Financial Management: DOD Needs to Improve System Oversight

What GAO Found

For over 30 years, the Department of Defense (DOD) has initiated a variety of efforts and undergone several changes in organizational responsibility to help modernize its business and financial systems. However, these efforts and changes have not been fully successful to date. DOD is the only major federal agency to not achieve an unmodified (clean) audit opinion—its business and financial systems are a key impediment to this effort.

Effective oversight of systems is essential to moving DOD in the right direction. Key elements of such oversight include establishing oversight processes, using and communicating quality information, sustaining leadership commitment, and managing risk.

• Oversight processes. DOD has established a process for overseeing its business and financial management systems. First, systems are not to proceed into development unless the approving official determines that statutory requirements have been met. These requirements are that the system (1) has been reengineered and streamlined, and unique software requirements and interfaces minimized, (2) complies with the defense business enterprise architecture, (3) has valid, achievable requirements, (4) has an acquisition strategy designed to eliminate or reduce the need to modify commercial off-the-shelf systems, and (5) complies with the Department’s auditability requirements. Second, once approved, systems proceed through an annual certification process in which DOD checks to make sure that systems are continuing to meet the requirements. However, the key guidance documents that govern DOD, military department, and defense agency decisions about initial approvals and annual certifications are limited. Specifically, the guidance does not fully address how systems are to document compliance or how decision-makers are to substantiate that systems are complying with requirements. For example, DOD-level guidance does not describe how approval authorities are to determine compliance with the auditability requirement. This places DOD at risk of making decisions based on a “check the box” exercise.

Extent to Which DOD, Military Department, and Defense Agency Guidance Addresses Initial Approval and Annual Certification Requirements for Covered Business Systems

Legend:

● = Fully addressed: Guidance explains how systems are to address and decision-makers are to substantiate the initial approval and annual certification requirements.

◑ = Partially addressed: Guidance discusses at least one of the initial approval and annual certification requirements, but does not fully describe how systems are to address and decision-makers are to substantiate the requirements.

○ = Not addressed: Guidance does not discuss the requirements.

Source: GAO Analysis of Department of Defense (DOD) documentation. | GAO-23-104539

In addition, DOD does not apply key requirements to systems in sustainment, even though the statute does not provide for such an exclusion. By excluding application of these requirements, DOD may be missing important opportunities for improving these systems.

• Quality information. As part of its oversight, DOD collects data about business and financial system compliance with statutory requirements. For example, of the 136 systems that indicated the auditability requirement was applicable or required, 84 indicated they were compliant with the requirement, 44 indicated they planned to comply, three indicated they were not compliant, and five indicated they had not completed an assessment.

Summary of DOD’s Data on Business System Compliance with Statutory Requirements

Legend:

– = no responses under the specified category.

Source: GAO Analysis of Department of Defense (DOD) documentation. | GAO-23-104539

^aSystems indicated that compliance with the requirement was required or applicable.

^bDOD defines legacy systems as systems that it plans to phase out over the next 36 months. It does not require legacy systems to comply with certain requirements.

^cDOD does not require systems that have proceeded past the development phase (i.e., systems in sustainment) to comply with selected requirements.

However, the reliability of these data is limited. For example, of the 208 systems that DOD identified as relevant to the financial audit, information on 71 systems indicated that the auditability requirement was not applicable to them. However, a separate database indicated that at least 58 of these 71 were relevant to the audit. In addition, as of January 2022, DOD reported that its Independent Public Auditors had identified 1,411 unresolved IT-related notices of findings and recommendations associated with 3,478 underlying IT-related issues. These results raises further questions about data reliability, which may also impact the extent of compliance with statutory requirements.

• Leadership. DOD has experienced frequent changes to the organizations and entities responsible for overseeing its business and financial systems. For example, in February 2018 a new Chief Management Officer position was established with broad responsibilities for business operations; three years later the position was abolished. GAO has previously reported that demonstrating sustained, consistent leadership is imperative for successful business transformations.
• Managing risk. Officials from across DOD provided their perspectives on risks and challenges facing the department as it seeks to modernize its financial system environment. These include legacy systems, system interfaces, and human capital. DOD has taken a number of steps to address risks and challenges identified by DOD officials. GAO will continue monitoring DOD’s efforts in this area.

In addition, DOD is not taking a strategic approach to managing the human capital needed for its financial management systems. It does not, among other things, analyze the gaps in capabilities between existing staff and future workforce needs, or formulate strategies for filling expected gaps. As a result, as discussed in the report, challenges have emerged.

Why GAO Did This Study

DOD spends billions of dollars each year on its business and financial systems. However, DOD’s business systems modernization and financial management efforts have been on GAO’s high risk list since 1995. These high risk areas remain obstacles to DOD’s efforts to achieve an unmodified audit opinion.

GAO was asked to review DOD’s financial management systems. This report (1) describes DOD’s efforts to improve its business and financial systems; (2) assesses the extent to which DOD is effectively overseeing its business and financial systems; and (3) assesses the extent to which DOD is taking a strategic approach to managing human capital for its financial management systems.

To describe DOD’s efforts to improve its business and financial systems, GAO reviewed related laws, GAO reports, and DOD and military department documentation associated with DOD’s business and financial systems.

To assess DOD’s oversight of these systems, GAO reviewed reports, guidance, and relevant statutes to identify key elements of business and financial management systems oversight. GAO evaluated DOD policy and DOD, military department, and defense agency guidance and plans against statutory requirements for oversight. It also evaluated DOD’s data on its systems’ compliance with statutory requirements associated with improving the department’s ability to obtain an unmodified audit opinion.

GAO also evaluated DOD and military department guidance and plans against key practices for workforce management. In addition, it interviewed relevant officials from DOD and the military departments