Financial Management: DOD Needs to Improve System Oversight
Fast Facts
The Department of Defense can't accurately account for or report on its physical assets or spending. For more than 30 years DOD has tried to modernize its business and financial systems—spending billions of dollars a year on them. That's why DOD's business systems modernization and financial management efforts have been on our High Risk List since 1995.
DOD hasn't fully developed guidance for overseeing these systems. Without it, DOD risks investing funds on developing and maintaining systems that don't support financial statements that can be audited.
Our 9 recommendations address this and other issues.
Highlights
What GAO Found
For over 30 years, the Department of Defense (DOD) has initiated a variety of efforts and undergone several changes in organizational responsibility to help modernize its business and financial systems. However, these efforts and changes have not been fully successful to date. DOD is the only major federal agency to not achieve an unmodified (clean) audit opinion—its business and financial systems are a key impediment to this effort.
Effective oversight of systems is essential to moving DOD in the right direction. Key elements of such oversight include establishing oversight processes, using and communicating quality information, sustaining leadership commitment, and managing risk.
- Oversight processes. DOD has established a process for overseeing its business and financial management systems. First, systems are not to proceed into development unless the approving official determines that statutory requirements have been met. These requirements are that the system (1) has been reengineered and streamlined, and unique software requirements and interfaces minimized, (2) complies with the defense business enterprise architecture, (3) has valid, achievable requirements, (4) has an acquisition strategy designed to eliminate or reduce the need to modify commercial off-the-shelf systems, and (5) complies with the Department's auditability requirements. Second, once approved, systems proceed through an annual certification process in which DOD checks to make sure that systems are continuing to meet the requirements. However, the key guidance documents that govern DOD, military department, and defense agency decisions about initial approvals and annual certifications are limited. Specifically, the guidance does not fully address how systems are to document compliance or how decision-makers are to substantiate that systems are complying with requirements. For example, DOD-level guidance does not describe how approval authorities are to determine compliance with the auditability requirement. This places DOD at risk of making decisions based on a “check the box” exercise.
Extent to Which DOD, Military Department, and Defense Agency Guidance Addresses Initial Approval and Annual Certification Requirements for Covered Business Systems
|
Initial approval and Annual certification requirement |
DOD |
Army |
Department of the Navy |
Air Force |
Defense Agencies |
|---|---|---|---|---|---|
|
Business process reengineering |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Business enterprise architecture |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Requirement plan |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Acquisition strategy |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Auditability requirement |
◑ |
◑ |
◑ |
◑ |
◑ |
Legend:
● = Fully addressed: Guidance explains how systems are to address and decision-makers are to substantiate the initial approval and annual certification requirements.
◑ = Partially addressed: Guidance discusses at least one of the initial approval and annual certification requirements, but does not fully describe how systems are to address and decision-makers are to substantiate the requirements.
○ = Not addressed: Guidance does not discuss the requirements.
Source: GAO Analysis of Department of Defense (DOD) documentation. | GAO-23-104539
In addition, DOD does not apply key requirements to systems in sustainment, even though the statute does not provide for such an exclusion. By excluding application of these requirements, DOD may be missing important opportunities for improving these systems.
- Quality information. As part of its oversight, DOD collects data about business and financial system compliance with statutory requirements. For example, of the 136 systems that indicated the auditability requirement was applicable or required, 84 indicated they were compliant with the requirement, 44 indicated they planned to comply, three indicated they were not compliant, and five indicated they had not completed an assessment.
Summary of DOD's Data on Business System Compliance with Statutory Requirements
|
Compliance response |
Business process reengineering |
Business enterprise architecture |
Requirement plan |
Acquisition Strategy |
Auditability |
|---|---|---|---|---|---|
|
Compliance required or applicablea |
189 |
192 |
66 |
67 |
136 |
|
No answer |
1 |
1 |
1 |
1 |
1 |
|
Not required (Legacy system)b |
18 |
15 |
21 |
20 |
- |
|
Not required (System in sustainment)c |
- |
- |
120 |
120 |
- |
|
Not applicable |
- |
- |
- |
- |
71 |
|
Total |
208 |
208 |
208 |
208 |
208 |
Legend:
- = no responses under the specified category.
