Financial Management: DOD Needs to Improve System Oversight
Fast Facts
The Department of Defense can't accurately account for or report on its physical assets or spending. For more than 30 years DOD has tried to modernize its business and financial systems—spending billions of dollars a year on them. That's why DOD's business systems modernization and financial management efforts have been on our High Risk List since 1995.
DOD hasn't fully developed guidance for overseeing these systems. Without it, DOD risks investing funds on developing and maintaining systems that don't support financial statements that can be audited.
Our 9 recommendations address this and other issues.
Highlights
What GAO Found
For over 30 years, the Department of Defense (DOD) has initiated a variety of efforts and undergone several changes in organizational responsibility to help modernize its business and financial systems. However, these efforts and changes have not been fully successful to date. DOD is the only major federal agency to not achieve an unmodified (clean) audit opinion—its business and financial systems are a key impediment to this effort.
Effective oversight of systems is essential to moving DOD in the right direction. Key elements of such oversight include establishing oversight processes, using and communicating quality information, sustaining leadership commitment, and managing risk.
- Oversight processes. DOD has established a process for overseeing its business and financial management systems. First, systems are not to proceed into development unless the approving official determines that statutory requirements have been met. These requirements are that the system (1) has been reengineered and streamlined, and unique software requirements and interfaces minimized, (2) complies with the defense business enterprise architecture, (3) has valid, achievable requirements, (4) has an acquisition strategy designed to eliminate or reduce the need to modify commercial off-the-shelf systems, and (5) complies with the Department's auditability requirements. Second, once approved, systems proceed through an annual certification process in which DOD checks to make sure that systems are continuing to meet the requirements. However, the key guidance documents that govern DOD, military department, and defense agency decisions about initial approvals and annual certifications are limited. Specifically, the guidance does not fully address how systems are to document compliance or how decision-makers are to substantiate that systems are complying with requirements. For example, DOD-level guidance does not describe how approval authorities are to determine compliance with the auditability requirement. This places DOD at risk of making decisions based on a “check the box” exercise.
Extent to Which DOD, Military Department, and Defense Agency Guidance Addresses Initial Approval and Annual Certification Requirements for Covered Business Systems
|
Initial approval and Annual certification requirement |
DOD |
Army |
Department of the Navy |
Air Force |
Defense Agencies |
|---|---|---|---|---|---|
|
Business process reengineering |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Business enterprise architecture |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Requirement plan |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Acquisition strategy |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Auditability requirement |
◑ |
◑ |
◑ |
◑ |
◑ |
Legend:
● = Fully addressed: Guidance explains how systems are to address and decision-makers are to substantiate the initial approval and annual certification requirements.
◑ = Partially addressed: Guidance discusses at least one of the initial approval and annual certification requirements, but does not fully describe how systems are to address and decision-makers are to substantiate the requirements.
○ = Not addressed: Guidance does not discuss the requirements.
Source: GAO Analysis of Department of Defense (DOD) documentation. | GAO-23-104539
In addition, DOD does not apply key requirements to systems in sustainment, even though the statute does not provide for such an exclusion. By excluding application of these requirements, DOD may be missing important opportunities for improving these systems.
- Quality information. As part of its oversight, DOD collects data about business and financial system compliance with statutory requirements. For example, of the 136 systems that indicated the auditability requirement was applicable or required, 84 indicated they were compliant with the requirement, 44 indicated they planned to comply, three indicated they were not compliant, and five indicated they had not completed an assessment.
Summary of DOD's Data on Business System Compliance with Statutory Requirements
|
Compliance response |
Business process reengineering |
Business enterprise architecture |
Requirement plan |
Acquisition Strategy |
Auditability |
|---|---|---|---|---|---|
|
Compliance required or applicablea |
189 |
192 |
66 |
67 |
136 |
|
No answer |
1 |
1 |
1 |
1 |
1 |
|
Not required (Legacy system)b |
18 |
15 |
21 |
20 |
- |
|
Not required (System in sustainment)c |
- |
- |
120 |
120 |
- |
|
Not applicable |
- |
- |
- |
- |
71 |
|
Total |
208 |
208 |
208 |
208 |
208 |
Legend:
- = no responses under the specified category.
