The Defense Department is now onto its fourth year of full-scale financial audits. And the audit results from the first three years don’t offer a huge amount of hope that DoD is going to pass an audit anytime soon.
In the latest audit, finished last year, auditors found that DoD and the military services had managed to deal with and close out 857 negative findings from previous years. But they also found even more new issues: there are now more than 3500 notices of findings and recommendations (NFRs) outstanding, more than DoD had a year ago.
But there are some signs of forward momentum if you know where to look, and our guest this week certainly does. Carmen Malone is the Deputy Assistant DoD Inspector General for Audit. The OIG recently published its annual plain-language breakdown of the audit results.
Jared Serbu: So Carmen, let me just start at a very, very high level. You repeat the phrase in this report that a lot of things were unchanged compared to last year. When you look at the big picture across the whole DoD audit for 2020, where do you see evidence of improvement; evidence of change? What are your main takeaways for this year?
Carmen Malone: So I think the main takeaway is that progress was made and there’s still a lot of progress that needs to be made. Again, that hasn’t really changed from last year.
Let’s start with the progress. The big thing is those that had clean opinions, or unqualified opinions, actually maintained those and that’s not an easy thing to do, and I’m sure we’ll talk a little bit more about that. Because the next thing I want to mention is the biggest progress we saw was the DISA working capital fund went from a fiscal year 19 disclaimer of opinion, meaning the auditors didn’t have enough evidence to conclude, to a fiscal year 20 clean opinion, and that’s a really big jump, and something that DISA should be very proud of.
The other thing that we saw was material weaknesses within the DoD, as well as in some of the components, were either eliminated or downgraded to significant deficiencies, which is less than a material weakness. So, those are some really key signs of progress there.
Jared Serbu: Yeah, we’ll dig into some of those more discrete issues as we go here. I must say, when I first saw the report that you guys issued for 2020 back in November, my untrained eyes went straight to numbers of NFRs — notices of findings and recommendation — and numbers of material weaknesses, both of which grew in 2020. They closed a lot of NFRs, but added more new NFRs and maintained a lot from the previous year. So it looks like DoD is on a treadmill that’s moving faster than it can move through this process. Is that the wrong way to look at this? Or are we going to continue ad infinitum, finding more problems than we’re able to solve in a rapid fashion?
Carmen Malone: So I think the important thing is there’s definitely a glimmer of hope when you dig into the numbers. You know, while the NFR numbers increased year-over-year since fiscal year 18, the number of new NFRs that we’re finding each year has actually decreased. So, in 2018, we found about 1600 new NFRs, in 2019, it was about 1500, and then we were below 1000 new NFRs this past year. So that’s showing glimmers of hope.
In addition, when you’re looking at material weaknesses, while the number increased this year for the DoD overall, we actually presented a prior year material weakness as four material weaknesses in fiscal year 20 and one significant deficiency. So while we increased, it was due to the granular level that we presented the material weaknesses at in fiscal year 20 compared to prior years. In fact, the DoD actually downgraded two material weaknesses from fiscal year 19, showing progress in that way.
So, yes, there is that ever growing number of NFRs, but a lot of the findings that we have will take time to remediate and make sure that they have the sustainable processes in place so we can keep those opinions as we move forward. And I think that that’s important to note: sustainable processes do take time to build. And that is much better than putting in a quick fix to get an opinion or to cause NFRs or material weaknesses to go down.
Jared Serbu: Glad you raised that point, because I was just about to go there. Is there any way to measure the extent to which the NFRs that are getting closed are being done in a sustainable way, versus just a one-time manual work around that whoever’s working in that office next year may not remember how to do?
Carmen Malone: You know, there is, and that’s one of the things that I think as we’re progressing through this, we’re seeing that’s the reason we have additional NFRs. Those first year NFRs are where you don’t have written processes in place. And so now we’re seeing to clear those NFRs, they’re putting those written processes in place and that way, it’s not just, “Oh, we’re gonna do it this way for this year,” and the next person coming in doesn’t have guidance to kind of help them along the way. So that’s important that things are written out and it can be easily handed to the next person in line for that job.
