Department of Defense financial management has been on our High Risk List since 1995 in part because of deficiencies found in its supporting information systems. DOD uses these systems to report its spending and assets.
DOD's Inspector General and other auditors found the data used for the military services' FY 2019 financial statements unreliable. They identified new and ongoing deficiencies in 2,100 audit findings.
DOD doesn't track how much it spends on the systems. But we calculated it could be at least $2.8 billion in FY 2020.
We made 6 recommendations, including that DOD develop a road map for implementing its improvement strategy.
What GAO Found
Data supporting the Department of Defense's (DOD) fiscal year 2019 financial statements are not reliable, according to the DOD Office of Inspector General (OIG) and independent auditors. In January 2020, the OIG reported that the department had wide-ranging weaknesses in its financial management systems that prevented it from collecting and reporting financial and performance information that was accurate, reliable, and timely. Specifically, the OIG reported 25 material weaknesses that impacted DOD's ability to achieve an unmodified audit opinion on its fiscal year 2019 department-wide financial statements. These material weaknesses are based, in large part, on identified deficiencies and corresponding recommendations, also known as notices of findings and recommendations (NFRs).
In fiscal year 2019, independent public accountants issued 2,100 new and reissued NFRs to the military services and DOD remediated 26 percent of the military services' NFRs from fiscal year 2018. Of the 2,100 fiscal year 2019 NFRs, 1,008 were related to information technology (IT) and cybersecurity issues. Of the 1,008 NFRs, 484 were new and 524 were reissued from previous years. (See figure.)
Figure: IT Notices of Findings and Recommendations Issued by Independent Public Accountants Based on Audits of Military Services' Fiscal Year 2019 Financial Statements
To address the NFRs and DOD's underlying financial management system weaknesses, the department has a strategy that fully addresses three requirements for a comprehensive and effective IT strategic plan; however, it does not include measures for tracking progress in achieving the strategy's goals. (See table on next page.)
Table: GAO Ratings of DOD's IT Financial Management Systems Strategy
IT Strategic Plan Requirementsa
Alignment with the agency's overall strategic plan
Results-oriented goals and performance measures
Strategies to achieve desired results, including a clear narrative of how IT is enabling agency goals
Descriptions of dependencies within and across projects
● Fully addressed: DOD provided evidence that it fully addressed this requirement.
◑ Partially addressed: DOD provided evidence that it addressed some, but not all, of this requirement.
Source: GAO analysis of Department of Defense documentation. | GAO-20-252
aThe requirements for a comprehensive and effective IT strategic plan are based on Office of Management and Budget guidance and prior GAO research and reviews of federal agencies' IT strategic plans.
DOD has not developed an enterprise road map to implement its strategy, as called for by Office of Management and Budget guidance. Such a road map should document the current and future states of a systems environment that, among other things, describes business processes and rules, information needs and flows, and work locations and users; and a transition plan for moving from the current to the future. In response to recently enacted legislation requiring a comprehensive road map, DOD stated that it plans to develop one; however, it did not state by when.
DOD also does not have sufficiently detailed plans for migrating key military service legacy accounting systems to new systems. The Navy has developed a plan to migrate its system, but the plan is missing key elements consistent with Software Engineering Institute guidance. The Army and Air Force do not have detailed migration plans for their key accounting systems.
While DOD has developed a plan to address IT issues identified during annual audits, it has not established performance goals that include indicators, targets, and time frames. Officials said that it is challenging to develop such goals because issues identified by the IPAs vary widely. However, DOD has already grouped the issues by priority, facilitating the establishment of appropriate performance goals.
Moreover, DOD does not know how much it spends on the systems that support its financial statements because it does not have a way to reliably identify these systems in its systems inventory and budget data. GAO calculated that the department will spend at least $2.8 billion on those systems in fiscal year 2020. However, that amount is understated–GAO identified 45 systems that were missing from the list of significant systems that DOD provided to GAO.
As a result of these deficiencies, the department faces challenges in ensuring accountability over its extensive resources and in effectively managing its assets and budgets. DOD also risks wasting funds on short-term fixes that might not effectively and efficiently support longer-term department goals.
Why GAO Did This Study
DOD financial management has been on GAO's High Risk List since 1995 because of long-standing deficiencies found in, among other areas, its supporting information systems. DOD uses these systems to report its spending and assets.
GAO was requested to review DOD's financial management systems. The objectives of this review are to determine (1) to what extent the data produced by DOD financial management systems are reported to be reliable for presenting financial statements in accordance with generally accepted accounting principles, (2) to what extent DOD and the military departments have strategies and plans to address key information technology controls for their financial systems, and (3) how much money DOD reports spending on developing and maintaining its financial management systems.
To address these objectives, GAO analyzed (1) independent public auditors' findings resulting from the department's fiscal year 2019 audit; (2) DOD's financial management systems strategy and plans relative to OMB guidance and recent legislation; (3) data in DOD system and budget databases. GAO also interviewed relevant DOD and military service officials.
GAO made the following six recommendations to DOD:
- Establish performance measures for DOD's financial management systems strategy, including targets and time frames, and how it plans to measure values and verify and validate those values.
- Establish a specific time frame for developing an enterprise road map to implement DOD's financial management systems strategy and ensure that it is developed.
- Develop detailed migration plans for certain key accounting systems.
- Establish performance goals with performance indicators, targets and time frames, to monitor DOD's efforts to address IT-related audit findings.
- Implement a mechanism for identifying a complete list of financial management systems and related budget data.
- Limit investments in financial management systems to what is essential to maintain functional systems and help ensure system security until DOD implements the other recommendations.
DOD concurred with GAO's recommendations and described actions it plans to take to address them.
Recommendations for Executive Action
|Department of Defense||1. The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to establish measures to determine if the department is succeeding in achieving its goal to improve its financial management systems. Specifically, it should document targets and time frames to define the level of performance to be achieved. It should also document how DOD plans to measure expected outcomes by identifying data sources, how it plans to measure values, and how DOD plans to verify and validate measured values. (Recommendation 1)|
|Department of Defense||2. The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to establish a specific time frame for developing an enterprise road map to implement its financial management systems strategy, and ensure that it is developed. The road map should document the current and future states at a high level, from an architecture perspective, and present a transition plan for moving from the current to the future in an efficient, effective manner. The road map should discuss performance gaps, resource requirements, and planned solutions, and it should map DOD's financial management systems strategy to projects and budget. The plan should also document the tasks, time frames, and milestones for implementing new solutions, and include an inventory of systems. (Recommendation 2)|
|Department of Defense||3. The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to develop detailed migration plans for the Air Force's General Accounting and Finance System-Reengineered, Navy's Standard Accounting and Reporting System, and Army's Standard Finance System and the Standard Operation and Maintenance Army Research and Development System. (Recommendation 3)|
|Department of Defense||4. The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to establish performance goals that include performance indicators, targets and time frames, to monitor the status of efforts to address IT-related audit findings. (Recommendation 4)|
|Department of Defense||5. The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to implement a mechanism for identifying financial management systems that support the preparation of the department's financial statements in the department's systems inventory and budget data, and identify a complete list of financial management systems. (Recommendation 5)|
|Department of Defense||6. The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to ensure that the department limits investments in financial management systems to only what is essential to maintain functioning systems and help ensure system security until it implements the other recommendations in this report. (Recommendation 6)|