[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]





    CREATING ONE DHS: STANDARDIZING DEPARTMENT OF HOMELAND SECURITY 
                          FINANCIAL MANAGEMENT

=======================================================================

                                HEARING

                               before the

                      SUBCOMMITTEE ON MANAGEMENT,
                     INVESTIGATIONS, AND OVERSIGHT

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 29, 2009

                               __________

                           Serial No. 111-42

                               __________

       Printed for the use of the Committee on Homeland Security
                                     





                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________



                  U.S. GOVERNMENT PRINTING OFFICE
57-850 PDF                WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001








                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman

Loretta Sanchez, California          Peter T. King, New York
Jane Harman, California              Lamar Smith, Texas
Peter A. DeFazio, Oregon             Mark E. Souder, Indiana
Eleanor Holmes Norton, District of   Daniel E. Lungren, California
Columbia                             Mike Rogers, Alabama
Zoe Lofgren, California              Michael T. McCaul, Texas
Sheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania
Henry Cuellar, Texas                 Gus M. Bilirakis, Florida
Christopher P. Carney, Pennsylvania  Paul C. Broun, Georgia
Yvette D. Clarke, New York           Candice S. Miller, Michigan
Laura Richardson, California         Pete Olson, Texas
Ann Kirkpatrick,Arizona              Anh ``Joseph'' Cao, Louisiana
Ben Ray Lujan, New Mexico            Steve Austria, Ohio
Bill Pascrell, Jr., New Jersey
Emmanuel Cleaver, Missouri
Al Green, Texas
James A. Himes, Connecticut
Mary Jo Kilroy, Ohio
Eric J.J. Massa, New York
Dina Titus, Nevada
Vacancy

                    I. Lanier Avant, Staff Director

                     Rosaline Cohen, Chief Counsel

                     Michael Twinchek, Chief Clerk

                Robert O'Conner, Minority Staff Director

                                 ______

       SUBCOMMITTEE ON MANAGEMENT, INVESTIGATIONS, AND OVERSIGHT

             Christopher P. Carney, Pennsylvania, Chairman

Peter A. DeFazio, Oregon             Gus M. Bilirakis, Florida
Bill Pascrell, Jr., New Jersey       Anh ``Joseph'' Cao, Louisiana
Al Green, Texas                      Daniel E. Lungren, California
Mary Jo Kilroy, Ohio                 Peter T. King, New York (Ex 
Bennie G. Thompson, Mississippi (Ex  Officio)
Officio)

                     Tamla T. Scott, Staff Director

                       Carla Zamudio-Dolan, Clerk

                    Michael Russell, Senior Counsel

               Kerry Kinirons, Minority Subcommittee Lead

                                  (II)












                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Christopher P. Carney, a Representative in Congress 
  From the State of Pennsylvania, and Chairman, Subcommittee on 
  Management, Investigations, and Oversight......................     1
The Honorable Gus M. Bilirakis, a Representative in Congress From 
  the State of Florida, and Ranking Member, Subcommittee on 
  Management, Investigations, and Oversight......................     2
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Prepared Statement.............................................     3

                               Witnesses

Mr. James L. Taylor, Deputy Inspector General, Department of 
  Homeland Security:
  Oral Statement.................................................     4
  Prepared Statement.............................................     6
Ms. Kay L. Daly, Director, Financial Management and Assurance 
  Issues, Government Accountability Office:
  Oral Statement.................................................    11
  Prepared Statement.............................................    13
Ms. Peggy Sherry, Acting Chief Financial Officer, Department of 
  Homeland Security:
  Oral Statement.................................................    20
  Prepared Statement.............................................    22

 
                    CREATING ONE DHS: STANDARDIZING 
                    DEPARTMENT OF HOMELAND SECURITY 
                          FINANCIAL MANAGEMENT