In addition, one of the things that we do as auditors, prior to implementing some of the corrective action plans that the department has is, many of the components will ask the auditors to look at, “This is what we want to do, do you think it will address the concern?” And one of the things we’re seeing is that for those components that are asking their auditors whether the design of what they want to do would address the problem, we’re seeing the implementation of those actually correcting problems compared to if a component just goes and says, “Okay, this is the problem, this is how we’re going to fix it, we’re going to implement it.” Sometimes that’s not actually addressing the real problem. And so when they’re working with their auditors to really understand what the findings are, we’re seeing a lot more well designed, sustainable processes in place.
Jared Serbu: Going back to another thing you mentioned, some of these new material weaknesses — four I believe — are, as you said, just because you broke apart what had previously been identified in prior year audits as a single material weakness. Can you talk about the decision making process behind that, and why they were broken out separately this year?
Carmen Malone: Yes. So as we discussed in the report, we did present the fiscal year 19 Financial Management Systems and Information Technology material weakness at a more granular level. And the reason we did that is when we looked at that material weakness, it covered a great deal of problems — anywhere from access controls, to security controls, to segregation of duties. And when we looked at it this year, we saw that there were pieces of that material weakness that were going to be solved faster than others. And so to help the department really wrap its hands around the IT piece, we thought if we broke that out into the smaller pieces, it’s going to help them focus.
And so just this year, we were actually able to see a piece of that move down into a significant deficiency, showing that they’ve already made progress on at least one aspect of that, and that was their Risk Management Framework. So, you know, we have Legacy Systems, Configuration Management, Security Management, Access Controls, and Segregation of Duties left at that material weakness level, and they’re kind of taking on each of those individually, so they can close those out faster.
Jared Serbu: Of those — and you mentioned RMF, you’ve seen some progress there — which of those four does the department seem to be closer to resolving than the others?
Carmen Malone: I think they’re focusing a lot on Access Controls, because that is extremely important to their cybersecurity as well. And Segregation of Duties goes right along with that. So the legacy systems, we’ve got a long way to go on that. And, you know, I’m sure we’ll talk a little bit more about it as we get into this. But legacy systems will be a key to getting the department to the clean opinion that they’re after.
Jared Serbu: Actually, let’s go there. And I might have asked you this last year, I can’t frankly remember, but it is something that always strikes me — just that the department has spent literally billions of dollars over more than a decade to implement modern enterprise resource planning systems, or at least purchase them. How are we still, in 2021, reliant on legacy systems that were supposed to have been replaced long ago? Is it that the ERP systems exist, but they’re just not being fully utilized? Is there still more purchasing and implementation to do? Or is it just too hard to make broad brush statements like that?
Carmen Malone: I think it’s very difficult to make broad brush statements like that. It really focuses in on the fact that DoD has identified 250 systems that are relevant to financial statements. I don’t want to say that that’s all there are because, you know, we’re still digging into the system. But everything starts with a system. There’s just nothing that doesn’t involve a system.
We’re past the manual labor piece of this. And the problem is that many of the systems that are still in place, those legacy systems we talk about, were put in place long before even the requirement for audit. And when we look at that, it’s very difficult to just move everything over to a modernized system. You have data elements, which are just, it’s a piece of a transaction that don’t necessarily fit into the new system.
And as we’re purchasing these modernized systems, it’s difficult to find that one DoD way of doing business that’s going to fit in a system. So the Navy has its way of recording transactions, the Army has its way. And so it’s getting them all to play nice together and come up with that one DoD way of recording the transactions, having one system to do it in one way. Because when you start combining the Navy’s way of doing things, the Army’s way of doing things, and the Air Force’s way of doing things, it’s not as easy as if everyone were doing it the same way.
Jared Serbu: Correct me if I’m wrong, but I think that’s not just a problem for coming up with consolidated financial statements. It’s also a huge issue when you’re trying to reconcile inter-service transactions, because if you’re recording things differently, they’ve got to be reconciled together at some point. And I think that usually falls to [the Defense Finance and Accounting Service], where they’ve just got to decide which one is right — or which one to deem to be right.
