No. 1: Helping Your Client Navigate an Army Audit

(Credit: freshidea - stock.adobe.com)

No. 1

Helping Your Client Navigate an Army Audit

---

By William J. Dobosh, Jr.

Although the U.S. Army Audit Agency (AAA) conducts approximately one hundred audits each fiscal year, many organizations below Headquarters, Department of the Army1 or the headquarters of an Army command (ACOM)/Army service component command (ASCC)/direct reporting unit (DRU) do not have regular contact with AAA auditors. As a result, visits from AAA audit teams may be stressful for members of an audited organization and lead to a flurry of questions for you as the organization’s uniformed judge advocate (JA) or civilian legal advisor.2

But fear not, counsel. This article will explain preliminary actions that you can take upon learning that one of your clients is going to be audited and the four steps that you can advise your client to take as the audit unfolds: 1) comprehend the fundamentals of AAA and internal audits; 2) collaborate with the audit team, so it can access requested information; 3) communicate with the audit team during fieldwork and the command-reply process; and 4) correct deficiencies that the audit team finds. The article will also present some questions you can anticipate from your client-organization’s members along the way. Armed with this knowledge, military and civilian attorneys alike will be able to assist their supported organizations capably during an audit.

Actions on Contact: Initial Responses to an Announced Audit

After learning that one of your client-organizations will be involved in an audit by AAA, you can take immediate action to enable the best possible legal support later.

First, research the program or function being audited to identify previous audit reports. A repository of published AAA reports is available on its extranet site,3 which is accessible to anyone with a Department of Defense (DoD) common access card. If you cannot reach the site or cannot find relevant reports, contact the AAA Audit Coordination and Follow-Up Office.4 Explain fully your official need for the reports in case they have been controlled. You may also search the public websites of the Government Accountability Office or the DoD Inspector General (DoDIG) for any non-Army audits on the upcoming audit’s subject.5

Second, determine the audit focal point, which is usually an individual in the supporting Internal Review (IR) Office.6 The IR program7 “provides an independent, objective audit and analysis activity” within an organization.8 Ask the audit focal point to include you on invitations and announcements for key audit events, such as the entrance conference and interim progress reviews. You will then be able to better anticipate legal support requirements. The audit focal point may also be able to provide you contact information for the audit team leadership to enable direct coordination with them.

Third, take advantage of institutional knowledge, especially from senior Army civilian attorneys, concerning audits and the audit process. Even if no one in your brigade legal shop or immediate legal office has experience with AAA, an attorney at a higher echelon likely does. Use this experience to fill in gaps in your understanding and to provide effective counsel for your client during the audit.

(Credit: Superzoom – stock.adobe.com)

Step 1: Comprehend the Fundamentals of AAA and Internal Audits

What is AAA, and what does it do?

The U.S. Army Audit Agency is a field operating agency of the Secretary of the Army (SECARMY)9 that executes SECARMY’S auditing function within the Department of the Army.10 Each fiscal year, AAA develops an Army-wide audit plan by determining areas of risk from Army corporate planning documents and soliciting input from senior leaders in HQDA, ACOMs, ASCCs, and DRUs.11 The Secretary of the Army approves the final plan,12 which AAA may modify as needed throughout the year to address emerging or high-visibility issues.

The Army Auditor General,13 an HQDA principal official,14 heads AAA. Although AAA has its headquarters at Fort Belvoir, Virginia, most of its workforce is located at seventeen field offices in the continental United States, Hawaii, Korea, and Germany.15 Auditors are task-organized into audit teams to complete audits. An audit team generally has one GS-13 auditor-in-charge (AIC) who manages the day-to-day conduct of the audit and oversees multiple staff auditors in grades GS-7 to GS-12.16 A GS-14 audit manager (AM) and a GS-15 program director (PD) supervise.17

Although many HQDA organizations rely on the Army Office of General Counsel or the Office of The Judge Advocate General for legal support, AAA receives legal advice from its own organic legal office.18 If you have a concern with an audit team’s legal conclusions, especially its interpretations of applicable statutes or regulations, you may find it helpful to raise these issues with both the audit team (AIC, AM, and PD) and the AAA Office of Counsel.

(Credit: peterschreiber.media – stock.adobe.com)

Can AAA conduct audits of issues that do not involve financial information?