                              ----------                              


                       Thursday, October 29, 2009

             U.S. House of Representatives,
                    Committee on Homeland Security,
               Subcommittee on Management, Investigations, 
                                             and Oversight,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:00 a.m., in 
Room 311, Cannon House Office Building, Hon. Christopher P. 
Carney [Chairman of the subcommittee] presiding.
    Present: Representatives Carney, Pascrell, Green, and 
Bilirakis.
    Mr. Carney [presiding]. The Subcommittee on Management, 
Investigation, and Oversight will come to order. The 
subcommittee is meeting today to receive testimony on 
``Creating One DHS: Standardizing Department of Homeland 
Security Financial Management.''
    Good morning, all. Please let me begin by stating that this 
subcommittee has rules, and everyone is expected to follow 
those rules. One of those rules, Rule 6, Subsection D, Item 1, 
states that all testimony will be received no later than 48 
hours in advance of a hearing.
    It appears that the Department has a hard time complying 
with this rule from time to time. I know we have had a 
discussion before the hearing started, but this will be my last 
verbal warning to the Department. All testimony will be 
received 48 hours in advance of a hearing, or it will not be 
accepted.
    I would like to thank Mr. Taylor and Ms. Daly for getting 
their testimony in on time and apologize that they needed to 
sit here while I admonished the Department.
    In any event, okay, this hearing is the first in a series 
of hearings the Subcommittee on Management, Investigations, and 
Oversight will conduct regarding the Department of Homeland 
Security's intention to create One DHS.
    One DHS in part will be achieved by consolidating various 
operational functions from the legacy agencies into Department-
wide systems. It has been 6 years since the Department was 
established. It has yet to implement a Department-wide 
integrated financial management system. DHS receives billions 
of taxpayer dollars every year and to date has been unable to 
account for a majority of their appropriated funding the same 
way that other departments and agencies can.
    Today's hearing will examine the Department's myriad 
financial management systems, the steps the Department is 
taking to unify its financial operations into one integrated, 
standardized, auditable system, and best practices that will 
ensure the Department's accounting methodologies will meet the 
existing standards and protocols.
    eMerge2, the Department's initial attempt at financial 
management consolidation, was unsuccessful. Unfortunately, some 
3 years and millions of dollars after the effort ceased, many 
of the problems experienced as part of eMerge2 are being 
experienced with the Department's current effort, the 
Transformation and Systems Consolidation, or TASC program.
    The problems include integrating the Department's myriad 
financial systems, determining how the Department can construct 
a system that will result in accurate and timely financial 
data, and ascertaining how that the limited results of eMerge2 
fit within the Department's current efforts.
    The Government Accountability Office has suggested steps 
the Department could take to ensure a successful TASC program, 
as well as how TASC RFPs should be crafted in a way that will 
ensure DHS is satisfied with the financial--excuse me--with a 
final financial system and accounting system.
    The Department has yet to show that it is taking any of 
these recommendations into consideration. Today I hope to hear 
how the Department will ensure that TASC is a success, 
including a clear strategy that describes how it will be 
implemented and linked to existing Department business 
processes, policies, and legacy systems.
    I want to thank the witnesses for their participation and 
look forward to their testimony.
    We will now hear from the Ranking Member, the gentleman 
from Florida, Mr. Bilirakis.
    Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it 
very much.
    I am pleased the subcommittee is meeting to consider the 
Department of Homeland Security's financial management 
oversight and consolidation efforts. The Department of Homeland 
Security currently has 13 separate financial management 
systems, down from 19 it inherited when the Department was 
created in 2003. The separate financial systems result in 
inconsistent data across the Department and in part contribute 
to the Department's inability to obtain a clean audit of its 
financial statement.
    With respect to the TASC program, I am interested in 
learning more about the Department's concept of operations and 
migration strategy. I would also like to hear about the 
Department's plans for contract oversight. This estimated cost 
of the TASC contract is $450 million. As with other large 
procurements at the Department, there is the possibility for 
cost overruns.
    It has also been suggested that this estimate understates 
the total cost of this contract. By the time eMerge2 was 
canceled, the Department had spent $52 million of the more than 
$250 million estimated project cost. While the GAO indicated 
that ending the program was prudent to cut losses, the 
Department was left with little to show after such a large 
expenditure.
    It is my hope that the Department will use the lessons 
learned from eMerge2 to ensure that the funding for TASC is 
spent in the most efficient and effective way possible. I will 
also note that while important, a consolidated financial system 
is not a silver bullet to fix the Department's financial 
management issues. The Department must have strong internal 
controls in place and provide oversight over its people and 
processes to ensure compliance with the relevant policies.
    That said, I would like to welcome our witnesses here 
today. I look forward to your insights on all of these issues.
    I want to thank the Chairman. Thank you, and I yield back 
the balance of my time.
    Mr. Carney. I thank you, Mr. Bilirakis.
    Seeing that the Chairman and Ranking Member aren't here, 
other Members of the subcommittee are reminded that under 
committee rules opening statements may be submitted for the 
record.
    [The statement of Chairman Thompson follows:]
           Prepared Statement of Chairman Bennie G. Thompson
                            October 29, 2009
    The Department of Homeland Security has one of the largest budgets 
in the Federal Government.
    Each year approximately $40 billion in appropriated funds flows in 
and out of the Department.
    Among other things, these funds are used to pay over 200,000 
employees, provide disaster aid to States and local governments and 
purchase the equipment used by those protecting our borders.
    We owe it to taxpayers to ensure that these funds are appropriately 
used, fully accounted for, and auditable.
    Unfortunately, this is not the case at the Department of Homeland 
Security.
    Six years into several attempts at integrating its financial 
management systems, and millions of dollars later, the Department is 
still using thirteen different systems that cannot talk to each other, 
that do not adequately reflect where funds are located and is unable to 
let the Department of Treasury know, at any given moment, how much 
money is left in the Department of Homeland Security budget.
    Fortunately, the Department knows that the way out of this 
conundrum is to integrate its systems. Unfortunately, I am concerned 
that it may be heading down the same path it took when previous 
attempts to integrate the Department's financial management systems 
failed.
    There is a saying that goes: ``If you keep doing the same thing, 
you will keep getting the same result.''
    Yet, once again, the Department is relying on contractors to do the 
work that should be performed by the Government.
    In this instance, the Department intends to allow a contractor to 
define what the Department needs, then design what it will receive, 
then map out the strategy for implementation.
    The fact that the Department released a Request for Proposal before 
first defining its financial management strategy is troublesome, and 
sounds like putting the cart before the horse.
    Past lessons have taught us that over-relying on contractors can 
lead to lack of proper oversight, performance problems, and 
skyrocketing costs.
    To that end, I would urge the Department, in an effort to reduce 
costs, to develop its own strategy for integrating its financial 
management systems and to establish a more solid road map.
    Moreover, I am greatly concerned with the findings that the GAO 
will be presenting us with today.
    Although the Department has received much guidance from the GAO on 
the steps that must be taken to successfully integrate its financial 
management systems it appears as if this advice has fallen by the 
wayside.
    I look forward to listening to our witnesses' testimony today 
regarding what steps are being taken to correct existing deficiencies 
and whether those steps are enough to prevent an unacceptable outcome.

    Mr. Carney. I want to welcome our witnesses. Our first 
witness is Mr. James L. Taylor, who serves as the deputy 
inspector general for the Department of Homeland Security. Mr. 
Taylor was selected as the deputy inspector general in October 
2005. He previously served as the deputy chief financial 
officer, CFO, and director for financial management at the 
Department of Commerce.
    Prior to his work at Commerce, Mr. Taylor held the position 
of deputy chief financial officer at the Federal Emergency 
Management Agency, FEMA, where he was directly responsible for 
all financial operations, with expenditures of $4 billion to 
$10 billion annually.
    Our second witness is Ms. Kay L. Daly. Ms. Daly currently 
serves as the director for financial management and assurance 
issues at the Government Accountability Office. She is 
responsible for financial management systems, improper 
payments, contracting, cost analysis, and health care financial 
management issues.
    She led GAO's report on key cases of financial management 
system modernization failures that highlighted the need to 
follow discipline processes in software implementation, use 
effective human capital management, and employ other IT 
management practices.
    Our third and final witness is Ms. Peggy Sherry, the acting 
chief financial officer for the Department of Homeland 
Security. Ms. Sherry joined the Department in 2007 as the 
director of the Office of Financial Management and is 
responsible for developing Department-wide financial management 
policy, leading the Department's financial audits and preparing 
Department-wide financial reports.
    Prior to joining the Department, she served as the deputy 
chief financial officer for the United States Holocaust 
Memorial Museum, where she oversaw the successful conversion to 
the museum's new financial management system and instituted 
processes to obtain several unqualified audit options--excuse 
me--several unqualified audit opinions on the museum's 
financial statements.
    Without objection, the witnesses' full statements will be 
inserted into the record. I now ask each witness to summarize 
for 5 minutes their statements, beginning with Mr. Taylor.