Carmen Malone: Absolutely. And that’s one of the material weaknesses that we have. We don’t discuss it in-depth in the report, but inter-governmental and inter-departmental transactions are very difficult to reconcile, and oftentimes causes what we refer to as unsupported journal vouchers, meaning that there’s no support behind why they did what they did. It’s a heavy lift, and it takes a lot of manpower. And components get closer, if we’re not able to easily reconcile these items, I’m not sure that DFAS will have the manpower, or the ability to get through the number of reconciliations and really support which one they go with in time to issue financial statements.
Jared Serbu: I want to dig into IT issues a little more here — it’s such a significant part of the audit. So in 2020, DoD had 3559 total notices of findings and recommendations. Of those, 1093 were reissued IT-specific NFRs and 393 were new IT NFRs. And I raise all the numbers just to try and get us into a conversation about how far could the department go just by resolving all of these IT issues? And are they strictly IT issues, or does fixing the IT problems also get you toward closing out some of the quote-unquote financial-related NFRs?
Carmen Malone: So when you think of auditing a system, we always like to start with the reliability of the system and the underlying data. And so when we do that, we start with what we call general information technology controls. And those are your access controls, your security management controls, your segregation of duties. Basically, these allow the auditors to see that the system is secure, that only authorized users have access, and they only have access to what they need access to. If those controls fail, it’s sometimes a concern that the data changes or could change.
And we saw a perfect example of this at the very end of fiscal year 19, where we saw one control fail in a system that caused millions of records to be duplicated. We were very lucky that the error was caught and fixed rather quickly, and it didn’t actually impact any of the financial statements and the opinions. But it did require a lot more testing of the component’s management as well as the auditors just to validate the accuracy of the data. Now, those general information technology controls, that’s where we’re seeing a lot of the NFRs and a lot of the closed NFRs.
But as we move forward and we’re digging deeper into the IT controls, we’re moving past just the top system controls, and really getting into those applications that reside on the systems. And those are the controls that are really going to be important from the financial statement aspect of, Did it process correctly? Was the information transferred correctly? Were there application controls to ensure that we transferred all of the records from one system over to the financial reporting system? And those are the controls that we’re starting to get into, and that you’re really seeing a lot of new NFRs for.
Jared Serbu: Yeah, I was just gonna say, it’s probably fair to expect that as you dig deeper into that application layer, we’re going to continue to have a lot of new IT NFRs for some number of years.
Carmen Malone: Yeah, and that’s not unheard of. And as they change applications, or implement new systems, we anticipate that there will be NFRs related to those. But as long as they’re working to fix them quickly and modernizing the systems, that’s going to be key to building those strong sustainable business processes that will lead them to the clean opinion.
Jared Serbu: And I guess to put a happy gloss on this, even if the number of NFRs issued and reissued each year is still, at the moment, outpacing what’s being closed, each one of those closed really is a solved problem that probably wouldn’t have been solved without the audit process. And it probably matters to DoD’s underlying business operations and efficiency. Is that a fair way to think about it?
Carmen Malone: That is a fair way to think about it. And we’re also seeing the DoD actually look at if they have a problem in one area, does it exist in other areas? And we’ve seen some good progress related to that, especially in the information technologies arena. So when we look at some of the smaller entities, we don’t necessarily get into each smaller entity’s systems, we may test one or two of the smaller entities, and let everyone know what the findings were so they can implement any corrective actions across the department and not just in one.
Jared Serbu: And this also kind of gets us back to one of the points that you made earlier in the conversation, which is that once you have achieved something in the audit world, it’s not a guarantee that you’re going to stay there forever. And that gets us to the DISA issue in their working capital fund opinion for 20. As you said, they went from a disclaimer of opinion in 19 to a clean opinion in 2020. But they had previously had a clean opinion on that same working capital fund back in 2016. And then they went backwards. How common is that? How does that sort of thing happen, and how much of a danger is it for the broader department as they go through this process and make improvements along the way?
Carmen Malone: You know, I’m really glad that you brought this up because it is a healthy reminder that achieving a clean opinion is only the first step. It’s easy to throw as many resources as you want at a component and help achieve that clean opinion. However, maintaining the opinion is so much tougher than it really looks. It does require having those sustainable business processes and continued improvement on the internal controls.
