Financial Management: DOD Needs to Improve System Oversight
Fast Facts
The Department of Defense can't accurately account for or report on its physical assets or spending. For more than 30 years DOD has tried to modernize its business and financial systems—spending billions of dollars a year on them. That's why DOD's business systems modernization and financial management efforts have been on our High Risk List since 1995.
DOD hasn't fully developed guidance for overseeing these systems. Without it, DOD risks investing funds on developing and maintaining systems that don't support financial statements that can be audited.
Our 9 recommendations address this and other issues.
Highlights
What GAO Found
For over 30 years, the Department of Defense (DOD) has initiated a variety of efforts and undergone several changes in organizational responsibility to help modernize its business and financial systems. However, these efforts and changes have not been fully successful to date. DOD is the only major federal agency to not achieve an unmodified (clean) audit opinion—its business and financial systems are a key impediment to this effort.
Effective oversight of systems is essential to moving DOD in the right direction. Key elements of such oversight include establishing oversight processes, using and communicating quality information, sustaining leadership commitment, and managing risk.
- Oversight processes. DOD has established a process for overseeing its business and financial management systems. First, systems are not to proceed into development unless the approving official determines that statutory requirements have been met. These requirements are that the system (1) has been reengineered and streamlined, and unique software requirements and interfaces minimized, (2) complies with the defense business enterprise architecture, (3) has valid, achievable requirements, (4) has an acquisition strategy designed to eliminate or reduce the need to modify commercial off-the-shelf systems, and (5) complies with the Department's auditability requirements. Second, once approved, systems proceed through an annual certification process in which DOD checks to make sure that systems are continuing to meet the requirements. However, the key guidance documents that govern DOD, military department, and defense agency decisions about initial approvals and annual certifications are limited. Specifically, the guidance does not fully address how systems are to document compliance or how decision-makers are to substantiate that systems are complying with requirements. For example, DOD-level guidance does not describe how approval authorities are to determine compliance with the auditability requirement. This places DOD at risk of making decisions based on a “check the box” exercise.
Extent to Which DOD, Military Department, and Defense Agency Guidance Addresses Initial Approval and Annual Certification Requirements for Covered Business Systems
|
Initial approval and Annual certification requirement |
DOD |
Army |
Department of the Navy |
Air Force |
Defense Agencies |
|---|---|---|---|---|---|
|
Business process reengineering |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Business enterprise architecture |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Requirement plan |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Acquisition strategy |
◑ |
◑ |
◑ |
◑ |
◑ |
|
Auditability requirement |
◑ |
◑ |
◑ |
◑ |
◑ |
Legend:
● = Fully addressed: Guidance explains how systems are to address and decision-makers are to substantiate the initial approval and annual certification requirements.
◑ = Partially addressed: Guidance discusses at least one of the initial approval and annual certification requirements, but does not fully describe how systems are to address and decision-makers are to substantiate the requirements.
○ = Not addressed: Guidance does not discuss the requirements.
Source: GAO Analysis of Department of Defense (DOD) documentation. | GAO-23-104539
In addition, DOD does not apply key requirements to systems in sustainment, even though the statute does not provide for such an exclusion. By excluding application of these requirements, DOD may be missing important opportunities for improving these systems.
- Quality information. As part of its oversight, DOD collects data about business and financial system compliance with statutory requirements. For example, of the 136 systems that indicated the auditability requirement was applicable or required, 84 indicated they were compliant with the requirement, 44 indicated they planned to comply, three indicated they were not compliant, and five indicated they had not completed an assessment.
Summary of DOD's Data on Business System Compliance with Statutory Requirements
|
Compliance response |
Business process reengineering |
Business enterprise architecture |
Requirement plan |
Acquisition Strategy |
Auditability |
|---|---|---|---|---|---|
|
Compliance required or applicablea |
189 |
192 |
66 |
67 |
136 |
|
No answer |
1 |
1 |
1 |
1 |
1 |
|
Not required (Legacy system)b |
18 |
15 |
21 |
20 |
- |
|
Not required (System in sustainment)c |
- |
- |
120 |
120 |
- |
|
Not applicable |
- |
- |
- |
- |
71 |
|
Total |
208 |
208 |
208 |
208 |
208 |
Legend:
- = no responses under the specified category.
