Thursday, November 15, 2018

Departments Need to Improve Chief Information Officers' Review and Approval of IT Budgets

What GAO Found

The departments GAO reviewed—the Departments of Energy (DOE), Health and Human Services (HHS), Justice (DOJ), and the Treasury (Treasury)—took steps to establish policies and procedures that align with eight selected Office of Management and Budget (OMB) requirements intended to implement information technology (IT) acquisition reform legislation (commonly referred to as the Federal Information Technology Acquisition Reform Act, or FITARA) and to provide the chief information officer (CIO) visibility into and oversight over the IT budget. For example, of the eight OMB requirements, all four departments had established policies and procedures related to the level of detail with which IT resources are to be described in order to inform the CIO during the planning and budgeting processes. Agencies varied, however, as to how fully they had established policies and procedures related to some other OMB requirements, and none of the four departments had yet established procedures for ensuring that the CIO had reviewed whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (See table.)

Evaluation of Selected Departments' Policies and Procedures for Key Information Technology (IT) Budgeting Requirements

Selected Office of Management and Budget (OMB) requirement | DOE | HHS | DOJ | Treasury

1. Establish the level of detail with which IT resources are to be described in order to inform the Chief Information Officer (CIO) during the planning and budgeting processes.

2. Establish agency-wide policy for the level of detail with which planned expenditures for all transactions that include IT resources are to be reported to the CIO.

3. Include the CIO in the planning and budgeting stages for programs that are supported with IT resources.

4. Include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level governance boards.

5. Document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources.

6. Ensure the CIO has reviewed and approved the major IT investments portion of the budget request.

7. Ensure the CIO has reviewed IT resources that are to support major program objectives and significant increases and decreases in IT resources.

8. Ensure the CIO has reviewed whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request.

● = The department provided documentation that satisfied all of the OMB requirement.
◑ = The department provided documentation that satisfied most, but not all of the OMB requirement.
○ = The department could not provide documentation that satisfied any of the OMB requirement.

Departments: DOE = Department of Energy, HHS = Department of Health and Human Services, DOJ = Department of Justice, Treasury = Department of the Treasury

Source: GAO analysis of department data. | GAO-19-49

Where the departments had not fully established policies and procedures, it was due, in part, to having not addressed in their FITARA implementation and delegation plans how they intended to implement the OMB requirements. Until departments develop comprehensive policies and procedures that address IT budgeting requirements established by OMB, they risk inconsistently applying requirements that are intended to facilitate the CIO's oversight and approval of the IT budget.

Departments varied in the extent to which they could demonstrate implementation of key IT budgeting requirements when developing fiscal year 2017 funding requests for sampled investments. Specifically, while DOJ demonstrated that it had fully implemented the selected requirements for the majority of the investments GAO sampled, HHS and Treasury partially demonstrated implementation for a majority of the sampled investments, and DOE could not demonstrate implementation for the majority of the sampled investments. For example, DOE, HHS, and Treasury were not able to fully show that their CIOs had reviewed whether estimates of IT resources included in the budget request were appropriate for two of their respective departments' largest fiscal year 2017 IT investments. Departments often could not demonstrate that they had implemented selected IT budgeting requirements at the investment level because they had not established comprehensive policies and procedures that required them to do so. As a result, departments could not show that CIOs were sufficiently involved in planning fiscal year 2017 IT expenditures at the individual investment level.

All four selected departments lacked quality assurance processes for ensuring their IT budgets were informed by reliable cost information. Specifically, the selected departments did not have IT capital planning processes for (1) ensuring government labor costs have been accurately reported, (2) aligning contract costs with IT investments, and (3) utilizing budget object class data to capture all IT programs. This resulted in billions of dollars in requested IT expenditures without departments having comprehensive information to support those requests, and nearly $4.6 billion in IT contract spending that was not explicitly aligned with investments in selected departments' IT portfolios. This was due to a lack of processes for periodically reviewing data quality and estimation methods for government labor estimates, as well as a lack of mechanisms to cross-walk IT spending data in their procurement and accounting systems with investment data in their IT portfolio management systems. In August 2017, OMB developed a new approach of using a standard set of categories to group IT spending that, if properly implemented, has the potential to provide departments and CIOs enhanced visibility into IT costs across the portfolio. Nevertheless, until departments establish processes for assessing or otherwise ensuring the quality of relevant IT cost data used to inform their IT budgets, department CIOs will have less assurance that their budget includes appropriate and comprehensive estimates of IT resources.

Why GAO Did This Study

In December 2014, Congress enacted FITARA, which was intended to improve covered agencies' acquisitions of IT. FITARA also provided an opportunity to strengthen the authority of CIOs to provide needed direction and oversight of agencies' IT budgets.

GAO was asked to review whether CIOs' IT budgeting practices are consistent with FITARA and OMB's implementing guidance. This report addresses the extent to which selected federal agencies (1) established policies and procedures that address IT budgeting requirements, (2) could demonstrate that they had developed fiscal year 2017 IT budgets for sampled investments consistent with FITARA and OMB guidance, and (3) implemented processes to ensure that annual IT budgets are informed by reliable cost information.

GAO selected four departments to review. These departments had the two highest and the two lowest average initial self-assessment scores of compliance with OMB's FITARA guidance, as well as a fiscal year 2017 IT budget of at least $1 billion. Within each of the departments, GAO also selected the component agencies with the largest fiscal year 2017 IT budget. For each selected department and component agency, GAO reviewed relevant IT budget policies and procedures, analyzed a sample of major and non-major investment proposals against key OMB requirements, and determined whether selected departments captured government labor costs, among other things.

What GAO Recommends

GAO is making 43 recommendations to the eight selected departments and component agencies to address gaps in their IT budgeting policies and procedures, demonstrate implementation of OMB requirements, and establish procedures to ensure IT budgets are informed by reliable cost information. HHS, the Centers for Medicare and Medicaid Services, DOJ, the Federal Bureau of Investigation, and the Internal Revenue Service agreed with our recommendations. DOE partially agreed with one recommendation and agreed with the other recommendations made to it, as well as with the recommendations made to its component agency—the National Nuclear Security Administration. Treasury neither agreed nor disagreed with the recommendations.

For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.


