DOD Financial Management:
Ineffective Risk Management Could Impair Progress toward Audit-Ready Financial Statements
GAO-13-123: Published: Aug 2, 2013. Publicly Released: Sep 3, 2013.
What GAO Found
The Department of Defense (DOD) has taken some actions to manage its department-level risks associated with preparing auditable financial statements through its Financial Improvement and Audit Readiness (FIAR) Plan. However, its actions were not fully in accordance with widely recognized guiding principles for effective risk management, which include (1) identifying risks that could prevent it from achieving its goals, (2) assessing the magnitude of those risks, (3) developing risk mitigation plans, (4) implementing mitigating actions to address the risks, and (5) monitoring the effectiveness of those mitigating actions. DOD did not have documented policies and procedures for following these guiding principles to effectively manage risks to the implementation of the FIAR Plan.
In January 2012, DOD identified six departmentwide risks to FIAR Plan implementation: lack of DOD-wide commitment, insufficient accountability, poorly defined scope and requirements, unqualified or inexperienced personnel, insufficient funding, and information system control weaknesses. DOD officials stated that risks are discussed on an ongoing basis during various FIAR oversight committee meetings; however, the risks they initially identified were not comprehensive, and they did not provide evidence of efforts to identify additional risks. For example, based on prior audits, GAO identified other audit-readiness risks that DOD did not identify, such as the reliance on service providers for much of the components' financial data and the need for better department-wide document retention policies. Risk management guiding principles provide that risk identification is an iterative process in which new risks may evolve or become known as a program progresses throughout its life cycle.
Similarly, DOD's actions to manage its identified risks were not in accordance with the guiding principles. GAO found little evidence that DOD analyzed risks it identified to assess their magnitude or that DOD developed adequate plans for mitigating the risks. DOD's risk mitigation plans, published in its FIAR Plan Status Reports, consisted of brief, high-level summaries that did not include critical management information, such as specific and detailed plans for implementation, assignment of responsibility, milestones, or resource needs. In addition, information about DOD's mitigation efforts was not sufficient for DOD to monitor the extent of progress in mitigating identified risks.
Without effective risk management at the department-wide level to help ensure the success of the FIAR Plan implementation, DOD is at increased risk of not achieving audit readiness initially for its Statement of Budgetary Resources and ultimately for its complete set of financial statements.
GAO identified two DOD components--the Navy and the Defense Logistics Agency (DLA)--that had established practices consistent with risk management guiding principles, such as preparing risk registers, employing analytical techniques to assess risk, and engaging internal and external stakeholders consistently to assess and identify new risks. These components' actions could serve as a starting point for improving department-level risk management.
Why GAO Did This Study
The National Defense Authorization Act (NDAA) for Fiscal Year 2010 mandated that DOD's consolidated financial statements be validated as audit ready by September 30, 2017. The NDAA for Fiscal Year 2012 further mandated that DOD's General Fund Statement of Budgetary Resources be audit ready by the end of fiscal year 2014. DOD issued the FIAR Plan and related guidance to provide a strategy and methodology for achieving its audit readiness goals. However, substantial risks exist that may impede DOD's ability to implement the FIAR methodology and achieve audit readiness.
GAO was asked to assess DOD's risk management process for implementing its FIAR Plan. This report addresses the extent to which DOD has established an effective process for identifying, analyzing, and mitigating risks that could impede its progress in achieving audit readiness. GAO interviewed DOD and component officials, reviewed relevant documentation, and compared DOD's risk management processes with guiding principles for risk management.
What GAO Recommends
GAO recommends that DOD design and implement policies and procedures for FIAR Plan risk management that fully incorporate the five risk management guiding principles and consider the Navy's and DLA's risk management practices. While DOD did not fully concur, it cited planned actions that are consistent with GAO's recommendations and findings. These are good first steps, but GAO believes additional action is warranted. GAO affirms its recommendations.
