance audits, the term “internal control” in this document is synonymous with the term management control and covers all aspects of an entity’s operations (programmatic, financial, and compliance).

Page 18 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

c. analyzing the relative cost-effectiveness of a program or activity;15

d. determining whether a program produced intended results or produced results that were not consistent with the program’s objectives;

e. determining the current status or condition of program operations or progress in implementing legislative requirements;

f. determining whether a program provides equitable access to or distribution of public resources within the context of statutory parameters;

g. assessing the extent to which programs duplicate, overlap, or conflict with other related programs;

h. evaluating whether the audited entity is following sound procurement practices;

i. assessing the reliability, validity, or relevance of performance measures concerning program effectiveness and results, or economy and efficiency;

j. assessing the reliability, validity, or relevance of financial information related to the performance of a program;

k. determining whether government resources (inputs) are obtained at reasonable costs while meeting timeliness and quality considerations;

15These objectives focus on combining cost information with information about outputs or the benefit provided or with outcomes or the results achieved.

Page 19 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

l. determining whether appropriate value was obtained based on the cost or amount paid or based on the amount of revenue received;

m. determining whether government services and benefits are accessible to those individuals who have a right to access those services and benefits;

n. determining whether fees assessed cover costs;

o. determining whether and how the program’s unit costs can be decreased or its productivity increased; and

p. assessing the reliability, validity, or relevance of budget proposals or budget requests to assist legislatures in the budget process.

1.30 Internal control audit objectives relate to an assessment of the component of an organization’s system of internal control that is designed to provide reasonable assurance of achieving effective and efficient operations, reliable financial and performance reporting, or compliance with applicable laws and regulations. Internal control objectives also may be relevant when determining the cause of unsatisfactory program performance. Internal control comprises the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal control includes the processes and procedures for planning, organizing, directing, and controlling program operations, and management’s system for measuring, reporting, and monitoring program performance. Examples of audit objectives related to internal control include an assessment of the extent to which internal control provides reasonable assurance about whether

a. organizational missions, goals, and objectives are achieved effectively and efficiently;

Page 20 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

b. resources are used in compliance with laws, regulations, or other requirements;

c. resources, including sensitive information accessed or stored outside the organization’s physical perimeter, are safeguarded against unauthorized acquisition, use, or disposition;

d. management information, such as performance measures, and public reports are complete, accurate, and consistent to support performance and decision making;

e. the integrity of information from computerized systems is achieved; and

f. contingency planning for information systems provides essential back-up to prevent unwarranted disruption of the activities and functions that the systems support.

1.31 Compliance audit objectives relate to compliance criteria established by laws, regulations, contract provisions, grant agreements, and other requirements16

that could affect the acquisition, protection, use, and disposition of the entity’s resources and the quantity, quality, timeliness, and cost of services the entity produces and delivers. Compliance objectives include determining whether

a. the purpose of the program, the manner in which it is to be conducted, the services delivered, the outcomes, or the population it serves is in compliance with laws, regulations, contract provisions, grant agreements, and other requirements;

16Compliance requirements can be either financial or nonfinancial.

Page 21 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

b. government services and benefits are distributed or delivered to citizens based on the individual’s eligibility to obtain those services and benefits;

c. incurred or proposed costs are in compliance with applicable laws, regulations, and contracts or grant agreements; and

d. revenues received are in compliance with applicable laws, regulations, and contract or grant agreements.

1.32 Prospective analysis audit objectives provide analysis or conclusions, about information that is based on assumptions about events that may occur in the future along with possible actions that the audited entity may take in response to the future events. Examples of objectives pertaining to this work include providing conclusions based on

a. current and projected trends and future potential impact on government programs and services;

b. program or policy alternatives, including forecasting program outcomes under various assumptions;

c. policy or legislative proposals, including advantages, disadvantages, and analysis of stakeholder views;

d. prospective information prepared by management;

e. budgets and forecasts that are based on (1) assumptions about expected future events and (2) management’s expected reaction to those future events; and

f. management’s assumptions on which prospective information is based.

Page 22 GAO-07-731G Government Auditing Standards

Chapter 1

Use and Application of GAGAS

Professional Services 1.33 GAGAS do not cover professional services other Other Than Audits than audits or attestation engagements (nonaudit (Nonaudit Services) Provided by Audit Organizations

services). (See paragraphs 3.25 through 3.30 for additional discussion of nonaudit services.) Therefore, auditors must not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit or attestation engagement, audit organizations should communicate, as appropriate, with requestors and those charged with governance to clarify that the scope of work performed does not constitute an audit under GAGAS.

1.34 Audit organizations that provide nonaudit services must evaluate whether providing nonaudit services creates an independence impairment either in fact or appearance with respect to the entities they audit. (See paragraph 3.02.)

Page 23 GAO-07-731G Government Auditing Standards

Chapter 2

Chapter 2Ethical Principles in Government Auditing

Introduction 2.01 Because auditing is essential to government accountability to the public, the public expects audit organizations and auditors who conduct their work in accordance with generally accepted government auditing standards (GAGAS) to follow ethical principles. Management of the audit organization sets the tone for ethical behavior throughout the organization by maintaining an ethical culture, clearly communicating acceptable behavior and expectations to each employee, and creating an environment that reinforces and encourages ethical behavior throughout all levels of the organization. The ethical tone maintained and demonstrated by management and staff is an essential element of a positive ethical environment for the audit organization.

2.02 The ethical principles presented in this chapter provide the foundation, discipline, and structure as well as the climate which influence the application of GAGAS. Because the information presented in this chapter deals with fundamental principles rather than specific requirements, this chapter does not contain additional requirements.

2.03 Conducting audit work in accordance with ethical principles is a matter of personal and organizational responsibility. Ethical principles apply in preserving auditor independence,17 taking on only work that the auditor is competent to perform, performing high-quality work, and following the applicable standards cited in the audit report. Integrity and objectivity are maintained when auditors perform their work and make decisions that are consistent with the broader interest of those relying on the auditors’ report, including the public.

17Independence requirements are discussed in chapter 3.

Page 24 GAO-07-731G Government Auditing Standards

Chapter 2

Ethical Principles in Government

Auditing

Ethical Principles 2.04 The ethical principles contained in the following sections provide the overall framework for application of GAGAS, including general standards, field work standards, and reporting standards. Each principle is described, rather than set forth as a series of requirements, so that auditors can consider the facts and circumstances of each situation within the framework of these ethical principles. Other ethical requirements or codes of professional conduct may also be applicable to auditors who conduct audits in accordance with GAGAS. 18

2.05 The ethical principles that guide the work of auditors who conduct audits in accordance with GAGAS are

a. the public interest;

b. integrity;

c. objectivity;

d. proper use of government information, resources, and position; and

e. professional behavior.

The Public Interest 2.06 The public interest is defined as the collective well­being of the community of people and entities the auditors serve. Observing integrity, objectivity, and independence in discharging their professional

18Individual auditors who are members of professional organizations or are licensed or certified professionals may also be subject to ethical requirements of those professional organizations or licensing bodies. Auditors in government entities may also be subject to government ethics laws and regulations.

Page 25 GAO-07-731G Government Auditing Standards

Chapter 2

Ethical Principles in Government

Auditing

responsibilities assists auditors in meeting the principle of serving the public interest and honoring the public trust. These principles are fundamental to the responsibilities of auditors and critical in the government environment.

2.07 A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embody the concept of accountability for public resources, which is fundamental to serving the public interest.

Integrity 2.08 Public confidence in government is maintained and strengthened by auditors’ performing their professional responsibilities with integrity. Integrity includes auditors’ conducting their work with an attitude that is objective, fact-based, nonpartisan, and nonideological with regard to audited entities and users of the auditors’ reports. Within the constraints of applicable confidentiality laws, rules, or policies, communications with the audited entity, those charged with governance, and the individuals contracting for or requesting the audit are expected to be honest, candid, and constructive.

2.09 Making decisions consistent with the public interest of the program or activity under audit is an important part of the principle of integrity. In discharging their professional responsibilities, auditors may encounter conflicting pressures from management of the audited entity, various levels of government, and other likely users. Auditors may also encounter pressures to violate ethical principles to inappropriately achieve personal or organizational gain. In resolving those conflicts and pressures, acting with integrity means that auditors place priority on their responsibilities to the public interest.

Page 26 GAO-07-731G Government Auditing Standards

Chapter 2

Ethical Principles in Government

Auditing

Objectivity 2.10 The credibility of auditing in the government sector is based on auditors’ objectivity in discharging their professional responsibilities. Objectivity includes being independent in fact and appearance when providing audit and attestation engagements, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest. Avoiding conflicts that may, in fact or appearance, impair auditors’ objectivity in performing the audit or attestation engagement is essential to retaining credibility. Maintaining objectivity includes a continuing assessment of relationships with audited entities and other stakeholders in the context of the auditors’ responsibility to the public.19

Proper Use of Government

2.11 Government information, resources, or positions are to be used for official purposes and not

Information, Resources, and Position

inappropriately for the auditor’s personal gain or in a manner contrary to law or detrimental to the legitimate interests of the audited entity or the audit organization. This concept includes the proper handling of sensitive or classified information or resources.

2.12 In the government environment, the public’s right to the transparency of government information has to be balanced with the proper use of that information. In addition, many government programs are subject to laws and regulations dealing with the disclosure of information. To accomplish this balance, exercising discretion in the use of information acquired in the course of auditors’ duties is an important part in achieving this goal. Improperly disclosing any such information to third parties is not an acceptable practice.

19The concepts of objectivity and independence are very closely related. Problems with independence or conflicts of interest may impair objectivity. (See independence standards at paragraphs 3.02 through 3.30.)

Page 27 GAO-07-731G Government Auditing Standards

Chapter 2

Ethical Principles in Government

Auditing

2.13 As accountability professionals, accountability to the public for the proper use and prudent management of government resources is an essential part of auditors’ responsibilities. Protecting and conserving government resources and using them appropriately for authorized activities is an important element in the public’s expectations for auditors.

2.14 Misusing the position of an auditor for personal gain violates an auditor’s fundamental responsibilities. An auditor’s credibility can be damaged by actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an auditor’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the auditor serves as an officer, director, trustee, or employee; or an organization with which the auditor is negotiating concerning future employment. (See paragraphs 3.07 through 3.09 for further discussion of personal impairments to independence.)

Professional Behavior

2.15 High expectations for the auditing profession include compliance with laws and regulations and avoidance of any conduct that might bring discredit to auditors’ work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors’ work was professionally deficient. Professional behavior includes auditors’ putting forth an honest effort in performance of their duties and professional services in accordance with the relevant technical and professional standards.

Page 28 GAO-07-731G Government Auditing Standards

Chapter 3

Chapter 3General Standards

Introduction 3.01 This chapter establishes general standards and provides guidance for performing financial audits, attestation engagements, and performance audits under generally accepted government auditing standards (GAGAS). (See chapter 6 for an additional general standard applicable only to attestation engagements.) These general standards, along with the overarching ethical principles presented in chapter 2, establish a foundation for credibility of auditors’ work. These general standards emphasize the independence of the audit organization and its individual auditors; the exercise of professional judgment in the performance of work and the preparation of related reports; the competence of audit staff; audit quality control and assurance; and external peer reviews.

Independence 3.02 In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence.

3.03 Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information. Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work.

3.04 When evaluating whether independence impairments exist either in fact or appearance with

Page 29 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

respect to the entities for which audit organizations perform audits or attestation engagements, auditors and audit organizations must take into account the three general classes of impairments to independence— personal, external, and organizational.20 If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work—except in those situations in which an audit organization in a government entity, because of a legislative requirement or for other reasons, cannot decline to perform the work, in which case the government audit organization must disclose the impairment(s) and modify the GAGAS compliance statement. (See paragraphs 1.12 and 1.13.)

3.05 When auditors use the work of a specialist,21

auditors should assess the specialist’s ability to perform the work and report results impartially as it relates to their relationship with the program or entity under audit. If the specialist’s independence is impaired, auditors should not use the work of that specialist.

3.06 If an impairment to independence is identified after the audit report is issued, the audit organization should assess the impact on the audit. If the audit organization concludes that it did not comply with GAGAS, it should determine the impact on the auditors’ report and notify entity management, those charged with governance, the requesters, or regulatory agencies that have jurisdiction over the audited entity and persons known to be using the audit report about the independence impairment and

20Awareness and compliance with other independence standards and applicable ethics laws and regulations associated with their activities may also be required for auditors performing work in accordance with GAGAS.

21Specialists to whom this section applies include, but are not limited to, actuaries, appraisers, attorneys, engineers, environmental consultants, medical professionals, statisticians, and geologists.

Page 30 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

the impact on the audit. The audit organization should make such notifications in writing.

Personal Impairments

3.07 Auditors participating on an audit assignment must be free from personal impairments to independence.22

Personal impairments of auditors result from relationships or beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Individual auditors should notify the appropriate officials within their audit organizations if they have any personal impairment to independence. Examples of personal impairments of individual auditors include, but are not limited to, the following:

a. immediate family or close family member23 who is a director or officer of the audited entity, or, as an employee of the audited entity, is in a position to exert direct and significant influence over the entity or the program under audit;

b. financial interest that is direct, or is significant/material though indirect, in the audited entity or program;24

22This includes those who review the work or the report, and all others within the audit organization who can directly influence the outcome of the audit. The period covered includes the period covered by the audit and the period in which the audit is being performed and reported.

23Immediate family member is a spouse, spouse equivalent, or dependent (whether or not related). A close family member is a parent, sibling, or nondependent child.

24Auditors are not precluded from auditing pension plans that they participate in if (1) the auditor has no control over the investment strategy, benefits, or other management issues associated with the pension plan and (2) the auditor belongs to such pension plan as part of his/her employment with the audit organization, provided that the plan is normally offered to all employees in equivalent employment positions.

Page 31 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

c. responsibility for managing an entity or making decisions that could affect operations of the entity or program being audited; for example, serving as a director, officer, or other senior position of the entity, activity, or program being audited, or as a member of management in any decision making, supervisory, or ongoing monitoring function for the entity, activity, or program under audit;

d. concurrent or subsequent performance of an audit by the same individual who maintained the official accounting records when such services involved preparing source documents or originating data, in electronic or other form; posting transactions (whether coded by management or not coded); authorizing, executing, or consummating transactions (for example, approving invoices, payrolls, claims, or other payments of the entity or program being audited); maintaining an entity’s bank account or otherwise having custody of the audited entity’s funds; or otherwise exercising authority on behalf of the entity, or having authority to do so;

e. preconceived ideas toward individuals, groups, organizations, or objectives of a particular program that could bias the audit;

f. biases, including those resulting from political, ideological, or social convictions that result from membership or employment in, or loyalty to, a particular type of policy, group, organization, or level of government; and

g. seeking employment during the conduct of the audit with an audited organization.

3.08 Audit organizations and auditors may encounter many different circumstances or combinations of circumstances that could create a personal impairment. Therefore, it is impossible to identify every situation that

Page 32 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

could result in a personal impairment. Accordingly, audit organizations should include as part of their quality control system procedures to identify personal impairments and help ensure compliance with GAGAS independence requirements. At a minimum, audit organizations should

a. establish policies and procedures to identify, report, and resolve personal impairments to independence,

b. communicate the audit organization’s policies and procedures to all auditors in the organization and promote understanding of the policies and procedures,

c. establish internal policies and procedures to monitor compliance with the audit organization’s policies and procedures,

d. establish a disciplinary mechanism to promote compliance with the audit organization’s policies and procedures,

e. stress the importance of independence and the expectation that auditors will always act in the public interest, and

f. maintain documentation of the steps taken to identify potential personal independence impairments.

3.09 When the audit organization identifies a personal impairment to independence prior to or during an audit, the audit organization should take action to resolve the impairment in a timely manner. In situations in which the personal impairment is applicable only to an individual auditor or a specialist on a particular audit, the audit organization may be able to eliminate the personal impairment. For example, the audit organization could remove that auditor or specialist from any work on that audit or require the auditor or

Page 33 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

specialist to eliminate the cause of the personal impairment. If the personal impairment cannot be eliminated, the audit organization should withdraw from the audit. In situations in which auditors employed by government entities cannot withdraw from the audit, they should follow paragraph 3.04.

External Impairments

3.10 Audit organizations must be free from external impairments to independence. Factors external to the audit organization may restrict the work or interfere with auditors’ ability to form independent and objective opinions, findings, and conclusions. External impairments to independence occur when auditors are deterred from acting objectively and exercising professional skepticism by pressures, actual or perceived, from management and employees of the audited entity or oversight organizations. For example, under the following conditions, auditors may not have complete freedom to make an independent and objective judgment, thereby adversely affecting the audit:

a. external interference or influence that could improperly limit or modify the scope of an audit or threaten to do so, including exerting pressure to inappropriately reduce the extent of work performed in order to reduce costs or fees;

b. external interference with the selection or application of audit procedures or in the selection of transactions to be examined;

c. unreasonable restrictions on the time allowed to complete an audit or issue the report;

d. externally imposed restriction on access to records, government officials, or other individuals needed to conduct the audit;

Page 34 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

e. external interference over the assignment, appointment, compensation, and promotion of audit personnel;

f. restrictions on funds or other resources provided to the audit organization that adversely affect the audit organization’s ability to carry out its responsibilities;

g. authority to overrule or to inappropriately influence the auditors’ judgment as to the appropriate content of the report;

h. threat of replacing the auditors over a disagreement with the contents of an audit report, the auditors’ conclusions, or the application of an accounting principle or other criteria; and

i. influences that jeopardize the auditors’ continued employment for reasons other than incompetence, misconduct, or the need for audits or attestation engagements.

3.11 Audit organizations should include policies and procedures for identifying and resolving external impairments as part of their quality control system for compliance with GAGAS independence requirements.

Organizational Independence

3.12 The ability of audit organizations in government entities to perform work and report the results objectively can be affected by placement within government, and the structure of the government entity being audited. Whether reporting to third parties externally or to top management within the audited entity internally, audit organizations must be free from organizational impairments to independence with respect to the entities they audit. Impairments to organizational independence result when the audit function is organizationally located within the reporting

Page 35 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

Organizational Independence for External Audit Organizations

line of the areas under audit or when the auditor is assigned or takes on responsibilities that affect operations of the area under audit.

3.13 External audit organizations can be presumed to be free from organizational impairments to independence when the audit function is organizationally placed outside the reporting line of the entity under audit and the auditor is not responsible for entity operations. Audit organizations in government entities can meet the requirement for organizational independence in a number of ways and may be presumed to be free from organizational impairments to independence from the audited entity if the audit organization is

a. at a level of government other than the one to which the audited entity is assigned (federal, state, or local); for example, federal auditors auditing a state government program; or

b. in a different branch of government within the same level of government as the audited entity; for example, legislative auditors auditing an executive branch program.

3.14 Audit organizations in government entities may also be presumed to be free from organizational impairments if the head of the audit organization meets any of the following criteria:

a. directly elected by voters of the jurisdiction being audited;

b. elected or appointed by a legislative body, subject to removal by a legislative body, and reports the results of audits to and is accountable to a legislative body;

c. appointed by someone other than a legislative body, so long as the appointment is confirmed by a legislative

Page 36 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

body and removal from the position is subject to oversight or approval by a legislative body,25 and reports the results of audits to and is accountable to a legislative body; or

d. appointed by, accountable to, reports to, and can only be removed by a statutorily created governing body, the majority of whose members are independently elected or appointed and come from outside the organization being audited.

3.15 In addition to the presumptive criteria in paragraphs 3.13 and 3.14, GAGAS recognize that there may be other organizational structures under which audit organizations in government entities could be considered to be free from organizational impairments and thereby be considered organizationally independent for reporting externally. These structures provide safeguards to prevent the audited entity from interfering with the audit organization’s ability to perform the work and report the results impartially. For an external audit organization to be considered free from organizational impairments under a structure different from the ones listed in paragraphs 3.13 and 3.14, the audit organization should have all of the following safeguards. In such situations, the audit organization should document how each of the following safeguards were satisfied and provide the documentation to those performing quality control monitoring and to the external peer reviewers to determine whether all the necessary safeguards have been met.

25Legislative bodies may exercise their confirmation powers through a variety of means so long as they are involved in the approval of the individual to head the audit organization. This involvement can be demonstrated by approving the individual after the appointment or by initially selecting or nominating an individual or individuals for appointment by the appropriate authority.

Page 37 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

Organizational Independence for Internal Audit Functions

a. statutory protections that prevent the audited entity from abolishing the audit organization;

b. statutory protections that require that if the head of the audit organization is removed from office, the head of the agency report this fact and the reasons for the removal to the legislative body;

c. statutory protections that prevent the audited entity from interfering with the initiation, scope, timing, and completion of any audit;

d. statutory protections that prevent the audited entity from interfering with audit reporting, including the findings and conclusions or the manner, means, or timing of the audit organization’s reports;

e. statutory protections that require the audit organization to report to a legislative body or other independent governing body on a recurring basis;

f. statutory protections that give the audit organization sole authority over the selection, retention, advancement, and dismissal of its staff; and

g. statutory access to records and documents related to the agency, program, or function being audited and access to government officials or other individuals as needed to conduct the audit.26

3.16 Certain federal, state, or local government entities employ auditors to work for management of the audited entities. These auditors may be subject to administrative direction from persons involved in the entity management process. Such audit organizations are

26Statutory authority to issue a subpoena to obtain the needed records is one way to meet the requirement for statutory access to records.

Page 38 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

internal audit functions and are encouraged to use the Institute of Internal Auditors (IIA) International

Standards for the Professional Practice of Internal

Auditing in conjunction with GAGAS. Under GAGAS, a government internal audit function can be presumed to be free from organizational impairments to independence for reporting internally if the head of the audit organization meets all of the following criteria:

a. is accountable to the head or deputy head of the government entity or to those charged with governance;

b. reports the audit results both to the head or deputy head of the government entity and to those charged with governance;

c. is located organizationally outside the staff or line-management function of the unit under audit;

d. has access to those charged with governance; and

e. is sufficiently removed from political pressures to conduct audits and report findings, opinions, and conclusions objectively without fear of political reprisal.

3.17 The internal audit organization should report regularly to those charged with governance.

3.18 When internal audit organizations that are free of organizational impairments perform audits of external parties such as auditing contractors or outside party agreements, and no personal or external impairments exist, they may be considered independent of the audited entities and free to report objectively to the heads or deputy heads of the government entities to which they are assigned, to those charged with governance, and to parties outside the organizations in accordance with applicable law, rule, regulation, or policy.

Page 39 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

Organizational Independence When Performing Nonaudit Services

3.19 The internal audit organization should document the conditions that allow it to be considered free of organizational impairments to independence for internal reporting and provide the documentation to those performing quality control monitoring and to the external peer reviewers to determine whether all the necessary safeguards have been met.

3.20 Audit organizations at times may perform other professional services (nonaudit services) that are not performed in accordance with GAGAS. Audit organizations that provide nonaudit services must evaluate whether providing the services creates an independence impairment either in fact or appearance

27with respect to entities they audit. Based on the facts and circumstances, professional judgment is used in determining whether a nonaudit service would impair an audit organization’s independence with respect to entities it audits.

3.21 Audit organizations in government entities generally have broad audit responsibilities and, therefore, should establish policies and procedures for accepting engagements to perform nonaudit services so that independence is not impaired with respect to entities they audit. (See appendix I, paragraphs A3.02 and A3.03 for examples of nonaudit services that are generally specific to audit organizations in government entities that generally do not impair the organizations’ independence with respect to the entities it audits and, therefore, do not require compliance with the supplemental safeguards described in paragraph 3.30.)

27The Government Accountability Office (GAO) has issued further guidance in the form of questions and answers to assist in implementation of the standards associated with nonaudit services. This guidance, Government Auditing Standards: Answers to Independence Standard Questions, GAO-02-870G (Washington, D.C.: June 2002), can be found on GAO’s Government Auditing Standards Web page (http://www.gao.gov/govaud/ybk01.htm).

Page 40 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

Independent public accountants may provide audit and nonaudit services (commonly referred to as consulting) under contractual commitments to an entity and should determine whether nonaudit services they have provided or are committed to provide have a significant or material effect on the subject matter of the audits.

Overarching Independence Principles

3.22 The following two overarching principles apply to auditor independence when assessing the impact of performing a nonaudit service for an audited program or entity: (1) audit organizations must not provide nonaudit services that involve performing management functions or making management decisions and (2) audit organizations must not audit their own work or provide nonaudit services in situations in which the nonaudit services are significant or material to the subject matter of the audits.28

3.23 In considering whether audits performed by the audit organization could be significantly or materially affected by the nonaudit service, audit organizations should evaluate (1) ongoing audits; (2) planned audits; (3) requirements and commitments for providing audits, which includes laws, regulations, rules, contracts, and other agreements; and (4) policies placing responsibilities on the audit organization for providing audit services.

3.24 If requested29 to perform nonaudit services that would impair the audit organization’s ability to meet either or both of the overarching independence

28The concepts of significance and materiality include quantitative as well as qualitative measures in relation to the subject matter of the audit.