Source: GAO Analysis of Department of Defense (DOD) documentation. | GAO-23-104539
aSystems indicated that compliance with the requirement was required or applicable.
bDOD defines legacy systems as systems that it plans to phase out over the next 36 months. It does not require legacy systems to comply with certain requirements.
cDOD does not require systems that have proceeded past the development phase (i.e., systems in sustainment) to comply with selected requirements.
However, the reliability of these data is limited. For example, of the 208 systems that DOD identified as relevant to the financial audit, information on 71 systems indicated that the auditability requirement was not applicable to them. However, a separate database indicated that at least 58 of these 71 were relevant to the audit. In addition, as of January 2022, DOD reported that its Independent Public Auditors had identified 1,411 unresolved IT-related notices of findings and recommendations associated with 3,478 underlying IT-related issues. These results raises further questions about data reliability, which may also impact the extent of compliance with statutory requirements.
- Leadership. DOD has experienced frequent changes to the organizations and entities responsible for overseeing its business and financial systems. For example, in February 2018 a new Chief Management Officer position was established with broad responsibilities for business operations; three years later the position was abolished. GAO has previously reported that demonstrating sustained, consistent leadership is imperative for successful business transformations.
- Managing risk. Officials from across DOD provided their perspectives on risks and challenges facing the department as it seeks to modernize its financial system environment. These include legacy systems, system interfaces, and human capital. DOD has taken a number of steps to address risks and challenges identified by DOD officials. GAO will continue monitoring DOD's efforts in this area.
In addition, DOD is not taking a strategic approach to managing the human capital needed for its financial management systems. It does not, among other things, analyze the gaps in capabilities between existing staff and future workforce needs, or formulate strategies for filling expected gaps. As a result, as discussed in the report, challenges have emerged.
Why GAO Did This Study
DOD spends billions of dollars each year on its business and financial systems. However, DOD's business systems modernization and financial management efforts have been on GAO's high risk list since 1995. These high risk areas remain obstacles to DOD's efforts to achieve an unmodified audit opinion.
GAO was asked to review DOD's financial management systems. This report (1) describes DOD's efforts to improve its business and financial systems; (2) assesses the extent to which DOD is effectively overseeing its business and financial systems; and (3) assesses the extent to which DOD is taking a strategic approach to managing human capital for its financial management systems.
To describe DOD's efforts to improve its business and financial systems, GAO reviewed related laws, GAO reports, and DOD and military department documentation associated with DOD's business and financial systems.
To assess DOD's oversight of these systems, GAO reviewed reports, guidance, and relevant statutes to identify key elements of business and financial management systems oversight. GAO evaluated DOD policy and DOD, military department, and defense agency guidance and plans against statutory requirements for oversight. It also evaluated DOD's data on its systems' compliance with statutory requirements associated with improving the department's ability to obtain an unmodified audit opinion.
GAO also evaluated DOD and military department guidance and plans against key practices for workforce management. In addition, it interviewed relevant officials from DOD and the military departments
Recommendations
GAO is making nine recommendations, including that DOD and the military departments update guidance for initial approvals and annual certifications of business and financial systems to substantiate and document compliance with requirements.
GAO is also recommending that DOD ensure that the data collected on the extent of business and financial system compliance with statutory requirements is reliable.
Further, GAO recommends that DOD develop guidance for systems in sustainment to comply with relevant statutory requirements.
In addition, GAO is recommending that DOD implement a strategic approach to workforce planning that, among other things, analyzes gaps in capabilities between existing staff and future needs, and formulates strategies to fill expected gaps.
DOD concurred with seven of the recommendations and partially concurred with the remaining two. Regarding the recommendation to develop guidance for systems in sustainment, DOD stated that its Chief Information Officer would conduct an analysis on the potential need to develop additional guidance. However, by not fully committing to developing needed guidance, DOD is likely missing opportunities for improving its systems in sustainment. Accordingly, GAO maintains that its recommendation is appropriate.
For the recommendation on strategic workforce planning, DOD reiterated steps the department takes to address skills and training for individual functional communities (e.g., acquisition management and financial management). However, those steps do not address the collective staff requirements and expertise needed to address financial management systems issues. GAO maintains that its recommendation is appropriate.