    STATEMENT OF JAMES L. TAYLOR, DEPUTY INSPECTOR GENERAL, 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Taylor. Thank you, Mr. Chairman.
    Mr. Chairman, Ranking Member Bilirakis, and Members of the 
committee, thank you for the opportunity to appear before you 
today on behalf of the Homeland Security Office of Inspector 
General. My testimony today will focus on the financial 
management challenges facing the Department and its components 
and the progress made so far in addressing these challenges.
    Inspectors general are required by law to annually report 
on the top management challenges facing the departments or 
agencies they oversee. For DHS the Office of Inspector General 
has consistently placed financial management high on that list. 
However, fixing financial management at DHS will require more 
than just focusing on this one area singularly.
    Rather, DHS needs continuous efforts to address its 
financial processes, as well as two related areas identified in 
our annual management challenges report: Information technology 
management as well as acquisition management.
    DHS must re-engineer and standardize its underlying 
financial processes so they conform to the requirements of the 
CFO Act of 1990. In addition, DHS must strengthen how it 
manages information technology so it is able to develop and 
implement integrated systems to support redesigned financial 
processes.
    Finally, DHS must address long-standing deficiencies in 
acquisition management to ensure it can acquire effectively the 
information technology needed to meet its financial management 
responsibilities.
    DHS has worked hard to improve financial management over 
the last 6 years, and the OIG is proud of our relationship with 
the CFO's office in trying to meet these challenges. However, 
significant challenges do remain.
    The Department has consistently been unable to obtain an 
unqualified audit opinion or any audit opinion on its financial 
statements. Additionally, the OIG has to issue a separate 
opinion on internal controls. DHS is the only Federal 
department that is required to have a separate audit opinion on 
internal controls.
    That opinion has also been a disclaimer for the last few 
years. In other words the Department is not yet at a point 
where any opinion can be rendered on either the Department's 
financial statements or its internal controls or financial 
reporting.
    Obtaining unqualified opinions on financial statements and 
internal controls should not be the end goal. Rather, it should 
be a milestone in providing management and stakeholders with 
useful, timely financial data for decision-making. The annual 
financial statement audit provides insight into the progress 
the Department is making in resolving weaknesses in processes 
and systems, and an essential part of the Department's efforts 
to improve financial reporting is improving the systems which 
compile and maintain financial information.
    Since 2003 IT general controls have been evaluated as part 
of DHS's financial statement audit. This review has included 
assessing key core financial systems at FEMA, Customs and 
Border Protection, TSA, Coast Guard, Federal Law Enforcement 
Training Center, U.S. Immigration and Customs Enforcement, and 
U.S. Citizenship and Immigration Services.
    Generally, DHS's IT financial systems are fragmented, do 
not share data effectively, and over the years have developed 
security control weaknesses that undermine the overall 
reliability. Collectively, the IT control weaknesses we 
identified limit DHS's ability to ensure that critical 
financial and operational data were maintained in such a manner 
to ensure confidentiality, integrity, and availability.
    In addition, these weaknesses negatively impacted the 
internal controls over DHS's financial reporting and its 
operation, and we consider them to collectively represent 
material weaknesses.
    DHS has recognized that it needs to improve financial 
management processes, as well as the systems that support those 
processes. Toward that end, DHS is moving ahead with the TASC 
system already mentioned, an enterprise-wide initiative aimed 
at modernizing, transforming, and integrating the financial 
acquisition and asset management capabilities of DHS 
components.
    TASC is DHS's third attempt to address comprehensively its 
long-standing financial management process and systems 
problems. The first, known as eMerge, was canceled December 
2005 after DHS had spent millions on what DHS officials had 
determined to be a failure. The second effort ended after a 
successful court challenge.
    These failures illustrate the critical need for close CFO-
CIO cooperation properly identifying the requirements for any 
system and the need for sound oversight of the process by 
trained and experienced contracts officers and specialists.
    The latest effort is a high-risk initiative that would take 
years to complete. It is now estimated to cost in excess of $1 
billion. We are presently completing a review of DHS's efforts 
in planning and implementing TASC and plan to report on the 
results of our review in a few months.
    In summary, Mr. Chairman, the DHS CFO and CIO, in 
conjunction with component CFOs and CIOs, are responsible for 
working together to standardize DHS's core financial systems. 
However, weaknesses in financial management processes and IT 
security controls over the systems continue to hinder the 
Department's ability to effectively produce accurate financial 
information.
    DHS's ability to significantly improve the quality of its 
financial reporting hinges on the successful implementation of 
new systems and improved business processes in order to promote 
sound financial management.
    Mr. Chairman, this concludes my prepared statement. Thank 
you for the opportunity, and I welcome any questions from you 
or Members of the subcommittee.
    [The statement of Mr. Taylor follows:]
                 Prepared Statement of James L. Taylor
                            October 29, 2009
    Mr. Chairman and Members of the committee: Thank you for the 
opportunity to appear before you on behalf of the Department of 
Homeland Security Office of Inspector General. My testimony today will 
focus on the financial management challenges facing the Department and 
its components, and the progress made so far in addressing these 
challenges.
    Inspectors general are required by law to annually report on the 
top management challenges for the departments or agencies they oversee. 
For DHS, the Office of Inspector General has consistently placed 
financial management high on that list. However, fixing financial 
management in DHS will require more than just focusing on this one 
area. Rather, DHS needs to continue its efforts to address its 
financial management processes, as well as two related areas identified 
in our November 2008 report: Information technology (IT) management and 
acquisition management. Specifically, DHS must reengineer and 
standardize its underlying financial processes so they conform to the 
requirements of the Chief Financial Officer Act of 1990. In addition, 
DHS must strengthen how it manages information technology, so it is 
able to develop and implement integrated systems that support 
redesigned financial processes. Finally, DHS must address long-standing 
inefficiencies in acquisition management, to ensure it can acquire 
effectively the information technology needed to meet its financial 
management responsibilities.
                        dhs financial management
    DHS has worked hard to improve financial management, but 
significant challenges remain. The Department consistently has been 
unable to obtain an unqualified audit opinion, or any audit opinion, on 
its financial statements. For fiscal year 2008, the independent 
auditors issued a disclaimer on DHS' financial statements and 
identified significant deficiencies which were so serious they 
qualified as material weaknesses. Additionally the OIG issued a 
disclaimer on DHS' Internal Control Over Financial Reporting (ICOFR). 
DHS' ability to obtain an unqualified audit opinion, and provide 
assurances that its system of internal control is designed and 
operating effectively, is highly dependent upon business process 
improvements across the Department.
    Aside from being required by the Chief Financial Officer Act of 
1990, financial statement audits provide insight into the status of 
financial management and progress in resolving weaknesses in processes 
and systems. For fiscal year 2008, the Department was able to reduce 
the number of conditions leading to the independent auditors' 
disclaimer of opinion on DHS' financial statements from six to three. 
As a result, the Office of Financial Management and the Office of 
Health Affairs no longer contribute to the disclaimer conditions and 
FEMA remediated all its prior year disclaimer conditions. However, 
during the fiscal year 2008 audit, new disclaimer conditions were 
identified at TSA and FEMA. TSA was unable to assert that its capital 
asset balances were fairly stated and FEMA was unable to assert that 
its capital asset balances were fairly stated, respectively.
    The Departmental material weaknesses in internal control were 
primarily attributable to the Coast Guard, FEMA, and TSA. The Coast 
Guard's material weaknesses, which have existed since 1994,\1\ 
contribute to all six of the Department's material weaknesses, while 
FEMA contributed to four and TSA contributed to three. The Coast Guard 
also contributes to TSA's financial systems security material weakness 
due to TSA's reliance on the Coast Guard's financial systems. Although 
the other components did not have material weaknesses, some had 
significant deficiencies that, when combined, contributed to the 
Departmental material weaknesses.
---------------------------------------------------------------------------
    \1\ DOT-OIG, Significant Internal Control Weaknesses Identified in 
Audits of FY 1994 and 1995, R3-CG-6-011, August 1996.
---------------------------------------------------------------------------
                       dhs' it financial systems
