Editor’s note: This story has been updated to clarify that DoD ended fiscal year 2018 with $27.7 billion in expired funds. Not all of that money was appropriated in the same year.
The Defense Department has long known that weaknesses in its information technology systems are a major reason it’s never been able to successfully undergo a financial statement audit.
But now that the entire department has been through a full audit for the first time, the results paint a clear picture of how serious the problem is: Almost half of the defects auditors found in 2018 were about IT systems, not financial management practices per se.
Across the 21 separate component-level audits that feed into the department-wide version, examiners issued 1,119 separate notices of findings and recommendations (NFRs) related to IT. That compares with 1,291 NFRs on financial matters, and it comes despite the billions of dollars the department has spent over the past two decades to replace its legacy business systems with modern, auditable enterprise resource planning (ERP) systems.
The Pentagon’s inspector general issued the NFR tally on Tuesday as part of a detailed summary of the 2018 audit. Among the military services and agencies, the Department of the Navy had the most IT problems: 298 separate findings, including 52 that had already been identified in partial DoD audits in prior years.
The Air Force had a total of 169 NFRs in the IT category, followed by the Army’s 157.
The Government Accountability Office has repeatedly pointed out that successful implementation of DoD’s ERPs would be critical to passing its first audit. GAO also warned in a 2017 report that the systems still would not be fully ready in time for the first audit in 2018.
“ERP implementation has been delayed because of deficiencies in functional capability and the need for remedial corrective actions,” GAO reported. “The DoD components will need to identify effective work-around processes or modifications to legacy systems that will enable audit readiness. Without fully deployed ERPs, the department will be challenged to produce reliable financial data and auditable financial statements without resorting to labor-intensive efforts, such as data calls or manual workarounds, or to provide reliable financial data on a recurring basis.”
Altogether, the DoD IG identified 20 separate material weaknesses in the first audit. Within those, the office pointed to six that it deemed the “most significant,” and put DoD’s more than 400 accounting-related IT systems at the top of the list.
“For example, to process and record contract payments, the [military] services depend on over a dozen IT systems that are owned and operated by other DoD components,” the IG wrote in the Jan. 8 report. “Ineffective IT system controls can also result in significant risk to DoD operations and assets. For example, payments and collections could be lost, stolen, or duplicated as a result of weak IT controls. In addition, critical operations, such as those supporting national defense and emergency services, could be disrupted through weak IT controls.”
Among the problems the IG pointed to: DoD organizations don’t always follow regulations that require them to monitor the activities of privileged users, and aren’t consistently enforcing restrictions on what users can and can’t do based on their specific roles. They also tended not to cut off a particular user’s access to the system once he or she left the organization, and didn’t implement security controls meant to detect accidental or unauthorized changes to financial data.
And tightening up enforcement of IT policies isn’t just about the integrity of DoD’s financial data, auditors wrote.
“Improving internal controls for IT systems that process financial transactions will also improve the cybersecurity of the DoD’s IT systems,” according to the report. “The DoD must defend its own networks, systems, and information from malicious cyber attacks. Improved internal controls on IT systems that process financial information will help the DoD both protect against and rapidly respond to cyber threats across different networks and systems.”
Besides IT, the inspector general pointed to several other weaknesses that it considered “most significant” based on the 2018 audit:
Universe of Transactions (50 NFRs): DoD still doesn’t have a single repository of all of its payroll, property and inventory transactions that auditors can query.
Inventory (70 NFRs): The IG says DoD can’t assure the “existence, completeness, and valuation” of its inventory. That causes the military services to, for example, buy extra spare parts that they might already have on hand.
Real estate and other high-value property (100 NFRs): Similar to the spare parts problem, DoD can’t provide a full inventory of the facilities and military equipment it owns, including evidence of how they were paid for.
Fund Balance with Treasury (60 NFRs): DoD can’t reconcile the funds its components believe they have available to spend with what’s actually in its accounts at the Treasury Department, the equivalent of balancing a checkbook.
In a separate report issued last month, the IG said the department’s inability to reconcile its Treasury accounts makes it difficult to make well-informed spending decisions in any given year — especially in complex, intermingled accounts like the one shared by more than 100 separate “other Defense organizations” outside the military services.
“Without a proper checkbook balance, the DoD’s spending decisions could result in an over- or underutilization of its appropriation,” the office wrote in a report describing the department’s broader management challenges. “For example, if a DoD component believes it will overspend its appropriation, it might not hire sufficient staff, make needed repairs, or maintain critical equipment.”
Indeed, according to DoD’s own financial statement, the department ended fiscal year 2018 with $27.7 billion in unspent funds that expired on September 30; those funds generally can’t be used for any new spending in future years. Most of the money, $19 billion, was in DoD’s operations, readiness and support accounts, where funds must be used in the same year they’re appropriated.
That figure is actually down from the number of dollars DoD allowed to expire in previous years: $33.6 billion in 2017 and $37 billion in 2016. In each case, the money generally remains locked in DoD’s Treasury accounts for another five years after it’s expired, and can’t be used for new military expenditures or any other purpose.