Source: GAO Analysis of Department of Defense (DOD) documentation. | GAO-23-104539
aSystems indicated that compliance with the requirement was required or applicable.
bDOD defines legacy systems as systems that it plans to phase out over the next 36 months. It does not require legacy systems to comply with certain requirements.
cDOD does not require systems that have proceeded past the development phase (i.e., systems in sustainment) to comply with selected requirements.
However, the reliability of these data is limited. For example, of the 208 systems that DOD identified as relevant to the financial audit, information on 71 systems indicated that the auditability requirement was not applicable to them. However, a separate database indicated that at least 58 of these 71 were relevant to the audit. In addition, as of January 2022, DOD reported that its Independent Public Auditors had identified 1,411 unresolved IT-related notices of findings and recommendations associated with 3,478 underlying IT-related issues. These results raises further questions about data reliability, which may also impact the extent of compliance with statutory requirements.
- Leadership. DOD has experienced frequent changes to the organizations and entities responsible for overseeing its business and financial systems. For example, in February 2018 a new Chief Management Officer position was established with broad responsibilities for business operations; three years later the position was abolished. GAO has previously reported that demonstrating sustained, consistent leadership is imperative for successful business transformations.
- Managing risk. Officials from across DOD provided their perspectives on risks and challenges facing the department as it seeks to modernize its financial system environment. These include legacy systems, system interfaces, and human capital. DOD has taken a number of steps to address risks and challenges identified by DOD officials. GAO will continue monitoring DOD's efforts in this area.
In addition, DOD is not taking a strategic approach to managing the human capital needed for its financial management systems. It does not, among other things, analyze the gaps in capabilities between existing staff and future workforce needs, or formulate strategies for filling expected gaps. As a result, as discussed in the report, challenges have emerged.
Why GAO Did This Study
DOD spends billions of dollars each year on its business and financial systems. However, DOD's business systems modernization and financial management efforts have been on GAO's high risk list since 1995. These high risk areas remain obstacles to DOD's efforts to achieve an unmodified audit opinion.
GAO was asked to review DOD's financial management systems. This report (1) describes DOD's efforts to improve its business and financial systems; (2) assesses the extent to which DOD is effectively overseeing its business and financial systems; and (3) assesses the extent to which DOD is taking a strategic approach to managing human capital for its financial management systems.
To describe DOD's efforts to improve its business and financial systems, GAO reviewed related laws, GAO reports, and DOD and military department documentation associated with DOD's business and financial systems.
To assess DOD's oversight of these systems, GAO reviewed reports, guidance, and relevant statutes to identify key elements of business and financial management systems oversight. GAO evaluated DOD policy and DOD, military department, and defense agency guidance and plans against statutory requirements for oversight. It also evaluated DOD's data on its systems' compliance with statutory requirements associated with improving the department's ability to obtain an unmodified audit opinion.
GAO also evaluated DOD and military department guidance and plans against key practices for workforce management. In addition, it interviewed relevant officials from DOD and the military departments
Recommendations
GAO is making nine recommendations, including that DOD and the military departments update guidance for initial approvals and annual certifications of business and financial systems to substantiate and document compliance with requirements.
GAO is also recommending that DOD ensure that the data collected on the extent of business and financial system compliance with statutory requirements is reliable.
Further, GAO recommends that DOD develop guidance for systems in sustainment to comply with relevant statutory requirements.
In addition, GAO is recommending that DOD implement a strategic approach to workforce planning that, among other things, analyzes gaps in capabilities between existing staff and future needs, and formulates strategies to fill expected gaps.
