More bad news for DOD audit-readiness

The latest in a string of audits and reports critiquing DOD financial management shows deficiencies in the department's risk-management planning.

The Defense Department's financial management problems have been well-documented over the years, with numerous watchdog reports providing an ongoing saga of the Pentagon's struggles to achieve audit-readiness and implement a solid business enterprise architecture.

The latest of those reports comes from the Government Accountability Office and addresses DOD's ineffective risk management planning, a deficiency GAO says could sabotage the department's ability to have audit-ready financial statements by 2014, as required in the 2012 defense bill.

The Pentagon's financial management programs have been on GAO's "high risk" list – deemed susceptible to waste, fraud, abuse and mismanagement – since 1995. The latest report does not bode well for an exit from the list anytime soon.

"DOD remains the only major federal agency that has been unable to receive an audit opinion of any kind on its department-wide financial statements," the latest report's author wrote. "Given the size and complexity of DOD's worldwide operations—involving a requested budget of approximately $614 billion for fiscal year 2013—accurate, complete, and timely financial management information and effective accountability are critical."

The report acknowledges that Pentagon leaders have taken some action to manage department-level risks associated with financial auditability, primarily through the department's Financial Improvement and Audit Readiness (FIAR) plan. But GAO noted problems with FIAR, saying that its risk management efforts were not carried out "in accordance with widely recognized guiding principles for effective risk management," such as fully assessing and planning for risks that could make goals unachievable.

According to GAO, Pentagon leaders in July 2012 identified six department-wide risks to FIAR's implementation, noting that they regularly meet to discuss issues with an oversight committee. Those risks include lack of full commitment, insufficient accountability, poorly defined scope and requirements, unqualified personnel, insufficient funding and weaknesses in information system control.

GAO says DOD's list of risks is not comprehensive enough, and that there is no evidence of efforts to identify further risks.

"For example, based on prior audits, GAO identified other audit-readiness risks that DOD did not identify, such as the reliance on service providers for much of the components' financial data and the need for better department-wide document retention policies," the authors wrote in the report. "Similarly, DOD's actions to manage its identified risks were not in accordance with the guiding principles. GAO found little evidence that DOD analyzed risks it identified to assess their magnitude or that DOD developed adequate plans for mitigating the risks."

DOD Comptroller Robert Hale, in a written response included in the GAO report, admitted that the Pentagon does not have a risk management policy specifically for FIAR. But he disputed the findings pointing to inadequate risk management.

"All common risk management activities are occurring, including identification, evaluation, remediation and monitoring of enterprise-wide risk for the FIAR initiatives. These ongoing activities are effectively monitoring risk," Hale wrote, adding that risk management efforts have been embedded in FIAR's processes and activities. "We will take steps to improve documentation related to FIAR risk management activities and reinforce the importance of more detailed risk management that logically should be taking place within each DOD element that is executing its own detailed FIAR plan."