29The requestor of nonaudit services could be the management of the audited entity or a third party such as a legislative oversight body.

Page 41 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

principles for certain types of audit work, the audit organization should inform the requestor and the audited entity that performing the nonaudit service would impair the auditors’ independence with regard to subsequent audit or attestation engagements.

Types of Nonaudit Services

3.25 Nonaudit services generally fall into one of the following categories (see appendix I, paragraphs A3.02 and A3.03 for examples of nonaudit services that are generally unique to audit organizations in government entities):

a. Nonaudit services that do not impair the audit organization’s independence with respect to the entities it audits and, therefore, do not require compliance with the supplemental safeguards in paragraph 3.30. (See paragraphs 3.26 and 3.27.)

b. Nonaudit services that would not impair the audit organization’s independence with respect to the entities it audits as long as the audit organization complies with the supplemental safeguards in paragraph 3.30. (See paragraph 3.28.)

c. Nonaudit services that do impair the audit organization’s independence. Compliance with the supplemental safeguards will not overcome this impairment. (See paragraph 3.29.)

Nonaudit Services That Do Not Impair Auditor

Independence

3.26 Nonaudit services in which auditors provide technical advice based on their technical knowledge and expertise do not impair auditor independence with respect to entities they audit and do not require the audit organization to apply the supplemental safeguards.

Page 42 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

However, auditor independence would be impaired if the extent or nature of the advice resulted in the auditors’ making management decisions or performing management functions.

3.27 Examples of the types of services considered as providing technical advice include the following:

a. participating in activities such as commissions, committees, task forces, panels, and focus groups as an expert in a purely advisory, nonvoting capacity to

(1) advise entity management on issues based on the auditors’ knowledge or

(2) address urgent problems;

b. providing tools and methodologies, such as guidance and good business practices, benchmarking studies, and internal control assessment methodologies that can be used by management; and

c. providing targeted and limited technical advice to the audited entity and management to assist them in activities such as (1) answering technical questions or providing training, (2) implementing audit recommendations, (3) implementing internal controls, and (4) providing information on good business practices.

Nonaudit Services That Would Not Impair

Independence if Supplemental Safeguards Are

Implemented

3.28 Services that do not impair the audit organization’s independence with respect to the entities they audit so long as they comply with supplemental safeguards include the following:

Page 43 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

a. providing basic accounting assistance limited to services such as preparing draft financial statements that are based on management’s chart of accounts and trial balance and any adjusting, correcting, and closing entries that have been approved by management; preparing draft notes to the financial statements based on information determined and approved by management; preparing a trial balance based on management’s chart of accounts; maintaining depreciation schedules for which management has determined the method of depreciation, rate of depreciation, and salvage value of the asset (If the audit organization has prepared draft financial statements and notes and performed the financial statement audit, the auditor should obtain documentation from management in which management acknowledges the audit organization’s role in preparing the financial statements and related notes and management’s review, approval, and responsibility for the financial statements and related notes in the management representation letter. The management representation letter that is obtained as part of the audit may be used for this type of documentation.);

b. providing payroll services when payroll is not material to the subject matter of the audit or to the audit objectives. Such services are limited to using records and data that have been approved by entity management;

c. providing appraisal or valuation services limited to services such as reviewing the work of the entity or a specialist employed by the entity where the entity or specialist provides the primary evidence for the balances recorded in financial statements or other information that will be audited; valuing an entity’s pension, other post-employment benefits, or similar liabilities provided management has determined and taken responsibility for all significant assumptions and data;

Page 44 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

d. preparing an entity’s indirect cost proposal30 or cost allocation plan provided that the amounts are not material to the financial statements and management assumes responsibility for all significant assumptions and data;

e. providing advisory services on information technology limited to services such as advising on system design, system installation, and system security if management, in addition to the safeguards in paragraph 3.30, acknowledges responsibility for the design, installation, and internal control over the entity’s system and does not rely on the auditors’ work as the primary basis for determining (1) whether to implement a new system, (2) the adequacy of the new system design, (3) the adequacy of major design changes to an existing system, and (4) the adequacy of the system to comply with regulatory or other requirements;

f. providing human resource services to assist management in its evaluation of potential candidates when the services are limited to activities such as serving on an evaluation panel of at least three individuals to review applications or interviewing candidates to provide input to management in arriving at a listing of best qualified applicants to be provided to management; and

g. preparing routine tax filings based on information provided by the audited entity.

30The Office of Management and Budget (OMB) prohibits an auditor who prepared the entity’s indirect cost proposal from conducting the required audit when indirect costs recovered by the entity during the prior year exceeded $1 million under OMB Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations, Subpart C.305(b), revised June 27, 2003.

Page 45 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

Nonaudit Services That Impair Independence

3.29 Compliance with supplemental safeguards will not overcome independence impairments in this category. By their nature, certain nonaudit services directly support the entity’s operations and impair the audit organization’s ability to meet either or both of the overarching independence principles in paragraph 3.22 for certain types of audit work. Examples of the types of services under this category include the following:

a. maintaining or preparing the audited entity’s basic accounting records or maintaining or taking responsibility for basic financial or other records that the audit organization will audit;

b. posting transactions (whether coded or not coded) to the entity’s financial records or to other records that subsequently provide input to the entity’s financial records;

c. determining account balances or determining capitalization criteria;

d. designing, developing, installing, or operating the entity’s accounting system or other information systems that are material or significant to the subject matter of the audit;

e. providing payroll services that (1) are material to the subject matter of the audit or the audit objectives, and/or (2) involve making management decisions;

f. providing appraisal or valuation services that exceed the scope described in paragraph 3.28 c;

g. recommending a single individual for a specific position that is key to the entity or program under audit, otherwise ranking or influencing management’s

Page 46 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

selection of the candidate, or conducting an executive search or a recruiting program for the audited entity;

h. developing an entity’s performance measurement system when that system is material or significant to the subject matter of the audit;

i. developing an entity’s policies, procedures, and internal controls;

j. performing management’s assessment of internal controls when those controls are significant to the subject matter of the audit;

k. providing services that are intended to be used as management’s primary basis for making decisions that are significant to the subject matter under audit;

l. carrying out internal audit functions, when performed by external auditors; and

m. serving as voting members of an entity’s management committee or board of directors, making policy decisions that affect future direction and operation of an entity’s programs, supervising entity employees, developing programmatic policy, authorizing an entity’s transactions, or maintaining custody of an entity’s assets.31

Supplemental Safeguards for Maintaining Auditor

Independence When Performing Nonaudit Services

3.30 Performing nonaudit services described in paragraph 3.28 will not impair independence if the

31Entity assets are intended to include all of the entity’s property including bank accounts, investment accounts, inventories, equipment, or other assets owned, leased, or otherwise in the entity’s possession, and financial records, both paper and electronic.

Page 47 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

overarching independence principles stated in paragraph 3.22 are not violated. For these nonaudit services, the audit organization should comply with each of the following safeguards:

a. document its consideration of the nonaudit services, including its conclusions about the impact on independence;

b. establish in writing an understanding with the audited entity regarding the objectives, scope of work, and product or deliverables of the nonaudit service; and management’s responsibility for (1) the subject matter of the nonaudit services, (2) the substantive outcomes of the work, and (3) making any decisions that involve management functions related to the nonaudit service and accepting full responsibility for such decisions;

c. exclude personnel who provided the nonaudit services from planning, conducting, or reviewing audit work in the subject matter of the nonaudit service;32 and

d. do not reduce the scope and extent of the audit work below the level that would be appropriate if the nonaudit service were performed by an unrelated party.

Professional Judgment

3.31 Auditors must use professional judgment in planning and performing audits and attestation engagements and in reporting the results.

3.32 Professional judgment includes exercising reasonable care and professional skepticism. Reasonable care concerns acting diligently in

32Personnel who provided the nonaudit service are permitted to convey to the audit team the documentation and knowledge gained about the audited entity and its operations.

Page 48 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

accordance with applicable professional standards and ethical principles. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of evidence. Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty. Believing that management is honest is not a reason to accept less than sufficient, appropriate evidence.

3.33 Using the auditors’ professional knowledge, skills, and experience to diligently perform, in good faith and with integrity, the gathering of information and the objective evaluation of the sufficiency and appropriateness of evidence is a critical component of audits. Professional judgment and competence are interrelated because judgments made are dependent upon the auditors’ competence.

3.34 Professional judgment represents the application of the collective knowledge, skills, and experiences of all the personnel involved with an assignment, as well as the professional judgment of individual auditors. In addition to personnel directly involved in the audit, professional judgment may involve collaboration with other stakeholders, outside experts, and management in the audit organization.

3.35 Using professional judgment in all aspects of carrying out their professional responsibilities, including following the independence standards, maintaining objectivity and credibility, assigning competent audit staff to the assignment, defining the scope of work, evaluating and reporting the results of the work, and maintaining appropriate quality control over the assignment process is essential to performing and reporting on an audit.

Page 49 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

3.36 Using professional judgment is important in determining the required level of understanding of the audit subject matter and related circumstances. This includes consideration about whether the audit team’s collective experience, training, knowledge, skills, abilities, and overall understanding are sufficient to assess the risks that the subject matter under audit may contain a significant inaccuracy or could be misinterpreted.

3.37 Considering the risk level of each assignment, including the risk that they may come to an improper conclusion is another important issue. Within the context of audit risk, exercising professional judgment in determining the sufficiency and appropriateness of evidence to be used to support the findings and conclusions based on the audit objectives and any recommendations reported is an integral part of the audit process.

3.38 Auditors should document significant decisions affecting the audit objectives, scope, and methodology; findings; conclusions; and recommendations resulting from professional judgment.

3.39 While this standard places responsibility on each auditor and audit organization to exercise professional judgment in planning and performing an audit or attestation engagement, it does not imply unlimited responsibility, nor does it imply infallibility on the part of either the individual auditor or the audit organization. Absolute assurance is not attainable because of the nature of evidence and the characteristics of fraud. Professional judgment does not mean eliminating all possible limitations or weaknesses associated with a specific audit, but rather identifying, considering, minimizing, mitigating, and explaining them.

Page 50 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

Competence 3.40 The staff assigned to perform the audit or attestation engagement must collectively possess adequate professional competence for the tasks required.

3.41 The audit organization’s management should assess skill needs to consider whether its workforce has the essential skills that match those necessary to fulfill a particular audit mandate or scope of audits to be performed. Accordingly, audit organizations should have a process for recruitment, hiring, continuous development, assignment, and evaluation of staff to maintain a competent workforce. The nature, extent, and formality of the process will depend on various factors such as the size of the audit organization, its structure, and its work.

3.42 Competence is derived from a blending of education and experience. Competencies are not necessarily measured by years of auditing experience because such a quantitative measurement may not accurately reflect the kinds of experiences gained by an auditor in any given time period. Maintaining competence through a commitment to learning and development throughout an auditor’s professional life is an important element for auditors. Competence enables an auditor to make sound professional judgments.

Technical Knowledge and Competence

3.43 The staff assigned to conduct an audit or attestation engagement under GAGAS must collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that assignment. The staff assigned to a GAGAS audit or attestation engagement should collectively possess

a. knowledge of GAGAS applicable to the type of work they are assigned and the education, skills, and

Page 51 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

experience to apply this knowledge to the work being performed;

b. general knowledge of the environment in which the audited entity operates and the subject matter under review;

c. skills to communicate clearly and effectively, both orally and in writing; and

d. skills appropriate for the work being performed. For example, staff or specialist skills in

(1) statistical sampling if the work involves use of statistical sampling;

(2) information technology if the work involves review of information systems;

(3) engineering if the work involves review of complex engineering data;

(4) specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial-based estimates, or statistical analysis tests, as applicable; or

(5) specialized knowledge in subject matters, such as scientific, medical, environmental, educational, or any other specialized subject matter, if the work calls for such expertise.

Additional 3.44 Auditors performing financial audits should be Qualifications for knowledgeable in generally accepted accounting Financial Audits and principles (GAAP), the American Institute of Certified Attestation Public Accountants (AICPA) generally accepted auditing Engagements standards for field work and reporting and the related

Statements on Auditing Standards (SAS), and the

Page 52 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

application of these standards. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards. Auditors engaged to perform financial audits or attestation engagements should be licensed certified public accountants or persons working for a licensed certified public accounting firm or a government auditing organization.33

3.45 Similarly, for attestation engagements, GAGAS incorporate the AICPA attestation standards. Auditors should be knowledgeable in the AICPA general attestation standard related to criteria, the AICPA attestation standards for field work and reporting, and the related Statements on Standards for Attestation Engagements (SSAE), and they should be competent in applying these standards and SSAE to the task assigned. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards.

Continuing Professional Education

3.46 Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, should maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. For auditors who are involved in any amount of planning, directing, or reporting on GAGAS assignments and those auditors who are not involved in those activities but charge 20

33Public accountants licensed on or before December 31, 1970, or persons working for a public accounting firm licensed on or before December 31, 1970, are also considered qualified under this standard.

Page 53 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

percent or more of their time annually to GAGAS assignments should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every 2- year period) that enhances the auditor’s professional proficiency to perform audits or attestation engagements. Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year period.

3.47 CPE programs are structured educational activities with learning objectives designed to maintain or enhance participants’ knowledge, skills, and abilities in areas applicable to performing audits or attestation engagements. Determining what subjects are appropriate for individual auditors to satisfy both the 80-hour and the 24-hour requirements is a matter of professional judgment to be exercised by auditors in consultation with appropriate officials in their audit organizations. Among the considerations in exercising that judgment are the auditors’ experience, the responsibilities they assume in performing GAGAS assignments, and the operating environment of the audited entity.

3.48 Improving their own competencies and meeting CPE requirements are primarily the responsibilities of individual auditors. The audit organization should have quality control procedures to help ensure that auditors meet the continuing education requirements, including documentation of the CPE completed. The Government Accountability Office (GAO) has developed guidance pertaining to CPE requirements to assist auditors and audit organizations in exercising professional judgment in complying with the CPE requirements.34

34This guidance, Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education, GAO­05-568G (Washington, D.C.: April 2005), can be found on GAO’s Government Auditing Standards Web page (http://www.gao.gov/ govaud/ybk01.htm).

Page 54 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

3.49 External specialists assisting in performing a GAGAS assignment should be qualified and maintain professional competence in their areas of specialization but are not required to meet the GAGAS CPE requirements described. However, auditors who use the work of external specialists should assess the professional qualifications of such specialists and document their findings and conclusions. Internal specialists who are part of the audit organization and perform as a member of the audit team should comply with GAGAS, including the CPE requirements.

Quality Control and Assurance

3.50 Each audit organization performing audits or attestation engagements in accordance with GAGAS must:

a. establish a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and

b. have an external peer review at least once every 3 years.35

System of Quality 3.51 An audit organization’s system of quality control Control encompasses the audit organization’s leadership,

emphasis on performing high quality work, and the organization’s policies and procedures designed to

35An audit organization’s noncompliance with the peer review requirements (paragraph 3.50b and 3.55 through 3.60) results in a modified GAGAS compliance statement. The audit organization’s compliance (or noncompliance) with the requirements for a system of quality control in paragraphs 3.50a and 3.51 through 3.54 are tested and reported on as part of the peer review process and do not impact the GAGAS compliance statement. (See chapter 1, paragraphs 1.11 through 1.13.)

Page 55 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

provide reasonable assurance of complying with professional standards and applicable legal and regulatory requirements.36 The nature, extent, and formality of an audit organization’s quality control system will vary based on the audit organization’s circumstances, such as the audit organization’s size, number of offices and geographic dispersion, the knowledge and experience of its personnel, the nature and complexity of its audit work, and cost-benefit considerations.

3.52 Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization’s compliance with its quality control policies and procedures. The form and content of such documentation are a matter of professional judgment and will vary based on the audit organization’s circumstances.

3.53 An audit organization should include policies and procedures in its system of quality control that collectively address:

a. Leadership responsibilities for quality within the audit organization: Policies and procedures that designate responsibility for quality of audits and attestation engagements performed under GAGAS and

36The system of quality control discussed in this section is consistent with the AICPA proposed statement on Quality Control Standards, A Firm’s System of Quality Control, except that the GAGAS requirements in paragraph 3.54 state that reviews of the work and the report that are performed as part of supervision are not monitoring controls when used alone.

Page 56 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

communication of policies and procedures relating to quality. Such policies and communications encourage a culture that recognizes that quality is essential in performing GAGAS audits.

b. Independence, legal, and ethical requirements: Policies and procedures designed to provide reasonable assurance that the audit organization and its personnel maintain independence, and comply with applicable legal and ethical requirements.37

c. Initiation,38 acceptance, and continuance of audit and attestation engagements: Policies and procedures for the initiation, acceptance, and continuance of audit and attestation engagements, designed to provide reasonable assurance that the audit organization will undertake audit engagements only if it can comply with professional standards and ethical principles and is acting within the legal mandate or authority of the audit organization.

d. Human resources: Policies and procedures designed to provide the audit organization with reasonable assurance that it has personnel with the capabilities and competence to perform its audits in accordance with

37See paragraphs 3.02 through 3.30 for GAGAS dealing with independence. See chapter 2 for GAGAS ethical principles. Individual auditors who are members of professional organizations or are licensed or certified professionals may also be subject to ethical requirements of those professional organizations or licensing bodies. Auditors in government entities may also be subject to government ethics laws and regulations.

38Government audit organizations initiate audit and attestation engagements as a result of (1) the audit organization’s discretion, (2) requests from legislative bodies or oversight bodies, and (3) legal mandates. In the case of requests and legal mandates, a government audit organization may be required to do the work. See paragraph 3.04 for requirements where an audit organization in a government entity is not independent and, because of a legislative requirement or for other reasons, cannot decline to perform the work.

Page 57 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

professional standards and legal and regulatory requirements.39

e. Audit and attestation engagement performance, documentation, and reporting: Policies and procedures designed to provide the audit organization with reasonable assurance that audits and attestation engagements are performed and reports are issued in accordance with professional standards and legal and regulatory requirements. (For financial audits, chapters 1 through 5 apply; for attestation engagements, chapters 1 through 3 and 6 apply; for performance audits, chapters 1 through 3 and 7 and 8 apply.)

f. Monitoring of quality: An ongoing, periodic assessment of work completed on audits and attestation engagements designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice. The purpose of monitoring compliance with quality control policies and procedures is to provide an evaluation of (1) adherence to professional standards and legal and regulatory requirements, (2) whether the quality control system has been appropriately designed, and (3) whether quality control policies and procedures are operating effectively and complied with in practice. Monitoring procedures will vary based on the audit organization’s facts and circumstances. The audit organization should perform monitoring procedures that enable it to assess compliance with applicable professional standards and quality control policies and procedures for GAGAS audits. Individuals performing monitoring should collectively have sufficient expertise and authority for this role.

39See paragraphs 3.40 through 3.49 for requirements dealing with professional competence.

Page 58 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

3.54 The audit organization should analyze and summarize the results of its monitoring procedures at least annually, with identification of any systemic issues needing improvement, along with recommendations for corrective action. (Under GAGAS, reviews of the work and the report that are performed as part of supervision are not monitoring controls when used alone. However, these types of pre-issuance reviews may be used as a part of this analysis and summary.)

External Peer Review 3.55 Audit organizations performing audits and attestation engagements in accordance with GAGAS must have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years.40

3.56 The audit organization should obtain an external peer review sufficient in scope to provide a reasonable basis for determining whether, for the period under review,41 the reviewed audit organization’s system of quality control was suitably designed and whether the audit organization is complying with its quality control system in order to provide the audit organization with reasonable assurance of conforming with applicable professional standards.

3.57 The peer review team should include the following elements in the scope of the peer review:

40The external peer review requirement is effective within 3 years from the date an audit organization begins field work on its first assignment in accordance with GAGAS for both financial audit practices and performance audit practices. Generally, the deadlines for peer review reports are established by the entity that administers the peer review program. Extensions of the deadlines for submitting the peer review report exceeding 3 months beyond the due date are granted by the entity that administers the peer review program and GAO.

41The period under review generally covers 1 year. Peer review programs and audit organizations may choose a longer period to be covered by the peer review.

Page 59 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

a. review of the audit organization’s quality control policies and procedures;

b. consideration of the adequacy and results of the audit organization’s internal monitoring procedures;

c. review of selected audit and attestation engagement reports and related documentation;

d. review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files; and

e. interviews with a selection of the reviewed audit organization’s professional staff at various levels to assess their understanding of and compliance with relevant quality control policies and procedures.

3.58 The peer review team should perform a risk assessment to help determine the number and types of engagements to select. Based on the risk assessment, the team should use one or a combination of the following approaches to selecting individual audits and attestation engagements for review: (1) select GAGAS audits and attestation engagements that provide a reasonable cross-section of the GAGAS assignments performed by the reviewed audit organization or (2) select audits and attestation engagements that provide a reasonable cross-section from all types of work subject to the reviewed audit organization’s quality control system, including one or more assignments performed in accordance with GAGAS.42

42The second approach is generally applicable to audit organizations that perform only a small number of GAGAS audits in relation to other types of audits. In these cases, one or more GAGAS audits may represent more than what would be selected when looking at a cross-section of the audit organization’s work as a whole.

Page 60 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

3.59 The peer review team should prepare one or more written reports communicating the results of the peer review, including the following:

a. description of the scope of the peer review, including any limitations;

b. an opinion on whether the system of quality control of the reviewed audit organization’s audit and/or attestation engagement practices was adequately designed and complied with during the period reviewed to provide the audit organization with reasonable assurance of conforming with applicable professional standards;

c. specification of the professional standards to which the reviewed audit organization is being held;

d. for modified or adverse opinions,43 a description of reasons for the modification or adverse opinion, along with a detailed description of the findings and recommendations, in the peer review report, to enable the reviewed audit organization to take appropriate actions; and

e. reference to a separate letter of comments, if such a letter is issued.

3.60 The peer review team should meet the following criteria:

43A modified opinion is an opinion in which the peer reviewer concludes that except for the effects of deficiencies described in the eport, the system of quality control was adequately designed and complied with during the period. An adverse opinion is a conclusion that the system of quality control was not adequately designed and complied with to provide reasonable assurance of conforming with professional standards.

Page 61 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

a. The review team collectively has current knowledge of GAGAS and government auditing.

b. The organization conducting the peer review and individual review team members are independent (as defined in GAGAS) of the audit organization being reviewed, its staff, and the audits and attestation engagements selected for the peer review.

c. The review team collectively has sufficient knowledge of how to perform a peer review. Such knowledge may be obtained from on-the-job training, training courses, or a combination of both. Having personnel on the peer review team with prior experience on a peer review or internal inspection team is desirable.

3.61 An external audit organization44 should make its most recent peer review report45 publicly available; for example, by posting the peer review report on an external Web site or to a publicly available file designed for public transparency of peer review results. If neither of these options is available to the audit organization, then it should use the same transparency mechanism it uses to make other information public, and also provide the peer review report to others upon request. Internal audit organizations that report internally to management should provide a copy of the external peer review report to those charged with governance. Government audit organizations should also communicate the overall results and the availability of their external peer review reports to appropriate oversight bodies.

3.62 Information in external peer review reports and letters of comment may be relevant to decisions on

44An external audit organization is defined in paragraphs 3.13 through 3.15.

45This requirement does not include the letter of comment.

Page 62 GAO-07-731G Government Auditing Standards

Chapter 3

General Standards

procuring audit or attestation engagements. Therefore, audit organizations seeking to enter into a contract to perform an audit or attestation engagement in accordance with GAGAS should provide the following to the party contracting for such services:

a. the audit organization’s most recent peer review report and any letter of comment, and

b. any subsequent peer review reports and letters of comment received during the period of the contract.

3.63 Auditors who are using another audit organization’s work should request a copy of the audit organization’s latest peer review report and any letter of comment, and the audit organization should provide these documents when requested. (See paragraphs 3.05 and 7.41 through 7.43 for further requirements and guidance on using the work of others.)

Page 63 GAO-07-731G Government Auditing Standards

Chapter 4

Chapter 4Field Work Standards for Financial Audits

Introduction 4.01 This chapter establishes field work standards and provides guidance for financial audits conducted in accordance with generally accepted government auditing standards (GAGAS). This chapter identifies the American Institute of Certified Public Accountants (AICPA) field work standards and prescribes additional standards for financial audits performed in accordance with GAGAS.

a. For financial audits, GAGAS incorporate the AICPA field work and reporting standards and the related statements on auditing standards (SAS) unless specifically excluded or modified by GAGAS.46

b. Under AICPA standards and GAGAS, auditors must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in their professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by auditors is expressed in the auditor’s report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement.

4.02 For financial audits performed in accordance with GAGAS, chapters 1 through 5 apply.

46To date, the Comptroller General has not excluded any field work standards or SAS.

Page 64 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

AICPA Field Work Standards

4.03 The three AICPA generally accepted standards of field work are as follows:47

a. The auditor must adequately plan the work and must properly supervise any assistants.

b. The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.

c. The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.

