IT controls still a pain point, DOD audit finds

The Defense Department failed to get a clean opinion in its fourth annual financial audit, highlighting ongoing struggles to accurately account for IT systems.

The Pentagon (Photo by Ivan Cholakov / Shutterstock)

The Defense Department's fourth annual financial audit highlights ongoing struggles to accurately account for information technology systems and their effectiveness.

The DOD's inspector general and independent auditors completed its fourth annual audit Nov. 15, culling through more than $3.2 trillion in assets and $3.0 trillion in liabilities.

But internal controls for IT assets were spotlighted in the 2021 annual financial report as an ongoing challenge that is frequently named in the DOD's audit notices of findings and recommendations (NFRs).

Michael McCord, the Defense Department's comptroller and chief financial officer, told reporters that protecting personnel and proprietary data doesn't necessarily translate into money saved but is a key focus for the department as it faces a myriad of cyber intrusions.

"I don't know that I would need to put a dollar figure on how much return I got in protecting a piece of information because it might be a leak of personal, proprietary information, might be a leak of, or a breach of what's called PPI, of personal information about the millions of people that we have in our system. So there's, there's good reasons to protect the information we have," McCord said Nov. 15.

The report and the comptroller note that DOD is making progress in these areas with larger efforts, such as the Cybersecurity Maturity Model Certification program led by the undersecretary of defense for acquisition and sustainment to improve contractors' security.

"So cleaning up our own house on controls, protection of information...the contractors that we rely on is an important effort anyway. And I think this is an area where the audit dovetails very nicely with something that we all recognize we need to be doing, regardless of whether I could say that I saved exactly 'X' dollars by cleaning up the environment so that something wasn't breached, something wasn't leaked."

The number of findings is still being completed and is expected to grow, McCord said. A total of 2,600 material weaknesses across several issue areas, including IT, software, health care and real property assets, were identified as of Nov. 15. The Defense Department has closed just 13% of the NFRs issued in previous audits, about 466.

"I don't have the exact number yet of IT related in NFRs. But there's certain to be a pretty substantial number. And again, I think that that's an area that we really need to focus on. Because, again, of all the sort of the cyber threats out there that having either an antiquated system or poor controls, even in a newer system, just make you vulnerable in ways that go beyond the impact on the audit to the operation of the department and into us not wasting resources."

The report noted three department-wide material weaknesses regarding the effectiveness of internal controls over IT operations that were identified in fiscal 2020 and still unresolved in 2021.

That's part of trend: The Pentagon has been confronting department-wide IT weaknesses for more than a decade. Problems including "gaps in cybersecurity access controls," and a "lack of clear, concise IT security requirements for developed-in-house and acquired systems" have been identified by DOD as far back as 2010.

DOD hasn't set a target date for corrective actions to take place. Corrective actions include updating policy and guidance, reinforcing encryption, implementing automation techniques in acquisition, and with regard to software, integrating license media management and limited asset resources into "a single focus point managing software lifecycle."

Business systems modernization suffer from delays due to "degraded DOD business process operations" and an overall complex environment of applications, hosting locations and interfaces that make it "difficult to maintain effective IT general and application controls (including information security)," according to the report.

DOD's broader efforts could yield wins down the line, particularly when it comes to streamlining data centers. DOD shutdown 38 data centers saving $219 million in budgetary actions as of fiscal 2021's third quarter as part of the federal government's Data Center Optimization Initiative, the report states.

The Fourth Estate Cloud and Data Center Reform Initiative, a similar effort to migrate systems for defense agencies and field activities to a singular environment, yielded 115 decommissioned systems by the tail end of fiscal 2021. A total of 667 systems have been migrated or decommissioned since 2018, when the initiative started, with a target of 900 systems to be reduced over the course of the effort.

Additionally, the report noted that IT management is expected to improve as DOD increases the number of systems that report to its data analytics Advana platform to build "a single source of truth to optimize information technology portfolio management, improve financial management, capture lost buying power, and provide enterprise-wide visibility that drives to action."