An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

News | Nov. 26, 2024

Press Release: Improvements Needed in the DoD’s Planning for and Use of Statement on Standards for Attestation Engagements SSAE 18 (DODIG-2025-044)

Audit

Inspector General Robert P. Storch announced today that the Department of Defense Office of Inspector General (DoD OIG) released the “Management Advisory: Improvements Needed in DoD’s Planning for and Use of SSAE 18 Engagements.” This management advisory informs DoD leadership of the deficiency the DoD OIG found related to the DoD’s plan for and use of the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements 18 (SSAE 18) as amended, to improve financial statement audit readiness and efficiency.

SSAE 18 is a critical auditing standard that provides auditors guidance on evaluating and reporting on a service organization’s internal controls and business processes. An SSAE 18 engagement may result in a System and Organization Controls 1 (SOC 1) report, which allows the service organization’s internal controls to be tested once and relied on by all auditors instead of being tested many times, individually. Similar to an overall financial statement audit, auditors express an opinion in the SOC 1 report, stating whether the system of controls complies with standards.

The DoD OIG determined that the DoD made progress in achieving clean opinions on half of its SOC 1 reports, but DoD service organizations did not consistently develop their reporting documentation to include all relevant internal controls to the appropriate users. Furthermore, the DoD did not proactively communicate or engage with users in a consistent manner or prioritize the designing and implementing of effective complementary user controls.  

“SOC 1 reports play a vital role in the financial statement audit process and are a necessary tool for the DoD,” said IG Storch. “When used correctly, they can improve the reliability of financial statements and the efficiency of the audits. SOC 1 reports can also help inform the design and validate the existence of robust systems of internal control, which are necessary for the DoD to meet the congressionally mandated goal of a clean audit opinion by FY 2028.”

Although the DoD spent over $15.5 million in FY 2023 across 30 SSAE 18 engagements, the auditors did not consistently rely on the SOC 1 reports and the internal controls described within the reports. When auditors do not rely on SOC 1 reports, they perform additional testing, which is inefficient and increases the cost of the financial statement audits and the audit burden on the service organizations and users. 

The DoD OIG recommended that the Office of the Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD, evaluate and verify potential internal control weaknesses and initiate corrective actions. The DoD OIG will continue to track the DoD’s progress toward implementing the recommendations.