Additional Government Auditing Standards

4.04 GAGAS establish field work standards for financial audits in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their audit reports. The additional government auditing standards relate to:

a. auditor communication during planning (see paragraphs 4.05 through 4.08);

b. previous audits and attestation engagements (see paragraph 4.09);

c. detecting material misstatements resulting from violations of provisions of contracts or grant

47See AU Section 150, Generally Accepted Auditing Standards.

Page 65 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

agreements, or from abuse (see paragraphs 4.10 through 4.13);

d. developing elements of a finding (see paragraphs 4.14 through 4.18); and

e. audit documentation (see paragraphs 4.19 through 4.24).

Auditor Communication During Planning

4.05 Under AICPA standards and GAGAS, auditors should communicate with the audited entity their understanding of the services to be performed for each engagement and document that understanding through a written communication.48 GAGAS broaden the parties included in the communication and the items for the auditors to communicate.

4.06 Under GAGAS, when planning the audit, auditors should communicate certain information in writing to management of the audited entity, those charged with governance,49 and to the individuals contracting for or requesting the audit. When auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the audited entity, auditors should communicate with the legislative committee. In those situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, auditors should document the process

48See AICPA Statement on Auditing Standard No. 108, Planning and Supervision.

49Those charged with governance are those responsible for overseeing the strategic direction of the entity and the entity’s fulfillment of its obligations related to the accountability of the entity. (See appendix I, paragraphs A1.05 through A1.07 for additional information.)

Page 66 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. Auditors should communicate the following additional information under GAGAS:

a. The nature of planned work and level of assurance to be provided related to internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements.

b. Any potential restriction on the auditors’ reports, in order to reduce the risk that the needs or expectations of the parties involved may be misinterpreted.

4.07 Under AICPA standards and GAGAS, tests of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements in a financial statement audit contribute to the evidence supporting the auditors’ opinion on the financial statements or other conclusions regarding financial data. However, such tests generally are not sufficient in scope to provide an opinion on the effectiveness of internal control over financial reporting or compliance with laws, regulations, and provisions of contracts or grant agreements. To meet the needs of certain audit report users, laws and regulations sometimes prescribe supplemental testing and reporting on internal control over financial reporting and

Page 67 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

compliance with laws, regulations, and provisions of contracts and grant agreements.50

4.08 If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated. Determining whether and how to communicate the reason for terminating the audit to those charged with governance, appropriate officials of the audited entity, the entity contracting for or requesting the audit, and other appropriate officials will depend on the facts and circumstances and, therefore, is a matter of professional judgment.

Previous Audits and Attestation Engagements

4.09 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the financial statements. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the

50For example, when engaged to perform audits under the Single Audit Act, as amended, for state and local government entities and nonprofit entities that receive federal awards, auditors follow Office of Management and Budget (OMB) Circular No. A-133. The act and circular include specific audit requirements, mainly in the areas of compliance with laws and regulations and internal control over compliance that go beyond the requirements in chapters 4 and 5 of GAGAS. Audits performed pursuant to the Chief Financial Officers Act of 1990, as expanded by the Government Management Reform Act of 1994 and the Accountability of Tax Dollars Act of 2002, also have specific audit requirements prescribed by OMB in the areas of internal control and compliance. In addition, some state and local governments may have additional audit requirements that the auditors would need to follow in planning the audit.

Page 68 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

corrective actions is applicable to the current audit objectives.

Detecting Material Misstatements

4.10 Auditors should design the audit to provide reasonable assurance of detecting misstatements that

Resulting from Violations of

result from violations of provisions of contracts or grant agreements and could have a direct and material effect

Provisions of on the determination of financial statement amounts or Contracts or Grant other financial data significant to the audit objectives. Agreements or from Abuse 4.11 If specific information comes to the auditors’

attention that provides evidence concerning the existence of possible violations of provisions of contracts or grant agreements that could have a material indirect effect on the financial statements, the auditors should apply audit procedures specifically directed to ascertaining whether such violations have occurred . When the auditors conclude that a violation of provisions of contracts or grant agreements has or is likely to have occurred, they should determine the effect on the financial statements as well as the implications for other aspects of the audit.

4.12 Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.

4.13 If during the course of the audit, auditors become aware of abuse that could be quantitatively or qualitatively material to the financial statements, auditors should apply audit procedures specifically

Page 69 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

directed to ascertain the potential effect on the financial statements or other financial data significant to the audit objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts. Because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse.

Developing Elements of a Finding

4.14 Audit findings may involve deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse. The elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied. When auditors identify deficiencies, auditors should plan and perform procedures to develop the elements of the findings that are relevant and necessary to achieve the audit objectives. The elements of an audit finding are discussed in paragraphs 4.15 through 4.18.

4.15 Criteria: The laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings.

4.16 Condition: Condition is a situation that exists. The condition is determined and documented during the audit.

4.17 Cause: The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for

Page 70 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference.

4.18 Effect or potential effect: The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, “effect” is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks.

Audit Documentation 4.19 Under AICPA standards and GAGAS, auditors must prepare audit documentation in connection with each audit in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of audit procedures performed), the audit evidence obtained and its source, and the conclusions reached.51 Under AICPA standards and GAGAS, auditors should prepare audit documentation

51See AU Section 339.03 for the AICPA standard on audit documentation.

Page 71 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

that enables an experienced auditor,52 having no previous connection to the audit, to understand

a. the nature, timing, and extent of auditing procedures performed to comply with GAGAS and other applicable standards and requirements;

b. the results of the audit procedures performed and the audit evidence obtained;

c. the conclusions reached on significant matters; and

d. that the accounting records agree or reconcile with the audited financial statements or other audited information.

4.20 Under GAGAS, auditors also should document, before the audit report is issued, evidence of supervisory review of the work performed that supports findings, conclusions, and recommendations contained in the audit report.

4.21 When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors’ conclusions. This applies to departures from both mandatory requirements and presumptively mandatory requirements where alternative procedures performed

52An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to perform the audit. These competencies and skills include an understanding of (1) audit processes, (2) GAGAS and applicable legal and regulatory requirements, (3) the environment in which the entity operates, and (4) auditing and financial reporting issues relevant to the audited entity’s environment.

Page 72 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

in the circumstances were not sufficient to achieve the objectives of the standard. (See paragraphs 1.12 and 1.13.)

4.22 Audit organizations should establish policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for record retention. Whether audit documentation is in paper, electronic, or other media, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors’ knowledge, or if the documentation is lost or damaged. For audit documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the audit documentation.

4.23 Underlying GAGAS audits is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to perform a financial audit in accordance with GAGAS cooperate in auditing programs of common interest so that auditors may use others’ work and avoid duplication of efforts. Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as audit documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives. The use of auditors’ work by other auditors may be facilitated by contractual arrangements for GAGAS audits that provide for full and timely access to appropriate individuals, as well as audit documentation.

4.24 Audit organizations should develop policies to deal with requests by outside parties to obtain access to audit documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the audited entity. In

Page 73 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

developing such policies, audit organizations should determine what laws and regulations apply, if any.

Additional Considerations for GAGAS Financial Audits

4.25 Due to the audit objectives and public accountability of GAGAS audits, there may be additional considerations for financial audits completed in accordance with GAGAS. These considerations relate to

a. materiality in GAGAS financial audits (see paragraph 4.26);

b. consideration of fraud and illegal acts (see paragraphs 4.27 and 4.28); and

c. ongoing investigations or legal proceedings (see paragraph 4.29).

Materiality in GAGAS Financial Audits

4.26 Under both AICPA standards and GAGAS, the auditors’ responsibility is to plan and perform the audit to obtain reasonable assurance that material misstatements, whether caused by errors or fraud, are detected.53 The concept of materiality recognizes that some matters, either individually or in the aggregate, are important for fair presentation of financial statements in conformity with generally accepted accounting principles, while other matters are not important. In performing the audit, matters that, either individually or in the aggregate, could be material to the financial statements are a primary consideration.54 Additional considerations may apply to GAGAS financial audits of government entities or entities that receive government

53See AU Section 110, Responsibilities and Functions of the Independent Auditor.

54See AICPA Statement on Auditing Standards No. 107, Audit Risk and Materiality in Conducting an Audit.

Page 74 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

awards. For example, in audits performed in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels as compared with the materiality levels used in non-GAGAS audits because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.55

Consideration of Fraud and Illegal Acts

4.27 Under both the AICPA standards56 and GAGAS, auditors should plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.57 Recognizing the possibility that a material misstatement due to fraud could be present is important for achieving this objective. However, absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud.

55In accordance with AICPA Statement on Auditing Standards No. 107, Audit Risk and Materiality in Conducting an Audit, the auditor’s consideration of materiality is a matter of professional judgment and is influenced by the auditor’s perception of the needs of users of financial statements. The Financial Accounting Standards Board defined materiality in its Statement of Financial Accounting Concepts No. 2, Qualitative Characteristics of Accounting Information as “the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.”

56See AU Section 316, Consideration of Fraud in a Financial Statement Audit.

57Two types of misstatements are relevant to the auditors’ consideration of fraud in an audit of financial statements-­misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement in the financial statements is intentional or unintentional.

Page 75 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

4.28 Under both the AICPA standards58 and GAGAS, auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from illegal acts that could have a direct and material effect on the financial statements.59 If specific information comes to the auditors’ attention that provides evidence concerning the existence of possible illegal acts60 that could have a material indirect effect on the financial statements, the auditors should apply audit procedures specifically directed to ascertaining whether an illegal act has occurred. When an illegal act has or is likely to have occurred, auditors should determine the effect on the financial statements as well as the implications for other aspects of the audit.

Ongoing Investigations or Legal Proceedings

4.29 Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Laws, regulations, or policies might require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before performing additional audit procedures. When investigations or legal proceedings are initiated or in

58See AU Sections 317.02, 317.05, and 316.01 for AICPA standards and guidance related to auditors’ responsibilities when a possible illegal act is detected.

59Illegal acts are violations of laws or government regulations that have a direct and material effect on the determination of financial statement amounts. For example, applicable laws and regulations may affect the amount of revenue accrued under government contracts. However, the auditor considers such laws or regulations from the perspective of their known relation to audit objectives derived from financial statement assertions rather than from the perspective of legality per se.

60Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Disclosing matters that have led auditors to conclude that an illegal act is likely to have occurred is not a final determination of illegality.

Page 76 GAO-07-731G Government Auditing Standards

Chapter 4

Field Work Standards for Financial

Audits

process, auditors should evaluate the impact on the current audit. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the audit engagement or a portion of the engagement to avoid interfering with an investigation.

Page 77 GAO-07-731G Government Auditing Standards

Chapter 5

Chapter 5Reporting Standards for Financial Audits

Introduction 5.01 This chapter establishes reporting standards and provides guidance for financial audits conducted in accordance with generally accepted government auditing standards (GAGAS). For financial audits, GAGAS incorporate the American Institute of Certified Public Accountants (AICPA) field work and reporting standards and the related statements on auditing standards (SAS) unless specifically excluded or modified by GAGAS.61 This chapter identifies the AICPA reporting standards and prescribes additional standards for financial audits performed in accordance with GAGAS.

5.02 For financial audits performed in accordance with GAGAS, chapters 1 through 5 apply.

AICPA Reporting Standards

5.03 The four AICPA generally accepted standards of reporting62 are as follows:

a. The auditor must state in the auditor’s report whether the financial statements are presented in accordance with generally accepted accounting principles (GAAP).

b. The auditor must identify in the auditor’s report those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.

61To date, the Comptroller General has not excluded any reporting standards or SAS.

62See AU Section 150, Generally Accepted Auditing Standards. Under AU Section 150, when an auditor reports on financial statements prepared in accordance with a comprehensive basis of accounting other than GAAP, the first standard of reporting is satisfied by stating in the auditor’s report that the basis of presentation is a comprehensive basis of accounting other than GAAP and by expressing an opinion (or disclaiming an opinion) on whether the financial statements are presented in conformity with the comprehensive basis of accounting used.

Page 78 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

c. When the auditor determines that informative disclosures are not reasonably adequate, the auditor must so state in the auditor’s report.

d. The auditor must either express an opinion regarding the financial statements, taken as a whole, or state that an opinion cannot be expressed, in the auditor’s report. When the auditor cannot express an overall opinion, the auditor should state the reasons therefor in the auditor’s report. In all cases where an auditor’s name is associated with financial statements, the auditor should clearly indicate the character of the auditor’s work, if any, and the degree of responsibility the auditor is taking in the auditor’s report.

Additional Government Auditing Standards

5.04 GAGAS establish reporting standards for financial audits in addition to the standards contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their audit reports. The additional government auditing standards relate to

a. reporting auditors’ compliance with GAGAS (see paragraphs 5.05 and 5.06);

b. reporting on internal control and compliance with laws, regulations, and provisions of contracts or grant agreements (see paragraphs 5.07 through 5.09);

c. reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse (see paragraphs 5.10 through 5.22);

d. communicating significant matters in the auditors’ report (see paragraphs 5.23 through 5.25);

Page 79 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

e. reporting on the restatement of previously-issued financial statements (see paragraphs 5.26 through 5.31);

f. reporting views of responsible officials (see paragraphs 5.32 through 5.38);

g. reporting confidential or sensitive information (see paragraphs 5.39 through 5.43); and

h. distributing reports (see paragraph 5.44).

Reporting Auditors’ Compliance with GAGAS

5.05 When auditors comply with all applicable GAGAS requirements, they should include a statement in the auditors’ report that they performed the audit in accordance with GAGAS. (See paragraphs 1.12 and 1.13 for additional requirements on citing compliance with GAGAS.)

5.06 An audited entity receiving a GAGAS audit report may also request auditors to issue a financial audit report for purposes other than complying with requirements for a GAGAS audit. For example, the audited entity may need audited financial statements to issue bonds or for other financing purposes. GAGAS do not prohibit auditors from issuing a separate report conforming only to AICPA or other standards.

Reporting on Internal Control and Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements

5.07 When providing an opinion or a disclaimer on financial statements, auditors must also report on internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements.

5.08 Auditors should include either in the same or in separate report(s) a description of the scope of the auditors’ testing of internal control over financial reporting and compliance with laws, regulations, and

Page 80 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

provisions of contracts or grant agreements. If the auditors issue separate reports, they should include a reference to the separate reports in the report on financial statements. Auditors should state in the reports whether the tests they performed provided sufficient, appropriate evidence to support an opinion on the effectiveness of internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements. The internal control reporting standard under GAGAS differs from the objective of an examination of internal control in accordance with the AICPA Statement on Standards for Attestation Engagements (SSAE), which is to express an opinion on the design or the design and operating effectiveness of an entity’s internal control, as applicable. To form a basis for expressing such an opinion, the auditor must plan and perform the examination to obtain reasonable assurance about whether the entity maintained, in all material respects, effective internal control as of a point in time or for a specified period of time.

5.09 When auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements, they should state in the financial statement audit report that they are issuing those additional reports. They should include a reference to the separate reports63 and also state that the reports on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements are an integral part of a GAGAS audit and important for assessing the results of the audit. If auditors issued or intend to issue a management letter,

63This requirement applies to financial statement audits described in paragraph 1.22a. It does not apply to other types of financial audits described in paragraph 1.22b.

Page 81 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

they should refer to that management letter in the reports.

Reporting Deficiencies in

5.10 For financial audits, including audits of financial statements in which auditors provide an opinion or

Internal Control, Fraud, Illegal Acts, Violations of

disclaimer, auditors should report, as applicable to the objectives of the audit, and based upon the audit work performed, (1) significant deficiencies in internal

Provisions of control, identifying those considered to be material Contracts or Grant weaknesses; (2) all instances of fraud and illegal acts Agreements, and Abuse

unless inconsequential; and (3) violations of provisions of contracts or grant agreements and abuse that could have a material effect on the financial statements.64

Deficiencies in Internal Control

5.11 For all financial audits, auditors should report the following deficiencies in internal control:

a. Significant deficiency: a deficiency in internal control, or combination of deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with GAAP such that there is more than a remote65 likelihood that a misstatement of the entity’s financial statements that is

64If the auditor is performing an audit in accordance with Office of Management and Budget (OMB) Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations, the thresholds for reporting are defined in the circular. Those reporting thresholds satisfy GAGAS.

65The term “more than remote” used in the definitions for significant deficiency and material weakness means “at least reasonably possible.” The following definitions apply: (1) Remote—The chance of the future events occurring is slight. (2) Reasonably possible—The chance of the future events or their occurrence is more than remote but less than likely. (3) Probable—The future events are likely to occur.

Page 82 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

more than inconsequential66 will not be prevented or detected.67

b. Material weakness: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

5.12 Assessing the significance of control deficiencies includes qualitative considerations such as public accountability of the audited entity, legal and regulatory requirements, the visibility and sensitivity of the entity or program, the needs of users and concerns of oversight officials, and current and emerging risks and uncertainties facing the government entity or entity that receives government funding. The significance of a deficiency in internal control also is influenced by

a. the likelihood that a deficiency, or combination of deficiencies, could fail to prevent or detect a material misstatement of an account balance or disclosure; and

b. the magnitude of the potential misstatement.

66The phrase “more than inconsequential” as used in the definition of significant deficiency describes the magnitude of potential misstatement that could occur as a result of a significant deficiency and serves as a threshold for evaluating whether a control deficiency or combination of control deficiencies is a significant deficiency. A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person would not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.

67See appendix I, paragraph A.04 for examples of control deficiencies. AU Section 325, Communicating Internal Control Related Matters Identified in an Audit, also provides guidance on evaluating potential control deficiencies and examples.

Page 83 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

5.13 Auditors should include all significant deficiencies in the auditors’ report on internal control over financial reporting and indicate those that represent material weaknesses. If (1) a significant deficiency is remediated before the auditors’ report is issued and (2) the auditors obtain sufficient, appropriate evidence supporting the remediation of the significant deficiency, then the auditors should report the significant deficiency and the fact that it was remediated before the auditors’ report was issued.

5.14 Determining whether and how to communicate to officials of the audited entity internal control deficiencies that have an inconsequential effect on the financial statements is a matter of professional judgment. Auditors should document such communications.

5.15 Under AICPA standards and GAGAS, auditors have responsibilities for detecting fraud and illegal acts that have a material effect on the financial statements and determining whether those charged with governance are adequately informed about fraud and illegal acts. GAGAS include additional reporting standards. When auditors conclude, based on sufficient, appropriate evidence, that any of the following either has occurred or is likely to have occurred, they should include in their audit report the relevant information about

a. fraud and illegal acts68 that have an effect on the financial statements that is more than inconsequential,

b. violations of provisions of contracts or grant agreements that have a material effect on the

68Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Disclosing matters that have led auditors to conclude that an illegal act is likely to have occurred is not a final determination of illegality.

Page 84 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

Reporting Findings Directly to Parties Outside the Audited Entity

determination of financial statement amounts or other financial data significant to the audit, and

c. abuse that is material, either quantitatively or qualitatively. (See paragraphs 4.12 and 4.13 for a discussion of abuse.)

5.16 When auditors detect violations of provisions of contracts or grant agreements or abuse that have an effect on the financial statements that is less than material but more than inconsequential, they should communicate those findings in writing to officials of the audited entity. Determining whether and how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of professional judgment. Auditors should document such communications.

5.17 When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings, and for example, report only on information that is already a part of the public record.

5.18 Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances.69

69Internal audit organizations do not have a duty to report outside the entity unless required by law, rule, regulation, or policy. (See paragraph 5.44b for reporting standards for internal audit organizations when reporting externally.)

Page 85 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the information directly to the specified external parties.

b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is likely to have a material effect on the financial statements and (2) involves funding received directly or indirectly from a government agency, auditors should first report management’s failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the entity’s failure to take timely and appropriate steps directly to the funding agency.

5.19 The reporting in paragraph 5.18 is in addition to any legal requirements to report such information directly to parties outside the audited entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the audit prior to its completion.

5.20 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by management of the audited entity that it has reported such findings in accordance with laws, regulations, and funding agreements. When

Page 86 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

Presenting Findings in the Auditors’ Report

auditors are unable to do so, they should report such information directly as discussed in paragraph 5.18.

5.21 In presenting findings such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should develop the elements of the findings to the extent necessary to achieve the audit objectives. Clearly developed audit findings, as discussed in paragraphs 4.14 through 4.18, assist management or oversight officials of the audited entity in understanding the need for taking corrective action. If auditors sufficiently develop the elements of a finding, they may provide recommendations for corrective action.

5.22 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately.

Communicating Significant Matters in the Auditors’ Report

5.23 Under AICPA standards, auditors may emphasize in the auditors’ report significant matters regarding the financial statements.70 Due to the public interest in the operations of government entities and entities that receive or administer government awards, there may be situations in GAGAS audits in which certain types of information would help facilitate the readers’

70AU Section 508.19 establishes standards and provides guidance on emphasis of a matter in an auditors’ report.

Page 87 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

understanding of the financial statements and the auditors’ report. These situations may be in addition to the examples presented in AICPA standards.

5.24 Examples of matters that auditors may communicate in a GAGAS audit include the following:

a. Significant concerns or uncertainties about the fiscal sustainability of a government or program or other matters that could have a significant impact on the financial condition or operations of the government entity beyond 1 year of the financial statement date.71

Such concerns or uncertainties may arise due to revenue or expenditure trends; economic dependency on other governments or entities; the government’s current commitments, responsibilities, liabilities, or promises to citizens for future benefits that are not sustainable over the long term; deficit trends; the relationship between the financial information and other key indicators; and other significant risks and uncertainties that raise doubts about the long-term sustainability of current government programs in relation to the resources expected to be available. However, auditors are not responsible for designing audit procedures to detect such concerns or uncertainties, and any judgment about the future is based on information that is available at the time the judgment is made.

b. Unusual or catastrophic events that will likely have a significant ongoing or future impact on the entity’s financial condition or operations.

71AU Section 341, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern, establishes standards and provides guidance on auditor responsibilities with regard to an entity’s ability to continue as a going concern for a reasonable period of time, not to exceed 1 year beyond the date of the financial statements being audited.

Page 88 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

c. Significant uncertainties surrounding projections or estimations in the financial statements.

d. Any other matter that the auditors consider significant for communication to users and oversight bodies in the auditors’ report.

5.25 Determining whether to communicate such information in the auditors’ report is a matter of professional judgment. The communication may be presented in a separate paragraph or separate section of the auditors’ report and may include information that is not disclosed in the financial statements.

Reporting on Restatement of Previously-Issued Financial Statements

5.26 AICPA Professional Standards, AU Section 561, Subsequent Discovery of Facts Existing at the Date of

the Auditor’s Report, establish standards and provide guidance for situations when auditors become aware of new information that could have affected their report on previously-issued financial statements.72 Under AU Section 561, if auditors become aware of new information that might have affected their opinion on previously-issued financial statement(s), then the auditors should advise entity management to determine the potential effect(s) of the new information on the previously-issued financial statement(s) as soon as reasonably possible. Such new information may lead management to conclude that previously-issued financial statements were materially misstated and to restate and reissue the misstated financial statements. In such circumstances, auditors should advise management to make appropriate disclosure of the newly discovered facts and their impact on the financial

72AU Section 420, Consistency of Application of GAAP, and AU Section 508, Reports on Audited Financial Statements, provide guidance on when to reissue auditors’ reports on restated financial statements.

Page 89 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

Evaluate the Timeliness and Appropriateness of Management’s Disclosure and Actions to Determine and Correct Misstatements in Previously-Issued Financial Statements

statements to those who are likely to rely on the financial statements.73

5.27 Under GAGAS, auditors should advise management to make appropriate disclosures when the auditors believe that the following conditions exist: (1) it is likely that previously-issued financial statements are misstated and (2) the misstatement is or reasonably could be material. Under GAGAS, auditors also should perform the following procedures related to restated financial statements:74

a. evaluate the timeliness and appropriateness of management’s disclosure and actions to determine and correct misstatements in previously-issued financial statements (see paragraph 5.28),

b. report on restated financial statements (see paragraphs 5.29 and 5.30), and

c. report directly to appropriate officials when the audited entity does not take the necessary steps (see paragraph 5.31).

5.28 Auditors should evaluate the timeliness and appropriateness of management’s disclosure to those who are likely to rely on the financial statements and management’s actions to determine and correct misstatements in previously-issued financial statements in accordance with AU Sections 561.06 through 561.08. Under GAGAS, auditors also should evaluate whether management

73In GAGAS audits, those likely to rely on the financial statements include, at a minimum, those charged with governance, appropriate oversight bodies, and funding agencies.

74These additional GAGAS requirements also apply to other financial information on which auditors opine, such as schedules of expenditures of federal awards.

Page 90 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

Report on Restated Financial Statements

a. acted in an appropriate time frame after new information was available to (1) determine the financial statement effects of the new information and (2) notify those who are likely to rely on the financial statements;

b. disclosed the nature and extent of the known or likely material misstatements on Web pages where management has published the auditors’ report on the previously-issued financial statements; and

c. disclosed the following information in the entity’s restated financial statements: (1) the nature and cause(s) of the misstatement(s) that led to the need for restatement, (2) the specific amount(s) of the material misstatement(s), and (3) the related effect(s) on the previously-issued financial statement(s) (e.g., year(s) being restated, specific financial statement(s) affected and line items restated, actions the agency’s management took after discovering the misstatement), and (4) the impact on the financial statements as a whole (e.g., change in overall net position, change in the audit opinion) and on key information included in the Management Discussion & Analysis.

