Why you can’t decide (And what to do about it)
May 27, 2016
Commentary: The rapidly changing digital world can leave tech executives feeling overwhelmed when they're faced with charting the course of their company's cybersecurity strategy.
The Government Accountability Office released another report critical of the Defense Department’s ongoing effort to be partly audit ready by the end of the 2014 fiscal year.
A new report Tuesday found the Pentagon is not doing an adequate job analyzing and mitigating its risks. While the department does track and publish its risk assessments, GAO thought the results were “brief, high-level summaries that did not include critical management information, such as specific and detailed plans for implementation, assignment of responsibility, milestones, or resource needs,” the report reads. “In addition, information about DOD’s mitigation efforts was not sufficient for DOD to monitor the extent of progress in mitigating identified risks.”
The report was specifically critical of DOD’s reliance on third-party providers for its financial data and of its poor document-retention policies.
GAO has classified DOD’s financial management as having a “high risk of fraud, waste, abuse and mismanagement” since 1995. So it has closely monitored the department’s efforts to become audit ready since the 2010 National Defense Authorization Act mandated that DOD’s consolidated financial statements be audit ready by the end of the 2017 fiscal year. DOD’s general fund statement of budgetary resources is also supposed to be ready by the end of the 2014 fiscal year.
Since 2010, GAO has continued to find risks that would prevent the Pentagon from hitting these timelines, including lack of commitment across DOD, insufficient funding and unqualified personnel.
But the most recent report focuses more on risk management.
“[DOD’s] risk identification procedures were not comprehensive or documented,” according to the report. “In addition, its procedures for analyzing, mitigating and monitoring risks were also undocumented and did not adhere to guiding principles.”
The report did single out the Navy and Defense Logistics Agency for their superlative work on this issue, and suggested DOD implement similar risk management procedures departmentwide.
The Pentagon did not completely agree with the findings, pointing to actions in place already consistent with GAO’s recommendations.
“These are good first steps, but GAO believes additional action is warranted,” the report reads.