    Generally, DHS' IT financial systems are fragmented, do not share 
data effectively, and over the years have developed security control 
weaknesses that undermine their overall reliability. Fixing these 
systems and eliminating security vulnerabilities will be critical to 
DHS' efforts to improve financial management.
    Since 2003, IT general controls have been evaluated as a part of 
DHS's financial statement audit. This review has included assessing key 
core financial systems at FEMA, Customs and Border Protection (CBP), 
TSA, Coast Guard, Federal Law Enforcement Training Center (FLETC), U.S. 
Immigration and Customs Enforcement, and U.S. Citizenship and 
Immigration Services. As a part of these reviews, controls over 
applications being processed on various platforms were evaluated, 
including Oracle and SAP. The objective of these audits was to evaluate 
the effectiveness of IT general controls over DHS' financial processing 
environment and related IT infrastructure as necessary to support the 
results of the financial statement audit.
    We reported in April 2009 that DHS components have taken 
significant steps to improve financial system security and address 
prior year IT control weaknesses, which resulted in the closure of more 
than 40% of our prior year IT control findings.\2\ Additionally, some 
DHS components reduced the severity of the weaknesses when compared to 
findings reported in the prior year. However, access controls and 
service continuity continue to be issues at several components 
including FEMA, Coast Guard, and TSA. The most significant weaknesses 
from a financial statement audit perspective include:
---------------------------------------------------------------------------
    \2\ Information Technology Management Letter for the FY 2008 DHS 
Financial Statement Audit (OIG-09-50, April 2009).
---------------------------------------------------------------------------
   Excessive unauthorized access to key DHS financial 
        applications;
   Application change control processes that are inappropriate, 
        not fully defined, followed, or effective; and,
   Service continuity issues impacting DHS' ability to ensure 
        that DHS financial data is available when needed.
    Collectively, the IT control weaknesses we identified limited DHS' 
ability to ensure that critical financial and operational data were 
maintained in such a manner to ensure confidentiality, integrity, and 
availability. In addition, these weaknesses negatively impacted the 
internal controls over DHS' financial reporting and its operation, and 
we consider them to collectively represent a material weakness. The 
information technology findings were combined into one material 
weakness regarding IT for the fiscal year 2008 audit of the DHS 
consolidated financial statements.
    We recommended that the DHS Chief Information Officer (CIO), in 
conjunction with the DHS Chief Financial Officer (CFO) and the 
component CIOs and CFOs make improvements in the areas of access 
controls, application software development and change controls, service 
continuity, entity-wide security, system software, and segregation of 
duties.
                     component it financial systems
    For fiscal year 2008, we issued separate IT management letter 
reports for FEMA, CBP, TSA, Coast Guard, and FLETC and an overall 
consolidated IT management letter report that summarized the IT issues 
for all seven components. Each management letter addressed the IT 
security issues at each component and provided individual component 
level findings and recommendations. In each of these management letters 
we recommended that the component CIOs and CFOs in conjunction with the 
DHS CIO and CFO work to address the issues noted in our reports.
Coast Guard
    We reported in March 2009 that the Coast Guard took corrective 
action to address nearly half of its prior year IT control 
weaknesses.\3\ However, we continued to identify IT general control 
weaknesses. The most significant weaknesses from a financial statement 
audit perspective related to the development, implementation, and 
tracking of financial systems coding changes, and the design and 
implementation of configuration management policies and procedures.
---------------------------------------------------------------------------
    \3\ Information Technology Management Letter for the United States 
Coast Guard Component of the FY 2008 DHS Financial Statement Audit 
(OIG-09-47, March 2009).
---------------------------------------------------------------------------
    Of the 22 findings identified during fiscal year 2008 testing, 21 
were repeat findings, either partially or in whole from the prior year, 
and one was a new IT finding. These findings represent weakness in four 
of the six key control areas. The areas impacted included Application 
Software Development and Change Controls, Access Controls, Service 
Continuity, and Entity-Wide Security Program Planning and Management. 
The majority of the findings were inherited from the lack of properly 
designed, detailed, and consistent guidance over financial system 
controls.
    Specifically, the findings stem from: (1) Unverified access 
controls through the lack of user access privilege re-certifications, 
(2) entity-wide security program issues involving civilian and 
contractor background investigation weaknesses, (3) inadequately 
designed and operating change control policies and procedures, (4) 
patch and configuration management weaknesses within the system, and 
(5) the lack of updated disaster recovery plans which reflect the 
current environment identified through testing. These weaknesses may 
increase the risk that the confidentiality, integrity, and availability 
of system controls and Coast Guard financial data could be exploited 
thereby compromising the integrity of financial data used by management 
and reported in the DHS financial statements.
CBP
    We reported in April 2009 that CBP took corrective action to 
address prior year IT control weaknesses.\4\ For example, CBP made 
improvements in how it tracks the hiring, termination, and systems 
access of contracted employees within the Office of Information 
Technology (OIT). However, during fiscal year 2008, identified IT 
general control weaknesses continued to exist at CBP. The most 
significant weaknesses, from a financial statement audit perspective, 
related to controls over access to programs and data.
---------------------------------------------------------------------------
    \4\ Information Technology Management Letter for the FY 2008 
Customs and Border Protection Financial Statement Audit (OIG-09-59, 
April 2009).
---------------------------------------------------------------------------
    Although improvement was noted in the audit, many of the conditions 
identified at CBP in fiscal year 2007 have not been corrected because 
CBP still faces challenges related to the merging of numerous IT 
functions, controls, processes, and organizational resource shortages. 
During fiscal year 2008, CBP took steps to address these conditions. 
Despite these improvements, CBP needs further stress on the monitoring 
and enforcement of access controls. CBP needs to further emphasize the 
importance of developing and implementing well-documented procedures at 
the system and entity-level.
FEMA
    FEMA took corrective action to address prior year IT control 
weaknesses. We reported in March 2009 that FEMA made improvements by 
restricting access to off-line account tables, implementing an 
alternate processing site for one of its financial applications, and 
improving the process for retaining National Flood Insurance Program 
(NFIP) change control documentation.\5\ However, during fiscal year 
2008, IT general control weaknesses at FEMA still existed. The most 
significant weaknesses from a financial statement audit perspective 
related to controls over access to programs and data and controls over 
program changes.
---------------------------------------------------------------------------
    \5\ Information Technology Management Letter for the Federal 
Emergency Management Agency Component of the FY 2008 DHS Financial 
Statement Audit (OIG-09-48, March 2009).
---------------------------------------------------------------------------
    Of the 26 findings identified during the fiscal year 2008 testing, 
15 were repeat findings, either partially or in whole from the prior 
year, and 11 were new findings. These findings were representative of 
five of the six key control areas. Specifically, the findings stem 
from: (1) Inadequately designed and operating access control policies 
and procedures relating to the granting of access to systems and 
supervisor re-certifications of user access privileges, (2) lack of 
properly monitored audit logs, (3) inadequately designed and operating 
change control policies and procedures, (4) patch and configuration 
management weaknesses within the system, and (5) the lack of tested 
contingency plans. These weaknesses may increase the risk that the 
confidentiality, integrity, and availability of system controls and 
FEMA financial data could be exploited, thereby compromising the 
integrity of financial data used by management and reported in the DHS 
financial statements.
FLETC
    We reported in April 2009 that FLETC made minimal progress on its 
control weaknesses.\6\ Therefore, many of the prior year Findings and 
Recommendations (NFR) could not be closed completely due to the 
reliance on the impending Momentum application upgrade, the 
decommissioning of Procurement Desktop and the installation of new 
hardware that would improve the overall IT security structure at FLETC. 
As a result, there was one (1) prior year NFR closed, twenty (27) 
reissued NFRs, and three (3) new NFRs issued to FLETC.
---------------------------------------------------------------------------
    \6\ Information Technology Management Letter for the Federal Law 
Enforcement Training Center FY 2008 Financial Statement Audit (OIG-09-
63, April 2009).
---------------------------------------------------------------------------
    The IT testing at FLETC disclosed matters involving the internal 