5.29 When management restates financial statements, auditors should perform audit procedures sufficient to reissue or update the auditors’ report on the restated financial statements regardless of whether the restated financial statements are separately issued or presented on a comparative basis with those of a subsequent period.75 Auditors should include the following in an explanatory paragraph in the reissued or updated auditors’ report:

75AU Section 9561.02 provides guidance on auditor association with subsequently discovered information when the auditor has resigned or been discharged. AU Sections 508.70 through 508.73 discusses reissuing predecessor auditors’ reports.

Page 91 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

Report Directly to Appropriate Officials When the Audited Entity Does Not Take the Necessary Steps

a. a statement disclosing that the previously-issued financial statements have been restated;

b. a statement that (1) the previously-issued auditors’ report (identified by report date) is not to be relied on because the previously-issued financial statements were materially misstated and (2) the previously-issued auditors’ report is replaced by the auditors’ report on the restated financial statements;

c. a reference to the note(s) to the restated financial statements that discusses the restatement; and

d. if applicable, a reference to the report on internal control containing a discussion of any significant internal control deficiency identified by the auditors as having failed to prevent or detect the misstatement and any corrective action taken by management to address the deficiency.

5.30 Management’s failure to include appropriate disclosures, as discussed in paragraph 5.28c, in restated financial statements may have implications for the audit. In addition, auditors should include the omitted disclosures in the auditors’ report, if practicable.

5.31 Auditors should notify those charged with governance if entity management (1) does not act in an appropriate time frame after new information was available to determine the financial statement effects of the new information and take the necessary steps to timely inform those who are likely to rely on the financial statements and the related auditors’ reports of the situation or (2) does not restate with reasonable timeliness the financial statements under circumstances in which auditors believe they need to be restated. Auditors should inform those charged with governance that the auditors will take steps to prevent further reliance on the auditors’ report and advise them to

Page 92 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

notify oversight bodies and funding agencies that rely on the financial statements. If those charged with governance do not notify appropriate oversight bodies and funding agencies, then the auditors should do so.76

Reporting Views of Responsible Officials

5.32 If the auditors’ report discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions.

5.33 Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors’ findings, conclusions, and recommendations, but also the perspectives of the responsible officials of the audited entity and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable.

5.34 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials’ written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated.

76The steps taken will depend on the facts and circumstances, including legal considerations.

Page 93 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

5.35 Auditors should also include in the report an evaluation of the comments, as appropriate. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received.

5.36 Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user’s needs; auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with findings, conclusions, and recommendations in the draft report, or major controversies with regard to the issues discussed in the draft report.

5.37 When the audited entity’s comments are inconsistent or in conflict with findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors’ recommendations, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence.

5.38 If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.

Page 94 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

Reporting Confidential or Sensitive Information

5.39 If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that make the omission necessary.

5.40 Certain information may be classified or may otherwise be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified, or limited use report containing the information and distribute the report only to persons authorized by law or regulation to receive it.

5.41 Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors’ recommendations. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.

5.42 Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices.

Page 95 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

5.43 When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. For example, the auditors may communicate general information in a written report and communicate detailed information verbally. The auditors may consult with legal counsel regarding applicable public records laws.

Distributing Reports 5.44 Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS:

a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports.

b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice

of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should

Page 96 GAO-07-731G Government Auditing Standards

Chapter 5

Reporting Standards for Financial

Audits

communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report.

c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public.

Page 97 GAO-07-731G Government Auditing Standards

Chapter 6

Chapter 6

General, Field Work, and Reporting Standards for Attestation Engagements

Introduction 6.01 This chapter establishes standards and provides guidance for attestation engagements conducted in accordance with generally accepted government auditing standards (GAGAS). For attestation engagements, GAGAS incorporate the American Institute of Certified Public Accountants (AICPA) general standard on criteria, and the field work and reporting standards and the related Statements on Standards for Attestation Engagements (SSAE), unless specifically excluded or modified by GAGAS.77,78 This chapter identifies the AICPA general standard on criteria79 and the field work and reporting standards for attestation engagements and prescribes additional standards for attestation engagements performed in accordance with GAGAS.

6.02 For attestation engagements performed in accordance with GAGAS, chapters 1 through 3 and 6 apply.

AICPA General and Field Work Standards for Attestation Engagements

6.03 The AICPA general standard related to criteria is as follows:

The practitioner [auditor] must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users.

6.04 The two AICPA field work standards for attestation engagements are as follows:

77To date, the Comptroller General has not excluded any field work standards, reporting standards, or SSAE.

78See AT Section 50, SSAE Hierarchy.

79GAGAS incorporate only one of the AICPA general standards for attestation engagements.

Page 98 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

a. The practitioner [auditor] must adequately plan the work and must properly supervise any assistants.

b. The practitioner [auditor] must obtain sufficient evidence to provide a reasonable basis for the conclusion that is expressed in the report.

Additional Government Auditing Standards

6.05 GAGAS establish attestation engagement field work standards in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their attestation engagement reports. The additional government auditing standards relate to

a. auditor communication during planning (see paragraphs 6.06 through 6.08);

b. previous audits and attestation engagements (see paragraph 6.09);

c. internal control (see paragraphs 6.10 through 6.12);

d. fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that could have a material effect on the subject matter (see paragraphs 6.13 and 6.14);

e. developing elements of a finding (see paragraphs 6.15 through 6.19); and

f. documentation (see paragraphs 6.20 through 6.26).

Auditor Communication During Planning

6.06 Under AICPA standards and GAGAS, auditors should establish an understanding with the entity regarding the services to be performed for each engagement. Auditors also should obtain written acknowledgment or other evidence of the entity’s

Page 99 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

responsibilities for the subject matter or the written assertion as it relates to the objectives of the engagement. GAGAS broaden the parties included in the communications during planning and contain additional items in the communications.

6.07 Under GAGAS, when planning the engagement, auditors should communicate certain information, including their understanding of the services to be performed for each engagement, in writing to entity management, those charged with governance,80 and to the individuals contracting for or requesting the engagement. When auditors perform the engagement pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the entity, auditors should communicate with the legislative committee. In those situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, the auditors should document the process followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. Auditors should communicate the following additional information under GAGAS:

a. the nature, timing, and extent of planned testing and reporting;

b. the level of assurance the auditor will provide; and

80Those charged with governance are those responsible for overseeing the strategic direction of the entity and the entity’s fulfillment of its obligations related to accountability. (See appendix I, paragraph A1.05 through A1.07 for additional information.)

Page 100 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

c. any potential restriction on the auditors’ reports, in order to reduce the risk that the needs or expectations of the parties involved may be misinterpreted.

6.08 If an engagement is terminated before it is completed and a report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated. Determining whether and how to communicate the reason for terminating the engagement to those charged with governance, appropriate officials of the entity, the entity contracting for or requesting the engagement, and other appropriate officials will depend on the facts and circumstances and, therefore, is a matter of professional judgment.

Previous Audits and Attestation Engagements

6.09 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the subject matter. When planning the engagement, auditors should ask entity management to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter of the attestation engagement being undertaken, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current engagement objectives.

Internal Control 6.10 In planning examination-level attestation engagements, auditors should obtain a sufficient understanding of internal control that is material to the subject matter in order to plan the engagement and design procedures to achieve the objectives of the attestation engagement.

Page 101 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

6.11 In planning an examination-level attestation engagement, auditors should obtain an understanding of internal control as it relates to the subject matter to which the auditors are attesting. The subject matter may be financial or nonfinancial. (See paragraph 1.23 for a discussion of possible attestation engagement subject matters.)

6.12 A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, detect, or correct errors in assertions made by management on a timely basis. A deficiency in design exists when (1) a control necessary to meet the control objective is missing or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

Page 102 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

Fraud, Illegal Acts, Violations of

6.13 The auditors’ responsibility with regard to fraud,81

illegal acts, violations of provisions of contracts or grant Provisions of agreements, or abuse for attestation engagements Contracts or Grant performed in accordance with GAGAS is as follows: Agreements, or Abuse That Could Have a Material Effect on the Subject Matter

a. Examination-level engagements: In planning, auditors should design the engagement to provide reasonable assurance of detecting fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter of the attestation engagement. Thus, auditors should assess the risk and possible effects of material fraud, illegal acts, or violations of provisions of contracts or grant agreements on the subject matter of the attestation engagement. When risk factors are identified, auditors should document the risk factors identified, the auditors’ response to those risk factors individually or in combination, and the auditors’ conclusions.

b. Review-level and agreed-upon-procedures-level engagements: If during the course of the engagement, information comes to the auditors’ attention indicating that fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter may have occurred, auditors should perform procedures as necessary to (1) determine if fraud, illegal acts, or violations of provisions of contracts or grant agreements are likely to have occurred and, if so, (2) determine their effect on the results of the attestation engagement. Auditors are not expected to provide assurance of detecting potential fraud, illegal acts, or violations of provisions of

81Fraud is a type of illegal act involving the obtaining of something of value through willful misrepresentation. Although not applicable to attestation engagements, the AICPA Statements on Auditing Standards (SAS) may provide useful guidance related to fraud for auditors performing attestation engagements in accordance with GAGAS.

Page 103 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

contracts or grant agreements for these types of engagements unless it is specified in the procedures.

c. For all levels of attestation engagements: If during the course of the engagement, auditors become aware of abuse that could be quantitatively or qualitatively material, auditors should apply procedures specifically directed to ascertain the potential effect on the subject matter or other data significant to the engagement objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts. Because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse in attestation engagements.

6.14 Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.

Developing Elements of a Finding

6.15 Audit findings may involve deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse. The elements needed for a finding depend entirely on the engagement objectives. Thus a finding or set of findings is complete to the extent that the engagement objectives are satisfied. When auditors identify deficiencies, auditors should plan and perform procedures to develop the elements of the findings that are relevant and necessary to achieve the engagement objectives. The elements of a finding are discussed in paragraphs 6.16 through 6.19.

Page 104 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

6.16 Criteria: The laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings.

6.17 Condition: Condition is a situation that exists. The condition is determined and documented during the engagement.

6.18 Cause: The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference.

6.19 Effect or potential effect: The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the engagement objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the engagement, “effect” is a measure of those consequences. Effect or potential effect may be used to

Page 105 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

demonstrate the need for corrective action in response to identified problems or relevant risks.

Attest Documentation

6.20 Under GAGAS, auditors must prepare attest documentation in connection with each engagement in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of engagement procedures performed); the evidence obtained and its source; and the conclusions reached. Documentation provides the principal support for

a. the statement in the engagement report that the auditors performed the attestation engagement in accordance with GAGAS and any other standards cited and

b. the auditors’ conclusion.

6.21 Auditors should prepare attest documentation in sufficient detail to enable an experienced auditor,82

having no previous connection to the attestation engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions. Auditors should prepare attest documentation that contains support for findings,

82An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to perform the attestation engagement. These competencies and skills include an understanding of (1) attestation engagement processes, (2) GAGAS and applicable legal and regulatory requirements, (3) the subject matter that the auditor is engaged to report on, (4) the suitability and availability of criteria, and (5) issues related to the audited entity’s environment.

Page 106 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

conclusions, and recommendations before they issue their report.

6.22 Auditors also should document the following for attestation engagements performed under GAGAS:

a. the objectives, scope, and methodology of the attestation engagement;

b. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined;83

c. evidence of supervisory review, before the engagement report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the engagement report; and

d. the auditors’ consideration that the planned procedures be designed to achieve objectives of the attestation engagement when (1) evidence obtained is dependent on computerized information systems, (2) such evidence is material to the objective of the engagement, and (3) the auditors are not relying on the effectiveness of internal control over those computerized systems that produced the evidence. Auditors should document (1) the rationale for determining the nature, timing, and extent of planned procedures; (2) the kinds and competence of available evidence produced outside a computerized information system, or plans for direct testing of data produced from a computerized information system; and (3) the effect on the attestation engagement report if evidence to be

83Auditors may meet this requirement by listing file numbers, case numbers, or other means of identifying specific documents they examined. They are not required to include copies of documents they examined as part of the attest documentation, nor are they required to list detailed information from those documents.

Page 107 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

gathered does not afford a reasonable basis for achieving the objectives of the engagement.

6.23 When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the engagement, the auditors should document the departure, the impact on the engagement and on the auditors’ conclusions. This applies to departures from mandatory requirements and presumptively mandatory requirements where alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard. (See paragraphs 1.12 and 1.13.)

6.24 Audit organizations should establish policies and procedures for the safe custody and retention of documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention. Whether engagement documentation is in paper, electronic, or other media, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors’ knowledge, or if the documentation is lost or damaged. For attest documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the attest documentation.

6.25 Underlying GAGAS engagements is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to perform an engagement in accordance with GAGAS cooperate in performing attestation engagements of programs of common interest so that auditors may use others’ work and avoid duplication of efforts. Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as attest documentation,

Page 108 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives. The use of auditors’ work by other auditors may be facilitated by contractual arrangements for GAGAS engagements that provide for full and timely access to appropriate individuals, as well as attest documentation.

6.26 Audit organizations should develop policies to deal with requests by outside parties to obtain access to attest documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any.

Additional Considerations for GAGAS Attestation Engagements

6.27 Due to the engagement objectives and public accountability of GAGAS engagements, there may be additional considerations for attestation engagements completed in accordance with GAGAS. These considerations relate to

a. materiality in GAGAS attestation engagements (see paragraph 6.28) and

b. ongoing investigations or legal proceedings (see paragraph 6.29).

Materiality in GAGAS Attestation Engagements

6.28 The concept of materiality recognizes that some matters, either individually or in the aggregate, are important for fair presentation of a subject matter or an assertion about a subject matter, while other matters are not important. In performing the engagement, matters that, either individually or in the aggregate, could be material to the subject matter are a primary consideration. In engagements performed in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels as compared with the

Page 109 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

materiality levels used in non-GAGAS engagements because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.

Ongoing Investigations or Legal Proceedings

6.29 Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Laws, regulations, or policies might require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before performing additional procedures. When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current engagement. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the engagement or a portion of the engagement to avoid interfering with an investigation.

AICPA Reporting Standards for Attestation Engagements

6.30 The four AICPA reporting standards that apply to all levels of attestation engagements are as follows:84

a. The practitioner [auditor] must identify the subject matter or the assertion being reported on and state the character of the engagement in the report.

b. The practitioner [auditor] must state the practitioner’s [auditor’s] conclusion about the subject matter or the

84Under AT Section 50, SSAE Hierarchy, the reporting standards apply when the practitioner issues a report. The reporting standards do not apply when the practitioner declines to issue a report as a result of the engagement.

Page 110 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

assertion in relation to the criteria against which the subject matter was evaluated in the report.

c. The practitioner [auditor] must state all of the practitioner’s [auditor’s] significant reservations about the engagement, the subject matter, and, if applicable, the assertion related thereto in the report.

d. The practitioner [auditor] must state in the report that the report is intended for use by specified parties under the following circumstances:

(1) When the criteria used to evaluate the subject matter are determined by the practitioner [auditor] to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria.

(2) When the criteria used to evaluate the subject matter are available only to specified parties.

(3) When reporting on subject matter and a written assertion has not been provided by the responsible party.

(4) When the report is on an attest engagement to apply agreed-upon procedures to the subject matter.

Additional Government Auditing Standards

6.31 GAGAS establish reporting standards for attestation engagements in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their attestation engagement reports. The additional government auditing standards relate to

a. reporting auditors’ compliance with GAGAS (see paragraph 6.32);

Page 111 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

b. reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse (see paragraphs 6.33 through 6.43);

c. reporting views of responsible officials (see paragraphs 6.44 through 6.50);

d. reporting confidential or sensitive information (see paragraphs 6.51 through 6.55); and

e. distributing reports (see paragraph 6.56).

Reporting Auditors’ Compliance with GAGAS

6.32 When auditors comply with all applicable GAGAS requirements, they should include a statement in the attestation report that they performed the engagement in accordance with GAGAS. (See paragraphs 1.12 and 1.13 for additional requirements on citing compliance with GAGAS.) GAGAS do not prohibit auditors from issuing a separate report conforming only to the requirements of other standards.

Reporting 6.33 For attestation engagements, auditors should Deficiencies in report, as applicable to the objectives of the Internal Control, engagement, and based upon the work performed, Fraud, Illegal Acts, (1) significant deficiencies in internal control, Violations of identifying those considered to be material weaknesses; Provisions of (2) all instances of fraud and illegal acts unless Contracts or Grant inconsequential; and (3) violations of provisions of Agreements, and contracts or grant agreements and abuse that could have Abuse a material effect on the subject matter of the

engagement.

Deficiencies in Internal 6.34 For all attestation engagements, auditors should Control report the following deficiencies in internal control:

Page 112 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

a. Significant deficiency: a deficiency in internal control, or combination of deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report data reliably in accordance with the applicable criteria or framework such that there is more than a remote85 likelihood that a misstatement of the subject matter that is more than inconsequential86 will not be prevented or detected.

b. Material weakness: a significant deficiency or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the subject matter will not be prevented or detected.

6.35 Determining whether and how to communicate to entity officials internal control deficiencies that have an inconsequential effect on the subject matter is a matter of professional judgment. Auditors should document such communications.

6.36 Under GAGAS, when auditors conclude, based on sufficient, appropriate evidence, that any of the following either has occurred or is likely to have occurred, they should include in their report the relevant information about

85The term “more than remote” used in the definitions for significant deficiency and material weakness means “at least reasonably possible.” The following definitions apply: (1) Remote—The chance of the future events occurring is slight. (2) Reasonably possible—The chance of the future events or their occurrence is more than remote but less than likely. (3) Probable—The future events are likely to occur.

86“More than inconsequential” indicates an amount that is less than material, yet has significance. A misstatement is “inconsequential” if a reasonable person would conclude that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the subject matter. If a reasonable person would not reach such a conclusion, that misstatement is “more than inconsequential.”

Page 113 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

a. fraud and illegal acts87 that have an effect on the subject matter that is more than inconsequential,

b. violations of provisions of contracts or grant agreements that have a material effect on the subject matter, and

c. abuse that is material to the subject matter, either quantitatively or qualitatively. (See paragraphs 6.13 and 6.14 for a discussion of abuse.)

6.37 When auditors detect violations of provisions of contracts or grant agreements or abuse that have an effect on the subject matter that is less than material but more than inconsequential, they should communicate those findings in writing to entity officials. Determining whether and how to communicate to entity officials fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of professional judgment. Auditors should document such communications.

6.38 When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings and, for example, report only on information that is already a part of the public record.

87Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Disclosing matters that have led auditors to conclude that an illegal act is likely to have occurred is not a final determination of illegality.

Page 114 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

Reporting Findings Directly to Parties Outside the Entity

6.39 Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances.88

a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the information directly to the specified external parties.

b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management’s failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the entity’s failure to take timely and appropriate steps directly to the funding agency.

6.40 The reporting in paragraph 6.39 is in addition to any legal requirements to report such information directly to parties outside the entity. Auditors should

88Internal audit organizations do not have a duty to report outside the entity unless required by law, rule, regulation, or policy. (See paragraph 6.56b for reporting standards for internal audit organizations when reporting externally.)

Page 115 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

Presenting Findings in the Auditors’ Report

comply with these requirements even if they have resigned or been dismissed from the engagement prior to its completion.

6.41 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by entity management that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 6.39.

6.42 In presenting findings such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should develop the elements of the findings to the extent necessary to achieve the engagement objectives. Clearly developed findings, as discussed in paragraphs 6.15 through 6.19, assist management or oversight officials in understanding the need for taking corrective action. If auditors are able to sufficiently develop the elements of a finding, they may provide recommendations for corrective action.

6.43 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately.

Reporting Views of 6.44 If the attestation engagement report discloses Responsible Officials deficiencies in internal control, fraud, illegal acts,

Page 116 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions.

6.45 Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors’ findings, conclusions, and recommendations, but also the perspectives of the responsible officials of the audited entity and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable.

6.46 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials’ written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated.

6.47 Auditors should also include in the report an evaluation of the comments, as appropriate. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received.

6.48 Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user’s needs; auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are familiar with the findings

Page 117 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

and issues addressed in the draft report; or the auditors do not expect major disagreements with the findings, conclusions, and recommendations in the draft report, or major controversies with regard to the issues discussed in the draft report.

6.49 When the entity’s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors’ recommendations, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence.

6.50 If the entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.

Reporting Confidential or Sensitive Information

6.51 If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that make the omission necessary.

6.52 Certain information may be classified or may be otherwise prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate classified or limited use report containing such information and

Page 118 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

distribute the report only to persons authorized by law or regulation to receive it.

6.53 Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors’ recommendations. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.

6.54 Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the engagement results or conceal improper or illegal practices.

6.55 When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. For example, the auditors may communicate general information in a written report and communicate detailed information verbally. The auditor may consult with legal counsel regarding applicable public records laws.

Page 119 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

Distributing Reports 6.56 Distribution of reports completed under GAGAS depends on the relationship of the auditors to the entity and the nature of the information contained in the report. If the subject matter or the assertion involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS:

a. Audit organizations in government entities should distribute reports to those charged with governance, to the appropriate entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations, and to others authorized to receive such reports.

b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice

of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report.

c. Public accounting firms contracted to perform an engagement under GAGAS should clarify report

Page 120 GAO-07-731G Government Auditing Standards

Chapter 6

General, Field Work, and Reporting

Standards for Attestation

Engagements

distribution responsibilities with the engaging organization. If the contracting firm is to make the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public.

Page 121 GAO-07-731G Government Auditing Standards

Chapter 7

Chapter 7

Field Work Standards for Performance Audits

Introduction 7.01 This chapter establishes field work standards and provides guidance for performance audits conducted in accordance with generally accepted government auditing standards (GAGAS). The field work standards for performance audits relate to planning the audit; supervising staff; obtaining sufficient, appropriate evidence; and preparing audit documentation. The concepts of reasonable assurance, significance, and audit risk form a framework for applying these standards and are included throughout the discussion of performance audits.

7.02 For performance audits performed in accordance with GAGAS, chapters 1 through 3 and 7 and 8 apply.

Reasonable Assurance

7.03 Performance audits that comply with GAGAS provide reasonable assurance that evidence is sufficient and appropriate to support the auditors’ findings and conclusions. Thus, the sufficiency and appropriateness of evidence needed and tests of evidence will vary based on the audit objectives, findings, and conclusions. Objectives for performance audits range from narrow to broad and involve varying types and quality of evidence. In some engagements, sufficient, appropriate evidence is available, but in others, information may have limitations. Professional judgment assists auditors in determining the audit scope and methodology needed to address the audit objectives, while providing the appropriate level of assurance that the obtained evidence is sufficient and appropriate to address the audit objectives. (See paragraphs 7.55 through 7.71 for a discussion about assessing the sufficiency and appropriateness of evidence.)

Page 122 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

Significance in a Performance Audit

7.04 The concept of significance89 assists auditors throughout a performance audit, including when deciding the type and extent of audit work to perform, when evaluating results of audit work, and when developing the report and related findings and conclusions. Significance is defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors. Such factors include the magnitude of the matter in relation to the subject matter of the audit, the nature and effect of the matter, the relevance of the matter, the needs and interests of an objective third party with knowledge of the relevant information, and the impact of the matter to the audited program or activity. Professional judgment assists auditors when evaluating the significance of matters within the context of the audit objectives.

Audit Risk 7.05 Audit risk is the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete, as a result of factors such as evidence that is not sufficient and/or appropriate, an inadequate audit process, or intentional omissions or misleading information due to misrepresentation or fraud. The assessment of audit risk involves both qualitative and quantitative considerations. Factors such as the time frames, complexity, or sensitivity of the work; size of the program in terms of dollar amounts and number of citizens served; adequacy of the audited entity’s systems and processes to detect inconsistencies, significant errors, or fraud; and auditors’ access to records, also impact audit risk. Audit risk includes the risk that

89In the performance audit standards, the term “significant” is comparable to the term “material” as used in the context of financial statement audits.

Page 123 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

auditors will not detect a mistake, inconsistency, significant error, or fraud in the evidence supporting the audit. Audit risk can be reduced by taking actions such as increasing the scope of work; adding experts, additional reviewers, and other resources to the audit team; changing the methodology to obtain additional evidence, higher quality evidence, or alternative forms of corroborating evidence; or aligning the findings and conclusions to reflect the evidence obtained.

Planning 7.06 Auditors must adequately plan and document the planning of the work necessary to address the audit objectives.

7.07 Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions. This determination is a matter of professional judgment. In planning the audit, auditors should assess significance and audit risk and apply these assessments in defining the audit objectives and the scope and methodology to address those objectives.90

Planning is a continuous process throughout the audit. Therefore, auditors may need to adjust the audit objectives, scope, and methodology as work is being completed.