Just looking at DISA working capital fund, trying to get that over the finish line of fiscal year 20 took a lot of manpower from DISA and DFAS personnel to make sure that we had all the necessary documentation, all of the transactions were available. And even then it took a little bit longer than what we would like to see. We’d like to see financial statements by November 15 at the latest, and that opinion wasn’t issued until December, it took about another month to make sure that we were able to get there.
So the question becomes — and what we will definitely be looking for in fiscal year 21 — is did they establish the processes to where they’re repeatable and sustainable to keep that opinion in fiscal year 21? As we get more components closer, it’s not going to be sustainable if DFAS personnel have to put in as many hours as they had to to support the DISA opinion. They won’t be able to do that for the others as well. So it’s getting the repeat processes in place that they can use.
Jared Serbu: One example of an area that has had a clean opinion for as long as I can remember is the Army Corps of Engineers Civil Works. They’ve had an unmodified opinion since I started covering this stuff, I think 10 years ago or so, and they’ve never backslid. Is it just that that’s such a different animal than the rest of the DoD entities, or are they genuinely doing something right that others could follow?
Carmen Malone: You know, they are a little bit different. They do not use DFAS for their accounting. So when it comes to having to support as many other components, it’s just not there. So the Army Corps of Engineers has its own accounting function; they kind of keep everything in house, and that has helped them.
But it’s also a reminder that they didn’t get that clean opinion overnight, it did take some time. And it took a lot of building of those internal controls and business processes. And even as you look at the Army Corps of Engineers, they still have notices of findings and recommendations, they still have material weaknesses, but they’re able to overcome those with other controls and other processes to make sure that those financial statements are accurate.
Jared Serbu: That’s such an important point — I’m glad you brought it up. There will be a point, hopefully, when DoD has unmodified opinions on its overall financial statements. But that doesn’t require getting to zero on the NFRs and material weaknesses. Is that what I hear you saying?
Carmen Malone: Absolutely. We have a lot of clean opinions that still have notices of findings and recommendations, they still have material weaknesses. So that’s something to keep in mind as we continue to look at this. From a numbers perspective, it’s not necessary to get everything down to zero, you can achieve a clean opinion while still having deficiencies in your internal controls and business processes.
Jared Serbu: What’s that threshold for an auditor? Is there any way to characterize it, where an auditor can look at a financial statement and say, “You’re definitely not perfect, but this is good enough for me to trust it at a level where I say that I’m going to give you an unmodified opinion”?
Carmen Malone: That all comes down to what auditors call materiality. And that is, you know, what is acceptable? It is always going to depend. There’s a nice, easy mathematical formula to calculate materiality, but it’s not always that simple. There’s also an issue of the qualitative factors.
If we were to look and say that a major weapon system was not included in the financial statements, even if it was only 1% of the DoD’s entire budget, I think most people would still consider that a problem. And so that would be one that the mathematical equation sounds great. But we have to look at it and say, “Would somebody really care?”
And that really comes down to auditor judgment a lot of times, and it’s not always as black and white. So to say, yeah, we’re gonna get down to two material weaknesses, and that’s going to be it — if we got down to just the Joint Strike Fighter material weakness, I can’t say that we wouldn’t still be sitting there saying, um, we probably still have an issue here.
Jared Serbu: Switching gears a little bit to the corrective action plans that DoD develops for all of these notices of findings and recommendations. We haven’t talked much about that yet, at least this year. How are they doing with those? The department got, I think, a fair amount of praise in the first couple years for creating this centralized database where they could track each one of the NFRs, and assign an accountable official to make sure that they did get fixed. How is that system of accountability working? And how are the corrective action plans working in 2020?
Carmen Malone: You know, the short answer is that they are still tracking them and management is still being held accountable from the OSD level. Obviously, we have a huge change in leadership this year, so seeing how the incoming leadership within the department handles the financial statements and just overall oversight of how the components are doing remains to be seen. But we have some indication that they’re going to continue looking at it the same way.
