For the fifth year in a row, the Defense Department received a failing grade on its consolidated financial statements. However, failing grades did not begin in 2018. DoD financial woes are part of a continuum of over 30 years, dating back to the CFO Act of 1990, which mandated agencies to obtain a “clean opinion” on their financial statements.
I have been a government auditor for more years than I care to remember, first as a civil servant and later working as a consultant. I am also an original member of the government’s “511” audit series, as classified by the Office of Personnel Management with the passing of the Inspector General Act of 1978. In addition, I was a program manager for the audit directorate under the DoD IG for Auditing in the 1980s and 1990s.
Since 2012, I have been involved with the information technology part of the financial statement. Ostensibly, accumulated data from DoD IT systems and applications feed into general ledgers, which in turn tick and tie to an agency’s financial statements. But not for DoD.
The embarrassing accumulation of disclaimers and adverse opinions sets the DoD apart from the other 23 agencies in the United States government. DoD is the lone agency that has never obtained an unmodified opinion, 33 years and counting. When does accountability enter the discussion?
Meanwhile, the material weaknesses continue to pile up, while some agency undersecretary or CFO makes another new promise about audit readiness. The latest target is now 17 years after the Secretary of Defense promised that DoD would have reconcilable statements and accountability regarding agency fiscal practices. (Leon Panetta stated in October 2011 that readiness would come in 2017, which morphed into 2018, and is now 2028!)
There is a formula for DoD to reverse its Disclaimer trend, and it involves showing proper respect for, and actually implementing, all government regulations. Hiring audit consultants who are more savvy with the Government Accountability Office’s “Yellow Book” will also help. While IT techies speak a high grade of English, they are typically not trained in internal controls, nor are they conditioned to follow Office of Management and Budget standards regarding findings (NFRs) and corrective actions.
A few years back, internal auditors at the Indianapolis office of the Defense Finance and Accounting Service developed a simple testing protocol that addressed a group of “high-risk” controls. It targeted the prominent business activities that created the most havoc for IT systems and applications. There is a smaller version of this methodology that involves testing just under 40 controls that, in their totality, will address, identify, and remediate, as necessary, the four major material weaknesses that plague DoD IT operations. A quite simple formula follows, which does not involve the high calculus that DoD financial gurus and consultants keep applying, seemingly with futility.
For security management controls, ensure that controls are adequately designed and documented. In addition, do not create standard operating procedures in haste. An SOP that does not address (a) roles within the application, (b) segregation of duties, or (c) government regulations will not pass muster with the independent auditors.
Regarding user access controls, the user access authorization form and approval process should be the responsibility of the user’s supervisor; the supervisor is the only approving authority who knows all of the systems and applications that his/her user can access. In addition, sensitive transactions still have not been identified, and the failure to promptly remove access for terminated users is a national security threat, as the Secretary of Defense identified in July 2019.
Internal control issues over segregation of duties (SOD) are deep and sometimes complicated, but not insurmountable. GAO stated in 2009 that a “Matrix” is the best solution to identify conflicts, and nothing has changed that terrain. Hard work indeed, but viable solutions are attainable after analyses of SOD issues within and across applications. (As a sidebar, DoD managers who repeatedly claim that an automated solution for thorny SOD problems is just around the corner, and then walk away from issues that are very fixable in the near term, need to adopt a more responsible approach.)
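The two access-control tests described above, the terminated-user check and the GAO-style SOD conflict matrix applied within and across applications, can be scripted against exported user-role listings. The following is an added illustration, not code from the article, DFAS, or any DoD component; the user names, application codes (PAY, GL), role names, and the conflict pairs are all constructed for the example and are not drawn from any real system.

```python
"""Access review over constructed sample data: flags accounts that still
belong to terminated users and flags segregation-of-duties (SOD) conflicts
using a conflict matrix, within one application and across applications."""

from collections import defaultdict
from itertools import combinations

# Constructed sample access listing (hypothetical apps and roles).
# Each record is (user, application, role), as a role export would provide.
ACCESS_RECORDS = [
    ("asmith", "PAY", "vendor_maintenance"),
    ("asmith", "PAY", "payment_release"),     # conflicts with vendor_maintenance (same app)
    ("bjones", "PAY", "payment_release"),
    ("bjones", "GL",  "journal_post"),         # conflicts with payment_release (across apps)
    ("cdoe",   "GL",  "journal_approve"),
    ("dlee",   "PAY", "invoice_entry"),        # dlee is terminated but still provisioned
]

# Constructed HR separation feed: users whose termination is effective.
TERMINATED_USERS = {"dlee"}

# Constructed SOD conflict matrix. Each entry is an unordered pair of
# (application, role). Because the application is part of the key, a
# cross-application conflict is expressed exactly like an in-app one.
SOD_CONFLICTS = {
    frozenset({("PAY", "vendor_maintenance"), ("PAY", "payment_release")}),
    frozenset({("PAY", "payment_release"),    ("GL", "journal_post")}),
    frozenset({("GL", "journal_post"),        ("GL", "journal_approve")}),
}


def terminated_with_access(records, terminated):
    """Return sorted (user, app, role) rows still assigned to a terminated user."""
    return sorted(r for r in records if r[0] in terminated)


def sod_conflicts(records, matrix):
    """Return sorted (user, (app, role), (app, role)) tuples for every
    conflicting pair a user holds.

    All of a user's (app, role) assignments are pooled first, so a pair that
    spans two applications is detected in the same pass as a pair inside one.
    """
    by_user = defaultdict(set)
    for user, app, role in records:
        by_user[user].add((app, role))
    findings = []
    for user, assignments in by_user.items():
        for a, b in combinations(sorted(assignments), 2):
            if frozenset({a, b}) in matrix:
                findings.append((user, a, b))
    return sorted(findings)


def review(records=ACCESS_RECORDS, terminated=TERMINATED_USERS, matrix=SOD_CONFLICTS):
    """Run both tests and return the findings keyed by test name."""
    return {
        "terminated_with_access": terminated_with_access(records, terminated),
        "sod_conflicts": sod_conflicts(records, matrix),
    }


if __name__ == "__main__":
    for kind, rows in review().items():
        print(kind)
        for row in rows:
            print("  ", row)
```

The matrix is deliberately keyed on (application, role) pairs rather than role names alone: that is what lets one table cover conflicts across applications, which is where the manual, application-by-application reviews the article describes tend to miss them. In practice the three inputs come from an HR separation feed, each application's role export, and the business-process owners' signed-off conflict matrix.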
Finally, configuration management may be the easiest fix of all material weaknesses. IT managers need to ensure that testing and approval processes for system changes are properly segregated.
The answer to the above IT clean-up is not complicated, but it will take hard, pick-and-shovel work. Sometimes life requires us to take the road less traveled. Do DoD IT managers have the will to address and remediate these deficiencies? If they do, and then make a corresponding commitment to reverse the material weaknesses, they can rid themselves of these heretofore fatal failures in as little as 12-18 months.
Frank Bonsiero served in the US Air Force from June 1967 to December 1970, and entered the government as a civil servant in January 1971. During his 29-year career, Bonsiero served as a “511” auditor with the IRS, the federal courts, and the DoD Office of Inspector General. He left the government in 1999, but was recalled to help stand up TSA and DHS. Beginning in 2005, Bonsiero began stints as an audit consultant, primarily for CPA firms. Since August 2012, Bonsiero has been involved with FIAR engagements exclusively, serving as a consulting FISCAM/IT Auditor for several Defense components.