09/18/2025 | Press release | Distributed by Public on 09/18/2025 07:19
What GAO Found
Service organizations provide centralized services, such as payroll, to user entities (customers) that are important for managing the Department of Defense's (DOD) financial operations. Customers retain responsibility for the processes involved in these services. Therefore, customers and their financial statement auditors need to understand the design and operating effectiveness of service organizations' controls over such processes. System and Organization Controls 1 (SOC 1) reports can help them do so.
SOC 1 reports give service organizations a basis for improving their operating processes and controls by identifying deficiencies. They can also provide customers and their financial statement auditors reasonable assurance about whether a service organization's controls described in the report were suitably designed and operated effectively to achieve the control objectives.
GAO found that the number of DOD's service organization SOC 1 reports issued for fiscal years 2020 through 2024 ranged from 25 (2020) to 30 (2023). Additionally, the SOC 1 audit opinions, which were either unmodified (or clean) or modified, changed over this period. The deficiencies that contributed to modified audit opinions were primarily in the areas of logical access controls (which limit access to data and IT), configuration management (which identifies and manages changes to IT), segregation of duties (which ensures that one individual does not control all critical stages of a process), and processing controls (which ensure that IT transactions are authorized and errors are resolved). Further, service organization officials identified ongoing challenges in achieving unmodified audit opinions on their SOC 1 reports, such as transitioning to a new inventory management system.
To address the identified deficiencies, most of the service organizations whose SOC 1 reports GAO selected for further review had performed root cause analyses; however, the methods used to document their analyses varied. In response to a GAO recommendation, in January 2025, DOD updated its guidance instructing DOD service organizations to document root cause analysis. This will help ensure that service organizations are taking appropriate actions to resolve the underlying causes of deficiencies identified in SOC 1 reports. GAO will monitor DOD's implementation of this guidance.
In addition to updating guidance on root cause analysis, to address DOD's Service Organizations material weakness, the Office of the Under Secretary of Defense (Comptroller) has, among other things, developed a standard operating procedure to help customers monitor their service organizations.
Why GAO Did This Study
DOD has the largest discretionary budget authority of any agency in the federal government: $920 billion in fiscal year 2024. Yet it is the only major federal agency to have never achieved an unmodified audit opinion on its agencywide financial statements. For fiscal year 2024, DOD's agencywide financial statement auditor reported 28 material weaknesses in internal control over financial reporting, including one related to DOD's use of service organizations.
This report discusses auditors' opinions in DOD service organizations' fiscal years 2020 through 2024 SOC 1 reports and the actions DOD service organizations took to address any deficiencies identified in those reports. GAO is also providing information on DOD's efforts to address its Service Organizations material weakness. GAO reviewed DOD's policies and procedures related to the SOC 1 process and service organization SOC 1 reports for fiscal years 2020 through 2024. Additionally, to evaluate actions that DOD service organizations have taken to address the deficiencies, GAO selected eight DOD SOC 1 reports for further review. GAO also interviewed DOD, service organization, service auditor, and customer officials.
For more information, contact Asif Khan at [email protected].