Internal Control Audit Planning Summary (ICAPS)
3-400 Section 4 - Internal Control Audit Planning Summary (ICAPS)
3-401 Introduction
This section provides guidance on using the Internal Control Audit Planning Summary (ICAPS) to summarize the auditor's assessment of control risk and the impact on related contract audit effort. The ICAPS sheets are automated through the Internal Control Review System (ICRS) database. The ICRS database software should be installed and used at each FAO that performs any of the ten accounting and management system reviews listed in section 5-102....
3-402 Background Information
a. As discussed in 3-200, the auditor's assessment of control risk is a critical factor in determining the nature and extent of audit effort necessary to achieve the objectives of the individual audit assignment in an effective and efficient manner. To assess control risk, the auditor must carefully evaluate the controls over each significant contractor accounting and management system that could impact the scope of that particular audit. Due to the number of contract audits performed at some contractors, it is both impractical and inefficient to duplicate all the audit steps necessary to assess control risk as part of each individual audit assignment. Therefore, separate audit assignments are established to evaluate each significant contractor accounting and management system, and the related controls, on a periodic basis. The results of these internal control audits are used by other auditors to plan the scope of related audit effort.
b. The ICAPS is the primary means of communicating the results of the internal control audits to the auditors performing the related audit effort. It contains information pertaining to the control risk assessments resulting from the internal control audits, along with a brief description of how these assessments may impact the scope of other related contract audit effort.
The ICAPS becomes part of the FAO's permanent file for use by other auditors to quickly understand the level of control risk associated with the contractor's accounting and management systems, and the potential impact on their individual audit assignments. The auditor performing related audit effort will consider the information included in the ICAPS, along with other risk factors, in determining the scope of related audit effort.
3-403 Relationship of ICAPS and Mandatory Annual Audit Requirements (MAARs)
a. A general discussion of MAARs appears in 6-105. A tabulation of the MAARs, including title, objectives, purpose, and principal CAM reference, appears in 6-1S1.
b. Many MAARs require transaction testing and other auditing procedures that are likely to be covered during incurred cost audit assignments. The scope of such evaluations is affected by the strength of the contractor's internal controls and how current the audit experience is in the area. Internal controls affecting the MAARs are summarized in the ICAPS for each related contractor accounting and management system. For example, internal controls affecting MAAR 6, Labor Floor Checks or Interviews, are summarized in the ICAPS for the contractor's labor accounting system. It is often possible to reduce the scope of a mandatory evaluation when the contractor's internal controls in the area are strong. Conversely, it may be necessary to expand the scope of a mandatory evaluation to cover audit risks identified in the ICAPS. However, the focus of the auditor's efforts should be to work with the contractor and ACO to reduce risk ratings, rather than to continue performing expanded testing.
3-404 Audit Policy on ICAPS
a. At major contractors, a separate ICAPS will be maintained for each of the ten management and accounting systems, identified in 5-102. However, control risk should only be assessed for those systems that process a material amount of transactions that are ultimately assigned to Government contracts. ICAPS will also be maintained for nonmajor contractors when internal control audits are performed for systems processing a material amount of transactions that are ultimately assigned to Government contracts...
b. Significant information contained in the ICAPS, either positive or negative, should be communicated to the appropriate auditors immediately (e.g., risk information on the ICAPS for the estimating system should be communicated to auditors performing audits of individual price proposals).
c. Generally, since the ICAPS is intended to support the audit planning process, each ICAPS (including related continuation sheets) should stand on its own. Each ICAPS should contain sufficient information for auditors to determine the impact of the control risk assessment to properly plan the scope of other related contract audit activities. In most cases, it should not be necessary for auditors performing related audits to conduct detailed reviews of the internal control audit working papers to determine the impact of the control risk assessment on related audit activities. While the following paragraphs provide general guidance on completing the ICAPS form, auditors should exercise professional judgment in determining the exact nature and extent of information necessary to meet the needs of the auditors performing related audit effort in their individual audit circumstances.
3-405 Preparation of the Internal Control Audit Planning Summary
Figure 3-4-1 contains a generic copy of the ICAPS form. The specific ICAPS for each of the ten systems is delivered by APPS as part of the audit summary working paper A. As discussed above, a separate ICAPS form should be maintained for each significant contractor accounting and management system. The ICAPS form is updated during the normal cyclical audit of each significant system and related internal controls.