The Army Audit Agency conducts internal audits of Army organizations, programs, and activities. Department of Defense policy defines an “internal audit” as a “function that helps DoD management . . . by providing information, analyses, assessments, and recommendations.”19 Internal audits are not limited to financial statements, contract pricing, or similar fiscal areas and may instead cover any Army program, operation, or function. When conducting internal audits, “[a]uditors independently and objectively analyze, review, and evaluate existing procedures, controls, and performance” and “constructively present conditions, conclusions, and recommendations so as to stimulate or encourage corrective action.”20

Auditors from AAA primarily conduct the following types of internal audits: performance audits, financial audits, attestation engagements, and follow-up audits.21 Performance audits “provide objective analysis, findings, and conclusions to assist management . . . with . . . improving program performance and operations, reducing costs, facilitating decision making by parties responsible for . . . corrective action, and contributing to public accountability.”22 Financial audits “provide independent assessments of whether entities’ reported financial information . . . is presented fairly, in all material respects, in accordance with recognized criteria.”23 Financial audits include financial statement audits24 to achieve the statutory requirement of DoD audit readiness.25 Attestation engagements consist of reviews,26 examinations,27 and agreed-upon procedure (AUP) engagements. The AUP engagements, in which the audit team performs customer-designated analysis (i.e., “audit procedures”28) on the subject matter,29 are AAA’s most common type of attestation engagement.30 In AUP engagements, the organization that will use the audit’s results is responsible for the procedures being sufficient to achieve their intended purposes.31 Follow-up audits “verify that management officials took corrective actions” with respect to AAA’s previously issued audit recommendations. The report of a follow-up audit also contains the audit team’s “conclusions as to whether . . . the actions achieved the desired results and monetary benefits.”32

Some technical terms (italicized for quick reference) are common to all these audit types. You should understand these concepts to help your clients better understand communications and written materials received from the audit team. The audit subject matter is the program, operation, or function that an audit analyzes.33 The audit objective describes what the audit is supposed to achieve34 and raises “questions about the program that the auditors seek to answer.”35 Auditors answer these questions by assessing evidence against applicable laws, regulations, standards, or similar benchmarks,36 which are collectively called audit criteria.37 Audit teams answer the audit objective by conducting audit fieldwork, during which an audit team gathers “sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions.”38 The results of an audit are presented in a written audit report.39 As a DoD auditing organization, the AAA must conduct its audits according to generally accepted government auditing standards (GAGAS) established by the Government Accountability Office (GAO). These standards enable “high-quality audit work with competence, integrity, objectivity, and independence.”40 To comply with GAGAS, an audit’s findings and conclusions must be adequately supported41 and “valid, accurate, appropriate, and complete with respect to the audit objectives.”42

Finally, as a point of clarification, an audit is not an investigation. Nonetheless, because audits and investigations have key similarities, clients may find audits easier to understand in relation to investigations. An audit team performs tasks comparable to an Army Regulation (AR) 15-6 investigating officer with respect to collecting evidence and presenting findings, conclusions, and recommendations in a written report.43 Like an investigating officer, an audit team must analyze impartially and independently the issues it faces.44 One significant difference between audits and investigations is an audit’s official Army position (OAP). In an investigation, the approval authority approves or disapproves the investigating officer’s findings and recommendations.45 An audit does not have an approval authority per se. Instead, the OAP establishes whether the Department of the Army agrees with the findings, conclusions, recommendations, and potential monetary benefits in the audit report.46 If the OAP concurs with a recommendation, then the responsible organization must implement it before an agreed-upon completion date. If the OAP does not concur with a recommended corrective action, however, then that action is not required.47

“How does AAA relate to Internal Review? How does it relate to the Army Inspector General?”

Auditors assigned to an organization’s IR program are not part of AAA. The IR program is typically established and resourced by commanders of ACOMs, ASCCs, and DRUs; heads of HQDA activities; and U.S. property and fiscal officers.48 An IR director advises supported commanders on “internal control and audit matters” and tracks the implementation of audit recommendations.49 Thus, although a supporting IR office may facilitate and coordinate a audit that AAA performs, that office is not assigned to or controlled by AAA.

Similarly, the AAA and the Department of the Army Inspector General (DAIG) are different organizations in HQDA. Like the Army Auditor General, the Army Inspector General assists SECARMY with oversight of Army programs and activities.50 Organizational IGs conduct four functions on behalf of the Army IG: inspections, assistance, investigations, and teaching and training.51 The DAIG, however, is not part of AAA.52

(Credit: Olivier Le Moal – stock.adobe.com)

Step 2: Collaborate with the Audit Team so It Can Access Requested Information

“Do we have to provide the audit team the information it asks for?”

Auditors may seem to be constantly asking your client for information during audit fieldwork, but this is a normal part of the audit process. As previously discussed, during audit fieldwork auditors gather evidence to answer audit objectives and support the audit’s findings and conclusions.53 Evidence may include physical evidence that the team obtains by “direct inspection or observation”; testimonial evidence through oral or written statements from members of the audited organization; and documentary evidence, such as command policies and guidance, emails, and electronic and hardcopy records.54 In addition, sometimes an audit team identifies additional information requirements weeks or months after the initial site visit, as the team conducts additional fieldwork and learns more about the audit subject matter.