One of the things that I think was important in the past year was that the prior Deputy Defense Secretary [David] Norquist had each of the components draw roadmaps on not just corrective action plans, but these are the material weaknesses we want to clear. Here’s when we want to clear them, and here’s how we’re going to clear them, instead of focusing solely on those NFRs.
And that has continued into this year, where we are seeing a lot of focus on what is the material weaknesses you plan to focus on this year for each component. And that not only allows the components to really focus their efforts, but it also allows the auditors to focus their audit efforts for those that are already there or will be receiving disclaimers of opinion.
Jared Serbu: And yet you call out two specific material weaknesses that I think are directly related to the leadership issues that you just talked about. There’s a material weakness called out on DoD-wide oversight and monitoring, and component level oversight and monitoring. Are those different things from what you’re talking about, which is that there has been at least a sustained messaging from the Department of Defense leadership that the audit is important?
Carmen Malone: Yeah, so it’s slightly different. When I’m talking about leadership, we’re talking about tone at the top, maintaining that importance and support for the financial statements while also maintaining a balance and allowing them to come up with some realistic milestones.
But that oversight and monitoring, starting at the component level, it’s really, are they paying attention to how we’re implementing the controls, how we’re pulling the financial statements together? Do they have that buy in from not just the financial management side of the house, but from the operational side of the house as well? And are they all working together to really build the processes and internal controls that will help lead to that strong financial management?
From a DoD perspective on that oversight and monitoring, we’re really talking about the consolidation piece of the financial statements, and making sure that they understand what is in each of the components’ financial statements and how that needs to be consolidated together. And, you know, one of the things we talked about in the report was the ability to extend some of the milestones for getting financial statements out.
And so both the Navy and DISA, as I mentioned earlier, were a little bit past the Nov. 15 reporting date. And part of that was we actually saw for the Navy, their oversight and monitoring actually picked up a very large error — a $9.3 billion error in their financial statements. And that was all because their monitoring allowed them to really work together and say, “Wait a minute, this site over here made a $9.3 billion adjustment that shouldn’t have been made.” And while that caused a lot of work from a DoD consolidated standpoint — they did reissue their agency financial report in December just to adjust for that $9.3 billion error — it shows that the oversight and monitoring worked for the Navy, and that they had that control in place.
So the key here is to just keep the pressure, communicate the need to make the internal controls not just on the financial side, but on the operational side. And not just do it for the audit, but to do it for good business processes and hopefully making the department more efficient and have better operations.
Jared Serbu: As we start to wind down here, I want to talk a bit about how this year’s unusual circumstances surrounding COVID impacted the audit. I’m not sure that people realize the extent to which the audit process requires physical in person site visits. I mean, it’s not just an auditor staring at a spreadsheet all day. How much did COVID complicate the whole process this year? And how did the legions of audit teams work around it?
Carmen Malone: Yeah, obviously, there were impacts as a result of the pandemic. The travel restrictions and quarantines alone really kept auditors from getting out there and doing some of the on-site work, such as counting parts, physically seeing buildings that are on the financial statements. However, we actually were able to work around it quite a bit.
The first thing I want to say is it’s important to note that no opinion for the DoD or its components were contingent upon completing any in-person site visits, and all the necessary audit procedures were completed, especially for those that did receive clean opinions. For those that received clean opinions, while some in person site visits are required, they were able to accomplish those in fiscal year 20. I think it’s important to note that we did just as many site visits as we did in fiscal year 19, it was just that 500 of them were virtual instead, using audio and video technology.
And I think that that’s an important aspect as we move forward. Can we do that? And in some cases, yes, in some cases, no. There are going to be times where auditors must be on the ground. In order to get those that are receiving disclaimers of opinion past that, we need to be able to count, we need to be able to physically see things. And, you know, a lot of people will be like, “Just take the video technology wherever you need to take it.” Unfortunately, this is the Department of Defense. And there are areas we cannot carry video and audio technology, and we have to be there to do that.