3-405.1 Materiality and Sensitivity
As discussed above, DCAA is only concerned with assessing the adequacy of internal controls for those contractor accounting and management systems that may significantly impact the pricing, administration, or settlement of Government contracts. This section of the ICAPS provides information concerning the significance of each system for each Contractor Fiscal Year (CFY). In addition, it provides a brief summary of any sensitivities that may impact the scope of other related audit effort.
a. Materiality is determined based on the importance of the contractor accounting or management system relative to Government contracts. While all major contractors generally accomplish the functions associated with the ten accounting and management systems identified in 5-102, the materiality/significance of these systems will vary from contractor to contractor. Therefore, it is important for the auditor to understand the dollar value of transactions processed by the system and assigned to Government contracts, both flexible and fixed price, and their significance in relation to: (1) the total dollar value of transactions processed by the system, (2) total Government contract costs, and (3) total contractor operations. To illustrate, the auditor's determination of materiality for a contractor's labor system should consider the total dollar value (order of magnitude) of labor transactions (e.g., $100 million) processed by the system, in relation to the order of magnitude of the contractor's total operation (e.g., $1 billion cost of sales). The auditor should also consider the Government's participation, both flexible and fixed price, in the system's transactions, as well as within the contractor's total operations. For example:

                                 System          Contractor
Total Dollars                    $100 million    $1,000 million
Gov't Flexibly Priced Dollars    $ 20 million    $   80 million
Gov't Fixed Price Dollars        $ 25 million    $  170 million
b. Sensitivity is determined based on how given matters will impact the judgment of the users of contract information. For example, inclusion of some unallowable costs (e.g., luxury yachts, dog kennels) has a more significant impact on users of contract information than clerical errors or inadvertent mistakes. In addition, some costs may be more sensitive than others due to congressional interest or other internal and external factors. The emphasis placed on consultant costs during the late nineteen eighties is an example of an external factor. Internal factors include events such as changes in the contractor's corporate structure and implementation of major new software packages, such as ERP. Section I.2 of the ICAPS is designed to summarize any unusual or unique sensitivities applicable to the system in question.
c. The auditor should carefully consider the system materiality and sensitivity in determining the timing, nature, and extent of internal control audit effort. If a particular system is not considered material for the current year, there is no need to assess control risk further. The basis for this assessment should be documented on the ICAPS and filed in the permanent files for reference and review/update in future years.
3-405.2 Control Risk Assessment
This section of the ICAPS is designed to summarize the auditor's assessment of control risk for each relevant control objective based on the results of the system audit. 5-109 contains detailed guidance on assessing control risk.
a. The auditor should first identify each of the relevant control objectives for the system being summarized. 5-300 through 5-1200 contain details regarding the relevant control objectives for each contractor accounting and management system. For example, the relevant control objectives for labor accounting are covered in 5-900, and are summarized as follows:
(1) Management Reviews
(2) Employee Awareness Training
(3) Labor Authorization and Approvals
(4) Timekeeping
(5) Labor Distribution
(6) Labor Cost Accounting
(7) Payroll Preparation and Payment
(8) Labor Transfers and Adjustments
b. For each relevant control objective, the auditor should summarize the control risk assessment (low, moderate, or high) contained in the detailed working papers for the system audit (see 5-109).
c. The auditor should also indicate the system audit report number and date in which the control risk assessment for any control objective was most recently updated. As more current information becomes available, the auditor's assessment of control risk may change. For example, the contractor may correct a previously reported deficiency, or subsequent system audit effort may indicate failures to comply with established policies and procedures. In these instances, the auditor should update the ICAPS upon issuance of the system audit report that resulted in the change in the control risk assessment. Under no circumstances should the ICAPS be updated for potential changes in the control risk assessment that have not been formally reported.
d. The last section of the control risk assessment requires the auditor to explain on continuation sheets all moderate or high risk assessment ratings. Ratings of moderate or high risk should be supported by significant reported deficiencies. The auditor should provide sufficient information regarding the deficiencies to facilitate the planning of other related audit effort. Sufficient information should be provided for the auditor performing related audit effort to understand the nature of the deficiency that resulted in the moderate or high risk assessment.
3-405.3 Overall System
a. In addition to assessing control risk for each of the relevant control objectives, the auditor should determine whether the system is adequate to reasonably assure proper pricing, administration, and settlement of Government contracts. The determination as to whether the overall system is adequate or inadequate should be based on the significance of the deficiencies and the extent of reliance, if any, that can be placed on information coming out of the system. Making such a determination requires the exercise of considerable audit judgment. A single significant deficiency/material weakness or the contractor's failure to accomplish a single control objective would render the entire system inadequate (see 5-109).
b. The auditor's assessment of the overall system should be consistent with the audit opinion contained in the most current report on the system in question, and with the risk ratings assigned to the relevant control objectives. For example, in the case of a labor system audit, if high risk ratings have been assigned to labor cost accounting and labor transfers and adjustments, it would be expected that the overall system opinion would be inadequate or inadequate in part. Although flash reports may be used as a basis for increased substantive testing recommendations for related audits, they should not be used as a basis for revising the control risk assessment or revising the assessment of the overall system. Any change in the auditor’s assessment of the overall system must be based on a written report on the audit of the internal control.