DOD concurred with seven of the recommendations and partially concurred with the remaining two. Regarding the recommendation to develop guidance for systems in sustainment, DOD stated that its Chief Information Officer would conduct an analysis on the potential need to develop additional guidance. However, by not fully committing to developing needed guidance, DOD is likely missing opportunities for improving its systems in sustainment. Accordingly, GAO maintains that its recommendation is appropriate.
For the recommendation on strategic workforce planning, DOD reiterated steps the department takes to address skills and training for individual functional communities (e.g., acquisition management and financial management). However, those steps do not address the collective staff requirements and expertise needed to address financial management systems issues. GAO maintains that its recommendation is appropriate.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to update guidance for initial approval and annual certification of business and financial systems to ensure guidance for priority business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 1) |
As of January 2025, the Department of Defense (DOD) has partially addressed this recommendation. Specifically, in October 2024, the department published its updated Defense Business Systems (DBS) Certification and Management Guidance. The guidance documents processes for initial approvals and annual certifications of DBS. It also discusses authoritative data sources and analytical frameworks that support these processes. The department also publishes an annual certification guidance memorandum. The most recent guidance addresses the fiscal year 2025 certification process for priority DBS. In January 2025, DOD officials stated that they believe the information contained in DOD's October 2024 DBS Certification and Management Guidance and the requirements published in DOD's annual certification guidance memorandum is sufficient to address this recommendation. However, DOD did not demonstrate that these documents fully address all statutory requirements discussed in this report. For instance, the fiscal year 2025 memorandum discusses a requirement for DBSs to have approved acquisition documentation on file; however, it does not describe what system owners need to provide to demonstrate that the DBS is designed to eliminate or reduce the need to tailor commercial off the shelf systems to meet or incorporate unique requirements. Additionally, these documents do not fully describe how approval authorities are to validate that systems have met statutory requirements. We will follow-up with the department for additional information and continue to monitor the department's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to update guidance for initial approval and annual certification of business and financial systems. The update should ensure guidance for non-priority covered business and financial systems that exist within a defense agency, field activity, or support more than one portion of DOD fully addresses the statutory requirements discussed in this report. (Recommendation 2) |
As of January 2025, the Department of Defense (DOD) has partially addressed this recommendation. Specifically, in October 2024, the department published its updated Defense Business Systems (DBS) Certification and Management Guidance. The guidance documents processes for initial approvals and annual certifications of DBSs that include non-priority covered business systems that exist within a defense agency, field activity, or support more than one portion of DOD (described as Fourth Estate Covered Defense Business Systems in the guidance). It also discusses authoritative data sources and analytical frameworks that support these processes. The department also publishes an annual certification guidance memorandum, most recently for fiscal year 2025, addressing the certification process for non-priority covered DBS. In January 2025, DOD officials stated that they believe that the information contained in DOD's October 2024 DBS Certification and Management Guidance and the requirements published in DOD's annual certification guidance memorandum is sufficient to address this recommendation. However, DOD did not demonstrate that these documents fully address all statutory requirements discussed in this report. For instance, the fiscal year 2025 memorandum discusses a requirement for non-priority covered DBSs to have approved acquisition documentation on file, however, it does not describe what system owners need to provide to adequately demonstrate that the DBS is designed to eliminate or reduce the need to tailor commercial off the shelf systems to meet or incorporate unique requirements. Additionally, these documents do not fully describe how approval authorities are to validate that systems have met statutory requirements. We will follow-up with the department for additional information and continue to monitor the department's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of the Army should direct the Chief Management Officer of the Department of the Army to update guidance for initial approval and annual certification of covered business and financial systems. The update should ensure guidance for non-priority Department of the Army business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 3) |