And so in fiscal year 20, what we saw was, not only do we do these virtual site visits, but the auditors also redirected some of their efforts on other aspects of accounting that were more conducive to the virtual environment, such as valuation of assets. One of the things that we’ve really talked about in the last few reports is that there are certain assets that have not been properly valued. And that really includes a lot of the inventory, a lot of the large equipment and buildings. And so we’re really starting to see the methodology that the department and its components are starting to put together to value those. And we were able to spend a lot more time on that in fiscal year 20. And it really did help many of the components develop better methodologies as we’re moving forward to being able to value those assets.
Jared Serbu: Are there clear examples where things that had to be done because of COVID this year make sense to carry forward? Some of those audio and video technologies, for example? And do government audit standards typically accommodate that kind of thing?
Carmen Malone: You know, it actually really does accommodate that. It will be interesting to see how much we can really take from fiscal year 20 and move forward with. I don’t think you will see an overall change of everything moving to virtual. But I think that it will be important that we can probably save a little bit of money on allowing some of the virtual to continue while having less people on site. And that does save travel funds, it saves time. And people will be able to still maintain that knowledge.
It’s also a good tool to allow for continued knowledge development from some of the associates at the IPA firms, or new auditors here at the OIG. We can allow them to sit in virtually and learn the environment without automatically sending them to a location. But definitely, there were lessons learned that we can carry forward, but there are going to be areas where we can’t carry things forward.
You know, I think of the classified environment, we cannot carry this kind of thing forward into a classified environment. It’s very difficult to carry this forward when we’re talking about counting munitions, or any major weapon system that we work with. It’s also very difficult when we’re talking about going into contractor locations such as Lockheed or Boeing, where we have a lot of parts. The virtual environment doesn’t work as well there.
Jared Serbu: We’ve talked about a couple of the material weaknesses, and we definitely can’t do all 26 in this setting. But I did want to raise one more, which is Real Property, just because there’s been some news around that in the last few days. GAO just took the DoD real property category off of its high risk list for 2021. I totally understand there’s very different standards for the GAO high risk list versus an audit material weakness, but they’re seeing progress in that area. I’m wondering if the audit is showing progress in that area too.
Carmen Malone: We actually did see some progress in fiscal year 20. It was limited due to the pandemic, in that it really impacted the department’s ability to get out there and make sure they have everything on their books as well as the auditors’ ability to get out there and confirm.
What we really saw in fiscal year 20 was the movement of property to what we call the installation host. The installation host is the service that runs the base or owns the base. And so this is going to allow the department to really focus all of its property on just a few financial statements. And it allows them to do a little bit more on the analytics to make sure that buildings are not double counted. So for example, if I’m looking at Fort Bragg, anything in Fort Bragg’s fenceline is now considered part of the Army’s real property, it will be on their books, regardless of whether it’s a DLA building or a Navy building. It’s staying on the Army’s books. And this really allows for not duplicating.
In prior years, if it was a Navy building on Fort Bragg, the Navy may have it recorded, but somehow it could have gotten included on the Army’s books as well. And I believe we saw a huge decrease in Army real property that was actually duplicated on their financial statements.
Jared Serbu: That’s an interesting example. How does that sort of thing work with a joint base?
Carmen Malone: We had the same question [laughter]. They do decide that upfront, and at that point, it is that component’s responsibility. And as of right now, they have those agreements in place.
Jared Serbu: As we wrap up here, I want to kind of take us back to where we started with big picture issues. You’re, I think, careful to say in the report that this is going to be a long term effort. And I don’t think anybody’s willing to guess how many years it’s going to take, but what are the most important things for the department to be focusing on during that long term effort? Because I think one of the things you’re pointing to here is this really can’t just be audit for audit’s sake.
Carmen Malone: Absolutely. We should not do anything just for audit sake. As we look forward — and I’ve used this term quite frequently, we will always be looking for the strong, sustainable, DoD-wide processes and internal controls, because that’s not only going to help lead to that clean audit opinion, but it is ultimately going to make the department more efficient and improve their operations.
As we look into fiscal year 21, I think what we will be looking at is any improvement on inventory, real property, as well as the oversight and monitoring piece. Those are areas that I know are key to the department and areas that I think that they’ve put a lot of resources towards improving. The other last aspect is looking for components who have clean opinions, or moving towards clean opinions in fiscal year 21, and making sure that it’s a repeatable process as we move forward.