Hundreds of vulnerabilities in the Pentagon’s IT ecosystem put the agency at risk of having billions of dollars in payments lost, stolen or duplicated, an internal watchdog found.

The Defense Department inspector general flagged some 800 new shortcomings across the agency’s IT systems and processes in 2018, according to a report published Tuesday. Much of the flawed tech is used to process contract payments and other transactions, leaving the department’s financial ecosystem potentially vulnerable to bad actors, auditors said.

The IG also found the department failed to resolve more than 300 additional IT vulnerabilities that had been highlighted in prior years. The public report, which stemmed from an audit of the Pentagon’s financial statements, didn’t disclose which specific internal systems were affected.

The audit revealed “significant control deficiencies” that prevented officials from identifying when accidental or unauthorized changes were made to agency databases and applications. The department also failed to properly monitor sensitive user activities, limit access to critical systems and revoke users’ access once they left the agency, the report said.

“Ineffective IT system controls can ... result in significant risk to DoD operations and assets,” the IG wrote. “Payments and collections could be lost, stolen or duplicated as a result of weak IT controls. In addition, critical operations, such as those supporting national defense and emergency services, could be disrupted through weak IT controls.”

The Navy was responsible for roughly 250 of the vulnerabilities and process flaws uncovered in the audit, while 96 were related to Air Force systems and another 64 were found in the Army’s IT ecosystem. About 160 shortcomings were found in the department’s enterprisewide infrastructure.

Improving internal controls around IT would greatly improve the department’s overall cybersecurity posture and enable the agency to respond more quickly to digital threats, auditors said. The agency is already working to lockdown its IT infrastructure by better identifying the tech is involved in financial transactions and phasing out 26 legacy systems over the next four years.