controls over financial reporting and its operation that we consider to 
be a significant deficiency under AICPA standards. Deficiencies in the 
design and operation of FLETC's internal controls which could adversely 
affect the agency's financial statements were noted. Deficiencies also 
existed in entity-wide security planning, access controls, application 
development and change control, system software, segregation of duties, 
and service continuity that have contributed to the significant 
deficiency.
TSA
    In fiscal year 2008, TSA took corrective action to address prior 
year IT control weaknesses. We reported in April 2009 that TSA made 
improvements in testing disaster recovery procedures, reviewing audit 
logs, and implementing emergency response training for all personnel 
with data center access.\7\ However, IT general control weaknesses that 
impact TSA's financial data remain. The most significant weaknesses 
from a financial statement audit perspective related to controls over 
the termination of the contract with the software support vendor, the 
design and implementation of configuration management policies and 
procedures, and the development, implementation, and tracking of coding 
changes to the software maintained for TSA by the Coast Guard.
---------------------------------------------------------------------------
    \7\ Information Technology Management Letter for the Transportation 
Security Administration FY 2008 Financial Statement Audit (OIG-09-62, 
April 2009).
---------------------------------------------------------------------------
    Of the 15 findings identified during our fiscal year 2008 testing, 
13 are repeat findings, either partially or in whole from the prior 
year, and two are new IT findings. These findings represent weaknesses 
in four of the six key control areas. Specifically, (1) unverified 
access controls through the lack of comprehensive user access privilege 
re-certifications, (2) entity-wide security program issues involving 
civilian and contractor background investigation weaknesses, (3) 
inadequately designed and operating change control policies and 
procedures, and (4) the lack of updated disaster recovery plans which 
reflect the current environment identified through testing. These 
weaknesses may increase the risk that the confidentiality, integrity, 
and availability of system controls and TSA financial data could be 
exploited thereby compromising the integrity of financial data used by 
management and reported in TSA's financial statements.
                    dhs it disaster recovery efforts
    Following a service disruption or a disaster, DHS must be able to 
recover its IT systems quickly and effectively in order to continue 
essential functions, including financial management support. In May 
2005, we reported on deficiencies in the Department of Homeland 
Security's disaster recovery planning for information systems.\8\ We 
recommended that the Department allocate the funds needed to implement 
an enterprise-wide disaster recovery program for mission critical 
systems, require that disaster recovery capabilities be included in the 
implementation of new systems, and ensure that disaster recovery-
related documentation for mission critical systems be completed and 
conform to current Government standards.
---------------------------------------------------------------------------
    \8\ Disaster Recovery Planning for DHS Information Systems Needs 
Improvement (OIG-05-22, May 2005).
---------------------------------------------------------------------------
    We conducted a follow-up audit last year and reported in April 2009 
that the Department has made progress in establishing an enterprise-
wide disaster recovery program.\9\ Specifically, the Department has 
allocated funds for this program since fiscal year 2005, and by August 
2008 had established two new data centers. Further, the Department now 
includes contingency planning as part of the system authorization 
process and it has issued guidance to ensure that contingency planning 
documentation conforms to Government standards.
---------------------------------------------------------------------------
    \9\ DHS' Progress in Disaster Recovery Planning for Information 
Systems (OIG-09-60, April 2009).
---------------------------------------------------------------------------
    While the Department has strengthened its disaster recovery 
planning, more work is needed. For example, the two new data centers 
need interconnecting circuits and redundant hardware to establish an 
active-active processing capability.
    We noted that not all critical Departmental information systems 
have an alternate processing site. Further, disaster recovery guidance 
does not conform fully to Government standards. Finally, risk 
assessments of the data centers are outdated.
    In our fiscal year 2008 report, we recommended that the Chief 
Information Officer implement the necessary circuits and redundant 
resources at the new data centers; ensure that critical Departmental 
information systems have complete contingency planning documentation; 
and conform Departmental contingency planning guidance to Government 
standards. Additionally, the Department should reassess data center 
risks whenever significant changes to the system configuration have 
been made.
    The fiscal year 2008 financial statement audit noted that service 
continuity issues continue to impact DHS' ability to ensure that DHS 
financial data is available when needed, including instances where the 
Continuity of Operations Plan (COOP) does not include an accurate 
listing of critical information technology systems, did not have 
critical data files and an alternate processing facility documented, 
and was not adequately tested, and various weaknesses identified in 
alternate processing sites. Service continuity is one of the main IT 
general control areas that continue to present a risk to financial 
systems data integrity for DHS' financial systems.
    Among recommendations for service continuity for DHS' financial 
systems were to update the COOP to document and prioritize an accurate 
listing of critical IT systems, ensure that alternate processing sites 
are made operational, and test backups at least quarterly.
            transformation and systems consolidation (tasc)
    DHS has recognized that it needs to improve its financial 
management processes, as well as the systems that support those 
processes. Toward that end, DHS is moving ahead with TASC, an 
enterprise-wide initiative, aimed at modernizing, transforming, and 
integrating the financial, acquisition, and asset management 
capabilities of DHS components. According to DHS, TASC is not an update 
of legacy systems, but an implementation of integrated financial, 
asset, and procurement management capabilities that will subsume many 
systems and standardize business processes. The resulting system, once 
implemented, is aimed at providing a real-time (providing immediate 
viewing of data), web-based system (accessed from anywhere) of 
integrated business processes that will be used by component financial 
managers, service providers, program managers, and auditors to make 
sound business decisions to support the DHS mission.
    The goals and objectives of the TASC initiative are numerous and 
reflect the collective input from the components. TASC also represents 
an effort to leverage the work done by Office of Federal Financial 
Management (OFFM) and will achieve full compliance with the rigid 
standards outlined by OFFM. TASC will implement enhanced capabilities 
to achieve the following goals:
   Create end-to-end standardized integrated business 
        processes;
   Support timely financial management;
   Enable the acquisition of best value goods and services that 
        meet the Department's quality and timeliness requirements;
   Enable consolidated asset management across all components;
   Create a standard central accounting line.
    TASC is DHS' third attempt to address comprehensively its long-
standing financial management process and system problems. The first 
effort, known as the Electronically Managing Enterprise resources for 
Government Effectiveness and Efficiency (e-Merge) project, was canceled 
in December 2005 after DHS had spent $24 million on what DHS officials 
had determined to be a failure. The second effort focused on moving DHS 
components to one of two financial systems platforms: SAP and Oracle. 
However, a Federal court ruled in Savantage Financial Services, Inc. 
vs. United States that DHS' decision to use Oracle and SAP financial 
software systems via ``Brand Name Justification'' document is improper 
sole source procurement in violation of the Competition in Contracting 
Act. In response to this decision, RMTO revised its financial systems 
consolidation strategy to the current approach.
    TASC is a high-risk initiative that will take years to complete, 
potentially costing over $1 billion. We are presently completing a 
review of DHS' efforts in planning and implementing TASC, and plan to 
report on the results of our review in a few months.
    In summary, the DHS CFO and CIO in conjunction with the component 
CFOs and CIOs are responsible for working together to standardize DHS' 
core financial systems. However, weaknesses in financial management 
processes and IT security controls over these systems continue to 
hinder the Department's ability to effectively produce accurate 
consolidated financial information. DHS is currently in the processes 
of developing and implementing a new financial system solution that 
will modernize, transform, and integrate financial, acquisition, and 
asset management information for DHS components. Once DHS addresses the 
current issues in financial processing and IT security controls and 
successfully develops and implements a new financial systems solution, 
the Department will be able to promote overall efficiency and 
effectiveness in its financial management.
    Mr. Chairman, this concludes my prepared statement. Thank you for 
this opportunity and I welcome any questions from you or Members of the 
subcommittee.