Recommendations for Executive Action
| Agency Affected Sort descending | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to update guidance for initial approval and annual certification of business and financial systems to ensure guidance for priority business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 1) |
Open
As of June 2023, the department has not addressed this recommendation. Specifically, Department of Defense (DOD) officials stated that the Office of the DOD Chief Information Officer plans to issue updated guidance for addressing the statutory requirements discussed in our report. In addition, the Office of the Under Secretary of Defense (Comptroller)/Chief Financial Officer plans to expand existing systems compliance documentation and reporting to include core auditability requirements in the business system data repositories. The department plans to address all actions associated with this recommendation by the end of January, 2024. We will continue to monitor the department's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to update guidance for initial approval and annual certification of business and financial systems. The update should ensure guidance for non-priority covered business and financial systems that exist within a defense agency, field activity, or support more than one portion of DOD fully addresses the statutory requirements discussed in this report. (Recommendation 2) |
Open
As of June 2023, the department has not addressed this recommendation. The Department of Defense (DOD) reported that, among other things, officials in the Office of the Chief Information Officer (CIO) plan to update the department's initial approval and annual certification guidance by the end of January 2024. This update will include expectations on how systems are to substantiate compliance with statutory requirements and how approval authorities are to validate that compliance. We will continue to monitor the department's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of the Army should direct the Chief Management Officer of the Department of the Army to update guidance for initial approval and annual certification of covered business and financial systems. The update should ensure guidance for non-priority Department of the Army business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 3) |
Open – Partially Addressed
As of November 2023, the Department of the Army (Army) demonstrated that it has partially addressed the recommendation. Specifically, in November 2023, the Army provided its fiscal year (FY) 2024 Defense Business System Annual Certification and Portfolio Review Guidance Memorandum, which included information such as coordinating instructions requiring domains to submit a portfolio review brief to the Army's Office of Enterprise Management to ensure that system owners complete all policy requirements for certification. However, the guidance did not fully describe how system-level officials are to document compliance with the statutory requirements discussed in our report or how approval authorities are to validate that system documentation is sufficient for addressing the requirements. In addition, the guidance provided by the Army did not discuss initial system approvals. DOD's associated corrective action plan also stated that Army completed its FY 2024 Annual Certification and Portfolio Review policy as of September 2023. However, the Army did not provide the updated policy or its updated Army Business Enterprise Architecture compliance guidance. In addition, the Department of Defense has not yet issued its updated corporate-level guidance for how business systems are to address statutory requirements. The Department of Defense is also in the process of updating its business enterprise architecture. We will continue to monitor Army's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of the Navy should direct the Chief Management Officer of the Department of the Navy to update guidance for initial approval and annual certification of covered business and financial systems. The update should ensure guidance for non-priority Department of the Navy business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 4) |
Open – Partially Addressed
As of August 2023, the Department of the Navy (DON) has not demonstrated that it has fully addressed this recommendation. in August 2023, DON provided a closure package stating that it had updated its Defense Business System Annual Investment Certification Guide to ensure that its business and financial systems comply with the requirements in Title 10 U.S.C ? 2222, for both initial approval and annual certification of its covered and non-priority systems. The guidance addresses each of the 10 U.S.C 2222 requirements for both initial approval and annual certification. However, the guidance does not fully describe how approval authorities are to validate compliance with the requirements. For example, for the requirement that systems demonstrate they have an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems, the guidance calls for certain evidence to be on file in a DON repository. However, it does not discuss how approval authorities are to determine if the evidence is sufficient. In addition, DOD is in the process of updating its overall guidance for initial approvals and annual certifications, as well as its Business Enterprise Architecture. As a result, it is not yet apparent if this August 2023 guidance will be consistent with DOD's updated guidance. As a result, this recommendation remains open.
