Internal Audit Charters: Building an Independent Review Function
The contractors who handle DCAA audits best aren’t the ones who prepare hardest when DCAA calls. They’re the ones who never stopped auditing themselves.
I’ve seen it play out in both directions. A contractor with a functioning internal audit program walks into a DCAA business system review with organized workpapers, documented findings, and a corrective action log showing issues identified and resolved. The auditor spends less time, asks fewer questions, and leaves with a cleaner report. The contractor on the other side — the one whose internal review function exists only on paper — gets a full examination of every system, every process, and every gap. The difference in outcome between those two engagements isn’t luck. It’s infrastructure.
For small government contractors, building a genuine internal audit function feels like an enterprise-level commitment. It doesn’t have to be. What it does have to be is formal, independent, and documented — starting with a charter that defines the function’s authority, scope, and reporting structure before a single review is conducted.
Here’s what that looks like in practice, and why it matters more than most contractors realize.
The Legal Foundation
The internal audit function in a government contracting environment isn’t simply a best practice borrowed from corporate governance. It is a compliance control that regulators and auditors look for specifically when evaluating the adequacy of your business systems.
DFARS 252.242-7006 establishes the adequacy standards for contractor accounting systems on covered DoD contracts. One of the six core areas evaluated under this standard is the existence of adequate internal controls — controls that prevent, detect, and correct errors before they reach a government billing. An internal audit function is the mechanism through which those controls are tested and validated. Without it, you’re relying on the assumption that your controls are working rather than the evidence that they are.
FAR 52.215-2, the Audit and Records — Negotiation clause, gives the government broad access to contractor records related to contract performance. Contractors with functioning internal audit programs are in a fundamentally stronger position when this clause is invoked — because they have already examined the records the government is about to review, and they know what’s in them. Contractors without that internal examination are discovering the same things DCAA discovers, at the same time, under audit conditions.
FAR 31.201-2 requires that costs charged to government contracts be adequately documented and properly authorized. Internal audit is the function that verifies those requirements are being met on a continuous basis — not just when an external audit is pending. For a deeper look at how cost documentation requirements interact with your accounting system, the DCAA Contract Audit Manual, Chapter 5, is the definitive reference.
What an Internal Audit Charter Actually Does
Here’s what contractors miss: the internal audit function only has the authority and independence it is formally granted. Without a charter — a written document approved by senior leadership that defines the function’s purpose, scope, independence, and reporting lines — the internal auditor is just someone reviewing records with no formal standing to compel access, escalate findings, or require corrective action.
The charter is what makes the function real. It establishes three things that cannot exist informally.
Independence. The internal audit function must be organizationally separated from the functions it reviews. This is where audits go sideways at small contractors: the CFO who also oversees compliance reviews is not in a position to objectively evaluate the adequacy of the financial controls they designed and manage. The charter must specify that internal audit has direct reporting access to the highest level of the organization — the CEO, the board, or the audit committee — so that findings can be escalated without passing through the functions being reviewed.
Scope of authority. The charter defines what the internal audit function has the right to examine. This includes access to all financial records, contracts, timekeeping systems, billing documentation, and personnel records relevant to government contract performance. Without a documented scope, internal auditors are dependent on the cooperation of the departments they’re reviewing — which defeats the purpose of independent oversight.
Accountability for findings. The charter should establish that findings are documented in writing, reported to senior leadership, and tracked through a corrective action process with defined resolution timelines. A finding that sits in a workpaper without a resolution path isn’t a compliance control — it’s a documented liability.
What Contractors Typically Get Wrong
The most common failure is a charter that exists but isn’t followed. The document describes an annual internal audit cycle, quarterly reviews of timekeeping, and periodic billing reconciliations — but the actual practice is a CFO spending a few hours at year-end reviewing the books. When DCAA asks for internal audit workpapers, there aren’t any. The charter becomes evidence of a commitment that wasn’t kept, which is worse than having no charter at all.
