$1B Department of Defense Audit Stresses Cybersecurity Failings

The roughly year-long assessment, which began in December 2017, highlighted issues with inventory accuracy and complying with cybersecurity discipline, and prompted nearly $560 million in remediation and system fixes.

by Caitlin M. Kenney, Stars and Stripes / November 20, 2018
Shutterstock

(TNS) — The Defense Department has spent nearly $1 billion on its first agencywide audit, which has revealed widespread problems with cybersecurity, Pentagon officials said Thursday.

"We failed the audit. But we never expected to pass it,” Deputy Secretary of Defense Patrick Shanahan told reporters at the Pentagon about the audit, which took nearly a year to complete.

Shanahan said the audit, which began in December 2017, revealed many issues including inventory accuracy and complying with cybersecurity discipline. The audit itself cost $413 million. But in addition, the Pentagon has spent $406 million on audit remediation and $153 million on financial system fixes.

With $2.7 trillion in assets and $2.6 trillion in liabilities, David Norquist, the Defense Department’s comptroller, said he thinks this is the largest financial statement audit ever undertaken.

About 1,200 auditors from nine independent public accounting firms and staffers from the department’s Office of the Inspector General conducted 900 site visits at more than 600 department locations, including military bases, warehouses and depots, he said. The audit report is 236 pages.

“Fifty-five percent of the department’s assets and liabilities were under audit for the very first time this year,” Norquist said.

The auditors used statically valid samples to look at the accuracy and completeness of count, location, and condition of military equipment, property such as buildings, and inventory, he said. They also tested the security of the department’s business systems, such as finance and personnel records.

The Office of the Inspector General gave an overall opinion of “disclaimer” on the reports provided by the auditors. In a statement, the inspector general said it was because they “could not obtain sufficient appropriate evidence on which to base an audit opinion.” Audit opinions given as “unmodified” or “clean” are the best, then “modified,” followed by “disclaimer,” and “adverse” as the worst opinion. The inspector general’s opinion is factored into the audit report.

“The audit is not a ‘pass-fail’ process,” Shanahan’s spokesman Lt. Col. Joe Buccino wrote in an email. “We did not receive an “adverse” finding — the lowest possible category — in any area. We did receive findings of ‘disclaimer’ in multiple areas. Clearly more work lies ahead of us.”

Congress has required a Defense Department audit since the early the 1990s, but the federal government’s largest agency had never fully undertaken one. The 2014 National Defense Authorization Act required the department to be ready for an audit by September 2017.

IG officials and auditors issued more than 2,000 notices of findings and recommendations, according to Norquist. The largest number of findings were related to information technology security of the department’s business systems.

“This is a significant number and it reflects the challenges that the department and others face with IT security,” he said.

In the report summary, auditors found the department’s “financial and business management systems and processes do not provide reliable, timely, nor accurate information.”

It also states IT has “systemic shortfalls in implementing cybersecurity measures to guard the data protection environment” and “issues exist in policy compliance with cybersecurity measures, oversight, and accountability.”

Other than IT, there were several areas of “material weakness” listed in the report, including in military pay, contractor and vendor pay, and personnel and organizational management.

However, Norquist said the auditors found no evidence of fraud.

The compliance issues revealed by the audit are “irritating,” Shanahan said. “Some of those things frustrated me because we have a job to do, we just need to follow our procedures.”

Rep. Mac Thornberry, R-Texas, the outgoing chairman of the House Armed Services Committee, said in a statement that while Congress directed the Defense Department to conduct the audit to better manage its resources and identify areas of future reform, it shouldn’t be used as a tool for random cuts at the Pentagon.

“As expected, this audit has uncovered a number of matters that Congress and the Pentagon must work together to address,” Thornberry said. “We must take advantage of this opportunity to continue our reform efforts and make the Pentagon more efficient and agile. It should not be used as an excuse for arbitrary cuts that reverse the progress we have begun on rebuilding our strength and readiness.”

At this point, no one is being punished for problems found by the audit, according to Norquist, because they realize many of the issues existed prior to when the current leadership took control.

Going forward, senior leaders will be graded in their performance evaluations on how they fix issues identified in the audit.

“So I think what you’ll see from [Defense Secretary Jim Mattis] is a clear message to the workforce about — now that you’re aware of it, your job is to fix it,” Norquist said.

©2018 the Stars and Stripes. Distributed by Tribune Content Agency, LLC.