(Credit: z_amir – stock.adobe.com)

Department of Defense policy requires that, subject to limitations imposed by law or regulation, audit teams “must have full and unrestricted access” to all personnel, facilities, and information “related to accomplishing an announced audit objective when requested by an auditor with proper security clearances.”55 Access includes “the authority to make and retain copies of . . . information or material until no longer required for official use.”56 Army policy reiterates and refines this requirement as follows: “Audit organizations will have full access to all personnel, facilities, records, reports, databases, and documents. Audited activities will make all accounts, books, records, documents, papers, facilities, equipment, and other assets available for examination and observation by auditors and make available knowledgeable personnel who can discuss the information.”57

Granting access to information also involves responding to requests for information (RFIs) from the audit team. As a legal matter, Army policy requires organizations to cooperate fully with audit teams. Army Regulation 36-2 forbids an audited activity from “unreasonably delay[ing] the progress of the audit” when providing requested information.58 As a practical matter, promptly addressing RFIs expedites an audit’s progress. The sooner an audit team receives the information it needs, the sooner the team can complete its fieldwork and provide audit results to all stakeholders.

In summary, auditors have the authority to access nearly all information relevant to their audit. You can save your client precious time and effort by encouraging organizations to facilitate this access.

“Are audit teams allowed to receive information prepared by attorneys, such as internal legal reviews? What about information subject to the Privacy Act?”

Attorney-Client Confidentiality and Privilege

Neither attorney-client confidentiality nor attorney-client privilege prevents you or your client-organization from complying with an audit team’s request for any relevant legal opinions that the organization received.

With respect to confidentiality, when an Army organization’s legal advisor is providing advice to organizational officials on matters within the scope of the organization’s official business, the advisor’s actual client is the Department of the Army.59 Therefore, because the audit team is acting in an official capacity, and the audit relates to your representation of the Army, you may provide the audit team with memoranda, emails, or other records that contain your legal advice relevant to the audit without violating attorney-client confidentiality, even if that advice was initially provided to specific individuals in the command.60 With respect to attorney-client privilege, your client-organization’s sharing such materials with the team, which has an official need to know the information, does not waive the privilege in other contexts or proceedings.61

Privacy Act

Auditors may also access personally identifying information or other materials protected by the Privacy Act of 1974 without first obtaining the consent of the subject of the information.62 As explained in DoD policy, records pertaining to an individual may be disclosed to a DoD employee without the individual’s consent when: (1) the DoD employee has a need for the record to perform assigned official duties; (2) the intended use of the record generally relates to the purpose for which the record is maintained; and (3) only the minimum amount of records or portions of records required to accomplish the intended use are disclosed.63 In most audits, disclosures to an audit team will clearly satisfy these criteria. You and your client should raise specific concerns, especially the extent of the disclosure that the team has requested, with the AIC and the AAA Office of Counsel.

Step 3: Communicate with the Audit Team During Audit Fieldwork and in the Command-Reply Process

“The audit team invited us to an ‘entrance conference.’ What’s the purpose, and what should we try to accomplish there?”

Before fieldwork begins, the audit team conducts an entrance conference with the audited organization.64 At this conference, the team explains the audit’s objective, scope, and potential benefits and proposes fieldwork sites.65 The organization may then raise additional issues for the team to consider or may suggest changes to the audit objective.66 Because the members of the organization probably have more knowledge of the audit subject matter than the audit team does, reasonable and well supported suggestions to the team will likely by adopted.67

As legal advisor, you should either attend the entrance conference or review the conference presentation afterwards to ensure that the audit team has identified all legal authorities relevant to the organization’s mission and the audit subject. Helping the audit team start its fieldwork with accurate and complete audit criteria will prevent erroneous conclusions and ill-conceived recommendations in the draft audit report.

“What is our responsibility for explaining the audited subject to the audit team? Isn’t the team a group of subject matter experts?”

In preparing for an audit, the audit team researches governing law, regulation, and policy to determine the audit criteria. The audit team members, however, are not everyday practitioners in the subject of the audit. Consequently, the team often relies on the insight of the audited organization to understand the program or function at issue.

Encourage members of your client-organization to explain fully to the audit team how they execute their missions concerning the audit subject. Such dialogue will ensure the team understands how a program operates and might prevent the team from recommending corrective actions that would be infeasible, impractical, or otherwise undesirable.

“At the entrance conference, the audit team mentioned ‘PMBs.’ What are they, and why are they important to the audit?”

In a performance audit, which is the most common type of audit that AAA conducts,68 auditors try to make recommendations that will result in both potential monetary benefits (PMBs) and nonmonetary benefits for the Army.69 Potential monetary benefits arise from eliminating questioned costs and from identifying “funds put to better use.”70 A questioned cost involves an “alleged violation of a provision of a law, regulation, contract, grant, cooperative agreement, or other agreement or document”; is “not supported by adequate documentation”; or is for an “unnecessary or unreasonable” purpose.71

Just as important as PMBs, however, are nonmonetary benefits. These benefits improve such areas as “operational readiness, personnel safety, data accuracy, internal controls, compliance with laws and regulations, or streamlining of organizations or processes.”72 Nonmonetary benefits often have Army-wide impacts that transcend concerns of resource management or fiscal prudence.

