Accounting Blog | Fairfax VA CPA firm

How to Respond to DCAA Requests: A Practical Playbook for Government Contractors

by

GovCon Wednesdays
Estimated Read Time: 5 minutes

When DCAA sends a request—whether it’s an email for support, a formal data call, or a list of questions—your response strategy matters as much as the documents themselves. The fastest way to create delays (or raise suspicion) is to respond inconsistently, without a clear audit point-of-contact, or with files that don’t tie back to your accounting records.

DCAA’s audit process overview explains that auditors will submit written or oral requests for cost/pricing data and supporting documentation during an audit.

Below is a practical, repeatable way to respond to DCAA requests professionally—while protecting your time, your billing, and your credibility.

 

First: understand what DCAA is asking for

DCAA requests typically fall into a few buckets:

  • Accounting system / internal controls (policies, approvals, segregation of costs)
  • Timekeeping / labor support (timesheets, corrections, labor distribution, payroll tie-outs)
  • Indirect rates / ICS support (pool/base schedules, GL tie-outs, support for key accounts)
  • Billing support (invoice packages, ODC/sub support, reconciliations)
  • Cost/pricing support (proposal backup, estimating system support)
Why this matters

Different request types require different “owners.” A timekeeping request shouldn’t be managed the same way as an indirect rate schedule request.

 

A step-by-step method to respond to DCAA requests

1) Assign a single audit point-of-contact (POC) immediately

Before you send anything, designate one person to control communications and document flow.

What the audit POC does
  • Receives and logs all requests (one source of truth)
  • Routes each item to the right internal owner
  • Checks that support ties out (no contradictory versions)
  • Sends consolidated responses back to the auditor
Red flag to avoid

Multiple people emailing DCAA separately can create inconsistent answers and unnecessary follow-ups.

 

2) Confirm scope and deadlines in writing

Auditors may submit requests verbally or in writing.
If the request is broad or unclear, confirm scope before you begin pulling files.

A simple confirmation note should include
  • The items you understand are being requested (bulleted)
  • Expected format (PDF, Excel, native exports)
  • Requested due date
  • Any reasonable clarifying question (e.g., “by contract or consolidated?”)
Best practice

If you can’t meet a deadline, propose a partial delivery plan (e.g., “Items 1–5 by Wednesday, remaining by Friday”) rather than going silent.

 

3) Build a “request tracker” and keep it current

Treat DCAA requests like a project. Track what was asked, what was provided, and when.

Your tracker should include
  • Request ID / topic
  • Date received
  • Owner assigned
  • Due date
  • Status
  • Date delivered
  • Notes (tie-out issues, follow-up questions)
Why this matters

Audit management guidance commonly recommends tracking requests, documents provided, and response timelines to keep audits moving.

 

4) Respond with organized packages—not document dumps

DCAA is trying to verify that costs and systems are supportable. Your job is to make the trail easy to follow.

A strong response package includes
  • A short cover note: what’s attached + how it ties out
  • Folder structure that mirrors the request list
  • Consistent file names (Contract_Period_ReportType)
  • One “index” file (Excel/PDF) listing what you delivered
Red flag to avoid

“Here are 47 files—let me know if you need anything else.” That almost guarantees more questions.

5) Tie everything back to your accounting records

If a schedule doesn’t reconcile (GL → job cost → billing), expect the auditor to stop and ask.

Always include tie-out support for
  • Labor: timekeeping → payroll → labor distribution → GL
  • ODCs: invoice/receipt → AP entry → job cost → GL
  • Indirect rates: pool/base schedules → trial balance/GL
Quick rule

If you can’t explain a number in two sentences, it’s not ready to submit.

 

6) Don’t “create records,” but do provide what exists

Many GovCons worry that auditors can demand entirely new reporting. The FAR “Audit and Records—Negotiation” clause describes access to records, but it also states this access may not be construed to require the contractor to create or maintain any record not maintained in the ordinary course of business (or required by law).

Practical approach
  • Provide system exports, reports, and documentation you already maintain
  • If asked for something you don’t produce, offer the closest equivalent and explain the mapping

 

7) Control follow-ups: answer once, clearly, and consistently

Follow-up questions are normal. What creates risk is inconsistent answers (especially when multiple people reply).

Best practices for follow-ups
  • Reply in writing (even if discussed live)
  • Reference the original request ID/topic
  • Provide a single “final” version of a document (avoid v1/v2 confusion)
  • Keep an audit folder with every submission and email thread

 

8) Know when to escalate internally

Escalate quickly when:

  • The request involves potential unallowables or sensitive costs
  • You see mischarging risk or timekeeping corrections
  • A schedule won’t reconcile without major rework
  • You suspect scope creep beyond the audit objective
Why this matters

Early escalation prevents rushed responses that create bigger downstream problems (questioned costs, corrective actions, or delays).

 

FAQs: Responding to DCAA requests

How fast do we need to respond to DCAA?

DCAA requests will include timelines that vary by audit and urgency. The best practice is to acknowledge quickly, confirm scope, and provide a delivery plan—especially if the request is extensive.

What if we can’t meet the deadline?

Communicate early and propose a staged delivery. Missed deadlines without communication can delay the audit and increase follow-ups.

Can DCAA ask for anything they want?

They can request access to records relevant to the audit/contractual scope. FAR 52.215-2 outlines access to records and also clarifies the Government may not require creation of records you don’t keep in the ordinary course.

Should we send native files or PDFs?

When possible, provide electronic information in an organized format; DCAA’s audit process materials note expectations for electronic information when possible.

 

Key takeaways

  • Respond to DCAA requests like a project: assign a single POC, confirm scope, and track everything.
  • Deliver organized packages with tie-outs—document dumps create delays and more scrutiny.
  • FAR 52.215-2 supports record access but does not require you to create records you don’t maintain in the ordinary course.
  • Consistency is protection: one voice to DCAA, one version of each schedule, and clear written follow-up responses.

If DCAA requests feel stressful or disruptive, VSINGH CPA can help you build a repeatable audit-response system—request trackers, tie-out packages, and documentation workflows that reduce follow-ups and protect cash flow.

👉 Check out our YouTube Shorts for quick GovCon Essentials: https://youtube.com/shorts/MBYdtoiCv5g?feature=share

 

What’s next in the DCAA Audit Readiness Series

✅ DCAA Audit Readiness Series #1: What Triggers a DCAA Audit?
✅ DCAA Audit Readiness Series #2: Pre-Audit Readiness Checklist for GovCons
✅ DCAA Audit Readiness Series #3: Common DCAA Findings (and How to Avoid Them)
✅ DCAA Audit Readiness Series #4: Timekeeping & Labor Compliance Red Flags
✅ DCAA Audit Readiness Series #5: Indirect Rates Under Audit Scrutiny
✅ DCAA Audit Readiness Series #6: How to Respond to DCAA Requests
7️⃣ DCAA Audit Readiness Series #7: Audit Outcomes: Pass, Deficiency, or Corrective Action
8️⃣ DCAA Audit Readiness Series #8: What Happens After the Audit?