As of January 2025, the Department of the Army (Army) demonstrated that it has partially addressed the recommendation. In November 2023, the Army provided its fiscal year (FY) 2024 Defense Business System Annual Certification and Portfolio Review Guidance Memorandum. In addition, in January 2025, it provided the FY 2025 version of this memorandum. The FY 2025 guidance includes information such as instructions requiring domains to submit a portfolio review brief to the Army's Office of Enterprise Management to ensure that system owners complete all certification requirements. However, the FY 2025 guidance does not fully describe how system-level officials are to document compliance with statutory requirements. Additionally, the FY 2025 guidance does not fully describe how approval authorities are to validate that system documentation is sufficient for addressing the statutory requirements for annual reviews discussed in our report. Further, the guidance does not discuss initial system approvals. In addition, in October 2024, the Department of Defense (DOD) issued its updated Defense Business Systems Certification and Management Guidance. This guidance documents processes for initial approvals and annual certifications of defense business systems. However, the guidance and its accompanying annual certification guidance memorandum for FY 2025 do not fully address how systems are to document and approval authorities are to substantiate initial approval and annual certification decisions. In addition, the department is in the process of updating its business enterprise architecture (BEA), which supports one of the relevant statutory requirements. In December 2024, the department stated that it planned to publish its BEA Guidebook in the second quarter of FY 2025. We will follow-up with the Army for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of the Navy should direct the Chief Management Officer of the Department of the Navy to update guidance for initial approval and annual certification of covered business and financial systems. The update should ensure guidance for non-priority Department of the Navy business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 4) |
As of January 2025, the Department of the Navy (Navy) demonstrated that it has partially addressed the recommendation. Specifically, in February 2024, the Navy provided a closure request memorandum to provide more detailed guidance on how Navy approval authorities are to validate compliance with the requirements in 10 U.S.C. section 2222. This includes, among other things, ensuring that systems are in compliance with the Department's auditability requirements. The memorandum described documentation that systems are to submit along with their initial and annual certification requests, as well as other related information that approving officials are to assess as part of this process. While the Navy's February 2024 closure request memorandum provides additional information associated with documenting and substantiating that systems meet statutory requirements, the memorandum is not part of the Navy's guidance for initial approval or annual review. In addition, in October 2024, the Department of Defense (DOD) issued its updated Defense Business Systems Certification and Management Guidance. This guidance documents processes for initial approvals and annual certifications of defense business systems. However, the guidance and its accompanying annual certification guidance memorandum for fiscal year 2025 do not fully address how systems are to document and approval authorities are to substantiate initial approval and annual certification decisions. In addition, the department is in the process of updating its business enterprise architecture (BEA), which supports one of the relevant statutory requirements. In December 2024, the department stated that it planned to publish its BEA Guidebook in the second quarter of FY 2025. We will follow-up with the Navy for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of the Air Force should direct the Chief Management Officer of the Department of the Air Force to update guidance for initial approval and annual certification of covered business and financial systems. The update should ensure guidance for non-priority Department of the Air Force business and financial systems fully addresses the statutory requirements discussed in this report. (Recommendation 5) |
As of January 2025, the Department of the Air Force (Air Force) demonstrated that it has partially addressed the recommendation. Specifically, in February 2024, the Air Force provided additional guidance documents and a corrective action plan intended to describe how Air Force approval authorities are to validate compliance with the requirements in 10 U.S.C. 2222. For example, the Air Force provided, among other things, Organizational Execution Plan (OEP) guidance for Fiscal Year (FY) 2024. According to Air Force officials, the FY 2024 OEP How-to-Guide requires system owners and program managers to provide a standard set of minimum data elements in authoritative data sources. This includes, among other things, data intended to document that systems comply with the department's auditability requirements. However, the FY 2024 OEP guidance does not document how approval authorities review and approve these required data elements. For example, the guidance calls for systems to document if they comply with statutory requirements but does not detail the assessment steps approval authorities are to follow to make their decisions for initial approvals or annual certifications. The guidance also does not discuss the documentation required to document or substantiate these decisions or compliance with statutory requirements. In addition, in October 2024, the Department of Defense (DOD) issued its updated Defense Business Systems Certification and Management Guidance. This guidance documents processes for initial approvals and annual certifications of defense business systems. However, the guidance and its accompanying annual certification guidance memorandum for FY 2025 do not fully address how systems are to document and approval authorities are to substantiate initial approval and annual certification decisions. In addition, the department is in the process of updating its business enterprise architecture (BEA), which supports one of the relevant statutory requirements. In December 2024, the department stated that it planned to publish its BEA Guidebook in the second quarter of FY 2025. We will follow-up with the Air Force for additional information and continue to monitor its efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to develop guidance that calls for business and financial systems in sustainment to comply with statutory requirements for having valid, achievable requirements and eliminating or reducing the need to tailor commercial off-the-shelf systems. (Recommendation 6) |