Encourage subject matter experts in your client-organization to suggest monetary and nonmonetary benefits during the audit. The audit gives these practitioners an opportunity both to point out shortcomings in current policy or guidance from HQDA organizations or ACOM/ASCC/DRU headquarters and to suggest viable solutions. The audit report may make recommendations to members of the Army Secretariat, Army Staff, and senior Army commanders, so it can quickly elevate operational-level concerns and proposed improvements. Simply put, audits provide a powerful forum for your client to trigger significant, Army-wide change.

“We’re concerned that the audit report might make findings, conclusions, or recommendations that are inaccurate or unworkable. Will we have a chance to review the report before it is published?”

The findings and conclusions that appear in a draft audit report should never surprise an audited organization. Army Audit Agency policy requires the audit team to routinely present this information to the organization as the audit progresses.73 These updates confirm that the audit team understands the audit subject and that the team’s tentative results are reasonable.

Audited organizations may also use the command-reply process at the conclusion of fieldwork to shape the final audit report. In this process, each organization to which a draft finding, conclusion, recommendation, or PMB is addressed has the opportunity to concur or non-concur with these items and to submit comments and responses.74 As a result, a command reply may formally disagree with recommendations that the organization believes are infeasible or impossible.75 The organization may also propose alternatives to the recommended actions that will produce the desired results. Command comments are critical to the success and usefulness of an audit, and the OAP official must consider them before issuing the Army’s position.76 The audit report summarizes applicable comments immediately following each recommendation and reprints command replies in their entirety in one of the report’s standard annexes.77

If you are reviewing your client’s command comments prior to submission, ensure subject matter experts have thoroughly, clearly explained objections to any aspect of the report and have proposed reasonable revisions. Advise your client to avoid unhelpful criticism of the audit team and find another way to raise these issues, such as direct communication with the audit manager, program director, or other AAA official. Finally, help your client justify any legal objections to a tentative finding or recommendation. The audit team will send these objections to the AAA Office of Counsel for review. The better organized and articulated a legal argument is, the more effectively that AAA attorneys can analyze it and give appropriate feedback to the audit team.

(Credit: Wolfilser – stock.adobe.com)

Step 4: Correct Deficiencies that the Audit Team Finds

The audit process does not necessarily end when the audit report is published. If an audit team identifies a deficiency that is not fixed during the audit, the team should recommend corrective action. Once the OAP approves such a recommendation, responsible HQDA principal officials and commanders must implement it by performing the actions they have agreed to take.78 The AAA Audit Coordination and Follow-up Office tracks this implementation regularly. As required by DoD policy, AAA reports to the DoDIG twice per fiscal year on “the status of management’s corrective actions on [AAA] audit reports.”79 The DoDIG, in turn, reports this data to Congress.

Advise your client that unimplemented recommendations in high-profile audits sometimes generate congressional interest and action. For example, in April 2018, AAA issued an audit report80 on the Army’s Marketing and Advertising Program.81 The objective of the audit was to “verify that the Army’s investments in marketing and advertising generated a positive return” for recruiting.82 The audit report concluded that the Army Marketing and Research Group (AMRG) had to “refine its measurement and goal development to ensure programs are demonstrating a positive return based on their intended purpose(s).”83 The audit report then made seven recommendations, which AMRG agreed to implement at various points between 30 June 2018 and 30 September 2020.84 In August 2018, however, the National Defense Authorization Act for Fiscal Year 2019 required SECARMY to submit to the House and Senate Armed Services Committees a report on the status of the recommendations contained in the AAA audit.85 The National Defense Authorization Act further stated that until the Secretary submitted this report, AMRG was not permitted to obligate or expend more than 60 percent of the amounts appropriated to it for FY 2019.86

Although the AMRG audit situation was unusual, you can cite it as a cautionary tale. Advise your clients that audit recommendations matter, their implementation is tracked, and unreasonable implementation delays can create embarrassing consequences for an organization and its senior officials.

Conclusion

An audit can be a stressful event for the members of an audited organization, but as a legal advisor, you can reduce this stress for your client. By researching previous audits in the relevant area, coordinating with audit focal points, and using institutional knowledge, you will be able to provide relevant assistance when the audit team starts its work. Your legal analysis and practical advice during the audit process can help your client efficiently endure and successfully navigate an Army audit. TAL

---

Mr. Dobosh is the Deputy Counsel (Audits) for the U.S. Army Audit Agency at Fort Belvoir, Virginia.