3-405.4 Impact on the Scope of Other Audits
a. The audit planning process involves not only assessing control risk, but also identifying the potential impact of these risk assessments on other related audit effort. Section IV of the ICAPS is designed to highlight the impact that the auditor's control risk assessment has on related audit areas. These audit areas are summarized as follows:
(1) Contract Pricing
(2) Defective Pricing
(3) Incurred Material Costs
(4) Incurred Labor Costs
(5) Incurred Indirect/ODC Costs
(6) Contract Reporting
(7) Billings
(8) Closeouts
(9) Financial Capability
(10) CAS
b. The impact on the audit scope section should identify the general level (minimum or increased) and nature of substantive testing needed as a result of the control risk assessments. The minimum level of substantive testing is the level required when the auditor can be expected to rely on the contractor’s system for that particular audit area. The minimum level of substantive testing varies depending on the nature of the audit. Accordingly, the auditor performing the related audit must determine the minimum level of substantive testing (i.e., analytical procedures and/or transaction tests) for each related audit based on the particular circumstances of that audit. A recommendation for increased substantive testing in this section means substantive testing over and above the minimum level (not the level historically performed at the contractor) that may be required because a deficiency in the system results in an increased risk of material errors or misstatements. The extent of increased testing required for a particular related audit area will vary depending on the nature of the audit, and materiality and sensitivity considerations. Generally, assessments of low control risk should result in minimum substantive testing and assessments of moderate and high risk will result in increased testing.
c. When increased substantive testing is recommended, sufficient information should be included on continuation sheets regarding the impact on the scope of other related audits. The amount of information required will vary depending on the nature of the deficiency resulting in the increased testing recommendation. The information should be sufficient to enable the auditor performing other related audit effort to determine the nature and extent of substantive testing required, including to the extent practical, information regarding: the types of errors that could occur as a result of the deficiency; the types or classes of transactions that could be impacted by the deficiency; the circumstances under which the errors are likely to occur; and the types of substantive tests that could be used to detect the errors.
d. Generally, assessments of low risk should result in recommended reductions in the scope of related audits, unless the scope has previously been appropriately reduced, which should be documented and explained. Section IV of the ICAPS should also be used to communicate any additional information considered necessary to ensure proper consideration of control risk assessments in related audit effort. For example, this section should identify any flash reports that have been issued since the last full system audit was performed, and note the impact that the deficiencies in the flash report would have on related audits. This section should then be updated when the system audit following up these deficiencies is completed (5-110c(3)).
3-406 Updates and Revisions - ICAPS
a. Changes to the control risk assessments in the ICAPS should be based on reported conditions in system audits or follow-up system audits. Prior versions of the ICAPS should be retained in the permanent file for reference. In no circumstances should the control risk assessment (Section II) or overall system opinion (Section III) be updated unless there is a system audit report supporting the change. Flash reports, that disclaim an opinion (10-413.3b), should not be used as a basis for updating Sections II or III of the ICAPS.
b. Since contractor internal controls are audited on a cyclical basis, it may become necessary to update Section IV of the ICAPS, Impact on the Scope of Other Audits, prior to the next scheduled system audit. For example, audits of individual pricing proposals may identify deficiencies in the contractor's estimating system that did not exist or were not identified at the time of the last system audit. In these instances, Section IV of the ICAPS should be updated to note/reference the reported deficiencies (e.g., flash reports) and reflect the impact on other related audit effort. The control risk assessment and the impact on other related audit sections should be updated when the FAO completes the internal control audit following up the deficiencies (5-110c(3)).
c. Auditors should also be alert for factors that may indicate the current control risk assessment may be invalid. These factors may include: (1) material amounts of questioned cost in individual audit assignments, (2) recurring questioned costs of an immaterial amount, (3) significant turnover in contractor personnel, (4) contractor reorganizations, and (5) flash reports. In these instances, it may be necessary to increase the scope of related audit effort. However, the auditor should also consider performing a system audit (5-103a) to reevaluate the contractor's internal controls and encourage contractor corrective action for any identified deficiencies. Getting the contractor to correct the system is generally a more effective and efficient way to protect the Government's interest in the long run[1].
References
[1] Defense Contract Audit Manual (DCAM) 3-400 Section 4 - Internal Control Audit Planning Summary (ICAPS); August 14, 2014