    Mr. Carney. Okay. Thank you for your testimony.
    I now recognize Ms. Daly to summarize her statement for 5 
minutes.

 STATEMENT OF KAY L. DALY, DIRECTOR, FINANCIAL MANAGEMENT AND 
       ASSURANCE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Ms. Daly. Mr. Chairman and Ranking Member Bilirakis, thank 
you very much for the opportunity to discuss the Department of 
Homeland Security's current effort to implement a consolidated 
Department-wide financial management system.
    Since DHS began operations in March 2003, it has faced a 
daunting task of trying to bring together 22 diverse agencies 
and developing an integrated financial system. In June 2007 we 
reported that the Department had made little progress in 
integrating its existing financial management systems and made 
six recommendations focused on the need for DHS to define a 
Department-wide strategy and embrace discipline processes to 
reduce risk.
    In June 2007 DHS officials announced its new financial 
management systems strategy, called the TASC program. In 
January 2009 DHS issued a request for proposal for an 
integrated commercial off-the-shelf software system already in 
use at a Federal agency. DHS is currently evaluating the 
proposals it has received and expects to award a contract in 
January 2010.
    Today my testimony will focus on our preliminary 
observations related to DHS's implementation of the six 
recommendations that we made in June 2007 and two issues that 
have surfaced during our recent review that pose challenges to 
the TASC program.
    Regarding the six recommendations we made in June 2007, our 
preliminary analysis indicates that DHS has begun to take 
action toward implementation of four of the recommendations, 
but all six remain open. We do recognize that DHS cannot fully 
implement all of our recommendations until a contract is 
awarded because of its selected acquisition approach.
    DHS has taken, but not completed, actions related to the 
TASC strategy and plan, a concept of operations, discipline 
processes, and key human capital practices and plans for such a 
systems implementation. DHS has not taken necessary actions on 
two remaining recommendations to standardize business processes 
across the Department and to develop detailed consolidation of 
migration plans.
    I would like to focus on DHS's strategy. The strategy being 
taken by DHS does not appropriately consider whether the 
acquired system will provide the needed functionality. For 
example, the strategy does not require DHS to perform a GAAP 
analysis before the system is selected and to assess the extent 
to which cost-based systems used at another agency have been 
customized.
    Studies have shown that when an effective GAAP analysis is 
not performed, program officers, and contractors have later 
discovered that the selected system lacked essential 
capabilities. Adding these capabilities later during 
implementation required expensive custom development and 
resulted in cost and schedule overruns that could have been 
avoided.
    While updating the status of the six prior recommendations, 
we also identified two issues that pose unnecessary risk to the 
success of the TASC program. The first issue is DHS's 
significant reliance on contractors to define and implement the 
program. The Department plans to have the selected contractor 
prepare a number of key plans needed to carry out discipline 
processes and define additional business processes to be 
standardized and propose a migration approach.
    However, DHS has not developed the necessary contractor 
oversight mechanism to ensure that a significant reliance on 
contractors for TASC does not result in an unfavorable outcome. 
Our work on other systems acquisition and implementation 
efforts has shown that placing too much reliance on contractors 
can result in systems efforts plagued with serious performance 
and management problems.
    The second issue we identified was that the contractor 
hired to perform verification and validation functions for TASC 
was not independent. DHS management has agreed, and they 
indicated they have restructured the contract to address our 
concerns.
    In conclusion, Mr. Chairman and the other Members of the 
subcommittee, 6 years after the Department was established, DHS 
has yet to implement the Department-wide integrated financial 
system. The open recommendations from our prior report continue 
to be vital to the success of the TASC program.
    Given the approach DHS has selected, it will be paramount 
that DHS take steps to minimize risk associated with its 
strategy in contractor oversight. Failure to do so could lead 
to acquiring a system that does not meet cost, schedule, and 
performance goals.
    So, Mr. Chairman and the other Members of the subcommittee, 
this completes my prepared statement, and I would be glad to 
respond to any questions you may have at this time.
    [The statement of Ms. Daly follows:]
      Prepared Statement of Kay L. Daly (with Nabajyoti Barkakati)
                            October 29, 2009
  Financial Management Systems: DHS Faces Challenges to Successfully 
               Consolidate Its Existing Disparate Systems
    Mr. Chairman and Members of the subcommittee: Thank you for the 
opportunity to discuss the Department of Homeland Security's (DHS) 
current effort--the Transformation and Systems Consolidation (TASC) 
program--to implement a consolidated Department-wide financial 
management system. Since DHS began operations in March 2003, it has 
faced the daunting task of bringing together 22 diverse agencies and 
developing an integrated financial management system. DHS officials 
have long recognized the need to integrate their financial management 
systems, which are used to account for over $40 billion in annual 
appropriated funds. The Department's prior effort, known as the 
Electronically Managing Enterprise Resources for Government 
Effectiveness and Efficiency (eMerge2) project,\1\ was expected to 
integrate financial management systems Department-wide and address 
existing financial management weaknesses. However, DHS officials 
terminated the eMerge2 project in December 2005, acknowledging that 
this project had not been successful. In June 2007, we reported \2\ the 
Department had made little progress since December 2005 in integrating 
its existing financial management systems, and that, from an overall 
perspective, the decision to halt its eMerge2 project was prudent. We 
made six recommendations focused on the need for DHS to define a 
Department-wide strategy and embrace disciplined processes to reduce 
risk to acceptable levels.\3\
---------------------------------------------------------------------------
    \1\ The eMerge2 project was expected to establish the strategic 
direction for migration, modernization, and integration of DHS' 
financial, accounting, procurement, personnel, asset management, and 
travel systems, processes, and policies.
    \2\ GAO, Homeland Security: Departmentwide Integrated Financial 
Management Systems Remain a Challenge, GAO-07-536 (Washington, DC: June 
21, 2007); and GAO, Homeland Security: Transforming Department-wide 
Financial Management Systems Remains a Challenge, GAO-07-1041T 
(Washington, DC: June 28, 2007).
    \3\ The use of the term ``acceptable levels'' acknowledges the fact 
that any systems acquisition has risks and can suffer the adverse 
consequences associated with defects.
---------------------------------------------------------------------------
    In June 2007, DHS officials announced its new financial management 
systems strategy, called the TASC program. At that time, the TASC 
program was described as the migration of other DHS component systems 
to two existing financial management systems already in use at several 
components. After a bid protest was filed regarding the proposed 
approach, the TASC request for proposal was revised to acquire an 
integrated commercial off-the-shelf software (COTS) system to be 
implemented Department-wide. In January 2009 DHS issued its TASC 
request for proposal for the provision of an integrated financial, 
acquisition, and asset management commercial off-the-shelf software 
(COTS) system already in use at a Federal agency to be implemented 
Department-wide. DHS is currently evaluating the proposals received and 
expects to award a contract in January 2010.
    Today, our testimony will focus on our preliminary observations 
related to our audit of: (1) DHS' implementation of the six 
recommendations we made in June 2007, and (2) two issues that have 
surfaced that pose challenges to the TASC program. We have discussed 
the preliminary observations included in this testimony with DHS 
officials. To address these objectives, we reviewed the January 2009 
request for proposal and its attachments, such as the Statement of 
Objectives and Solution Process Overview, to understand DHS' plans for 
implementing the TASC program. We also reviewed other available 
planning documents, such as the Acquisition Plan and the draft concept 
of operations, and determined the status of these plans and others to 
see if DHS had fully implemented our recommendations. We interviewed 
key officials from DHS' Office of the Chief Financial Officer and its 
Resource Management Transformation Office (RMTO), including its 
Director and Deputy Director for elaboration and to provide additional 
perspectives to the information contained in these documents. We also 
reviewed the Statement of Work for an independent verification and 
validation (IV&V) contractor and confirmed key information about this 
contract with the Director of RMTO.
    We recently provided our draft report, including recommendations, 
on the results of our audit to the Secretary of Homeland Security for 
review and comment. We plan to incorporate DHS' comments as appropriate 
and issue our final report as a follow-up to this testimony. We 
conducted this performance audit from March through October 2009 in 
accordance with generally accepted Government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives.
                               background
    Bid protests and related litigation have resulted in changes to 
DHS' approach for the TASC program and have contributed to a 
significant delay in awarding a contract. The initial TASC approach was 
to migrate its component systems to two financial management systems--
Oracle Federal Financials and SAP--that were already in use by several 
DHS components.\4\ Figure 1 shows the key events that have occurred 
affecting the TASC program. One of these key events was the filing of a 
bid protest regarding DHS' initial TASC approach to migrate its 
components to two financial management systems already in use. DHS 
subsequently issued its January 2009 TASC request for proposal for the 
provision of an integrated financial, acquisition, and asset management 
COTS system already in use at a Federal agency to be implemented 
Department-wide. A second bid protest was filed over this January 2009 
request for proposal and the U.S. Court of Federal Claims dismissed the 
protestor's complaint, allowing DHS to proceed with this request for 
proposal. However, the protestor filed an appeal of this dismissal in 
July 2009. DHS responded to the July 2009 appeal in September 2009 and 
DHS officials indicated that the protestor responded to DHS' response 
in October 2009.
---------------------------------------------------------------------------
    \4\ Oracle Federal Financials was already in use within the U.S. 
Coast Guard, the Transportation Security Administration, and the 
Domestic Nuclear Detection Office. SAP was already in use within the 
U.S. Customs and Border Protection. 



