Contract audits are common in both the public and private sectors. There are many reasons for conducting contract audits, all related to risk management. Contract risks include: cost overruns; fraud; duplicate billing or billing of unrelated costs; compliance with government regulatory agencies; and many more. There are two general types of contract audits: control audits and recovery audits. Control audits are conducted either prior to the spending period or early in the spending period. The purpose is to gain an understanding of the contractor's systems, controls and supporting documentation. Recovery audits are conducted near the end of the spending period. The purpose is to determine if any costs charged to the contract are not valid and if there are any regulatory or contract noncompliance issues to be resolved.
Develop a strategy for conducting contract audits. Decide who will conduct the audits: internal auditors or an outside firm? Determine criteria for which type of audit to conduct. For example, for first-time contractors, conduct control audits to learn their systems, controls and documentation, and also conduct a recovery audit. For all other contractors, perform only recovery audits.
Perform risk analysis of contracts to determine which ones to audit. Because of limited resources, it may be impractical or impossible to audit all contracts. Resources may need to be concentrated on new contractors and contracts over a certain amount. Other factors to consider may be the complexity of the contract, type of project, importance or sensitivity of the project and regulatory issues. The organisation should consider using the COSO Enterprise Risk Management framework for the risk analysis.
Assign specific contracts to specific auditors or audit groups. Organizations may use internal auditors or outside firms. Government agencies also may have the option of using the Defense Contract Audit Agency (DCAA). If requested, the DCAA will conduct audits for other government agencies besides the Defense Department.
Obtain information to plan specific audits. Auditors should obtain contract files, budgets, project and/or engineering plans, accounting records and any other documents they need to plan the specific audits. These documents are usually obtained from the organisation commissioning the audit. They should review these documents to become familiar with the contract and to develop the audit procedures.
Contact the contractor to establish a time and place for the audit and provide information as to the records needed for the audit. Auditors will need to obtain documentation of direct costs and indirect costs charged to the contract and records documenting compliance with contract provisions, regulatory matters and contract deliverables.
Auditors visit the contractor and execute the audit procedures. Auditors will verify billings from the contractor by examining the contract costs incurred by the contractor. Auditors will select samples of direct and indirect costs and test those costs to determine if they are allowable to the contract in accordance with applicable criteria. For government agencies, the criteria will include government cost principles and the terms of the contract; for companies the criteria will be the terms of the contract.
Auditors conduct an exit conference at the end of their fieldwork. They present the contractor with a list of findings and issues to be resolved. The contractor should be provided a reasonable amount of time to review the list and produce any additional evidence or information applicable to resolving the issues. The auditors review the additional information and revise their list of findings and issues for any that are resolved.
Auditors write the audit report, which may or may not include a response from the contractor. After the report is issued, the contractor will agree or disagree with the audit findings. The organisation commissioning the audit will then negotiate with the contractor to resolve the audit findings and issues.