---

Notes

1. These organizations comprise the Army Secretariat and the Army Staff. The Army Secretariat advises and assists the Secretary of the Army in exercising authority to conduct Army matters. The Secretariat consists of the Under Secretary of the Army, Deputy Under Secretary of the Army; Assistant Secretary of the Army (Manpower and Reserve Affairs); Assistant Secretary of the Army (Civil Works); Assistant Secretary of the Army (Financial Management and Comptroller); Assistant Secretary of the Army (Acquisition, Logistics and Technology); Assistant Secretary of the Army (Installations, Energy and Environment); and a number of functional officials, including Army General Counsel; Administrative Assistant to the Secretary of the Army; Chief Information Officer; the Inspector General; and the Army Auditor General. The Army Staff reports to the Chief of Staff of the Army and provides professional, independent military advice and assistance to the Secretariat in developing policies and programs and supports the Army Chief of Staff in executing responsibilities as a member of the Joint Chiefs of Staff. Headquarters, Department of the Army, Gen. Order No. 2020-01, Assignment of Functions and Responsibilities within Headquarters, Department of the Army paras. 7–24 (6 Mar. 2020) [hereinafter AGO 2020-01].

2. “Audited organization” in this article means an organization whose programs, operations, or functions are the subject of an audit, especially those organizations selected as audit fieldwork sites. The article uses “organization” rather than “command” to apply broadly to all types of Army entities, even those without a “commander.”

3. The United States Army Audit Agency (AAA) extranet site may be reached at https://armyeitaas.sharepoint-mil.us/sites/HQDA-AAA-extranet.

4. The Audit Coordination and Follow-up Office’s email address is usarmy.pentagon.hqda-aaa.mbx.acfo@army.mil, and its entry in the Outlook Address Book is USARMY Pentagon HQDA AAA Mailbox ACFO.

5. GAO reports may be found at https://www.gao.gov. DoDIG reports may be found at https://www.dodig.mil/Reports/Audits-and-Evaluations.

6. For more information on the Internal Review (IR) program, see infra Section “How does the Army Audit Agency relate to Internal Review? How does it relate to the Army Inspector General?”

7. The Assistant Secretary of the Army (Financial Management & Comptroller) manages and oversees the IR program. U.S. Dep’t of Army, Reg. 11-7, Internal Review Program para. 1-4a (29 Mar. 2017) [hereinafter AR 11-7].

8. Id. para. 2-3a (noting that “IR helps an organization accomplish its objectives by bringing a systematic, disciplined approach to foster a positive and strong management control environment and to evaluate and improve effectiveness of risk management and governance processes”).

9. AGO 2020-01, supra note 1, para. 19a; U.S. Dep’t of Army, Reg. 36-2, Audit Services in the Department of the Army para. 2-1a (30 Oct. 2015) [hereinafter AR 36-2] (“[AAA] is a field operating agency that reports to The Army Auditor General . . . .”).

10. 10 U.S.C. § 7014(c)(1)(B) (2022) (establishing the Secretary of the Army’s auditing function); AR 36-2, supra note 9, para. 1-5a (“[AAA] is the Army’s internal audit organization.”).

11. AR 36-2, supra note 9, para. 2-3. The process of briefing the tentative plan to Army senior officials for their input is informally called the “Road Show.” This statement is based on the author’s professional experiences as Deputy Counsel (Audits) for the Army Audit Agency from 6 April 2015 to the present [hereinafter Professional Experiences].

12. AR 36-2, supra note 9, para. 2-3.

13. The Army Auditor General is a level three senior executive service official. By statute, the Auditor General must have “at least five years of professional experience in auditing or accounting.” 10 U.S.C. § 7014(c)(5). The Army Auditor General is a career reserved position. Id. Consequently, the position must be filled by a “career appointee,” which is an individual in a senior executive service position whose executive qualifications have been approved by the Office of Personnel Management. 5 U.S.C. §§ 3132(a)(4), 3132(a)(8).

14. AGO 2020-01, supra note 1, paras. 5a (stating that HQDA principal officials are “responsible to the SECARMY” and must “advise and assist SECARMY” by executing their assigned duties and responsibilities), 19a (designating the Army Auditor General as SECARMY’s principal advisor “for all audit matters”).

15. U.S. Army Audit Agency, 2016 Performance Report 1–2 (n.d.).

16. U.S. Army Audit Agency, Reg. 36-3, Audit Execution paras. 1.5 (“Auditors-in-Charge”), 1.6 (“Staff Auditors”) (30 June 2021) [hereinafter AAA Reg. 36-3]; Professional Experiences, supra note 11.

17. AAA Reg. 36-3, supra note 16, paras. 1.3 (“Program Directors”), 1.4 (“Audit Managers”).

18. The AAA Office of Counsel consists of one GS-15 chief counsel, two GS-14 deputy counsels, and one GS-12 paralegal. Pers., Plans & Training Off., JAGC Personnel Directory 103 (2022).