7.08 The objectives are what the audit is intended to accomplish. They identify the audit subject matter and performance aspects to be included, and may also include the potential findings and reporting elements that the auditors expect to develop. Audit objectives can

90In situations where the audit objectives are established by statute or legislative oversight, auditors may not have latitude to define the audit objectives or scope.

Page 124 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

be thought of as questions about the program91 that the auditors seek to answer based on evidence obtained and assessed against criteria.

7.09 Scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.

7.10 The methodology describes the nature and extent of audit procedures for gathering and analyzing evidence to address the audit objectives. Audit procedures are the specific steps and tests auditors will carry out to address the audit objectives. Auditors should design the methodology to obtain sufficient, appropriate evidence to address the audit objectives, reduce audit risk to an acceptable level, and provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions. Methodology includes both the nature and extent of audit procedures used to address the audit objectives.

7.11 Auditors should assess audit risk and significance within the context of the audit objectives by gaining an understanding of the following:

a. the nature and profile of the programs and the needs of potential users of the audit report (see paragraphs 7.13 through 7.15);

91The term “program” is used in this document to include government entities, organizations, programs, activities, and functions.

Page 125 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

b. internal control as it relates to the specific objectives and scope of the audit (see paragraphs 7.16 through 7.22);

c. information systems controls for purposes of assessing audit risk and planning the audit within the context of the audit objectives (see paragraphs 7.23 through 7.27);

d. legal and regulatory requirements, contract provisions or grant agreements, potential fraud, or abuse that are significant within the context of the audit objectives (see paragraphs 7.28 through 7.35); and

e. the results of previous audits and attestation engagements that directly relate to the current audit objectives (see paragraph 7.36).

7.12 During planning, auditors also should

a. identify the potential criteria needed to evaluate matters subject to audit (see paragraphs 7.37 and 7.38);

b. identify sources of audit evidence and determine the amount and type of evidence needed given audit risk and significance (see paragraphs 7.39 and 7.40);

c. evaluate whether to use the work of other auditors and experts to address some of the audit objectives (see paragraphs 7.41 through 7.43);

d. assign sufficient staff and specialists with adequate collective professional competence and identify other resources needed to perform the audit (see paragraphs 7.44 and 7.45);

e. communicate about planning and performance of the audit to management officials, those charged with

Page 126 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

governance, and others as applicable (see paragraphs 7.46 through 7.49); and

f. prepare a written audit plan (see paragraphs 7.50 and 7.51).

Nature and Profile of the Program and User Needs

7.13 Auditors should obtain an understanding of the nature of the program or program component under audit and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program include

a. visibility, sensitivity, and relevant risks associated with the program under audit;

b. age of the program or changes in its conditions;

c. the size of the program in terms of total dollars, number of citizens affected, or other measures;

d. level and extent of review or other forms of independent oversight;

e. program’s strategic plan and objectives; and

f. external factors or conditions that could directly affect the program.

7.14 One group of users of the auditors’ report is government officials who may have authorized or requested the audit. Other important users of the auditors’ report are the entity being audited, those responsible for acting on the auditors’ recommendations, oversight organizations, and legislative bodies. Other potential users of the auditors’ report include government legislators or officials (other than those who may have authorized or requested the audit), the media, interest groups, and individual

Page 127 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

citizens. In addition to an interest in the program, potential users may have an ability to influence the conduct of the program. An awareness of these potential users’ interests and influence can help auditors judge whether possible findings could be significant to relevant users.

7.15 Obtaining an understanding of the program under audit helps auditors to assess the relevant risks associated with the program and the impact on the audit objectives, scope, and methodology. The auditors’ understanding may come from knowledge they already have about the program or knowledge they gain from inquiries and observations they make in planning the audit. The extent and breadth of those inquiries and observations will vary among audits based on the audit objectives, as will the need to understand individual aspects of the program, such as the following.

a. Laws, regulations, and provisions of contracts or grant agreements: Government programs are usually created by law and are subject to specific laws and regulations. Laws and regulations usually set forth what is to be done, who is to do it, the purpose to be achieved, the population to be served, and related funding guidelines or restrictions. Government programs may also be subject to provisions of contracts and grant agreements. Thus, understanding the laws and legislative history establishing a program and the provisions of any contracts or grant agreements can be essential to understanding the program itself. Obtaining that understanding is also a necessary step in identifying the provisions of laws, regulations, contracts, or grant agreements that are significant within the context of the audit objectives.

b. Purpose and goals: Purpose is the result or effect that is intended or desired from a program’s operation. Legislatures usually establish the program’s purpose

Page 128 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

when they provide authority for the program. Entity officials may provide more detailed information on the program’s purpose to supplement the authorizing legislation. Entity officials are sometimes asked to set goals for program performance and operations, including both output and outcome goals. Auditors may use the stated program purpose and goals as criteria for assessing program performance or may develop additional criteria to use when assessing performance.

c. Internal control: Internal control, sometimes referred to as management control, in the broadest sense includes the plan, policies, methods, and procedures adopted by management to meet its missions, goals, and objectives. Internal control includes the processes for planning, organizing, directing, and controlling program operations. It includes the systems for measuring, reporting, and monitoring program performance. Internal control serves as a defense in safeguarding assets and in preventing and detecting errors; fraud; violations of laws, regulations, and provisions of contracts and grant agreements; or abuse. Paragraphs 7.16 through 7.22 contain guidance pertaining to internal control.

d. Efforts: Efforts are the amount of resources (in terms of money, material, personnel, etc.) that are put into a program. These resources may come from within or outside the entity operating the program. Measures of efforts can have a number of dimensions, such as cost, timing, and quality. Examples of measures of efforts are dollars spent, employee-hours expended, and square feet of building space.

e. Program operations: Program operations are the strategies, processes, and activities management uses to convert efforts into outputs. Program operations may be subject to internal control.

Page 129 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

f. Outputs: Outputs represent the quantity of goods or services produced by a program. For example, an output measure for a job training program could be the number of persons completing training, and an output measure for an aviation safety inspection program could be the number of safety inspections completed.

g. Outcomes: Outcomes are accomplishments or results of a program. For example, an outcome measure for a job training program could be the percentage of trained persons obtaining a job and still in the work place after a specified period of time. An example of an outcome measure for an aviation safety inspection program could be the percentage reduction in safety problems found in subsequent inspections or the percentage of problems deemed corrected in follow-up inspections. Such outcome measures show the progress made in achieving the stated program purpose of helping unemployable citizens obtain and retain jobs, and improving the safety of aviation operations. Outcomes may be influenced by cultural, economic, physical, or technological factors outside the program. Auditors may use approaches drawn from other disciplines, such as program evaluation, to isolate the effects of the program from these other influences. Outcomes also include unexpected and/or unintentional effects of a program, both positive and negative.

Page 130 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

Internal Control 7.16 Auditors should obtain an understanding of internal control92 that is significant within the context of the audit objectives. For internal control that is significant within the context of the audit objectives, auditors should assess whether internal control has been properly designed and implemented. For those internal controls that are deemed significant within the context of the audit objectives, auditors should plan to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls. Information systems controls are often an integral part of an entity’s internal control. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. (See paragraphs 7.23 through 7.27 for additional discussion on evaluating the effectiveness of information systems controls.)

7.17 Auditors may modify the nature, timing, or extent of the audit procedures based on the auditors’ assessment of internal control and the results of internal

92Refer to the internal control guidance contained in Internal Control-­Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As discussed in the COSO framework, internal control consists of five interrelated components, which are (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The objectives of internal control relate to (1) financial reporting, (2) operations, and (3) compliance. Safeguarding of assets is a subset of these objectives. In that respect, management designs internal control to provide reasonable assurance that unauthorized acquisition, use, or disposition of assets will be prevented or timely detected and corrected. In addition to the COSO document, the publication, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999), which incorporates the relevant guidance developed by COSO, provides definitions and fundamental concepts pertaining to internal control at the federal level and may be useful to other auditors at any level of government. The related Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001), based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing the internal control structure.

Page 131 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

control testing. For example, poorly controlled aspects of a program have a higher risk of failure, so auditors may choose to focus their efforts in these areas. Conversely, effective controls at the audited entity may enable the auditors to limit the extent and type of audit testing needed.

7.18 Auditors may obtain an understanding of internal control through inquiries, observations, inspection of documents and records, review of other auditors’ reports, or direct tests. The procedures auditors perform to obtain an understanding of internal control may vary among audits based on audit objectives and audit risk. The extent of these procedures will vary based on the audit objectives, known or potential internal control risks or problems, and the auditors’ knowledge about internal control gained in prior audits.

7.19 The following discussion of the principal types of internal control objectives is intended to help auditors better understand internal controls and determine whether or to what extent they are significant to the audit objectives.

a. Effectiveness and efficiency of program operations: Controls over program operations include policies and procedures that the audited entity has implemented to provide reasonable assurance that a program meets its objectives, while considering cost-effectiveness and efficiency. Understanding these controls can help auditors understand the program operations that convert inputs and efforts to outputs and outcomes.

b. Relevance and reliability of information: Controls over the relevance and reliability of information include policies, procedures, and practices that officials of the audited entity have implemented to provide themselves reasonable assurance that operational and financial information they use for decision making and reporting

Page 132 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

externally is relevant and reliable and fairly disclosed in reports. Understanding these controls can help auditors (1) assess the risk that the information gathered by the entity may not be relevant or reliable and (2) design appropriate tests of the information considering the audit objectives.

c. Compliance with applicable laws and regulations and provisions of contracts or grant agreements: Controls over compliance include policies and procedures that the audited entity has implemented to provide reasonable assurance that program implementation is in accordance with laws, regulations, and provisions of contracts or grant agreements. Understanding the relevant controls concerning compliance with those laws and regulations and provisions of contracts or grant agreements that the auditors have determined are significant within the context of the audit objectives can help them assess the risk of illegal acts, violations of provisions of contracts or grant agreements, or abuse.

7.20 A subset of these categories of internal control objectives is the safeguarding of assets and resources. Controls over the safeguarding of assets and resources include policies and procedures that the audited entity has implemented to reasonably prevent or promptly detect unauthorized acquisition, use, or disposition of assets and resources.

7.21 In performance audits, a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, detect, or correct (1) impairments of effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations, on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is

Page 133 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

7.22 Internal auditing93 is an important part of overall governance, accountability, and internal control. A key role of many internal audit organizations is to provide assurance that internal controls are in place to adequately mitigate risks and achieve program goals and objectives. When an assessment of internal control is needed, the auditor may use the work of the internal auditors in assessing whether internal controls are effectively designed and operating effectively, and to prevent duplication of effort. (See paragraphs 7.41 through 7.43 for standards and guidance for using the work of other auditors.)

Information Systems Controls

7.23 Understanding information systems controls is important when information systems are used extensively throughout the program under audit and the fundamental business processes related to the audit objectives rely on information systems. Information systems controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. Information systems general controls are the policies and procedures that apply to all or a large segment of an entity’s information systems. General controls help

93Many government entities identify these internal auditing activities by other names, such as inspection, appraisal, investigation, organization and methods, or management analysis. These activities assist management by reviewing selected functions.

Page 134 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

ensure the proper operation of information systems by creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration management, segregation of duties, and contingency planning. Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Application controls include controls over input, processing, output, master data, application interfaces, and data management system interfaces.

7.24 An organization’s use of information systems controls may be extensive; however, auditors are primarily interested in those information systems controls that are significant to the audit objectives. Information systems controls are significant to the audit objectives if auditors determine that it is necessary to evaluate the effectiveness of information systems controls in order to obtain sufficient, appropriate evidence. When information systems controls are determined to be significant to the audit objectives, auditors should then evaluate the design and operating effectiveness of such controls. This evaluation would include other information systems controls that impact the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives.94

94Refer to additional criteria and guidance in Federal Information Controls Audit Manual (FISCAM), GAO/AIMD-12.19.6 (Washington, D.C.: January 1999) and IS Standards, Guidelines and Procedures for Auditing and Control Professionals, published by the Information Systems Audit and Control Association (ISACA).

Page 135 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

7.25 Audit procedures to evaluate the effectiveness of significant information systems controls include (1) gaining an understanding of the system as it relates to the information and (2) identifying and evaluating the general controls and application controls that are critical to providing assurance over the reliability of the information required for the audit.

7.26 The evaluation of information systems controls may be done in conjunction with the auditors’ consideration of internal control within the context of the audit objectives (see paragraphs 7.16 through 7.22), or as a separate audit objective or audit procedure, depending on the objectives of the audit. Depending on the significance of information systems controls to the audit objectives, the extent of audit procedures to obtain such an understanding may be limited or extensive. In addition, the nature and extent of audit risk related to information systems controls are affected by the nature of the hardware and software used, the configuration of the entity’s systems and networks, and the entity’s information systems strategy.

7.27 Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. The following factors may assist auditors in making this determination:

a. The extent to which internal controls that are significant to the audit depend on the reliability of information processed or generated by information systems.

b. The availability of evidence outside the information system to support the findings and conclusions: It may not be possible for auditors to obtain sufficient, appropriate evidence without evaluating the effectiveness of relevant information systems controls.

Page 136 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

For example, if information supporting the findings and conclusions is generated by information systems or its reliability is dependent on information systems controls, there may not be sufficient supporting or corroborating information or documentary evidence that is available other than that produced by the information systems.

c. The relationship of information systems controls to data reliability: To obtain evidence about the reliability of computer-generated information, auditors may decide to evaluate the effectiveness of information systems controls as part of obtaining evidence about the reliability of the data. If the auditor concludes that information systems controls are effective, the auditor may reduce the extent of direct testing of data.

d. Evaluating the effectiveness of information systems controls as an audit objective: When evaluating the effectiveness of information systems controls is directly a part of an audit objective, auditors should test information systems controls necessary to address the audit objectives. For example, the audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations.

Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse

Legal and Regulatory Requirements, Contracts, and Grants

7.28 Auditors should determine which laws, regulations, and provisions of contracts or grant agreements are significant within the context of the audit objectives and assess the risk that violations of those laws, regulations, and provisions of contracts or grant agreements could occur. Based on that risk assessment, the auditors

Page 137 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

should design and perform procedures to provide reasonable assurance of detecting instances of violations of legal and regulatory requirements or violations of provisions of contracts or grant agreements that are significant within the context of the audit objectives.

7.29 The auditors’ assessment of audit risk may be affected by such factors as the complexity or newness of the laws, regulations, and provisions of contracts or grant agreements. The auditors’ assessment of audit risk also may be affected by whether the entity has controls that are effective in preventing or detecting violations of laws, regulations, and provisions of contracts or grant agreements. If auditors obtain sufficient, appropriate evidence of the effectiveness of these controls, they can reduce the extent of their tests of compliance.

Fraud 7.30 In planning the audit, auditors should assess risks of fraud95 occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals’ incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud. Auditors should gather and assess information to identify risks of fraud that are significant within the scope of the audit objectives or that could affect the findings and conclusions. For example, auditors may obtain information through discussion with officials of the audited entity or through other means to determine the susceptibility of the program to fraud, the status of internal controls the entity has

95Fraud is a type of illegal act involving the obtaining of something of value through willful misrepresentation. Whether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond auditors’ professional responsibility.

Page 138 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

established to detect and prevent fraud, or the risk that officials of the audited entity could override internal control. An attitude of professional skepticism in assessing these risks assists auditors in assessing which factors or risks could significantly affect the audit objectives.

7.31 When auditors identify factors or risks related to fraud that has occurred or is likely to have occurred that they believe are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud. Assessing the risk of fraud is an ongoing process throughout the audit and relates not only to planning the audit but also to evaluating evidence obtained during the audit.

7.32 When information comes to the auditors’ attention indicating that fraud that is significant within the context of the audit objectives may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. If the fraud that may have occurred is not significant within the context of the audit objectives, the auditors may conduct additional audit work as a separate engagement, or refer the matter to other parties with oversight responsibility or jurisdiction.

Abuse 7.33 Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.

Page 139 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

Ongoing Investigations or Legal Proceedings

7.34 If during the course of the audit, auditors become aware of abuse that could be quantitatively or qualitatively significant to the program under audit, auditors should apply audit procedures specifically directed to ascertain the potential effect on the program under audit within the context of the audit objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts. Because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse.

7.35 Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Laws, regulations, or policies might require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before performing additional audit procedures. When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current audit. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the audit or a portion of the audit to avoid interfering with an investigation.

Previous Audits and Attestation Engagements

7.36 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, performance audits, or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors

Page 140 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives.

Identifying Audit Criteria

7.37 Auditors should identify criteria. Criteria represent the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Auditors should use criteria that are relevant to the audit objectives and permit consistent assessment of the subject matter.

7.38 The following are some examples of criteria:

a. purpose or goals prescribed by law or regulation or set by officials of the audited entity,

b. policies and procedures established by officials of the audited entity,

c. technically developed standards or norms,

d. expert opinions,

e. prior periods’ performance,

f. defined business practices,

g. contract or grant terms, and

Page 141 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

h. performance of other entities or sectors used as defined benchmarks.

Identifying Sources of Evidence and the

7.39 Auditors should identify potential sources of information that could be used as evidence. Auditors

Amount and Type of Evidence Required

should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work.

7.40 If auditors believe that it is likely that sufficient, appropriate evidence will not be available, they may revise the audit objectives or modify the scope and methodology and determine alternative procedures to obtain additional evidence or other forms of evidence to address the current audit objectives. Auditors should also evaluate whether the lack of sufficient, appropriate evidence is due to internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. (See paragraphs 7.55 through 7.71 for standards concerning evidence.)

Using the Work of Others

7.41 Auditors should determine whether other auditors have conducted, or are conducting, audits of the program that could be relevant to the current audit objectives. The results of other auditors’ work may be useful sources of information for planning and performing the audit. If other auditors have identified areas that warrant further audit work or follow-up, their work may influence the auditors’ selection of objectives, scope, and methodology.

7.42 If other auditors have completed audit work related to the objectives of the current audit, the current auditors may be able to use the work of the other auditors to support findings or conclusions for the current audit and, thereby, avoid duplication of efforts.

Page 142 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors’ qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors is adequate for reliance in the context of the current audit objectives. Procedures that auditors may perform in making this determination include reviewing the other auditors’ report, audit plan, or audit documentation, and/or performing tests of the other auditors’ work. The nature and extent of evidence needed will depend on the significance of the other auditors’ work to the current audit objectives and the extent to which the auditors will use that work.

7.43 Some audits may necessitate the use of specialized techniques or methods that require the skills of a specialist. If auditors intend to use the work of specialists, they should obtain an understanding of the qualifications and independence of the specialists. (See paragraph 3.05 for independence considerations when using the work of others.) Evaluating the professional qualifications of the specialist involves the following:

a. the professional certification, license, or other recognition of the competence of the specialist in his or her field, as appropriate;

b. the reputation and standing of the specialist in the views of peers and others familiar with the specialist’s capability or performance;

c. the specialist’s experience and previous work in the subject matter; and

d. the auditors’ prior experience in using the specialist’s work.

Page 143 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

Assigning Staff and Other Resources

7.44 Audit management should assign sufficient staff and specialists with adequate collective professional competence to perform the audit. (See paragraph 3.43 for a discussion of using specialists in a GAGAS audit.) Staffing an audit includes, among other things:

a. assigning staff and specialists with the collective knowledge, skills, and experience appropriate for the job,

b. assigning a sufficient number of staff and supervisors to the audit,

c. providing for on-the-job training of staff, and

d. engaging specialists when necessary.

7.45 If planning to use the work of a specialist, auditors should document the nature and scope of the work to be performed by the specialist, including

a. the objectives and scope of the specialist’s work,

b. the intended use of the specialist’s work to support the audit objectives,

c. the specialist’s procedures and findings so they can be evaluated and related to other planned audit procedures, and

d. the assumptions and methods used by the specialist.

Communicating with 7.46 Auditors should communicate an overview of the Management, Those objectives, scope, and methodology, and timing of the Charged with Governance, and Others

Page 144 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

performance audit96 and planned reporting (including any potential restrictions on the report) to the following, as applicable:

a. management of the audited entity, including those with sufficient authority and responsibility to implement corrective action in the program or activity being audited;

b. those charged with governance;97

c. the individuals contracting for or requesting audit services, such as contracting officials, grantees; and

d. when auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the audited entity, auditors should communicate with the legislative committee.

7.47 In situations in which those charged with governance are not clearly evident, auditors should document the process followed and conclusions reached for identifying those charged with governance.

7.48 Determining the form, content, and frequency of the communication is a matter of professional judgment, although written communication is preferred. Auditors may use an engagement letter to communicate the information. Auditors should document this communication.

96This does not apply when an element of surprise is critical to the audit objective, such as surprise audits, cash counts, or fraud-related procedures.

97Those charged with governance are those responsible for overseeing the strategic direction of the entity and the entity’s fulfillment of its obligations related to accountability. (See appendix I, paragraphs A1.05 through A1.07.)

Page 145 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

7.49 If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated. Determining whether and how to communicate the reason for terminating the audit to those charged with governance, appropriate officials of the audited entity, the entity contracting for or requesting the audit, and other appropriate officials will depend on the facts and circumstances and, therefore, is a matter of professional judgment.

Preparing the Audit Plan

7.50 Auditors must prepare a written audit plan for each audit. The form and content of the written audit plan may vary among audits and may include an audit strategy, audit program, project plan, audit planning paper, or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and the auditors’ basis for those decisions. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit.

7.51 A written audit plan provides an opportunity for the audit organization management to supervise audit planning and to determine whether

a. the proposed audit objectives are likely to result in a useful report,

b. the audit plan adequately addresses relevant risks,

c. the proposed audit scope and methodology are adequate to address the audit objectives,

d. available evidence is likely to be sufficient and appropriate for purposes of the audit, and

Page 146 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

e. sufficient staff, supervisors, and specialists with adequate collective professional competence and other resources are available to perform the audit and to meet expected time frames for completing the work.

Supervision 7.52 Audit supervisors or those designated to supervise auditors must properly supervise audit staff.

7.53 Audit supervision involves providing sufficient guidance and direction to staff assigned to the audit to address the audit objectives and follow applicable standards, while staying informed about significant problems encountered, reviewing the work performed, and providing effective on-the-job training.

7.54 The nature and extent of the supervision of staff and the review of audit work may vary depending on a number of factors, such as the size of the audit organization, the significance of the work, and the experience of the staff.

Obtaining Sufficient, Appropriate Evidence

7.55 Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions.

7.56 The concept of sufficient, appropriate evidence is integral to an audit. Appropriateness is the measure of the quality of evidence that encompasses its relevance, validity, and reliability in providing support for findings and conclusions related to the audit objectives. In assessing the overall appropriateness of evidence, auditors should assess whether the evidence is relevant, valid, and reliable. Sufficiency is a measure of the quantity of evidence used to support the findings and conclusions related to the audit objectives. In assessing the sufficiency of evidence, auditors should determine whether enough evidence has been obtained to

Page 147 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

persuade a knowledgeable person that the findings are reasonable.

7.57 In assessing evidence, auditors should evaluate whether the evidence taken as a whole is sufficient and appropriate for addressing the audit objectives and supporting findings and conclusions. Audit objectives may vary widely, as may the level of work necessary to assess the sufficiency and appropriateness of evidence to address the objectives. For example, in establishing the appropriateness of evidence, auditors may test its reliability by obtaining supporting evidence, using statistical testing, or obtaining corroborating evidence. The concepts of audit risk and significance assist auditors with evaluating the audit evidence.

7.58 Professional judgment assists auditors in determining the sufficiency and appropriateness of evidence taken as a whole. Interpreting, summarizing, or analyzing evidence is typically used in the process of determining the sufficiency and appropriateness of evidence and in reporting the results of the audit work. When appropriate, auditors may use statistical methods to analyze and interpret evidence to assess its sufficiency.

Appropriateness 7.59 Appropriateness is the measure of the quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions. (See appendix I, paragraph A7.03 for additional guidance regarding assessing the appropriateness of evidence in relation to the audit objectives.)

a. Relevance refers to the extent to which evidence has a logical relationship with, and importance to, the issue being addressed.

Page 148 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

b. Validity refers to the extent to which evidence is based on sound reasoning or accurate information.

c. Reliability refers to the consistency of results when information is measured or tested and includes the concepts of being verifiable or supported.

7.60 There are different types and sources of evidence that auditors may use, depending on the audit objectives. Evidence may be obtained by observation, inquiry, or inspection. Each type of evidence has its own strengths and weaknesses. (See appendix I, paragraph A7.02 for additional guidance regarding the types of evidence.) The following contrasts are useful in judging the appropriateness of evidence. However, these contrasts are not adequate in themselves to determine appropriateness. The nature and types of evidence to support auditors’ findings and conclusions are matters of the auditors’ professional judgment based on the audit objectives and audit risk.

a. Evidence obtained when internal control is effective is generally more reliable than evidence obtained when internal control is weak or nonexistent.

b. Evidence obtained through the auditors’ direct physical examination, observation, computation, and inspection is generally more reliable than evidence obtained indirectly.

c. Examination of original documents is generally more reliable than examination of copies.

d. Testimonial evidence obtained under conditions in which persons may speak freely is generally more reliable than evidence obtained under circumstances in which the persons may be intimidated.