Source: GAO Analysis of Department of Defense (DOD) documentation. | GAO-23-104539
aSystems indicated that compliance with the requirement was required or applicable.
bDOD defines legacy systems as systems that it plans to phase out over the next 36 months. It does not require legacy systems to comply with certain requirements.
cDOD does not require systems that have proceeded past the development phase (i.e., systems in sustainment) to comply with selected requirements.
However, the reliability of these data is limited. For example, of the 208 systems that DOD identified as relevant to the financial audit, information on 71 systems indicated that the auditability requirement was not applicable to them. However, a separate database indicated that at least 58 of these 71 were relevant to the audit. In addition, as of January 2022, DOD reported that its Independent Public Auditors had identified 1,411 unresolved IT-related notices of findings and recommendations associated with 3,478 underlying IT-related issues. These results raises further questions about data reliability, which may also impact the extent of compliance with statutory requirements.
- Leadership. DOD has experienced frequent changes to the organizations and entities responsible for overseeing its business and financial systems. For example, in February 2018 a new Chief Management Officer position was established with broad responsibilities for business operations; three years later the position was abolished. GAO has previously reported that demonstrating sustained, consistent leadership is imperative for successful business transformations.
- Managing risk. Officials from across DOD provided their perspectives on risks and challenges facing the department as it seeks to modernize its financial system environment. These include legacy systems, system interfaces, and human capital. DOD has taken a number of steps to address risks and challenges identified by DOD officials. GAO will continue monitoring DOD's efforts in this area.
In addition, DOD is not taking a strategic approach to managing the human capital needed for its financial management systems. It does not, among other things, analyze the gaps in capabilities between existing staff and future workforce needs, or formulate strategies for filling expected gaps. As a result, as discussed in the report, challenges have emerged.
Why GAO Did This Study
DOD spends billions of dollars each year on its business and financial systems. However, DOD's business systems modernization and financial management efforts have been on GAO's high risk list since 1995. These high risk areas remain obstacles to DOD's efforts to achieve an unmodified audit opinion.
GAO was asked to review DOD's financial management systems. This report (1) describes DOD's efforts to improve its business and financial systems; (2) assesses the extent to which DOD is effectively overseeing its business and financial systems; and (3) assesses the extent to which DOD is taking a strategic approach to managing human capital for its financial management systems.
To describe DOD's efforts to improve its business and financial systems, GAO reviewed related laws, GAO reports, and DOD and military department documentation associated with DOD's business and financial systems.
To assess DOD's oversight of these systems, GAO reviewed reports, guidance, and relevant statutes to identify key elements of business and financial management systems oversight. GAO evaluated DOD policy and DOD, military department, and defense agency guidance and plans against statutory requirements for oversight. It also evaluated DOD's data on its systems' compliance with statutory requirements associated with improving the department's ability to obtain an unmodified audit opinion.
GAO also evaluated DOD and military department guidance and plans against key practices for workforce management. In addition, it interviewed relevant officials from DOD and the military departments
Recommendations
GAO is making nine recommendations, including that DOD and the military departments update guidance for initial approvals and annual certifications of business and financial systems to substantiate and document compliance with requirements.
GAO is also recommending that DOD ensure that the data collected on the extent of business and financial system compliance with statutory requirements is reliable.
Further, GAO recommends that DOD develop guidance for systems in sustainment to comply with relevant statutory requirements.
In addition, GAO is recommending that DOD implement a strategic approach to workforce planning that, among other things, analyzes gaps in capabilities between existing staff and future needs, and formulates strategies to fill expected gaps.
DOD concurred with seven of the recommendations and partially concurred with the remaining two. Regarding the recommendation to develop guidance for systems in sustainment, DOD stated that its Chief Information Officer would conduct an analysis on the potential need to develop additional guidance. However, by not fully committing to developing needed guidance, DOD is likely missing opportunities for improving its systems in sustainment. Accordingly, GAO maintains that its recommendation is appropriate.