19. U.S. Dep’t of Def., Instr. 7600.02, Audit Policies 12 (16 Oct. 2014) (C1, 15 Mar. 2016) [hereinafter DoDI 7600.02]. By contrast, the Department of Defense (DoD) definition of “audit” is circular and unhelpful. DoD policy defines “audit” as performance audits, financial audits, and attestation engagements. Id.; U.S. Dep’t of Def., Manual 7600.07, DoD Audit Manual at 53 (3 Aug 15) [hereinafter DoDM 7600.07]. To compound the problem, DoD policy fails to define those individual categories. Army policy does not define “audit” at all. Even AAA’s internal guidance adopts a circular definition, explaining that “‘audit’ includes performance, financial, and followup [sic] audits.” U.S. Army Audit Agency, Reg. 36-2, Planning and Survey para. F.3 (30 June 2021) [hereinafter AAA Reg. 36-2]. Unfortunately, these definitions are consistent with GAO’s definition of “audit” as “a financial audit or performance audit conducted in accordance with GAGAS (generally accepted government audit standards).” U.S. Gov’t Accountability Off., GAO-21-368G, Government Auditing Standards para. 1.27b (2021) [hereinafter GAO Yellow Book].

20. DoDI 7600.02, supra note 19, at 13.

21. Professional Experiences, supra note 11.

22. GAO Yellow Book, supra note 19, para. 1.21; accord AAA Reg. 36-2, supra note 19, para. 3.4.

23. GAO Yellow Book, supra note 19, para. 1.17.

24. GAO Yellow Book, supra note 19, para. 1.17a.

25. National Defense Authorization Act for Fiscal Year 2010, Pub. L. No. 111-84, § 1003(a)(2)(A)(ii), 123 Stat. 2190, 2439–40 (2009) (requiring the DoD Chief Management Officer, in consultation with the Under Secretary of Defense (Comptroller), to develop a plan for “ensuring the financial statements of the DoD are validated as ready for [a financial] audit by not later than September 30, 2017”).

26. In a review, an auditor “obtains limited assurance . . . about the measurement or evaluation of [the] subject matter against criteria” GAO Yellow Book, supra note 19, para. 1.18b. For example, in 2019 AAA conducted a review of an independent outside audit of American Red Cross financial statements for the organization’s most recent fiscal year. U.S. Dep’t of Army, Rep. A-2019-0036-FMF, U.S. Army Audit Agency Independent Review of the Independent Auditor’s Report of the American Red Cross FY 18 Financial Statements 1 (16 Jan. 2019). The review analyzed the methodology used to conduct the audit and determined that the independent auditor’s conclusions were reasonably reliable. Id. at 2.

27. In an examination, an auditor obtains reasonable assurance by drawing reasonable conclusions about “whether the subject matter is in accordance with (or based on) criteria” and whether the assertion being tested “is fairly stated, in all material respects.” GAO Yellow Book, supra note 19, para. 1.18a. An examination has a substantially broader scope than a review and, unlike a review, expresses an opinion on the subject matter. GAO Yellow Book, supra note 19, para. 7.76. For example, in FY 2019, USAA conducted an examination to independently validate the assertion by the HQDA Deputy Chief of Staff, G-4, that the Logistics Modernization Program (LMP) satisfied the requirements for certification as an accountable property system of record in accordance with DoD Instruction 5000.64, Accountability and Management of DoD Equipment and Other Accountable Property. U.S. Army Audit Agency, Rep. A-2019-0101-BOZ, Independent Auditor’s Report on the Examination of the Logistics Modernization Program 3 (4 Sept. 2019). The review concluded that the LMP did not satisfy all requirements for a system of record. Id. at 3-4.

28. Audit procedures are “specific steps and tests auditors perform to address the audit objectives.” GAO Yellow Book, supra note 19, at 212.

29. GAO Yellow Book, supra note 19, para. 1.18c.

30. Professional Experiences, supra note 11.

31. GAO Yellow Book, supra note 19, para. 1.18c.

32. AR 36-2, supra note 9, para. 2-20.

33. Professional Experiences, supra note 11.

34. GAO Yellow Book, supra note 19, at 211 (defining “audit objectives”). In this regard, the audit objective functions like the appointment memorandum for an administrative investigation. See, e.g., U.S. Dep’t of Army, Reg. 15-6, Procedures for Administrative Investigations and Boards of Officers para. C-5a(2) (1 Apr. 2016) (requiring the appointment memorandum to “clearly state the purpose and scope of the investigation”); U.S. Dep’t of Army, Reg. 735-5, Property Accountability Policies para. 13-24a (9 Nov. 2016) (stating that the “appointment of a financial liability officer is accomplished by using a memorandum”), fig.13-12 (showing sample appointment memorandum) [hereinafter AR 735-5].