Page 149 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

e. Testimonial evidence obtained from an individual who is not biased and has direct knowledge about the area is generally more reliable than testimonial evidence obtained from an individual who is biased or has indirect or partial knowledge about the area.

f. Evidence obtained from a knowledgeable, credible, and unbiased third party is generally more reliable than evidence from management of the audited entity or others who have a direct interest in the audited entity.

7.61 Testimonial evidence may be useful in interpreting or corroborating documentary or physical information. Auditors should evaluate the objectivity, credibility, and reliability of the testimonial evidence. Documentary evidence may be used to help verify, support, or challenge testimonial evidence.

7.62 Surveys generally provide self-reported information about existing conditions or programs. Evaluation of the survey design and administration assists auditors in evaluating the objectivity, credibility, and reliability of the self-reported information.

7.63 When sampling is used, the method of selection that is appropriate will depend on the audit objectives. When a representative sample is needed, the use of statistical sampling approaches generally results in stronger evidence than that obtained from nonstatistical techniques. When a representative sample is not needed, a targeted selection may be effective if the auditors have isolated certain risk factors or other criteria to target the selection.

7.64 When auditors use information gathered by officials of the audited entity as part of their evidence, they should determine what the officials of the audited entity or other auditors did to obtain assurance over the reliability of the information. The auditor may find it

Page 150 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

necessary to perform testing of management’s procedures to obtain assurance or perform direct testing of the information. The nature and extent of the auditors’ procedures will depend on the significance of the information to the audit objectives and the nature of the information being used.

7.65 Auditors should assess the sufficiency and appropriateness of computer-processed information regardless of whether this information is provided to auditors or auditors independently extract it. The nature, timing, and extent of audit procedures to assess sufficiency and appropriateness is affected by the effectiveness of the entity’s internal controls over the information, including information systems controls, and the significance of the information and the level of detail presented in the auditors’ findings and conclusions in light of the audit objectives. (See paragraphs 7.23 through 7.27 for additional discussion on assessing the effectiveness of information systems controls.)

Sufficiency 7.66 Sufficiency is a measure of the quantity of evidence used for addressing the audit objectives and supporting findings and conclusions. Sufficiency also depends on the appropriateness of the evidence. In determining the sufficiency of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions.

7.67 The following presumptions are useful in judging the sufficiency of evidence. The sufficiency of evidence required to support the auditors’ findings and conclusions is a matter of the auditors’ professional judgment.

Page 151 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

a. The greater the audit risk, the greater the quantity and quality of evidence required.

b. Stronger evidence may allow less evidence to be used.

c. Having a large volume of audit evidence does not compensate for a lack of relevance, validity, or reliability.

Overall Assessment of Evidence

7.68 Auditors should determine the overall sufficiency and appropriateness of evidence to provide a reasonable basis for the findings and conclusions, within the context of the audit objectives. Professional judgments about the sufficiency and appropriateness of evidence are closely interrelated, as auditors interpret the results of audit testing and evaluate whether the nature and extent of the evidence obtained is sufficient and appropriate. Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments conducted to conclude on the validity and reliability of specific evidence.

7.69 Sufficiency and appropriateness of evidence are relative concepts, which may be thought of in terms of a continuum rather than as absolutes. Sufficiency and appropriateness are evaluated in the context of the related findings and conclusions. For example, even though the auditors may have some limitations or uncertainties about the sufficiency or appropriateness of some of the evidence, they may nonetheless determine that in total there is sufficient, appropriate evidence to support the findings and conclusions.

7.70 When assessing the sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions, available

Page 152 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

corroborating evidence, and the level of audit risk. The steps to assess evidence may depend on the nature of the evidence, how the evidence is used in the audit or report, and the audit objectives.

a. Evidence is sufficient and appropriate when it provides a reasonable basis for supporting the findings or conclusions within the context of the audit objectives.

b. Evidence is not sufficient or not appropriate when (1) using the evidence carries an unacceptably high risk that it could lead to an incorrect or improper conclusion, (2) the evidence has significant limitations, given the audit objectives and intended use of the evidence, or (3) the evidence does not provide an adequate basis for addressing the audit objectives or supporting the findings and conclusions. Auditors should not use such evidence as support for findings and conclusions.

7.71 Evidence has limitations or uncertainties when the validity or reliability of the evidence has not been assessed or cannot be assessed, given the audit objectives and the intended use of the evidence. Limitations also include errors identified by the auditors in their testing. When the auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, they should apply additional procedures, as appropriate. Such procedures include

a. seeking independent, corroborating evidence from other sources;

b. redefining the audit objectives or limiting the audit scope to eliminate the need to use the evidence;

c. presenting the findings and conclusions so that the supporting evidence is sufficient and appropriate and

Page 153 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

describing in the report the limitations or uncertainties with the validity or reliability of the evidence, if such disclosure is necessary to avoid misleading the report users about the findings or conclusions (see paragraph 8.15 for additional reporting requirements when there are limitations or uncertainties with the validity or reliability of evidence); or

d. determining whether to report the limitations or uncertainties as a finding, including any related, significant internal control deficiencies.

Developing Elements of a Finding

7.72 Auditors should plan and perform procedures to develop the elements of a finding necessary to address the audit objectives. In addition, if auditors are able to sufficiently develop the elements of a finding, they should develop recommendations for corrective action if they are significant within the context of the audit objectives. The elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are addressed and the report clearly relates those objectives to the elements of a finding. For example, an audit objective may be limited to determining the current status or condition of program operations or progress in implementing legislative requirements, and not the related cause or effect. In this situation, developing the condition would address the audit objective and development of the other elements of a finding would not be necessary.

7.73 The element of criteria is discussed in paragraphs 7.37 and 7.38, and the other elements of a finding— condition, effect, and cause--are discussed in paragraphs 7.74 through 7.76.

Page 154 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

7.74 Condition: Condition is a situation that exists. The condition is determined and documented during the audit.

7.75 Cause: The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference. When the audit objectives include explaining why a particular type of positive or negative program performance, output, or outcome identified in the audit occurred, they are referred to as “cause.” Identifying the cause of problems may assist auditors in making constructive recommendations for correction. Because problems can result from a number of plausible factors or multiple causes, the recommendation can be more persuasive if auditors can clearly demonstrate and explain with evidence and reasoning the link between the problems and the factor or factors they have identified as the cause or causes. Auditors may identify deficiencies in program design or structure as the cause of deficient performance. Auditors may also identify deficiencies in internal control that are significant to the subject matter of the performance audit as the cause of deficient performance. In developing these types of findings, the deficiencies in program design or internal control would be described as the “cause.” Often the causes of deficient program performance are complex and involve multiple factors, including fundamental, systemic root causes. Alternatively, when the audit objectives include estimating the program’s effect on changes in physical,

Page 155 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

social, or economic conditions, auditors seek evidence of the extent to which the program itself is the “cause” of those changes.

7.76 Effect or potential effect: The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, “effect” is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks. When the audit objectives include estimating the extent to which a program has caused changes in physical, social, or economic conditions, “effect” is a measure of the impact achieved by the program. In this case, effect is the extent to which positive or negative changes in actual physical, social, or economic conditions can be identified and attributed to the program.

Audit 7.77 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Documentation Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor,98

having no previous connection to the audit, to

98An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to perform the performance audit. These competencies and skills include an understanding of (1) the performance audit processes, (2) GAGAS and applicable legal and regulatory requirements, (3) the subject matter associated with achieving the audit objectives, and (4) issues related to the audited entity’s environment.

Page 156 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

understand from the audit documentation the nature, timing, extent, and results of audit procedures performed, the audit evidence obtained and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions. Auditors should prepare audit documentation that contains support for findings, conclusions, and recommendations before they issue their report.

7.78 Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors’ professional judgment.

7.79 Audit documentation is an essential element of audit quality. The process of preparing and reviewing audit documentation contributes to the quality of an audit. Audit documentation serves to (1) provide the principal support for the auditors’ report, (2) aid auditors in conducting and supervising the audit, and (3) allow for the review of audit quality.

7.80 Under GAGAS, auditors should document the following:

a. the objectives, scope, and methodology of the audit;

Page 157 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

b. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined;99 and

c. evidence of supervisory review, before the audit report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the audit report.

7.81 When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors’ conclusions. This applies to departures from both mandatory requirements and presumptively mandatory requirements when alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard. (See paragraphs 1.12 and 1.13.)

7.82 Audit organizations should establish policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention. Whether audit documentation is in paper, electronic, or other media, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors’ knowledge, or if the documentation is lost or damaged. For audit documentation that is retained electronically, the audit

99Auditors may meet this requirement by listing file numbers, case numbers, or other means of identifying specific documents they examined. They are not required to include copies of documents they examined as part of the audit documentation, nor are they required to list detailed information from those documents.

Page 158 GAO-07-731G Government Auditing Standards

Chapter 7

Field Work Standards for

Performance Audits

organization should establish information systems controls concerning accessing and updating the audit documentation.

7.83 Underlying GAGAS audits is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to perform audits in accordance with GAGAS cooperate in auditing programs of common interest so that auditors may use others’ work and avoid duplication of efforts. Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as audit documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives. The use of auditors’ work by other auditors may be facilitated by contractual arrangements for GAGAS audits that provide for full and timely access to appropriate individuals, as well as audit documentation.

7.84 Audit organizations should develop policies to deal with requests by outside parties to obtain access to audit documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the audited entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any.

Page 159 GAO-07-731G Government Auditing Standards

Chapter 8

Chapter 8

Reporting Standards for Performance Audits

Introduction 8.01 This chapter establishes reporting standards and provides guidance for performance audits conducted in accordance with generally accepted government auditing standards (GAGAS). The reporting standards for performance audits relate to the form of the report, the report contents, and report issuance and distribution.

8.02 For performance audits performed in accordance with GAGAS, chapters 1 through 3 and 7 and 8 apply.

Reporting 8.03 Auditors must issue audit reports communicating the results of each completed performance audit.

8.04 Auditors should use a form of the audit report that is appropriate for its intended use and is in writing or in some other retrievable form. (See paragraph 8.42 for situations when audit organizations are subject to public records laws.) For example, auditors may present audit reports using electronic media that are retrievable by report users and the audit organization. The users’ needs will influence the form of the audit report. Different forms of audit reports include written reports, letters, briefing slides, or other presentation materials.

8.05 The purposes of audit reports are to (1) communicate the results of audits to those charged with governance, the appropriate officials of the audited entity, and the appropriate oversight officials; (2) make the results less susceptible to misunderstanding; (3) make the results available to the public, as applicable (see paragraph 8.39 for additional guidance on classified or limited use reports and paragraph 8.43b for distribution of reports for internal auditors); and (4) facilitate follow-up to determine whether appropriate corrective actions have been taken.

Page 160 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

8.06 If an audit is terminated before it is completed and an audit report is not issued, auditors should follow the guidance in paragraph 7.49.

8.07 If after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate with those charged with governance, the appropriate officials of the audited entity, and the appropriate officials of the organizations requiring or arranging for the audits, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors’ publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to conduct additional audit work necessary to reissue the report with revised findings or conclusions.

Report Contents 8.08 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a statement about the auditors’ compliance with GAGAS; (4) a summary of the views of responsible officials; and (5) if applicable, the nature of any confidential or sensitive information omitted.

Objectives, Scope, and Methodology

8.09 Auditors should include in the report a description of the audit objectives and the scope and methodology used for addressing the audit objectives. Report users need this information to understand the purpose of the audit, the nature and extent of the audit work performed, the context and perspective regarding what is reported, and any significant limitations in audit objectives, scope, or methodology.

Page 161 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

8.10 Audit objectives for performance audits may vary widely. Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions, including why the audit organization undertook the assignment and the underlying purpose of the audit and resulting report. When audit objectives are limited and broader objectives can be inferred by users, stating in the audit report that certain issues were outside the scope of the audit can avoid potential misunderstanding.

8.11 Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that they could reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of access to certain records or individuals.

8.12 In describing the work conducted to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify organizations, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors’ overall assessment of the sufficiency and appropriateness of the evidence in the aggregate.

8.13 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence gathering and analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. When the auditors used extensive or multiple sources of

Page 162 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

information, the auditors may include a description of the procedures performed as part of their assessment of the sufficiency and appropriateness of information used as audit evidence. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when sampling significantly supports the auditors’ findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population.

Reporting Findings 8.14 In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Clearly developed findings, as discussed in paragraphs 7.72 through 7.76, assist management or oversight officials of the audited entity in understanding the need for taking corrective action. If auditors are able to sufficiently develop the elements of a finding, they should provide recommendations for corrective action if they are significant within the context of the audit objectives. However, the extent to which the elements for a finding are developed depends on the audit objectives. Thus, a finding or set of findings is complete to the extent that the auditors address the audit objectives.

8.15 Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions. As discussed in chapter 7, even though the auditors may have some uncertainty about the sufficiency or appropriateness of some of the evidence, they may nonetheless determine that in total there is sufficient, appropriate evidence given the findings and

Page 163 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

conclusions. Auditors should describe the limitations or uncertainties regarding evidence in conjunction with the findings and conclusions, in addition to describing those limitations or uncertainties as part of the objectives, scope, and methodology. Additionally, this description provides report users with a clear understanding regarding how much responsibility the auditors are taking for the information.

8.16 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value, or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately.

8.17 Auditors may provide selective background information to establish the context for the overall message and to help the reader understand the findings and significance of the issues discussed.100 When reporting on the results of their work, auditors should disclose significant facts relevant to the objectives of their work and known to them which, if not disclosed, could mislead knowledgeable users, misrepresent the results, or conceal significant improper or illegal practices.

100Appropriate background information may include information on how programs and operations work; the significance of programs and operations (e.g., dollars, impact, purposes, and past audit work, if relevant); a description of the audited entity’s responsibilities; and explanation of terms, organizational structure, and the statutory basis for the program and operations.

Page 164 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

Deficiencies in Internal Control

8.18 Auditors should report deficiencies101 in internal control that are significant within the context of the objectives of the audit, all instances of fraud, illegal acts102 unless they are inconsequential within the context of the audit objectives, significant violations of provisions of contracts or grant agreements, and significant abuse that have occurred or are likely to have occurred.

8.19 Auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. When auditors detect deficiencies in internal control that are not significant to the objectives of the audit, they may include those deficiencies in the report or communicate those deficiencies in writing to officials of the audited entity unless the deficiencies are inconsequential considering both qualitative and quantitative factors. Auditors should refer to that written communication in the audit report, if the written communication is separate from the audit report. Determining whether or how to communicate to officials of the audited entity deficiencies that are inconsequential within the context of the audit objectives is a matter of professional judgment. Auditors should document such communications.

101As discussed in paragraph 7.21, in performance audits, a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect (1) misstatements in financial or performance information, (2) violations of laws and regulations, or (3) impairments of effectiveness or efficiency of operations, on a timely basis.

102Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Disclosing matters that have led auditors to conclude that an illegal act is likely to have occurred is not a final determination of illegality.

Page 165 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

8.20 In a performance audit, auditors may conclude that identified deficiencies in internal control that are significant within the context of the audit objectives are the cause of deficient performance of the program or operations being audited. In reporting this type of finding, the internal control deficiency would be described as the cause.

8.21 When auditors conclude, based on sufficient, appropriate evidence, that fraud, illegal acts, significant violations of provisions of contracts or grant agreements, or significant abuse either has occurred or is likely to have occurred, they should report the matter as a finding.

8.22 When auditors detect violations of provisions of contracts or grant agreements, or abuse that are not significant, they should communicate those findings in writing to officials of the audited entity unless the findings are inconsequential within the context of the audit objectives, considering both qualitative and quantitative factors. Determining whether or how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of the auditors’ professional judgment. Auditors should document such communications.

8.23 When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings, and for example, report only on information that is already a part of the public record.

Page 166 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

Reporting Findings Directly to Parties Outside the Audited Entity

8.24 Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances.103

a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the information directly to the specified external parties.

b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is significant to the findings and conclusions, and (2) involves funding received directly or indirectly from a government agency, auditors should first report management’s failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the entity’s failure to take timely and appropriate steps directly to the funding agency.

8.25 The reporting in paragraph 8.24 is in addition to any legal requirements to report such information directly to parties outside the audited entity. Auditors

103Internal audit organizations do not have a duty to report outside the entity unless required by law, rule, regulation, or policy. (See paragraph 8.43b for reporting standards for internal audit organizations when reporting externally.)

Page 167 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

should comply with these requirements even if they have resigned or been dismissed from the audit prior to its completion.

8.26 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by management of the audited entity that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 8.24.

Conclusions 8.27 Auditors should report conclusions, as applicable, based on the audit objectives and the audit findings. Report conclusions are logical inferences about the program based on the auditors’ findings, not merely a summary of the findings. The strength of the auditors’ conclusions depends on the sufficiency and appropriateness of the evidence supporting the findings and the soundness of the logic used to formulate the conclusions. Conclusions are stronger if they lead to the auditors’ recommendations and convince the knowledgeable user of the report that action is necessary.

Recommendations 8.28 Auditors should recommend actions to correct problems identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified problems, and clearly state the actions recommended.

8.29 Effective recommendations encourage improvements in the conduct of government programs and operations. Recommendations are effective when

Page 168 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

they are addressed to parties that have the authority to act and when the recommended actions are specific, practical, cost effective, and measurable.

Reporting Auditors’ Compliance with GAGAS

8.30 When auditors comply with all applicable GAGAS requirements, they should use the following language, which represents an unmodified GAGAS compliance statement, in the audit report to indicate that they performed the audit in accordance with GAGAS. (See paragraphs 1.12 and 1.13.)

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

8.31 When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in 8.30, modified to indicate the standards that were not followed or (2) language that the auditor did not follow GAGAS. (See paragraphs 1.12 and 1.13 for additional standards on citing compliance with GAGAS.)

Reporting Views of Responsible Officials

8.32 Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors’ findings, conclusions, and recommendations, but also the perspectives of the

Page 169 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

responsible officials of the audited entity and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable.

8.33 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials’ written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated.

8.34 Auditors should also include in the report an evaluation of the comments, as appropriate. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received.

8.35 Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user’s needs; auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with the findings, conclusions, and recommendations in the draft report, or major controversies with regard to the issues discussed in the draft report.

8.36 When the audited entity’s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors’ recommendations, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, they should

Page 170 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence.

8.37 If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.

Reporting Confidential or Sensitive Information

8.38 If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that makes the omission necessary.

8.39 Certain information may be classified or may be otherwise prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.

8.40 Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the

Page 171 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

auditors’ recommendations. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.

8.41 Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices.

8.42 When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. For example, the auditors may communicate general information in a written report and communicate detailed information verbally. The auditor may consult with legal counsel regarding applicable public records laws.

Distributing Reports

8.43 Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. (See paragraphs 8.38 through 8.42 for additional guidance on limited report distribution.) Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS:

Page 172 GAO-07-731G Government Auditing Standards

Chapter 8

Reporting Standards for Performance

Audits

a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports.

b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice

of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users of the report.

c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public.

Page 173 GAO-07-731G Government Auditing Standards

Appendix I

Appendix ISupplemental Guidance

Introduction A.01 The following sections provide supplemental guidance for auditors and the audited entities to assist in the implementation of generally accepted government auditing standards (GAGAS). The guidance does not establish additional requirements but instead is intended to facilitate auditor implementation of GAGAS in chapters 1 through 8. The supplemental guidance in the first section may be of assistance for all types of audits and engagements covered by GAGAS. Subsequent sections provide supplemental guidance for specific chapters of GAGAS, as indicated.

Overall Supplemental Guidance

A.02 Chapters 4 through 8 discuss the field work and reporting standards for financial audits, attestation engagements, and performance audits. The identification of significant deficiencies in internal control, significant abuse, fraud risks, illegal acts, and significant violations of provisions of contracts or grant agreements are important aspects of government auditing. The following discussion is provided to assist auditors in identifying significant deficiencies in internal control, abuse, and indicators of fraud risk and to assist auditors in determining whether illegal acts and violations of provisions of contracts or grant agreements are significant within the context of the audit objectives.

Examples of Deficiencies in Internal Control

A.03 GAGAS contain requirements for reporting identified deficiencies in internal control.

• For financial audits, see paragraphs 5.10 through 5.14.

• For attestation engagements, see paragraphs 6.33 through 6.35.

• For performance audits, see paragraphs 8.18 through 8.20.

Page 174 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

A.04 The following are examples of control deficiencies:

a. Insufficient control consciousness within the organization, for example the tone at the top and the control environment. Control deficiencies in other components of internal control could lead the auditor to conclude that weaknesses exist in the control environment.

b. Ineffective oversight by those charged with governance of the entity’s financial reporting, performance reporting, or internal control, or an ineffective overall governance structure.

c. Control systems that did not prevent or detect material misstatements so that it was later necessary to restate previously issued financial statements or operational results. Control systems that did not prevent or detect material misstatements in performance or operational results so that it was later necessary to make significant corrections to those results.

d. Control systems that did not prevent or detect material misstatements identified by the auditor. This includes misstatements involving estimation and judgment for which the auditor identifies potential material adjustments and corrections of the recorded amounts.

e. An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for a very large or highly complex entity.

f. Identification of fraud of any magnitude on the part of senior management.

Page 175 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

g. Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either to correct it or to conclude that it will not be corrected.

h. Inadequate controls for the safeguarding of assets.

i. Evidence of intentional override of internal control by those in authority to the detriment of the overall objectives of the system.

j. Deficiencies in the design or operation of internal control that could result in violations of laws, regulations, provisions of contracts or grant agreements, fraud, or abuse having a direct and material effect on the financial statements or the audit objective.

k. Inadequate design of information systems general and application controls that prevent the information system from providing complete and accurate information consistent with financial or performance reporting objectives and other current needs.

l. Failure of an application control caused by a deficiency in the design or operation of an information systems general control.

m. Employees or management who lack the qualifications and training to fulfill their assigned functions.

Examples of Abuse A.05 GAGAS contain requirements for responding to indications of material abuse and reporting abuse that is material to the audit objectives.

• For financial audits, see paragraphs 4.12 and 4.13 and paragraphs 5.15 through 5.17.

Page 176 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

• For attestation engagements, see paragraphs 6.13c and 6.14 and paragraphs 6.36c through 6.38.

• For performance audits, see paragraphs 7.33 and 7.34 and paragraphs 8.21 through 8.23.

A.06 The following are examples of abuse, depending on the facts and circumstances:

a. Creating unneeded overtime.

b. Requesting staff to perform personal errands or work tasks for a supervisor or manager.

c. Misusing the official’s position for personal gain (including actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an official’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the official serves as an officer, director, trustee, or employee; or an organization with which the official is negotiating concerning future employment).

d. Making travel choices that are contrary to existing travel policies or are unnecessarily extravagant or expensive.

e. Making procurement or vendor selections that are contrary to existing policies or are unnecessarily extravagant or expensive.

Examples of A.07 GAGAS contain requirements relating to Indicators of Fraud evaluating fraud risk. Risk

• For financial audits, see paragraphs 4.27 and 4.28 and paragraphs 5.15 through 5.17.

Page 177 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

• For attestation engagements, see paragraphs 6.13a and b and paragraphs 6.36 through 6.38.

• For performance audits, see paragraphs 7.30 through 7.32 and paragraphs 8.21 through 8.23.

A.08 In some circumstances, conditions such as the following might indicate a heightened risk of fraud:

a. the entity’s financial stability, viability, or budget is threatened by economic, programmatic, or entity operating conditions;

b. the nature of the audited entity’s operations provide opportunities to engage in fraud;

c. inadequate monitoring by management for compliance with policies, laws, and regulations;

d. the organizational structure is unstable or unnecessarily complex;

e. lack of communication and/or support for ethical standards by management;

f. management has a willingness to accept unusually high levels of risk in making significant decisions;

g. a history of impropriety, such as previous issues with fraud, waste, abuse, or questionable practices, or past audits or investigations with findings of questionable or criminal activity;

h. operating policies and procedures have not been developed or are outdated;

i. key documentation is lacking or does not exist;

Page 178 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

j. lack of asset accountability or safeguarding procedures;

k. improper payments;

l. false or misleading information;

m. a pattern of large procurements in any budget line with remaining funds at year end, in order to “use up all of the funds available”; and

n. unusual patterns and trends in contracting, procurement, acquisition, and other activities of the entity or program under audit.

Determining Whether Laws, Regulations, or Provisions of

A.09 GAGAS contain requirements for determining whether laws, regulations, or provisions of contracts or grant agreements are significant within the context of

Contracts or Grant the audit objectives. Agreements Are Significant within the Context of the Audit

• For financial audits, see paragraphs 4.10 and 4.11.

Objectives • For attestation engagements, see paragraphs 6.13a and b.