For the recommendation on strategic workforce planning, DOD reiterated steps the department takes to address skills and training for individual functional communities (e.g., acquisition management and financial management). However, those steps do not address the collective staff requirements and expertise needed to address financial management systems issues. GAO maintains that its recommendation is appropriate.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to update guidance for initial approval and annual certification of business and financial systems to ensure guidance for priority business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 1) |
Open
As of March 2024, the department has not addressed this recommendation. In March 2024, the Department of Defense (DOD) reported that the Office of the DOD Chief Information Officer plans to issue updated guidance for addressing the statutory requirements. In addition, DOD reported that the department plans to address all actions associated with this recommendation by the end of September 2024. We will continue to monitor the department's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to update guidance for initial approval and annual certification of business and financial systems. The update should ensure guidance for non-priority covered business and financial systems that exist within a defense agency, field activity, or support more than one portion of DOD fully addresses the statutory requirements discussed in this report. (Recommendation 2) |
Open
As of March 2024, the department has not addressed this recommendation. In March 2024, the Department of Defense (DOD) reported that, among other things, officials in the Office of the Chief Information Officer (CIO) plan to update the department's initial approval and annual certification guidance for non-priority covered business and financial systems within a defense agency, field activity, or that support more than one portion of DOD. The department also reported that it expects to address this recommendation by the end of September 2024. We will continue to monitor the department's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of the Army should direct the Chief Management Officer of the Department of the Army to update guidance for initial approval and annual certification of covered business and financial systems. The update should ensure guidance for non-priority Department of the Army business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 3) |
Open – Partially Addressed
As of March 2024, the Department of the Army (Army) demonstrated that it has partially addressed the recommendation. Specifically, in November 2023, Army provided a closure package stating the requirements for the initial approval and annual certification for its defense business systems. For example, in November 2023, the Army provided its fiscal year (FY) 2024 Defense Business System Annual Certification and Portfolio Review Guidance Memorandum, which included information such as coordinating instructions requiring domains to submit a portfolio review brief to the Army's Office of Enterprise Management to ensure that system owners complete all policy requirements for certification. However, the guidance did not fully describe how system-level officials are to document compliance with statutory requirements or how approval authorities are to validate that system documentation is sufficient for addressing statutory requirements for annual review discussed in our report. In addition, the guidance provided by the Army did not discuss initial system approvals. As of March 2024, the department submitted a corrective action plan that stated as of January 2024 the department is awaiting a response from Army about updates related to this recommendation. In addition, as of March 2024, the department plans to address related recommendations from this report associated with its corporate-level initial approval and annual certification guidance and its business enterprise architecture by the end of September and October 2024, respectively. We will continue to monitor Army's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of the Navy should direct the Chief Management Officer of the Department of the Navy to update guidance for initial approval and annual certification of covered business and financial systems. The update should ensure guidance for non-priority Department of the Navy business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 4) |
Open – Partially Addressed
As of March 2024, the Department of the Navy (Navy) demonstrated that it has partially addressed the recommendation. Specifically, in February 2024, the Navy provided a closure request memorandum to provide more detailed guidance on how Navy approval authorities are to validate compliance with the requirements in 10 U.S.C. section 2222. This includes, among other things, ensuring that systems are in compliance with the Department's auditability requirements. The memorandum described documentation that systems are to submit along with their initial and annual certification requests, as well as other related information that approving officials are to assess as part of this process. While the Navy's February 2024 closure request memorandum provides additional information associated with documenting and substantiating that systems meet statutory requirements, the memorandum is not part of the Navy's guidance for initial approval or annual review. Further, as of March 2024, the Department of Defense plans to address the recommendations from this report associated with updating its department-level initial approval and annual certification guidance and updating its business enterprise architecture by September and October 2024, respectively. We will continue to monitor Navy's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of the Air Force should direct the Chief Management Officer of the Department of the Air Force to update guidance for initial approval and annual certification of covered business and financial systems. The update should ensure guidance for non-priority Department of the Air Force business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 5) |