35. GAO Yellow Book, supra note 19, at 211 (defining “audit objectives”).

36. GAO Yellow Book, supra note 19, at 211, 213 (showing the interplay between “audit objectives” and “criteria”).

37. GAO Yellow Book, supra note 19, at 213 (stating that audit criteria “identify the required or desired state . . . with respect to the program or operation” being audited).

38. GAO Yellow Book, supra note 19, para. 8.01.

39. DoDM 7600.07, supra note 19, encl. 11, para. 3b(3); AR 36-2, supra note 9, fig.2-1.

40. GAO Yellow Book, supra note 19, at 1.

41. GAO Yellow Book, supra note 19, para. 8.06 (requiring auditors to “obtain sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions based on the audit objectives”).

42. GAO Yellow Book, supra note 19, para. 8.12.

43. AR 15-6, supra note 34, paras. 3-10 to 3-12; GAO Yellow Book, supra note 19, paras. 8.90 (obtaining evidence), 9.10 (audit report contents).

44. AR 15-6, supra note 34, para. 1-8 (requiring the IO to “thoroughly and impartially ascertain and consider the evidence”); GAO Yellow Book, supra note 19, para. 3.11 (requiring auditors to have “objectivity in discharging their professional responsibilities,” which includes “independence of mind and appearance when conducting engagements, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest”).

45. AR 15-6, supra note 34, para. 2-8b(3)(a).

46. At the start of an audit, the audit team determines which HQDA principal official has “primary responsibility for the program, process, or policy” being audited and asks that individual to provide the OAP. AR 36-2, supra note 9, para. 2-12c(1).

47. AR 36-2 establishes a resolution process if AAA and the OAP official cannot agree. AR 36-2, supra note 9, paras. 2-14a–b. Ultimately, the Under Secretary of the Army or Vice Chief of Staff of the Army adjudicate disagreements that cannot be resolved. Id. para. 2-14c. As a practical matter, OAP officials can often avoid the dispute resolution process by agreeing to a modified recommendation amendable to the responsible audited organization that addresses the underlying identified condition. Professional Experiences, supra note 11.

48. AR 11-7, supra note 7, para. 1-6a.

49. AR 11-7, supra note 7, paras. 1-7a (principal advisor function), 1-7o (recommendation tracking function).

50. 10 U.S.C. § 7020(b)(1) (requiring the Army Inspector General, “when directed by the Secretary or the Chief of Staff” of the Army, to “inquire into and report upon the discipline, efficiency, and economy of the Army”). The Inspector General function within HQDA is the sole responsibility of the Office of the Secretary of the Army. Id. § 7014(c)(1)(E).

51. U.S. Dep’t of Army, Reg. 20-1, Inspector General Activities and Procedures paras. 1-4a(8)–(11) (23 Mar. 2020).

52. Although the Department of the Army uses separate organizations to perform the auditing and IG functions, the DoD does not. Consequently, the DoDIG has the mission to “conduct and supervise audits, investigations, evaluations, and inspections relating to the programs and operations of the DoD” and, as relevant here, to establish DoD audit policy and to monitor AAA and other internal DoD audit organizations. U.S. Dep’t of Def., Dir. 5106.01, Inspector General of the Department of Defense (IG DoD) paras. 3, 5c, 5m (20 Apr. 2012) (C2, 29 May 2020).

53. AAA Reg. 36-3, supra note 16, paras. 5.1–5.2.

54. AAA Reg. 36-3, supra note 16, para. 5.2.

55. DoDI 7600.02, supra note 19, encl. 3, para. 2. All AAA auditors have at least a Secret security clearance, and auditors assigned to intelligence-related audits have Top Secret clearances. Professional Experiences, supra note 11.

56. DoDI 7600.02, supra note 19, encl. 3, para. 2.

57. AR 36-2, supra note 9, para. 1-6c.

58. AR 36-2, supra note 9, para. 1-6c.

59. U.S. Dep’t of Army, Reg. 27-26, Rules of Professional Conduct for Lawyers r. 1.13(a)(1) (26 June 2018) [hereinafter AR 27-26].

60. Id., r. 1.13, cmt. 2 (explaining that an attorney-client communication concerning Army official business “is protected by Rule 1.6 from disclosure to anyone outside the Department of the Army and to anyone inside the Army who does not have an official need to know”) (emphasis added).

61. Id., r. 1.6, cmt. 14 (explaining that when the Department of the Army is the client, if:

client information covered by the attorney-client privilege or client-lawyer confidentiality is properly disclosed to the Army’s authorized officials who have an official need to know the information, whether the disclosure is made under implied or express authority, those officials are considered privileged persons and no waiver of privilege or confidentiality has occurred).

62. Privacy Act of 1974, 5 U.S.C. § 552a (2018).

63. U.S Dep’t of Def., 5400.11-R, Dep’t of Defense Privacy Program paras. C4.2.1.1.1–.3 (14 May 2007).

64. AAA Reg. 36-2, supra note 19, para. 15.1. The designated audit focal point, who is often a member of the command’s internal review office, coordinates this meeting. AR 36-2, supra note 9, para. 3-2a.