For more information, contact Asif A. Khan at (202) 512-9869 or email@example.com.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: DOD partially concurred with our recommendation. While DOD concurred with our assessment that it did not have risk management policies and procedures related to implementing the FIAR guidance, it did not concur with our assessment of the overall environment of DOD's risk management of the FIAR initiative. DOD has taken steps to address our recommendation, including implementing a Notice of Findings and Recommendations (NFR) tracker and standard operating procedures designed to track DOD component material weaknesses. DOD has also documented a critical path and milestones in Appendix F of its FIAR Guidance; military component tasks and milestones in Appendix G of the FIAR Guidance; and audit readiness deal breakers, now referred to as critical capabilities. According to the May 2017 FIAR Status Update for the HASC Panel Recommendations, DOD has reinforced the importance of internal controls over areas of significant risk by updating the FIAR Guidance with a new chapter dedicated to internal controls. The FIAR Guidance has been transformed into two separate documents: the DOD Financial Statement Audit Guide and the DOD Internal Controls over Financial Reporting (ICOFR) Guide. DOD identified policies and procedures in the ICOFR Guide that address identifying and analyzing risk, planning for risk mitigation and implementation, and monitoring risks. Components prepare an Annual Risk Assessment, which reviews and reevaluates their organizational risks at least annually. Risks categorized as having substantial impact, significant probability of occurrence, and/or identified as a priority by Component leadership are evaluated and reported in the Risk Assessment as part of the annual Statement of Assurance (SoA). Risk Assessments submitted by Components are evaluated along with risks identified across DOD and assist OSD in determining the effectiveness of internal controls implemented across the Department.
The SoAs submitted by Components are evaluated by OUSD(C) to assess the effectiveness of ICOFR on a Department-wide basis and facilitate the completion of a Department-wide SoA.
Recommendation: The Secretary of Defense should direct the Under Secretary of Defense, in his capacity as the Chief Management Officer and in consultation with the Under Secretary of Defense (Comptroller), to design and implement department-level policies and detailed procedures for FIAR Plan risk management that incorporate the five guiding principles for effective risk management. The following are examples of key features of each of the guiding principles that DOD should, at a minimum, address in its policies and procedures. (1) Identify risks. Generate a comprehensive and continuously updated list of risks that includes the root cause of each risk, audit area(s) each risk will affect, and the potential consequences if a risk is not effectively mitigated. (2) Analyze risks. Consult with key stakeholders, including program managers; use analytical techniques, such as risk categorization, risk urgency assessment, or sensitivity analysis; and determine the impact of the identified risks on individual DOD components' abilities to achieve audit readiness. (3) Plan for risk mitigation. Assign responsibility or ownership of the risk mitigation actions, define roles and responsibilities in executing mitigation plans, establish deadlines or milestones for individual mitigation actions, and estimate resource needs. (4) Implement risk mitigation plan. Document the implementation of mitigation actions, develop appropriate metrics that allow for tracking of progress, and validate reported metrics. (5) Monitor risks. Track identified risks and assess the effectiveness of implemented mitigation actions on a continuous basis, including identifying and planning for new risks.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: The Department is proceeding with full financial statement audits in FY 2018. Both the Navy and the Defense Logistics Agency (DLA) have been under audit. Results from the Navy and DLA audits helped to identify best practices for the Department, and those best practices are being leveraged across the Department. Further, the Department's audit remediation strategy includes ongoing enterprise risk management, as depicted in the FIAR Guidance. Additionally, the Department has several tools and processes in place, or being put in place, to identify and respond to risk, such as its OMB Circular A-123 program and its strategy for tracking audit findings through standardized Notices of Findings and Recommendations and developing corrective action plans. In conjunction with the development of the DOD Internal Controls over Financial Reporting (ICOFR) Guide and the Statement of Assurance Handbook, the Department held multiple sessions and meetings with components, including the Navy and DLA, to gain feedback and address questions. Part of this process included reviewing current risk management practices with components and, where applicable, including further clarification during the preparation of the documents and addressing questions in a Frequently Asked Questions document. The Navy provided its risk management documents to aid in the discussions.
Recommendation: The Secretary of Defense should direct the Under Secretary of Defense, in his capacity as the Chief Management Officer and in consultation with the Under Secretary of Defense (Comptroller), to consider and incorporate, as appropriate, the Navy's and DLA's risk management practices in department-level policies and procedures.
Agency Affected: Department of Defense