Open – Partially Addressed
As of March 2024, the Department of the Air Force (Air Force) demonstrated that it has partially addressed the recommendation. Specifically, in February 2024, the Air Force provided additional guidance documents and a corrective action plan intended to describe how Air Force approval authorities are to validate compliance with the requirements in 10 U.S.C. 2222. For example, the Air Force provided, among other things, Organizational Execution Plan (OEP) guidance for fiscal year (FY) 2024. According to Air Force officials, the FY 2024 OEP How-to-Guide requires system owners and program managers to provide a standard set of minimum data elements in authoritative data sources. This includes, among other things, data intended to document that systems comply with the Department's auditability requirements. However, the FY 2024 OEP guidance does not document how approval authorities review and approve these required data elements. For example, the guidance calls for systems to document if they comply with statutory requirements, but does not discuss the detailed assessment steps approval authorities are to follow to make their decisions or discuss the documentation required to document or substantiate these decisions. In addition, as of March 2024, the Department of Defense plans to address related recommendations from this report associated with updating its department-level initial approval and annual certification guidance and updating its business enterprise architecture by the end of September and October 2024, respectively. We will continue to monitor Air Force's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to develop guidance that calls for business and financial systems in sustainment to comply with statutory requirements for having valid, achievable requirements and eliminating or reducing the need to tailor commercial off-the-shelf systems. (Recommendation 6) |
Open
As of March 2024, the department has not addressed this recommendation. In March 2024, the Department of Defense (DOD) reiterated that it partially concurred with our recommendation. In addition, DOD reported that the Office of the Chief Information Officer plans to determine whether it will benefit the department's overall goals to require business and financial management systems in sustainment to comply with statutory requirements for having valid, achievable requirements and eliminating or reducing the need to tailor commercial off-the-shelf systems. Further, DOD reported that, it plans to address this recommendation by the end of May 2024. We will continue to monitor the department's efforts to implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to ensure that data maintained about business and financial system certifications are complete and accurate. (Recommendation 7) |
Open
As of March 2024, the department has not addressed this recommendation. Specifically, in March 2024, the Department of Defense (DOD) reported that officials within DOD's Office of the Chief Information Officer will continue its efforts to enforce data validity in department repositories used to assess statutory compliance. In addition, they will continue efforts to ensure the completeness and accuracy of system certification data through the deployment of automated tools in support of business and financial system portfolio management tasks. For example, according to the department, DOD plans to develop and deploy a financial management systems comprehensive compliance scorecard in in DOD's Advana tool. DOD reported that it expects to address this recommendation by the end of September 2024. We will continue to monitor the status of this recommendation as DOD continues to take steps to address it.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO to develop and implement plans for documenting detailed system compliance with the business enterprise architecture. (Recommendation 8) |
Open
As of March 2024, the department has not addressed this recommendation. In March 2024, the Department of Defense (DOD) reported that the Office of the DOD Chief Information Officer plans to develop and implement plans for documenting detailed system compliance with the business enterprise architecture (BEA). Specifically, in January 2024 the department published an updated BEA framework. The department plans to subsequently publish a DOD BEA guidebook and develop and document a detailed system compliance capability. DOD reported that the department plans to complete all actions associated with addressing this recommendation by the end of October 2024. We will continue to monitor the department's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to establish a mechanism for ensuring that DOD financial management systems take a strategic approach to workforce planning for the government and contractor staff that develop and maintain its systems. (Recommendation 9) |
Open
As of March 2024, the department has not addressed this recommendation. In March 2024, the department reported on actions that it plans to take to address this recommendation. Nevertheless, the department reiterated that it partially concurs with the recommendation. The department reported that it plans to build a Workforce Health Index for the financial management community that will monitor key workforce metrics in real time. Further, it plans to regularly review competencies, including those outside of the financial management community that are needed to support financial management systems. For example, the department plans to develop an overarching strategy for addressing workforce plans in all the professional series impacted by changes in technology. The department also reported that the numerous skillsets outside of the financial management community will remain under the purview of the appropriate functional communities (e.g., acquisition and the cyber-excepted workforce) already managing the career fields. The department plans to complete all tasks associated with this recommendation by the end of December 2024. We will continue to monitor the department's efforts to fully implement this recommendation.
|