• For performance audits, see paragraphs 7.28 and 7.29.

A.10 Government programs are subject to many laws, regulations, and provisions of contracts or grant agreements. At the same time, their significance within the context of the audit objectives varies widely, depending on the objectives of the audit. Auditors may find the following approach helpful in assessing whether laws, regulations, or provisions of contracts or grant agreements are significant within the context of the audit objectives:

Page 179 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

a. Express each audit objective in terms of questions about specific aspects of the program being audited (that is, purpose and goals, internal control, inputs, program operations, outputs, and outcomes).

b. Identify laws, regulations, and provisions of contracts or grant agreements that directly relate to specific aspects of the program within the context of the audit objectives.

c. Determine if the audit objectives or the auditors’ conclusions could be significantly affected if violations of those laws, regulations, or provisions of contracts or grant agreements occurred. If the audit objectives or audit conclusions could be significantly affected, then those laws, regulations, and provisions of contracts or grant agreements are likely to be significant to the audit objectives.

A.11 Auditors may consult with either their own or management’s legal counsel to (1) determine those laws and regulations that are significant to the audit objectives, (2) design tests of compliance with laws and regulations, or (3) evaluate the results of those tests. Auditors also may consult with either their own or management’s legal counsel when audit objectives require testing compliance with provisions of contracts or grant agreements. Depending on the circumstances of the audit, auditors may consult with others, such as investigative staff, other audit organizations or government entities that provided professional services to the audited entity, or applicable law enforcement authorities, to obtain information on compliance matters.

Information to A1.01 Chapter 1 discusses the use and application of

Accompany GAGAS and the role of auditing in government accountability. Those charged with governance and Chapter 1

Page 180 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

management of audited organizations also have roles in government accountability. The discussion that follows is provided to assist auditors in understanding the roles of others in accountability. The following section also contains background information on the laws, regulations, and guidelines that require the use of GAGAS. This information is provided to place GAGAS within the context of overall government accountability.

Laws, Regulations, and Guidelines That Require Use of GAGAS

A1.02 Laws, regulations, contracts, grant agreements, or policies frequently require the use of GAGAS. (See paragraph 1.04.) The following are among the laws, regulations, and guidelines that require the use of GAGAS:

a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. requires that the statutorily appointed federal inspectors general comply with GAGAS for audits of federal establishments, organizations, programs, activities, and functions. The act further states that the inspectors general shall take appropriate steps to assure that any work performed by nonfederal auditors complies with GAGAS.

b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as expanded by the Government Management Reform Act of 1994 (Public Law 103-356), requires that GAGAS be followed in audits of executive branch departments’ and agencies’ financial statements. The Accountability of Tax Dollars Act of 2002 (Public Law 107-289) extends this requirement to most executive agencies not subject to the Chief Financial Officers Act unless they are exempted for a given year by the Office of Management and Budget (OMB).

c. The Single Audit Act Amendments of 1996 (Public Law 104-156) require that GAGAS be followed in audits of state and local governments and nonprofit entities

Page 181 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

that receive federal awards.104 OMB Circular No. A-133, Audits of States, Local Governments, and Non-Profit

Organizations, which provides the governmentwide guidelines and policies on performing audits to comply with the Single Audit Act, also requires the use of GAGAS.

A1.03 Other laws, regulations, or other authoritative sources may require the use of GAGAS. For example, auditors at the state and local levels of government may be required by state and local laws and regulations to follow GAGAS. Also, auditors may be required by the terms of an agreement or contract to follow GAGAS. Auditors may also be required to follow GAGAS by federal audit guidelines pertaining to program requirements, such as those issued for Housing and Urban Development programs and Student Financial Aid programs. Being alert to such other laws, regulations, or authoritative sources may assist auditors in performing their work in accordance with the required standards.

A1.04 Even if not required to do so, auditors may find it useful to follow GAGAS in performing audits of federal, state, and local government programs as well as in performing audits of government awards administered by contractors, nonprofit entities, and other nongovernment entities. Many audit organizations not formally required to do so, both in the United States of America and in other countries, voluntarily follow GAGAS.

104Under the Single Audit Act, as amended, federal awards include federal financial assistance (grants, loans, loan guarantees, property, cooperative agreements, interest subsidies, insurance, food commodities, direct appropriations, or other assistance) and cost-reimbursement contracts.

Page 182 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

The Role of Those Charged with Governance in

A1.05 During the course of GAGAS audits, auditors communicate with those charged with governance.

Accountability • For financial audits, see paragraphs 4.05 and 4.06.

• For attestation engagements, see paragraphs 6.06 through 6.08.

• For performance audits, see paragraphs 7.46 through 7.49.

A1.06 Those charged with governance have the duty to oversee the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting process, subject matter, or program under audit including related internal controls. In certain entities covered by GAGAS, those charged with governance also may be part of the entity’s management. In some audit entities, multiple parties may be charged with governance, including oversight bodies, members or staff of legislative committees, boards of directors, audit committees, or parties contracting for the audit.

A1.07 Because the governance structures of government entities and organizations can vary widely, it may not always be clearly evident who is charged with key governance functions. In these situations, auditors evaluate the organizational structure for directing and controlling operations to achieve the entity’s objectives. This evaluation also includes how the government entity delegates authority and establishes accountability for its management personnel.

Management’s Role A1.08 Government managers have fundamental in Accountability responsibilities for carrying out government functions.

(See paragraph 1.02.) Management of the audited entity is responsible for

Page 183 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

a. using government resources legally, effectively, efficiently, economically, ethically, and equitably to achieve the purposes for which the resources were furnished or the program was established;105

b. complying with applicable laws and regulations (including identifying the requirements with which the entity and the official are responsible for compliance);

c. implementing systems designed to achieve compliance with applicable laws and regulations;

d. establishing and maintaining effective internal control to help ensure that appropriate goals and objectives are met; using resources efficiently, economically, effectively, and equitably, and safeguarding resources; following laws and regulations; and ensuring that management and financial information is reliable and properly reported;

e. providing appropriate reports to those who oversee their actions and to the public in order to demonstrate accountability for the resources and authority used to carry out government programs and the results of these programs;

f. addressing the findings and recommendations of auditors, and for establishing and maintaining a process to track the status of such findings and recommendations;

g. following sound procurement practices when contracting for audits and attestation engagements,

105This responsibility applies to all resources, both financial and physical, as well as informational resources, whether entrusted to public officials or others by their own constituencies or by other levels of government.

Page 184 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

including ensuring procedures are in place for monitoring contract performance; and

h. taking timely and appropriate steps to remedy fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that auditors report to it.

Information to Accompany Chapter 3

A3.01 Chapter 3 discusses the general standards applicable to financial audits, attestation engagements, and performance audits under GAGAS. Auditors may also provide professional services, other than audits and attestation engagements, which are sometimes referred to as nonaudit services or consulting services. GAGAS do not cover nonaudit services since such services are not audits or attestation engagements. If an audit organization decides to perform nonaudit services, their independence for performing audits or attestation engagements may be impacted. Nonaudit services which may impair or do impair auditor independence are discussed in chapter 3. (See paragraphs 3.20 through 3.30.) The following supplemental guidance is provided to assist auditors and audited entities in identifying nonaudit services that are often provided by audit organizations in government entities without impairing their independence with respect to entities for which they provide audits or attestation engagements.

Nonaudit Services A3.02 Audit organizations in government entities frequently provide nonaudit services that differ from the traditional professional services provided by an accounting or consulting firm to or for the audited entity. These types of nonaudit services are often performed in response to a statutory requirement, at the discretion of the authority of the audit organization, or for a legislative oversight body or an independent external organization and do not impair auditor independence. (See paragraphs 3.20 through 3.30 for the

Page 185 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

requirements for evaluating whether nonaudit services impair auditor independence.)

A3.03 Examples of these types of services include the following:

a. providing information or data to a requesting party without auditor evaluation or verification of the information or data;

b. developing standards, methodologies, audit guides, audit programs, or criteria for use throughout the government or for use in certain specified situations;

c. collaborating with other professional organizations to advance auditing of government entities and programs;

d. developing question and answer documents to promote understanding of technical issues or standards;

e. providing assistance and technical expertise to legislative bodies or independent external organizations and assisting legislative bodies by developing questions for use at a hearing;

f. providing training, speeches, and technical presentations;

g. developing surveys, collecting responses on behalf of others, and reporting results as “an independent third party”;

h. providing oversight assistance in reviewing budget submissions;

i. contracting for audit services on behalf of an audited entity and overseeing the audit contract, as long as the overarching principles are not violated and the auditor

Page 186 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

under contract reports to the audit organization and not to management;

j. identifying good business practices for users in evaluating program or management system approaches, including financial and information management systems; and

k. providing audit, investigative, and oversight-related services that do not involve a GAGAS audit (but which could be performed as an audit, if the audit organization elects to do so), such as

(1) investigations of alleged fraud, violation of contract provisions or grant agreements, or abuse;

(2) review-level work such as sales tax reviews that are designed to review whether governmental entities receive from businesses, merchants, and vendors all of the sales taxes to which they are entitled;

(3) periodic audit recommendation follow-up engagements and reports;

(4) identifying best practices or leading practices for use in advancing the practices of government organizations;

(5) analyzing cross-cutting and emerging issues; and

(6) providing forward-looking analysis involving programs.

System of Quality Control

A3.04 Chapter 3 discusses the elements of an audit organization’s system of quality control. The following supplemental guidance is provided to assist auditors and audit organizations in establishing policies and procedures in its system of quality control to address the

Page 187 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

following elements from paragraph 3.53: (1) audit and attestation engagement performance, documentation, and reporting and (2) monitoring of quality.

a. GAGAS standards for audit and attestation engagement performance, documentation, and reporting are in chapters 4 and 5 for financial audits, chapter 6 for attestation engagements, and chapters 7 and 8 for performance audits. Chapter 3 specifies that an audit organization’s quality control system include policies and procedures designed to provide the audit organization with reasonable assurance that audits and attestation engagements are performed and reports are issued in accordance with professional standards and legal and regulatory requirements. (See paragraph 3.52) Examples of such policies and procedures include the following:

(1) communication provided to team members so that they sufficiently understand the objectives of their work and the applicable professional standards;

(2) audit and attestation engagement planning and supervision;

(3) appropriate documentation of the work performed;

(4) review of the work performed, the significant judgments made, and the resulting audit documentation and report;

(5) review of the independence and qualifications of any outside experts or contractors used, as well as a review of the scope and quality of their work;

(6) procedures for resolving difficult or contentious issues or disagreements among team members, including specialists;

Page 188 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

(7) obtaining and addressing comments from the audited entity on draft reports; and

(8) reporting supported by the evidence obtained, and in accordance with applicable professional standards and legal and regulatory requirements.

b. Monitoring is an ongoing, periodic assessment of audit and attestation engagements designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitability designed and operating effectively in practice. (See paragraph 3.53f) The following guidance is provided to assist audit organizations with implementing and continuing its monitoring of quality:

(1) Who: Monitoring is most effective when performed by persons who do not have responsibility for the specific activity being monitored (e.g., for specific engagements or specific centralized processes). The staff member or team of staff members assigned with responsibility for the monitoring process collectively need sufficient and appropriate competence and authority in the audit organization to assume that responsibility. Generally the staff member or the team of staff members performing the monitoring are apart from the normal audit supervision associated with individual audits.

(2) How much: The extent of monitoring procedures varies based on the audit organization’s circumstances to enable the audit organization to assess compliance with applicable professional standards and the audit organization’s quality control policies and procedures. Examples of specific monitoring procedures include

(a) examination of selected administrative and personnel records pertaining to quality control;

Page 189 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

(b) review of selected audit and attest documentation, and reports;

(c) discussions with the audit organization’s personnel (as applicable and appropriate);

(d) periodic summarization of the findings from the monitoring procedures in writing, (at least annually), and consideration of the systematic causes of findings that indicate improvements are needed;

(e) determination of any corrective actions to be taken or improvements to be made with respect to the specific audits and attestation engagements reviewed or the audit organization’s quality control policies and procedures;

(f) communication of the identified findings to appropriate audit organization management with subsequent follow-up; and

(g) consideration of findings by appropriate audit organization management personnel who also determine whether actions necessary, including necessary modifications to the quality control system, are performed on a timely basis.

(3) Review of selected administrative and personnel records: The review of selected administrative and personnel records pertaining to quality control may include tests of

(a) compliance with policies and procedures on independence;

(b) compliance with continuing professional development policies, including training;

Page 190 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

(c) procedures related to recruitment and hiring of qualified personnel, including hiring of specialists or consultants when needed;

(d) procedures related to performance evaluation and advancement of personnel;

(e) procedures related to initiation, acceptance, and continuance of audit and attestation engagements;

(f) audit organization personnel’s understanding of the quality control policies and procedures, and implementation of these policies and procedures; and

(g) audit organization’s process for updating its policies and procedures.

(4) Follow-up on previous findings: Monitoring procedures include an evaluation of whether the audit organization has taken appropriate corrective action to address findings and recommendations from previous monitoring and peer reviews. Personnel involved in monitoring use this information as part of the assessment of risk associated with the design and implementation of the audit organization’s quality control system and in determining the nature, timing, and extent of monitoring procedures.

(5) Written report: The audit organization communicates the results of the monitoring of its quality control systems in a written report that allows the audit organization to take prompt and appropriate action where necessary. Information included in this report includes:

(a) a description of the monitoring procedures performed;

Page 191 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

(b) the conclusions drawn from the monitoring procedures; and

(c) where relevant, a description of the systemic, repetitive, or other significant deficiencies and of the actions taken to resolve those deficiencies.

A3.05 As discussed in paragraph 3.61, an external audit organization should make its most recent peer review report publicly available. Examples of how to achieve this transparency requirement include posting the peer review report on an external Web site or to a publicly available file. To help the public understand the peer review reports, an audit organization may also include a description of the peer review process and how it applies to its organization. The following provides examples of additional information that audit organizations may include to help users understand the meaning of the peer review report.

a. Explanation of the peer review process.

b. Description of the audit organization’s system of quality control.

c. Explanation of the relationship of the peer review results to the audited organization’s work.

d. If the peer review report is modified, explanation of the reviewed audit organization’s plan for improving quality controls and the status of the improvements.

Information to Accompany Chapter 7

A7.01 Chapter 7 discusses the field work standards for performance audits. An integral concept for performance auditing is the use of sufficient, appropriate evidence based on the audit objectives to support a sound basis for audit findings, conclusions, and recommendations. The following discussion is

Page 192 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

provided to assist auditors in identifying the various types of evidence and assessing the appropriateness of evidence in relation to the audit objectives.

Types of Evidence A7.02 In terms of its form and how it is collected, evidence may be categorized as physical, documentary, or testimonial. Physical evidence is obtained by auditors’ direct inspection or observation of people, property, or events. Such evidence may be documented in summary memos, photographs, videos, drawings, charts, maps, or physical samples. Documentary evidence is obtained in the form of already existing information such as letters, contracts, accounting records, invoices, spreadsheets, database extracts, electronically stored information, and management information on performance. Testimonial evidence is obtained through inquiries, interviews, focus groups, public forums, or questionnaires. Auditors frequently use analytical processes including computations, comparisons, separation of information into components, and rational arguments to analyze any evidence gathered to determine whether it is sufficient and appropriate. (See paragraphs 7.66 and 7.59 for definitions of sufficient and appropriate.) The strength and weakness of each form of evidence depends on the facts and circumstances associated with the evidence and professional judgment in the context of the audit objectives.

Appropriateness of Evidence in Relation

A7.03 One of the primary factors influencing the assurance associated with a performance audit is the

to the Audit appropriateness of the evidence in relation to the audit Objectives objectives. For example:

a. The audit objectives might focus on verifying specific quantitative results presented by the audited entity. In these situations, the audit procedures would likely focus on obtaining evidence about the accuracy of the specific

Page 193 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

amounts in question. This work may include the use of statistical sampling.

b. The audit objectives might focus on the performance of a specific program or activity in the agency being audited. In these situations, the auditor may be provided with information compiled by the agency being audited in order to answer the audit objectives. The auditor may find it necessary to test the quality of the information, which includes both its validity and reliability.

c. The audit objectives might focus on information that is used for widely accepted purposes and obtained from sources generally recognized as appropriate. For example, economic statistics issued by government agencies for purposes such as adjusting for inflation, or other such information issued by authoritative organizations, may be the best information available. In such cases, it may not be practical or necessary for auditors to conduct procedures to verify the information. These decisions call for professional judgment based on the nature of the information, its common usage or acceptance, and how it is being used in the audit.

d. The audit objectives might focus on comparisons or benchmarking between various government functions or agencies. These types of audits are especially useful for analyzing the outcomes of various public policy decisions. In these cases, auditors may perform analyses, such as comparative statistics of different jurisdictions or changes in performance over time, where it would be impractical to verify the detailed data underlying the statistics. Clear disclosure as to what extent the comparative information or statistics were evaluated or corroborated will likely be necessary to place the evidence in proper context for report users.

Page 194 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

e. The audit objectives might focus on trend information based on data provided by the audited entity. In this situation, auditors may assess the evidence by using overall analytical tests of underlying data, combined with a knowledge and understanding of the systems or processes used for compiling information.

f. The audit objectives might focus on the auditor identifying emerging and cross-cutting issues using information compiled or self-reported by agencies. In such cases, it may be helpful for the auditor to consider the overall appropriateness of the compiled information along with other information available about the program. Other sources of information, such as inspector general reports or other external audits, may provide the auditors with information regarding whether any unverified or self-reported information is consistent with or can be corroborated by these other external sources of information.

Information to A8.01 Chapter 8 discusses the reporting standards for

Accompany performance audits. The following discussion is provided to assist auditors in developing and writing Chapter 8 their audit report for performance audits.

Report Quality Elements

A8.02 The auditor may use the report quality elements of timely, complete, accurate, objective, convincing, clear, and concise when developing and writing the auditor’s report as the subject permits.

a. Accurate: An accurate report is supported by sufficient, appropriate evidence with key facts, figures, and findings being traceable to the audit evidence. Reports that are fact-based, with a clear statement of sources, methods, and assumptions so that report users can judge how much weight to give the evidence reported, assist in achieving accuracy. Disclosing data

Page 195 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

limitations and other disclosures also contribute to producing more accurate audit reports. Reports also are more accurate when the findings are presented in the broader context of the issue. One way to help audit organizations prepare accurate audit reports is to use a quality control process such as referencing. Referencing is a process in which an experienced auditor who is independent of the audit checks that statements of facts, figures, and dates are correctly reported, that the findings are adequately supported by the evidence in the audit documentation, and that the conclusions and recommendations flow logically from the evidence.

b. Objective: Objective means that the presentation of the report is balanced in content and tone. A report’s credibility is significantly enhanced when it presents evidence in an unbiased manner and in the proper context. This means presenting the audit results impartially and fairly. The tone of reports may encourage decision makers to act on the auditors’ findings and recommendations. This balanced tone can be achieved when reports present sufficient, appropriate evidence to support conclusions while refraining from using adjectives or adverbs that characterize evidence in a way that implies criticism or unsupported conclusions. The objectivity of audit reports is enhanced when the report explicitly states the source of the evidence and the assumptions used in the analysis. The report may recognize the positive aspects of the program reviewed if applicable to the audit objectives. Inclusion of positive program aspects may lead to improved performance by other government organizations that read the report. Audit reports are more objective when they demonstrate that the work has been performed by professional, unbiased, independent, and knowledgeable staff.

c. Complete: Being complete means that the report contains sufficient, appropriate evidence needed to satisfy the audit objectives and promote an understanding of the matters reported. It also means the

Page 196 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

report states evidence and findings without omission of significant relevant information related to the audit objectives. Providing report users with an understanding means providing perspective on the extent and significance of reported findings, such as the frequency of occurrence relative to the number of cases or transactions tested and the relationship of the findings to the entity’s operations. Being complete also means clearly stating what was and was not done and explicitly describing data limitations, constraints imposed by restrictions on access to records, or other issues.

d. Convincing: Being convincing means that the audit results are responsive to the audit objectives, that the findings are presented persuasively, and that the conclusions and recommendations flow logically from the facts presented. The validity of the findings, the reasonableness of the conclusions, and the benefit of implementing the recommendations are more convincing when supported by sufficient, appropriate evidence. Reports designed in this way can help focus the attention of responsible officials on the matters that warrant attention and can provide an incentive for taking corrective action.

e. Clear: Clarity means the report is easy for the intended user to read and understand. Preparing the report in language as clear and simple as the subject permits assists auditors in achieving this goal. Use of straightforward, nontechnical language is helpful to simplify presentation. Defining technical terms, abbreviations, and acronyms that are used in the report is also helpful. Auditors may use a highlights page or summary within the report to capture the report user’s attention and highlight the overall message. If a summary is used, it is helpful if it focuses on the specific answers to the questions in the audit objectives, summarizes the audit’s most significant findings and the report’s principal conclusions, and prepares users to anticipate the major recommendations. Logical

Page 197 GAO-07-731G Government Auditing Standards

Appendix I

Supplemental Guidance

organization of material, and accuracy and precision in stating facts and in drawing conclusions assist in the report’s clarity and understanding. Effective use of titles and captions and topic sentences makes the report easier to read and understand. Visual aids (such as pictures, charts, graphs, and maps) may clarify and summarize complex material.

f. Concise: Being concise means that the report is not longer than necessary to convey and support the message. Extraneous detail detracts from a report, may even conceal the real message, and may confuse or distract the users. Although room exists for considerable judgment in determining the content of reports, those that are fact-based but concise are likely to achieve results.

g. Timely: To be of maximum use, providing relevant evidence in time to respond to officials of the audited entity, legislative officials, and other users’ legitimate needs is the auditors’ goal. Likewise, the evidence provided in the report is more helpful if it is current. Therefore, the timely issuance of the report is an important reporting goal for auditors. During the audit, the auditors may provide interim reports of significant matters to appropriate entity officials. Such communication alerts officials to matters needing immediate attention and allows them to take corrective action before the final report is completed.