|
| Department of Defense | The Secretary of the Air Force should direct the Chief Management Officer of the Department of the Air Force to update guidance for initial approval and annual certification of covered business and financial systems. The update should ensure guidance for non-priority Department of the Air Force business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 5) |
Open – Partially Addressed
As of November 2023, the Department of the Air Force (Air Force) demonstrated that it had partially addressed the recommendation. Specifically, in November 2023, the Air Force provided a closure package stating that it had updated guidance to ensure that its defense business systems comply with the statutory requirements described in our report ("statutory requirements"). The Air Force's fiscal year (FY) 2024 Organization Execution Plan (OEP) How-to Guide stated, among other things, that after the Pre-Certification Authority determines that the portfolio of investments are defense business systems, they will need to demonstrate how the proposed defense business systems comply with the functional plans and with the business enterprise architecture. However, the guidance did not fully describe how system-level officials are to document compliance with statutory requirements or how approval authorities are to validate that system documentation is sufficient for addressing statutory requirements for initial approvals and annual reviews discussed in our report. In addition, the Air Force did not provide finalized FY 2024 guidance referenced in its FY 2024 OEP guidance memo. Further, the Department of Defense has not yet issued its updated corporate-level guidance for how business systems are to address statutory requirements. The Department of Defense is also in the process of updating its business enterprise architecture. We will continue to monitor the Air Force's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to develop guidance that calls for business and financial systems in sustainment to comply with statutory requirements for having valid, achievable requirements and eliminating or reducing the need to tailor commercial off-the-shelf systems. (Recommendation 6) |
Open
As of June 2023, the department has not addressed this recommendation. In June 2023, the Department of Defense (DOD) reiterated that it partially concurred with our recommendation. In addition, DOD reported that the Office of the Chief Information Officer (OCIO) plans to determine whether it will benefit the department's overall goals to require business and financial management systems in sustainment to comply with statutory requirements for having valid, achievable requirements and eliminating or reducing the need to tailor commercial off-the-shelf systems. Further, DOD reported that it will issue the updated compliance guidance by March 2024 if the OCIO determines that business and financial management systems should be subject to these statutory requirements. We will continue to monitor the department's efforts to implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to ensure that data maintained about business and financial system certifications are complete and accurate. (Recommendation 7) |
Open
As of June 2023, the department has not addressed this recommendation. Specifically, in June 2023, Department of Defense (DOD) officials reported that officials within DOD's Office of the Chief Information Officer have automated DOD's Financial Management IT Systems Roadmap data into their advanced analytics tool. The department reported that it plans to continue maturing system migration retirement dashboards by expanding high level system information, including retirement and budget data and compliance information to better inform the certification process. The department stated that these and other efforts are expected to improve data accuracy and provide executable data to support its portfolio management tasks for business and financial systems. DOD reported that it expects to address this recommendation by the end of September 2024. We will continue to monitor the status of this recommendation as DOD continues to take steps to address it.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO to develop and implement plans for documenting detailed system compliance with the business enterprise architecture. (Recommendation 8) |
Open
As of June 2023, the department has not addressed this recommendation. In June 2023, the Department of Defense (DOD) reported that the Office of the DOD Chief Information Officer (CIO) develops and implements plans for documenting detailed system compliance with the business enterprise architecture (BEA). The DOD CIO also plans to publish a DOD BEA framework and guidebook and document and develop detailed system compliance capability. DOD reported that it plans to complete all actions associated with addressing this recommendation by March 2024. We will continue to monitor the department's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to establish a mechanism for ensuring that DOD financial management systems take a strategic approach to workforce planning for the government and contractor staff that develop and maintain its systems. (Recommendation 9) |
Open
As of June 2023, the department has not addressed this recommendation. In June 2023, the department reported on actions that it plans to take to address this recommendation. Nevertheless, the department reiterated that it partially concurs with the recommendation. The department reported that it plans to build a Workforce Health Index for the financial management community that will monitor key workforce metrics in real time. Further, it plans to regularly review competencies, including those outside of the financial management community that are needed to support financial management systems. For example, the department plans to develop an overarching strategy for addressing workforce plans in all the professional series impacted by changes in technology. The department also reported that maintaining and updating the numerous skillsets outside of the financial management community will remain under the purview of the appropriate functional communities (e.g., acquisition and the cyber-excepted workforce) already managing the career fields. The department plans to complete all tasks associated with this recommendation by the end of December 2024. We will continue to monitor the department's efforts to fully implement this recommendation.
|