The second failure is a scope that excludes the highest-risk areas. Contractors sometimes design internal audit programs around the areas they’re most comfortable reviewing — indirect rate calculations, for example — while leaving timekeeping compliance, subcontractor oversight, and unallowable cost screening largely unexamined. DCAA’s business system reviews cover all of those areas. Your internal program should too.
The third failure is treating corrective actions as optional. Internal audit findings that aren’t resolved create cumulative risk. Each unresolved gap is a finding that DCAA could independently discover — and when they do, the existence of an internal audit record showing the issue was previously identified but not corrected is a significant aggravating factor.
Five Steps to Build a Functioning Internal Audit Program
Step 1: Draft and adopt a formal internal audit charter. The charter should define the mission, independence requirements, organizational reporting structure, scope of authority, and the process for documenting and resolving findings. It should be approved in writing by your CEO or board and reviewed annually. Keep it to two or three pages — the goal is clarity and commitment, not volume.
Step 2: Establish an annual audit plan with specific review areas and timelines. The plan should cover, at minimum, timekeeping compliance, labor distribution and charging, unallowable cost identification, billing system reconciliation, and subcontract oversight. Assign each review area to a named individual with a scheduled completion date. A compliance calendar that ties audit activities to your contract performance cycle keeps the function active year-round rather than reactive at year-end. For guidance on what a compliant timekeeping review should examine, see our post on DCAA timekeeping requirements.
Step 3: Produce written workpapers for every review conducted. Workpapers are the evidence that your internal audit function is operating as described in the charter. They should document the scope of the review, the procedures performed, the population examined, the findings identified, and the conclusions reached. DCAA auditors reviewing your internal controls will ask to see these documents. If they don’t exist, the internal audit function doesn’t exist in any meaningful sense.
Step 4: Implement a formal corrective action tracking process. Every finding documented in internal audit workpapers should have a corresponding corrective action entry showing the root cause, the planned resolution, the responsible owner, and the target completion date. Track open items monthly and close them with documented evidence of resolution. A DCAA-compliant accounting and tracking system that integrates corrective action management keeps this process organized without adding administrative burden.
Step 5: Report internal audit results to senior leadership in writing. At least quarterly, the internal audit function should provide a written summary of completed reviews, open findings, and corrective action status to the CEO or equivalent. This reporting requirement does two things: it keeps leadership accountable for resolving issues, and it creates a documented record showing that internal audit findings receive appropriate management attention — which is exactly what DCAA looks for when evaluating the effectiveness of your internal control environment.
The Cost Comparison
A formal internal audit program at a small government contractor — a part-time internal auditor or a shared compliance resource, a documented charter, written workpapers, and a corrective action log — typically costs between $20,000 and $50,000 annually depending on contract volume and complexity.
A business system deficiency finding under DFARS 252.242-7006 for inadequate internal controls can trigger payment withholding of up to five percent of billings on affected contracts. For a contractor billing several million dollars annually across cost-reimbursement contracts, that withholding can represent hundreds of thousands of dollars in suspended cash flow — sustained over the months required to develop, implement, and validate a corrective action plan under DCAA oversight.
The internal audit program doesn’t just reduce audit risk. It reduces the cost of the audit itself, because contractors who arrive at a DCAA review with organized workpapers and a documented control environment spend significantly less time and legal expense managing the process than those who are reconstructing records under audit conditions.
Jurisdictional Notes
The business system adequacy requirements under DFARS 252.242-7006 apply specifically to DoD contractors on covered cost-reimbursement, incentive, time-and-material, and labor-hour contracts above established thresholds. Civilian agency contractors are not subject to DFARS business system oversight, but FAR 52.215-2 audit rights and FAR 31.201-2 cost documentation requirements apply across all federal agencies. An internal audit function built to the DFARS standard will satisfy both frameworks and will position your firm well for any agency’s audit scrutiny.
An internal audit charter is a one-time investment of a few hours of drafting time that defines the authority and independence of a function that will protect your firm for as long as you hold government contracts. Write it, adopt it, and then actually follow it — and you will have built the single most effective DCAA audit preparation tool available to a small contractor.
