WASHINGTON — The Pentagon’s first-ever audit discovered major flaws in how it handles IT processes and challenges with its internal tracking databases, but did not discover any major cases of fraud or abuse.
The audit — long sought by Congress and good-government groups — was unveiled Thursday evening. The effort covered $2.7 trillion in DoD assets. Calling it a single audit isn’t strictly right, as the effort, led by the Department of Defense’s inspector general, in collaboration with the comptroller’s office, was actually 21 different audits done by a collection of auditing teams.
Over 1,000 auditors from outside firms, as well as 150 from DoD OIG, visited over 600 DoD locations, requested over 40,000 documents, and tested over 90,000 sample items, per a department fact sheet.
The effort overall is considered a “failed” audit in the strict sense, as only 5 of the 21 individual audits checked received a fully passing grade, with two more receiving an ok grade. But department officials were quick to note that there was no expectation that the audit would be clean, given the size and scope of the project.
“We never thought we were going to pass an audit, right? Everyone was betting against us, that we wouldn’t even do the audit,” Deputy Secretary of Defense Patrick Shanahan told reporters Thursday at the Pentagon.
Said Glenn Fine, the acting IG for the department, “This is the first year that the DoD has undergone a full financial statement audit, so it is not surprising that it did not obtain a clean opinion.”
“However, the most important thing this year is not the opinion, but that the department takes the audit seriously and seeks to fix the identified deficiencies, which the department is doing,” Fine added. “This is an important, long-term effort, which we are committed to fully supporting.”
Rep. Mac Thornberry, R-Texas, the chairman of the House Armed Services Committee, said: “As expected, this audit has uncovered a number of matters that Congress and the Pentagon must work together to address. We must take advantage of this opportunity to continue our reform efforts and make the Pentagon more efficient and agile.”
And, Thornberry said, the audit “should not be used as an excuse for arbitrary cuts that reverse the progress we have begun on rebuilding our strength and readiness.”
That’s good, as the audit does not come with a single figure spelling out how much money the department could save, or recover, through this process. Instead, the report breaks down issues by group and individual area studied, making an overall figure hard to come by.
One figure that is available: the audit itself cost $413 million, which the department notes is roughly 1/30 of one percent of the Pentagon’s overall budget. In addition, $406 million was spent on addressing issues found by the department, with another $153 million on “financial system fixes,” per a DoD fact sheet — a total in FY18 of $972 million.
“We didn’t pass. That’s the blunt and bottom line. We have issues and we’re gonna go fix them.”
That is the overall assessment from the Pentagon’s comptroller, David Norquist, who spoke with reporters ahead of the official release of the audit report.
An overarching issue revolves around inventory management challenges. That is, systems in one place saying an item is usable, or missing, when the truth on the ground is different. Another major issue — the single largest issue discovered across the board — comes from the IT realm.
That includes some inventory issues, but the bigger issues are with IT security measures simply not being taken.
“The types of issues there are segregation of duties, terminating user access when they depart, and monitoring sensitive users, people who have special authorities, making sure there is careful monitoring to that,” Norquist said. “Our single largest number of findings is IT security around our business systems. We thought this was likely.”
And many of the same challenges internal to the DoD also extend to contractors.
“It is the systems they built. And in some cases, it's the inventory they hold,” Norquist said about contractor roles. “And what we found is the error rate in inventory held by contractors is higher than the inventory errors that we had in the services.
“I don't know if this will show up in the report, but there's a bigger challenge when it's contractor-maintained inventory,” he added. “So yes, there's going to be an effort with the contractors going forward, both on those responsible for systems and security as well as those responsible for working with us on inventory.”
With the initial work done this year, the department now knows some of the weak spots – and it knows who to hold accountable.
“At this point, we’re recognizing that many of these problems pre-existed the person in command, right? So part of the challenge when you haven’t had an audit in this long, we have tried to message to folks saying ‘look, embrace the audit, because whatever they’re finding was probably there before you got there,’” Norquist explained.
“But your job is to fix it. So I think what you will see from the secretary is a clear message to the workforce that now that you’re aware of it, it’s your job to fix it. And that’s what we have in people’s performance evaluations across senior leadership is, it’s their responsibility to close those findings.”
It’s not all gloom and doom, however.
The good news for the department comes in three flavors. First, military pay came back clean, a big relief for Norquist, given the sheer amount of money that goes out for military salaries every year. Secondly, the department could account for all its major defense articles – systems such as tanks and ships, which would be both embarrassing and dangerous to have lost in the system.
And third, auditors found no evidence of fraud or abuse in their research. That doesn’t mean none exists – the auditors used statistically significant samples in their research – but the absence of any fraud uncovered is a good sign, Norquist said.
Structurally, the audit is thin on anecdotes. But Norquist pointed to one situation that he says shows how the audit can be “directly relevant to readiness.”
At Hill Air Force Base, auditors looked in the database and found 71 uninstalled missile motors, worth around $53 million in total.
“If you were to look in the database, it said they were not in working condition,” Norquist explained. “When you go look at the service tags, they were in fact in working condition. So as a result of this, the Air Force was able to redirect those $53 million worth of uninstalled missile motors back into the system to be used in supporting the department's mission, whereas before if they were just relying on the report, they would have thought they were not serviceable and either needed to go to repair or wouldn't have used them.”
“For the people in the field to have an accurate understanding of their inventory … this is a direct benefit to readiness, this is something that will be a priority in the very near term,” he added, noting those could represent quick, easy wins. “The connection between the audit and not just business reform but readiness is one of the things that came out of this that we're excited about.”
That example stands out, but classification errors in databases also applied to physical property, such as at an Army base where buildings were listed as useable in the national database but in the field were clearly broken down beyond repair. Having that information at hand allows the department to make smarter decisions about investing resources.
And fundamentally, now that problems have been identified, the department knows what to go after as the next year of auditing kicks off. As a bonus, the savings from the problems found here will help offset the $972 million cost of doing the audit in the first place, Norquist argued.
“I think when you look at what you learned from the IT security findings, and the cost, the losses you would potentially suffer if you didn’t fix those, and when you look at what we’re going to get — because part of it is they find that problem, over the next year every other base is going to go fix that problem, they’re going to start paying attention,” he said.
“So even the ones we don’t see will get streamlined. So I think if you look at the cost of doing that, I think you can say the audit was definitely worthwhile.”