65. AAA Reg. 36-2, supra note 19, para. 15.3.

66. AAA Reg. 36-2, supra note 19, para. 15.3.

67. An internal review office can provide similar suggestions even before the entrance conference, during the pre-planning phase. Internal review cooperation with an audit team from the outset can help identify known problem areas for the team to analyze. Professional Experiences, supra note 11.

68. Professional Experiences, supra note 11.

69. The recommendations resulting from financial statement audits, follow-up audits, and attestation engagements are much narrower. A financial statement audit yields an opinion of whether “financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework” and, if necessary, makes recommendations to improve the statements. GAO Yellow Book, supra note 19, para. 1.17a. A follow-up audit recommends either additional implementation of agreed-to corrective actions or, if implementation is complete, no further action. AR 36-2, supra note 9, para. 2-20. Among attestation engagements, only examinations may produce recommendations. GAO Yellow Book, supra note 19, paras. 7.04 (no recommendations from review engagements), 7.84 (no recommendations from AUP engagements). An examination’s recommendations provide actions to help attain a favorable opinion on the subject matter or to address deficiencies identified during the engagement concerning internal control; noncompliance with provisions of laws, regulations, contracts, and grant agreements; or instances of fraud. GAO Yellow Book, supra note 19, para. 7.21.

70. DoDM 7600.07, supra note 19, encl. 13, para. 3a. Funds may be “put to better use” when they “could be used more efficiently” for other purposes. Id. at 53.

71. DoDM 7600.07, supra note 19, at 54.

72. DoDM 7600.07, supra note 19, encl. 13, para. 3b(1).

73. AAA Reg. 36-2, supra note 19, para. 15.3 (requiring audit team to explain during the entrance conference that “the AM [audit manager] or AIC [auditor-in-charge] will be available, as often as desired, to update command on the audit progress and findings”); AAA Reg. 36-3, supra note 16, para. 5.5 (“The audit team should hold periodic meetings with command to discuss audit progress and significant issues.”).

74. AR 36-2, supra note 9, paras. 2-12a(1), 2-12b(1). In addition, organizations have an opportunity to discuss areas of disagreement during the audit exit conference. U.S. Army Audit Agency, Reg. 36-4, Report Writing and Reply Process para. 8.2 (30 June 2021).

75. This input is especially important considering AAA’s tracking recommendations after the audit report is issued and reporting the status of recommendations to the DoDIG semiannually, as discussed in “Step 4,” infra.

76. See AR 36-2, supra note 9, para. 2-12c(2).

77. AAA Reg. 36-4, supra note 74 , para. 10.7.

78. AR 36-2, supra note 9, para. 2-17b.

79. AR 36-2, supra note 9, para. 2-21a; accord U.S. Dep’t of Def., Instr. 7750.06, Information Requirements for Semiannual Report to the Congress encl. 3, tbl.1, items 3, 4, 20 (25 Sept. 2013) (C1, 29 Apr. 2020).

80. U.S. Army Audit Agency, Rep. A-2018-0036-MTH, The Army’s Marketing and Advertising Program: Return on Investment (13 Apr. 2018) [hereinafter Audit Rep. A-2018-0036-MTH].

81. At the time of the audit, the Army Marketing and Research Group (AMRG) was a field operating agency of the Assistant Secretary of the Army (Manpower & Reserve Affairs) responsible for “national marketing and marketing research” in support of the Army’s Enterprise Strategic Brand Marketing and Communication Plan. U.S. Dep’t of Army, Reg. 601-208, The Army Brand and Marketing Program para. 4a(2) (18 July 2013). Effective 30 September 2019, the AMRG was redesignated as the Office of the Chief Army Enterprise Marketing and reassigned as a field operating agency of the Deputy Chief of Staff, G-1 with headquarters in Chicago. Headquarters, U.S. Dep’t of Army, Gen. Order No. 2019-18 (30 May 2019). The organization’s mission is to “coordinate the Army’s national marketing and advertising strategy, develop and maintain relationships with the marketing and advertising industry, and develop marketing expertise and talent within the Army to support the Regular Army, Army National Guard, and U.S. Army Reserve.” Id.

82. Audit Rep. A-2018-0036-MTH, supra note 80, at 5.

83. Audit Rep. A-2018-0036-MTH, supra note 80, at 6.

84. The command agreed to implement two recommendations by 30 June 2018, two recommendations by 30 September 2018, two recommendations by 31 March 2019, and one complex recommendation (to “develop a resource requirements projection model that links to and supports planned marketing efforts”) by 30 September 2020. Audit Rep. A-2018-0036-MTH, supra note 80, at 14–17.

85. John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115-232, § 599(a)(1), 132 Stat. 1636, 1792 (2018).

86. Id. § 599(b).