dhs has made limited progress in implementing our prior recommendations
    In June 2007, we made six recommendations \5\ to DHS to help the 
Department reduce the risks associated with acquiring and implementing 
a Department-wide financial management system. Our preliminary analysis 
indicates that DHS has begun to take actions toward the implementation 
of four of the recommendations, as shown in table 1. However, all six 
recommendations remain open. We do recognize that DHS cannot fully 
implement all of our recommendations until a contract is awarded 
because of its selected acquisition approach.
---------------------------------------------------------------------------
    \5\ GAO-07-536.

                         TABLE 1.--DHS' PROGRESS TOWARD ADDRESSING GAO'S RECOMMENDATIONS
----------------------------------------------------------------------------------------------------------------
                                                                                  Not Completed
            Recommendation                    Completed        -------------------------------------------------
                                                                  Some  Actions Taken        No Action Taken
----------------------------------------------------------------------------------------------------------------
Clearly define and document a                                   
 Department-wide financial management
 strategy and plan to move forward
 with its financial management system
 integration efforts.
Develop a comprehensive concept of                              
 operations document.
Utilize and implement these specific                            
 disciplined processes to minimize
 project risk: (1) Requirements
 management, (2) testing, (3) data
 conversion and system interfaces,
 (4) risk management, (5)
 configuration management, (6)
 project management, and (7) quality
 assurance.
Reengineer business processes and                                                        
 standardize them across the
 department, including applicable
 internal control.
Develop a detailed plan for migrating                                                    
 and consolidating various DHS
 components to an internal shared
 services approach if this approach
 is sustained.
Carefully consider key human capital                            
 practices as DHS moves forward with
 its financial management
 transformation efforts so that the
 right people with the right skills
 are in place at the right time.
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis of DHS information.