Page 198 GAO-07-731G Government Auditing Standards

Appendix II

Appendix II

Comptroller General’s Advisory Council on Government Auditing Standards

Advisory Council Members

Mr. Jack R. Miller, Chair KMPG LLP (Retired) (member 1997-1998; chair 2001-2008)

The Honorable Ernest A. Almonte Office of the Auditor General State of Rhode Island (member 2001-2008)

Dr. Paul A. Copley James Madison University (member 2005-2008)

Mr. David Cotton Cotton & Co. LLP (member 2006-2009)

The Honorable Debra K. Davenport Office of the Auditor General State of Arizona (member 2002-2005)

Ms. Kristine Devine Deloitte & Touche, LLP (member 2005-2008)

Dr. John H. Engstrom Northern Illinois University (member 2002-2005)

The Honorable Richard L. Fair Office of the State Auditor State of New Jersey (member 2002-2005)

Dr. Ehsan Feroz University of Minnesota Duluth (member 2002-2009)

Page 199 GAO-07-731G Government Auditing Standards

Appendix II

Comptroller General’s Advisory

Council on Government Auditing

Standards

The Honorable Phyllis Fong U.S. Department of Agriculture (member 2004-2006)

Mr. Alex Fraser Standard & Poor’s (member 2006-2009)

The Honorable Gregory H. Friedman U.S. Department of Energy (member 2002-2005)

Mr. Mark Funkhouser Office of City Auditor (Retired) Kansas City, Missouri (member 2005-2008)

Dr. Michael H. Granof University of Texas at Austin (member 2005-2008)

Mr. Jerome Heer Office of the County Auditor Milwaukee, Wisconsin (member 2004-2006)

Ms. Marion Higa Office of State Auditor State of Hawaii (member 2006-2009)

The Honorable John P. Higgins, Jr. U.S. Department of Education (member 2005-2008)

Mr. Russell Hinton Office of the State Auditor State of Georgia (member 2004-2006)

Page 200 GAO-07-731G Government Auditing Standards

Appendix II

Comptroller General’s Advisory

Council on Government Auditing

Standards

Mr. Richard A. Leach United States Navy (member 2005-2008)

Mr. Patrick L. McNamee PricewaterhouseCoopers, LLP (member 2005-2008)

Mr. Rakesh Mohan Office of Performance Evaluations Idaho State Legislature (member 2004-2006)

The Honorable Samuel Mok U.S. Department of Labor (member 2006-2009)

Mr. Harold L. Monk Davis Monk & Company, CPAs (member 2002-2009)

Mr. William Monroe Office of Auditor General State of Florida (member 2004-2006)

Mr. Stephen L. Morgan Office of the City Auditor Austin, Texas (member 2001-2008)

Mr. Robert M. Reardon, Jr. State Farm Insurance Companies (member 2002-2005)

Mr. Brian A. Schebler McGladrey & Pullen, LLP (member 2005-2008)

Page 201 GAO-07-731G Government Auditing Standards

Appendix II

Comptroller General’s Advisory

Council on Government Auditing

Standards

Mr. Gerald Silva Office of the City Auditor San Jose, California (member 2002-2009)

Mr. Barry R. Snyder Federal Reserve Board (Retired) (member 2001-2008)

Dr. Daniel Stufflebeam Western Michigan University (member 2002-2009)

The Honorable Nikki Tinsley U.S. Environmental Protection Agency (member 2002-2005)

Mr. George Willie Bert Smith & Co. (member 2004-2006)

GAO Project Team Jeffrey C. Steinhoff, Managing Director Jeanette M. Franzel, Project Director Robert F. Dacey, Chief Accountant Abraham D. Akresh, Senior Level Expert for

Auditing Standards Marcia B. Buchanan, Specialist, Auditing Standards Michael C. Hrapsky, Specialist, Auditing Standards Heather I. Keister, Specialist, Auditing Standards Gail Flister Vallieres, Specialist, Auditing Standards Maxine L. Hattery, Senior Communications Analyst Margaret A. Mills, Senior Communications Analyst Jennifer V. Allison, Council Administrator

Page 202 GAO-07-731G Government Auditing Standards

Index

abuse (see also attestation engagements, field work standards; attestation engagements, reporting standards; financial audits, field work standards; financial audits, reporting standards; performance audits, reporting standards; performance audits, field work standards) A.05–A.06

examples of A.06

accountability

governance, role of those charged with A1.05–A1.07

government 1.01–1.02

government managers and officials, responsibilities of 1.02, A1.08

accurate, as report quality element A8.02

Advisory Council on Government Auditing Standards, members of Appendix II

agreed-upon procedures (see attestation engagements, field work standards)

AICPA standards

for attestation engagements 1.15a, 3.45, 6.01, 6.03–6.04, 6.06, 6.30

for financial audits 1.15a, 3.44, 4.01, 4.03, 4.05, 4.19, 4.26–4.28, 5.01, 5.03, 5.15, 5.23, 5.26

relationship to GAGAS 1.15a

American Evaluation Association 1.16

American Institute of Certified Public Accountants (see also AICPA standards) 1.15a

American Psychological Association 1.16

appropriateness of evidence 7.59–7.65, A7.03

assurance (see quality control and assurance; reasonable assurance)

attestation engagements (see also GAGAS)

types of 1.23

subject matter 1.24

qualifications for auditors, additional 3.45

attestation engagements, field work standards 6.01–6.29

abuse 6.13c–6.14

agreed-upon-procedures–level engagement 1.23c, 6.13b

AICPA standards 6.01, 6.03–6.06

cause 6.18

communication, auditor 6.06–6.08

condition 6.17

corrective actions 6.09, 6.18–6.19

criteria 6.16

documentation 6.07–6.08, 6.13a, 6.17, 6.20–6.26

effect 6.19

evidence 6.04b, 6.16, 6.18, 6.20–6.22

examination-level engagements 1.23a, 6.10, 6.13a

Page 203 GAO-07-731G Government Auditing Standards

Index

findings, developing elements of 6.15–6.19

fraud and illegal acts 6.13

internal control 6.10–6.12

materiality 6.28

planning 6.04, 6.06–6.10, 6.13a, 6.15

previous engagements 6.09

review-level engagements 1.23b, 6.13b

risk, assessing 6.09, 6.13a

termination before engagement completed 6.08

violations of contracts or grant agreements 6.13, 6.29

work of others, using 6.25

attestation engagements, reporting standards 6.30–6.56

abuse 6.33, 6.36–6.42

AICPA standards 6.30

risk, assessing 6.56b

classified information 6.52, 6.55–6.56

confidential or sensitive information 6.51–6.56

corrective actions 6.42, 6.44–6.45, 6.49

direct reporting to outside parties 6.39–6.41

distribution 6.56

findings 6.42–6.43

fraud and illegal acts 6.33, 6.36–6.40, 6.42, 6.44

GAGAS, reporting auditors’ compliance with 1.11–1.13, 6.32

internal control 6.33–6.35, 6.42, 6.44

investigations or legal proceedings, compromising 6.38

limited official use 6.52–6.53, 6.55

material weakness in internal control 6.33, 6.34b

recommendations 6.42

significant deficiency in internal control 6.33, 6.34

views of responsible officials 6.44–6.50

violations of contracts or grant agreements 6.33, 6.36–6.40, 6.42, 6.44

audit objective (see objective, audit)

audit risk 7.01, 7.05, 7.07, 7.10–7.11, 7.24, 7.26, 7.28–7.29, 7.57

auditors, qualifications of (see competence)

auditors’ responsibility 3.39, 4.26

audits and attestation engagements, types of 1.17–1.21

Page 204 GAO-07-731G Government Auditing Standards

Index

cause (see attestation engagements, field work standards; financial audits, field work standards; performance audits, field work standards)

classified information (see limited official use under attestation engagements, reporting standards; financial audits, reporting standards; performance audits, reporting standards)

clear, as report quality element A8.02e

comments (see views of responsible officials under attestation engagements, reporting standards; financial audits, reporting standards; performance audits, reporting standards)

competence 3.33, 3.40–3.49

attestation engagements, additional qualifications for 3.45

continuing professional education 3.46–3.49

education and experience 3.42

financial audits, additional qualifications for 3.44

and professional judgment 3.33, 3.42

skill needs, assessing and staffing for 3.41

specialists 3.43d, 3.49

technical knowledge and skills required 3.43

complete, as report quality element A8.02c

compliance audits (see performance audits)

compliance with GAGAS statement 1.11–1.13

modified 1.12b

unmodified 1.12a

computer-based information systems (see information)

conclusions 8.16, 8.27

condition (see attestation engagements, field work standards; financial audits, field work standards; performance audits, field work standards)

conflict of interest, avoiding (see also independence) 2.10

concise, as report quality element A8.02f

consulting services (see nonaudit services)

continuing professional education (CPE) 3.46–3.49

hours 3.46

guidance 3.48

responsibility for 3.48

for specialists 3.49

subjects, determining appropriate 3.47

timing 3.46

COSO framework footnote 92

convincing, as report quality element A8.02d

Page 205 GAO-07-731G Government Auditing Standards

Index

criteria (see attestation engagements, field work standards; financial audits, field work standards; performance audits, field work standards)

data reliability (see information)

definitions (see terms)

documentation (see also attestation engagements, field work standards; financial audits, field work standards; financial audits, reporting standards; performance audits, field work standards)

of continuing professional education 3.48–3.49

of decisions using professional judgment 3.38

GAGAS, departure from 1.07b

GAGAS, significance of not complying with 1.12a

of independence 3.08f, 3.15, 3.19, 3.30

of quality control system 3.52–3.53

economy and efficiency audits (see performance audits)

effect (see attestation engagements, field work standards; financial audits, field work standards; performance audits, field work standards)

ethical principles 2.01–2.15

conflicts, avoiding 2.10

as framework 2.04

and independence 2.03

information, use of government 2.11–2.12

integrity 2.03, 2.05b, 2.08–2.09

objectivity 2.03, 2.05c, 2.10

position, use of government 2.05d, 2.11, 2.14

professional behavior 2.05e, 2.15

public interest 2.03, 2.05a, 2.06–2.07

resources, use of government 2.05d, 2.11, 2.13

responsibility for, personal and organizational 2.03

tone 2.01

transparency 2.12

explanatory material 1.08–1.10

external quality control review (see peer review, external)

evidence (see also attestation engagements, field work standards; financial audits, field work standards; performance audits, field work standards; performance audits, reporting standards; information) 1.25–1.27, 7.55–7.71

amount and type required, identifying 7.40

appropriateness 7.56, 7.59–7.65, A7.01–A7.03

Page 206 GAO-07-731G Government Auditing Standards

Index

audit plan 7.51

of cause 7.75

documentation of 7.77

insufficient 8.07

sources, identifying 7.39

sufficiency of 7.56, 7.66–7.67

sufficiency and appropriateness of, uncertain or limited 8.14-8.15

sufficient and appropriate 7.55–7.71, 8.14–8.15, 8.26, A7.01–A.7.02

types of 7.60–7.65, A7.02

financial audits (see also GAGAS)

qualifications for, additional 3.44

types of 1.22

financial audits, field work standards 4.01–4.29

abuse 4.12–4.13

AICPA standards 4.01, 4.03

cause 4.17

communication, auditor 4.05–4.08

compliance with laws, regulations, and provisions of contracts or grant agreements 4.06–4.07

condition 4.16

corrective action 4.09, 4.17–4.18

criteria 4.15

definition 1.22

documentation 4.05–4.06, 4.08, 4.16, 4.19–4.24

effect 4.18

evidence 4.03c, 4.07, 4.15, 4.17, 4.19

findings, developing elements of 4.14–4.18

fraud and illegal acts 4.27–4.28

GAGAS, departure from 4.21

governance, identifying those charged with 4.06

internal control 4.03b, 4.06–4.07

materiality 4.26

misstatements, material 4.03b, 4.10–4.13, 4.27–4.28

misstatements, types of footnote 57

planning 4.03a, 4.05–4.09, 4.14, 4.26–4.28

previous engagements, use of 4.09

Page 207 GAO-07-731G Government Auditing Standards

Index

risk, assessing 4.03b, 4.09

reasonable assurance 4.01b

supervision 4.03a

supervisory review 4.20

termination before audit completed 4.08

violations of contracts or grant agreements 4.10–4.11

work of others, use of 4.23

financial audits, reporting standards 5.01–5.44

abuse 5.10, 5.15–5.21

AICPA standards 5.01, 5.03, 5.06, 5.15, 5.23, 5.26

classified information 5.40, 5.43–5.44

compliance with laws, regulations, contracts, and grants 5.07–5.09

communication, auditor 5.14, 5.16, 5.18, 5.23–5.25, 5.43, 5.44b

confidential or sensitive information 5.39–5.44

corrective actions 5.21, 5.29d, 5.32–5.33, 5.37

direct reporting to outside parties 5.18–5.20, 5.31

distribution 5.40–5.41, 5.44

documentation 5.14, 5.16, 5.44

financial statements, previously-issued 5.26–5.30

findings, presenting 5.21–5.22

fraud and illegal acts 5.10, 5.15–5.18

GAGAS, reporting auditors’ compliance with 1.11–1.13, 5.05–5.06

internal control deficiencies 5.10–5.14, 5.29d

internal control, material weakness in 5.10, 5.11b, 5.13

internal control, reporting on 5.07–5.14, 5.29d

investigative or legal proceedings, limiting reporting to matters that would not compromise 5.17

limited use report 5.40–5.41, 5.43

misstatements 5.26–5.29

recommendations 5.21

restatement 5.26–5.31

significance, assessing 5.12

significant matters, communicating 5.23–5.25

views of responsible officials 5.32–5.38

violations of contracts or grant agreements 5.10, 5.15–5.18

Page 208 GAO-07-731G Government Auditing Standards

Index

fraud and illegal acts, indicators of risk of (see also attestation engagements, field work standards; attestation engagements, reporting standards; financial audits, field work standards; financial audits, reporting standards; performance audits, field work standards; performance audits, reporting standards) A.07–A.08

GAGAS (see also attestation engagement, reporting standards; financial audits, field work standards; financial audits, reporting standards; performance audits, field work standards; performance audits, reporting standards) 1.01–1.34, A1.02-A1.04

application 1.03–1.04, A1.02–A1.04

for attestation engagements 1.03-1.04, 1.23–1.24

audits and attestation engagements, types of 1.17–1.20

compliance statements 1.11–1.13

departure from 1.07b, 1.12b–1.13, 4.21, 7.81

explanatory material 1.08–1.10

for financial audits 1.22

guidance, supplemental 1.21, A.01–A8.02

laws, regulations, and guidelines that require A1.02–A1.04

and nonaudit services 1.33–1.34

nongovernmental entities, applicability to 1.04

for performance audits 1.25–1.32

purpose 1.03

relationship to other standards 1.14–1.16

requirements, categories of 1.07

terminology, use of 1.05–1.10

governance, role of those charged with A1.05–A1.07

government information, resources, and position, proper use of 2.11–2.14

guidance, supplemental A.01–A8.02

abuse, examples of A.05–A.06

evidence in relation to audit objectives, appropriateness of A7.03

evidence, types of A7.01–A7.02

fraud risk indicators, examples of A.07–A.08

governance, role of those charged with A1.05–A1.07

government accountability, GAGAS in context of A1.01–A1.08

internal control deficiencies, examples of A.03–A.04

laws, regulations, and guidelines that require GAGAS A1.02–A1.04

laws, regulations, and provisions of contracts or grant agreements, significance to audit objectives A.09–A.11

management, role of A1.08

Page 209 GAO-07-731G Government Auditing Standards

Index

nonaudit services A3.01–A3.03

reporting, performance audit A8.01–A8.02

report quality elements A8.02

illegal acts (see fraud and illegal acts)

independence (see also objectivity) 3.01–3.30

declining work due to impaired independence 3.04

and ethical principles 3.01

external impairments 3.10–3.11

external audit organizations 3.13–3.15

impairments identified after report 3.04

internal audit functions 3.16–3.19

nonaudit services and 3.20–3.30

nonaudit services and overarching principles 3.22–3.24

nonaudit services, types of 3.25–3.30

organizational independence 3.12–3.21

personal impairments 3.07–3.09

principles of, overarching 3.22–3.23

safeguards, supplemental 3.30

of specialist 3.05

information (see also evidence, internal control)

computer-processed 7.65

from officials of audited entity 7.64

self-reported 7.62

Institute of Internal Auditors (IIA) 1.16a, 3.16, 5.44b, 6.56b, 8.43b

integrity 2.08–2.09

internal auditing 1.16a, 7.22, 8.43b

independence 3.16-3.19

as nonaudit service 3.29l,

peer review report 3.61

performance audit 7.22, 8.43b

reporting externally footnotes 69, 88, 103; 5.44b, 6.56b, 8.43b

internal control (see also attestation engagements, field work standards; attestation engagements, reporting standards; financial audits, field work standards; financial audits, reporting standards; performance audits, field work standards; performance audits, reporting standards)

as audit objective 1.28, 1.30

definition of footnote 14, 7.15c

Page 210 GAO-07-731G Government Auditing Standards

Index

deficiencies, examples of A.03–A.04

in financial audits 1.22

for information systems 1.30f, 4.22, 6.24, 7.16, 7.23–7.27, 7.65

nonaudit service 3.27–3.29

objectives, types of 7.19–7.20

in performance audits 1.28, 1.30, 7.16–7.27

as subject matter 1.24

supplemental testing and reporting 4.07

internal quality control system (see quality control and assurance)

International Auditing and Assurance Standards Board 1.15c

Joint Committee on Standards for Education Evaluation 1.16c

laws, regulations, and provisions of contracts or grant agreements

determining significance to objectives of A.09–A.11

that require GAGAS A1.02–A1.04

in performance audits 7.15a

limited-official-use reports (see attestation engagements, reporting standards; financial audits, reporting standards; performance audits, reporting standards)

management role in accountability A1.08

management audit (see performance audit)

management controls (see internal control)

managers and officials, responsibilities of government 1.02

nonaudit services 1.33–1.34, 3.20–3.30, A3.01–A3.03

examples for audit organizations in government A3.03

and independence 3.20–3.30

overarching principles 3.22–3.24

safeguards, supplemental 3.28

types of 3.25–3.30, A3.03

nongovernmental entities, applicability of GAGAS to audits of 1.04, A1.04

objectives, audit (see also performance audits, field work standards; performance audits, reporting standards; subject matter) 1.13, 1.18–1.19, 1.23, 1.28–1.32

attestation engagement 1.23

compliance 1.31

Page 211 GAO-07-731G Government Auditing Standards

Index

economy and efficiency 1.29

information appropriate to A7.03

internal control 1.28, 1.30

multiple or overlapping 1.19

performance audit 1.28–1.31, 7.03, 7.07–7.08

program effectiveness and results 1.29

prospective analysis 1.32

types of 1.28–1.32

objectives, as report quality element A8.02b

objectives, scope, and methodology (see also performance audit, field work standards and performance audit, reporting standards) 8.09–8.13

objectivity (see also auditors’ responsibilities; independence) 2.10

operational audits (see performance audits)

peer review, external 3.50b, 3.55–3.63

adverse opinion footnote 43

contract, audit organizations seeking to enter into a 3.62

modified opinion footnote 43

public transparency 3.61

reports footnote 40, 3.59, 3.61-3.36

risk assessment 3.58

scope 3.56-3.57

selecting engagements 3.58

team criteria 3.54

work of another audit organization, using 3.63

performance audits (see also evidence)

audit objectives, types of 1.27–1.32

definition 1.25

evidence 1.25–1.27

GAGAS and other standards 1.16

performance audits, field work standards 7.01–7.84

abuse 7.33–7.34

audit plan, preparing 7.50–7.51

audit risk 7.01, 7.05, 7.07, 7.10–7.11, 7.29, 7.36

cause 7.75

communication, auditor 7.46–7.49

compliance objectives 7.19c

Page 212 GAO-07-731G Government Auditing Standards

Index

condition 7.74

corrective actions 7.36

criteria 1.25, 7.37–7.38

effect 7.76

documentation 7.06, 7.45, 7.47–7.49, 7.74, 7.77–7.84

effectiveness and efficiency objectives 7.19a

engagement letter 7.48

evidence 7.03, 7.05, 7.07, 7.10, 7.27, 7.37, 7.39–7.40, 7.55–7.71, A7.01–A7.03

findings, developing elements of 7.72–7.76

fraud and illegal acts 7.30–7.32

GAGAS, departure from 1.07b, 1.12–1.13, 7.81

information systems controls 7.23–7.27

internal control 7.15c, 7.16–7.27

internal control deficiency 7.21

internal control, types of 7.19–7.20

laws, regulations, contracts, and grant agreements 7.15a, 7.28–7.29

methodology (see also planning) 7.07, 7.10

objectives, audit 7.07–7.08, A7.03

outcomes 7.15g

outputs 7.15f

planning 7.06–7.12, 7.16, 7.30, 7.36, 7.41, 7.50–7.51

previous engagements 7.36

program, definition of footnote 91

program operations 7.15e

program, understanding the 7.13, 7.15

reasonable assurance 4.01b, 7.01, 7.03

relevance and reliability 7.19b

safeguarding assets and resources 7.20

scope (see also planning) 7.07, 7.09

significance 7.01, 7.04, 7.07, 7.11

staff, assigning 7.44

specialists, using the work of 7.45

supervision 7.52–7.54

termination before audit completed 7.49

users of the audit report 7.14

violations of contracts or grant agreements 7.21, 7.28–7.29

Page 213 GAO-07-731G Government Auditing Standards

Index

work of others, using 7.41–7.43

performance audits, reporting standards 8.01–8.43

abuse 8.18, 8.21–8.25

classified information 8.39, 8.42–8.43

communication, auditor 8.07, 8.19, 8.22

confidential or sensitive information 8.38–8.42

conclusions 8.27

corrective actions 8.05, 8.14, 8.28, 8.32, 8.36

direct reporting to outside parties 8.24–8.26

distribution 8.43

evidence 8.12–8.15, 8.26

findings 8.14–8.26

form of audit report 8.04

fraud and illegal acts 8.18, 8.21–8.24

GAGAS, reporting auditors’ compliance with 1.11–1.13, 8.30–8.31

internal auditors 8.43b

internal control deficiencies 8.18–8.20

investigations or legal proceedings, compromising 8.23

limited-official-use report 8.39–8.40, 8.42

methodology 8.09, 8.13

objectives, audit 8.10

objectives, scope, and methodology 8.09–8.13

public records laws 8.42

purposes 8.05

quality, elements of report A8.02

recommendations 8.28–8.29

scope 8.11

views of responsible officials 8.08, 8.32–8.37

violations of contracts or grant agreements 8.18, 8.21–8.25

professional behavior 2.15

professional judgment 3.20, 3.31–3.39

auditor responsibility 3.39

collective knowledge 3.34

competence and 3.33, 3.42

documentation of decisions using 3.38

independence, determining impairment of 3.20

Page 214 GAO-07-731G Government Auditing Standards

Index

risk level, considering 3.37

understanding, determining required level of 3.36

professional requirements, use of terminology in 1.05–1.10

categories of 1.07

explanatory material 1.05, 1.08–1.10

presumptively mandatory requirements 1.07b

unconditional requirements 1.07a

program audits or evaluations (see performance audits)

program effectiveness and results audits (see performance audits)

proper use of government information, resources, and position 2.11–2.14

Public Company Accounting Oversight Board 1.15b

public interest 2.03, 2.06–2.07

public need to know 1.02

quality control and assurance (see also peer review, external) 3.50–3.63, A3.04-A3.05

documentation of 3.52

monitoring 3.53f–3.54, A3.04b

peer review 3.55–3.63, A3.05

system of 3.51–3.54, A3.04-A3.05

reasonable assurance 4.01b, 7.01, 7.03, 7.07, 7.10

recommendations 8.28–8.29

report quality, elements of A8.02

reporting standards (see attestation engagements, reporting; financial audits, reporting; performance audits, reporting)

requirements, use of terminology in professional (see professional requirements, use of terminology in)

scope 7.09

significance footnote 28, 7.01, 7.04, 7.07, 7.11, 7.57, 7.70

significant deficiency (see attestation engagements, reporting standards)

specialists

qualifications 3.49

independence of 3.05

using 7.45

standard-setters, financial accounting and reporting footnote 8

standards, choice between applicable 1.19

Page 215 GAO-07-731G Government Auditing Standards

Index

standards of other authoritative bodies (see also entries for individual standard-setting bodies) 3.16

state governments footnote 9

sufficiency 7.66–7.67

supplemental guidance (see guidance, supplemental)

terms 1.05–1.10

adverse peer review opinion footnote 43

abuse 4.12, 6.14, 7.33

accountability 1.02

appropriateness 7.56, 7.59

attestation engagement 1.23

audit organization footnote 3

audit procedures 7.10

audit risk 7.05

auditing 1.01

auditor footnote 2

competence 3.40–3.42

equity footnote 1

experienced auditor footnotes 52, 82, 98

explanatory material 1.08–1.10

financial audit 1.22

fraud footnotes 57, 81, 95

illegal acts footnote 59

inconsequential footnotes 66, 86

independence 3.03

integrity 2.08–2.09

internal control footnote 14, 1.30, 7.15c, footnote 92

material weakness 5.11b, 6.34b

materiality footnote 28, 4.26

may, might, and could 1.08

methodology 7.10

misstatements footnote 57

modified GAGAS compliance statement 1.12b

modified peer review opinion footnote 43

more than inconsequential footnotes 66, 86

more than remote footnotes 65, 85

Page 216 GAO-07-731G Government Auditing Standards

Index

must and is required 1.07a

objectivity 2.10

outcomes 7.15g

outputs 7.15f

performance audit 1.25–1.28

presumptively mandatory requirement 1.07b

probable footnotes 65, 85

professional behavior 2.15

professional judgment 3.32–3.34

professional skepticism 3.32

program footnote 13

program operations 7.15e

proper use of government information, resources, and position 2.11–2.14

public interest 2.06–2.07

quality control, system of 3.51

reasonable assurance 4.01b, 7.03

reasonably possible footnotes 65, 85

relevance 7.59a

reliability 7.59c

remote footnotes 65, 85

requirement 1.05–1.07

unconditional requirement 1.07a

scope 7.09

should 1.07b

significance footnote 28, 7.04

significant footnote 89

significant deficiency 5.11a, 6.34a

specialist footnote 21

subject matter 1.23–1.24

sufficiency 7.56, 7.66–7.67

sufficient, appropriate evidence 7.56

those charged with governance footnotes 49, 80, 97; A1.06–A1.07

unmodified GAGAS compliance statement 1.12a

validity 7.59

those charged with governance, in accountability communications A1.05–A1.07

attestation engagements 6.07–6.08

Page 217 GAO-07-731G Government Auditing Standards

Index

definition footnotes 49, 80, 97; A1.06–A1.07

financial audits 4.06–4.08

performance audits 7.46–7.49

timely, as report quality element A8.02g

value-for-money audits (see performance audits)

views of responsible officials (see attestation engagements, reporting standards; financial audits, reporting standards; performance audits, reporting standards)

violations of contracts or grant agreements (see attestation engagements, field work standards; attestation engagements, reporting standards; financial audits, field work standards; financial audits, reporting standards; performance audits, field work standards; performance audits, reporting standards)

work of others, using (see also attestation engagements, field work standards; financial audits, field work standards; performance audits, field work standards) 3.63

Page 218 GAO-07-731G Government Auditing Standards

(194652)

The Government Accountability Office, the audit, evaluation and GAO’s Mission investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s Web site (www.gao.gov). Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to www.gao.gov and select “Subscribe to Updates.”

Ordering Printed Copies The printed version of the July 2007 revision of Government Auditing Standards can be ordered through the Government Printing Office (GPO) online or by calling 202-512-1800 or 1-866-512-1800 toll free.

Contact:To Report Fraud, Web site: www.gao.gov/fraudnet/fraudnet.htm Waste, and Abuse in E-mail: fraudnet@gao.gov

Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 Congressional U.S. Government Accountability Office, 441 G Street NW, Room 7125

Relations Washington, D.C. 20548

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548