Formula for Pentagon to finally get on the road to a clean financial audit

The Department of Defense has failed its consolidated financial statement audit for the fifth year in a row. But its underperformance didn’t start in 2018. The Pentagon’s financial woes are part of a 30-plus-year continuum, dating back to the CFO Act of 1990, which mandated the agency to obtain a “clean opinion” on its financial statements.

I have been a government auditor for longer than I can remember. Initially…


I worked first as a civil servant and later as a consultant. I was also the first member of the government’s “511” audit series, classified by the OPM following passage of the Inspector General Act of 1978, in the 1980s and 1990s.

Since 2012, I have been working on the information technology part of financial statements. Ostensibly, data accumulated from DoD IT systems and applications enters the general ledger, which is reflected in the agency’s financial statements. But not for the Department of Defense.

Disclaimers and a troubling accumulation of adverse behavior set the Department of Defense apart from 23 other agencies in the U.S. government. The Department of Defense is the only agency in 33 years that has not received an unmodified opinion, and the accumulation continues to grow. When does accountability enter the debate?

Meanwhile, as serious weaknesses pile up, some agency undersecretary or CFO makes yet another promise about audit readiness. The latest comes 17 years after the Secretary of Defense promised that the Pentagon would have reconcilable statements and accountability regarding the agency’s financial practices. (Leon Panetta said in October 2011 that the department would be ready in 2017, which then became 2018, and now it is 2028!)

The Department of Defense has a formula for reversing the disclaimer trend, which includes showing proper respect for, and enforcement of, all government regulations. Hiring audit consultants familiar with the GAO “Yellow Book” can also help. IT technicians speak advanced English, but typically have no training in internal controls and are not conditioned to follow OMB standards for findings (NFRs) and corrective actions.

A few years ago, internal auditors at the Indianapolis office of the Defense Finance and Accounting Service addressed a series of “high-risk” controls focused on attacks on critical business activities that caused the greatest disruption to IT systems. We developed a simple test protocol. This methodology includes a smaller number of tests involving just under 40 controls that address, identify, and, if necessary, remediate the four major and critical weaknesses plaguing the DoD’s IT operations. There is also a large-scale version. A very simple formula follows. It does not involve the sophisticated calculations that DoD financial experts and consultants continue to apply, seemingly futilely.

For security management controls, make sure the controls are well designed and documented. Also, do not rush to create a standard operating procedure. An SOP that does not address (a) roles within the application, (b) segregation of duties, or (c) government regulation will not satisfy an independent auditor.

Regarding user access control, the user access approval form and approval process should be the responsibility of the user’s supervisor. The supervisor is the only authority who knows all the systems and applications a user has access to. Additionally, as the Secretary of Defense identified in July 2019, sensitive transactions have not yet been identified, and user termination is a national security threat.

The internal control issues related to segregation of duties (SOD) are deep and sometimes complex, but not insurmountable. The GAO said in 2009 that the “matrix” was the best solution for identifying conflicts, and nothing has changed. It is indeed a lot of work, but after analyzing SOD problems within and across applications, one can come up with a workable solution. (As a sidebar, it is awkwardly and repeatedly argued that an automated solution to the SOD problem is on the horizon. In the short term, Pentagon managers, who are far from solving a highly fixable problem, must take a more responsible approach.)

Finally, configuration management may be the easiest of all the critical weaknesses to fix. IT managers must ensure that the processes for testing and approving system changes are properly separated.

The answer to the IT cleanup above is not complicated, but it does require difficult pick-and-shovel work. Sometimes in life you have to take the road less traveled. Do DoD IT managers have the will to address and fix these deficiencies? Failures can be removed in as little as 12-18 months.

Frank Boncielo served in the United States Air Force from June 1967 to December 1970 and entered the government in January 1971 as a civil servant. During his 29-year career, Boncielo served in the IRS, federal courts, and the Office of the Inspector General of Defense. He left the government in 1999 but was recalled to help launch the TSA and DHS. In 2005, Bonsiero began working primarily as an audit consultant for a CPA firm. Since August 2012, Bonsiero has been involved only in FIAR engagements and consulting for several defense components. He serves as a FISCAM/IT auditor.



https://federalnewsnetwork.com/commentary/2023/01/a-formula-to-finally-get-dod-on-the-path-to-clean-financial-audits-2/