As of January 2025, the Department of Defense (DOD) has partially addressed this recommendation. Specifically, in October 2024, the department published its updated Defense Business Systems Certification and Management Guidance, which documents processes for initial approvals and annual certifications of defense business systems. This guidance does not discuss exceptions for systems in sustainment. Additionally, the department's Fiscal Year 2025 annual certification guidance memorandum, which details the certification process and technical and functional requirements for covered defense business systems, similarly does not include exceptions for systems in sustainment. In January 2025, DOD officials also stated that these exceptions have been removed. However, as described in our report, DOD data previously indicated that over half of the systems relevant to the audit and included in the department's compliance data were in sustainment and therefore did not need to comply with selected requirements. While the updated overarching guidance does not call for systems in sustainment to be excluded from these requirements, we will follow-up with DOD to validate that additional guidance associated with documenting compliance in its data repository reflects the removal of these exclusions.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to ensure that data maintained about business and financial system certifications are complete and accurate. (Recommendation 7) |
As of January 2025, the department has not addressed this recommendation. Specifically, in March 2024, the Department of Defense (DOD) reported that officials within DOD's Office of the Chief Information Officer (CIO) will continue their efforts to enforce data validity in department repositories used to assess statutory compliance. In addition, officials reported that they will continue efforts to ensure the completeness and accuracy of system certification data through the deployment of automated tools in support of business and financial system portfolio management tasks. For example, according to the department, DOD plans to develop and deploy a financial management systems comprehensive compliance scorecard in DOD's Advana tool. In March 2024, DOD reported that it expected to address this recommendation by the end of September 2024. However, as of January 2025, DOD has not provided an update on its plans to implement this recommendation. We will continue to monitor the status of this recommendation as DOD continues to take steps to address it.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO to develop and implement plans for documenting detailed system compliance with the business enterprise architecture. (Recommendation 8) |
As of January 2025, the department has not addressed this recommendation. In March 2024, the Department of Defense (DOD) reported that the Office of the DOD Chief Information Officer (CIO) plans to develop and implement plans for documenting detailed system compliance with the business enterprise architecture (BEA). Specifically, in January 2024 the department published an updated BEA Framework. The department plans to subsequently publish a DOD BEA Guidebook and develop and document a detailed system compliance capability. In December 2024, DOD officials stated that the department plans to publish its BEA Guidebook in the second quarter of Fiscal Year 2025. We will continue to monitor the department's efforts to fully implement this recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO and USD(C)/CFO to establish a mechanism for ensuring that DOD financial management systems take a strategic approach to workforce planning for the government and contractor staff that develop and maintain its systems. (Recommendation 9) |
As of January 2025, the department has not addressed this recommendation. In March 2024, the department reported on actions that it plans to take to address this recommendation. Nevertheless, the department reiterated that it partially concurs with the recommendation. The department reported that it plans to build a Workforce Health Index for the financial management community that will monitor key workforce metrics in real time. Further, it plans to regularly review competencies, including those outside of the financial management community, that are needed to support financial management systems. For example, the department plans to develop an overarching strategy for addressing workforce plans in all the professional series impacted by changes in technology. The department also reported that the numerous skillsets outside of the financial management community will remain under the purview of the appropriate functional communities (e.g., acquisition and the cyber-excepted workforce) already managing the career fields. As of October 2024, the department planned to complete all tasks associated with this recommendation by the end of December 2024. However, as of January 2025, DOD has not provided an update on its plans to implement this recommendation. We will continue to monitor the department's efforts to fully implement this recommendation.
|