Findings on Findings on Findings: Guess Whose Audit Uncovered Over 2,000 Findings?
If you think tracking findings is challenging, try being the Pentagon. The Department of Defense (DoD) underwent its first-ever full financial audit. More than 1,200 auditors conducted over 900 site visits at over 600 locations across the DoD to examine hundreds of thousands of items. The result was over 2,000 findings and recommendations, according to a report in military newspaper Stars and Stripes.
Auditors from the department’s Office of the Inspector General verified inventory, tested for cybersecurity vulnerabilities in business systems, and reviewed personnel records. Cybersecurity made up the largest number of findings.
- Financial and business management systems and processes do not provide reliable, timely, nor accurate information.
- Systemic shortfalls in implementing cybersecurity measures to guard the data protection environment.
- Issues exist in policy compliance with cybersecurity measures, oversight, and accountability.
- “Material weakness” in military pay, contractor and vendor pay, and personnel and organizational management.
“This is a significant number, and it reflects the challenges that the department and others face with IT security,” a defense department spokesperson said in an email to Stars & Stripes.
A Failing Grade
Overall, the Pentagon got a finding of “disclaimer” because auditors “could not obtain sufficient appropriate evidence on which to base an audit opinion.” The scale for the audit, from best to worst, is:
- unmodified or clean
“We failed the audit, but we never expected to pass it,” Deputy Secretary of Defense Patrick Shanahan, told Reuters of the first large-scale audit in the department’s history. It’s also been called the biggest financial audit ever. (Some areas aced the audit. The U.S. Army Corps of Engineers – Civil Works, the Military Retirement Fund, Defense Health Agency – Contract Resource Management, Defense Contract Audit Agency, and the Defense Finance and Accounting Services Working Capital Fund all received a rating of clean. Also, no fraud was found.)
“We need to develop our plans to address the findings and actually put corrective actions in place,” he later said.
So far the DoD has spent $406 million on audit remediation plus another $153 million on its financial systems, according to Stars & Stripes. That’s almost as much as the audit, which cost $413 million.
I’d be curious to learn more about how the DoD is handling its findings. Financial institutions can find it challenging to track and remediate just a handful of findings. There are so many moving parts and so many other pressing issues. The only way to successfully address findings is to:
- Assign responsibility for remediation
- Provide reminders to ensure tasks get done
- Track progress
- Maintain documentation to demonstrate to examiners and auditors that issues have been corrected
I hope the Pentagon has a centralized and automated process for handling the findings remediation process. The DoD is America’s largest employer with 2.87 million service members and civilian employees and a budget of $716 billion. It’s a big place.
They need to use military precision in dealing with findings, using a systematic strategy rather than a scattershot approach. This needs to be well thought out, carefully executed, and diligently tracked. For instance, since cybersecurity policy compliance fell short of expectations, it could be more efficient to develop a top-down effort to coordinate efforts to improve compliance across the organization.
“Reliable, timely, and accurate” information is critical for planning any military action or response, and the DoD’s systems must be an especially appealing target for cyber attacks by international actors. The sooner these findings are addressed, the better.
Pentagon: It’s Just Like Us
Financial institutions aren’t the only ones who get frustrated when talking about audits and compliance.
“Some of the compliance issues are irritating to me. … The point of the audit is to drive better discipline in our compliance with our management systems and procedures,” Deputy Secretary of Defense Patrick Shanahan told reporters according to Reuters.