DHS Faces Significant Challenges To Implement Its Financial Management 
        Strategy and Plan
    DHS has developed certain elements for its financial management 
strategy and plan for moving forward with its financial system 
integration efforts but it faces significant challenges in completing 
and implementing its strategy. DHS has defined its vision for the TASC 
program, which is to consolidate and integrate Department-wide mission-
essential financial, acquisition, and asset management systems, by 
providing a seamless, real-time, web-based system to execute mission-
critical end-to-end integrated business processes. DHS has also 
established several major program goals for TASC which include, but are 
not limited to:
   creating and refining end-to-end standard business processes 
        and a standard line of accounting;
   supporting timely, complete, and accurate financial 
        management and reporting;
   enabling DHS to acquire goods and services of the best value 
        that ensure that the Department's mission and program goals are 
        met; and,
   enabling consolidated asset management across all 
        components.
    DHS officials stated that this system acquisition is expected to 
take a COTS-based system already configured and being used at a Federal 
agency as a starting point for its efforts. This approach is different 
than other financial management system implementation efforts reviewed 
by GAO where an agency acquired a COTS product and then performed the 
actions necessary to configure the product to meet the agency's 
specific requirements.\6\
---------------------------------------------------------------------------
    \6\ GAO, Business Modernization: Improvements Needed in Management 
of NASA's Integrated Financial Management Program, GAO-03-507 
(Washington, DC: April 30, 2003); and GAO, DOD Business Systems 
Modernization: Navy ERP Adherence to Best Business Practices Critical 
to Avoid Past Failures, GAO-05-858 (Washington, DC: Sept. 29, 2005).
---------------------------------------------------------------------------
    Our review found that the strategy being taken by DHS does not 
contain the elements needed to evaluate whether the acquired system 
will provide the needed functionality or meet users' needs. For 
example, it does not require DHS to: (1) Perform an analysis of the 
current processes to define the user requirements to be considered when 
evaluating the various systems, (2) perform a gap analysis \7\ before 
the system is selected \8\ and (3) assess the extent to which the COTS-
based system used at another agency has been customized for the 
respective Federal entities. Studies have shown that when an effective 
gap analysis was not performed, program offices, and contractors later 
discovered that the selected system lacked essential capabilities. 
Furthermore, adding these capabilities required expensive custom 
development, and resulted in cost and schedule overruns that could have 
been avoided. \9\ Without a comprehensive strategy and plan that 
considers these issues, DHS risks implementing a financial management 
system that will be unnecessarily costly to maintain.
---------------------------------------------------------------------------
    \7\ A gap analysis is an evaluation performed to identify the gaps 
between needs and system capabilities.
    \8\ Software Engineering Institute, Rules of Thumb for the Use of 
COTS Products, CMU/SEI-2002-TR-032 (Pittsburgh, PA: December 2002).
    \9\ U.S. Department of Defense, Commercial Item Acquisition: 
Considerations and Lessons Learned (Washington, DC: June 26, 2000).
---------------------------------------------------------------------------
DHS Has Recently Developed a Concept of Operations for the TASC Program
    The January 2009 request for proposal states that the selected 
contractor will be required to provide a concept of operations for 
TASC. This concept of operations is expected to provide an operational 
view of the new system from the end users' perspective and outline the 
business processes as well as the functional and technical architecture 
for their proposed systems. On October 21, 2009, DHS provided us with a 
concept of operations for the TASC program that we have not had the 
opportunity to fully evaluate to assess whether it comprehensively 
describes the new system's operations and characteristics. According to 
DHS officials, this concept of operations document was prepared in 
accordance with the Institute of Electrical and Electronics Engineers 
(IEEE) standards.\10\ However, it is unclear how the DHS-prepared 
concept of operations document will relate to the selected contractor's 
concept of operations document called for in the request for proposal.
---------------------------------------------------------------------------
    \10\ IEEE Guide for Information Technology--System Definition--
Concept of Operations (ConOps) Document, Standard 1362-1998.
---------------------------------------------------------------------------
    According to the IEEE standards, a concept of operations is a user-
oriented document that describes the characteristics of a proposed 
system from the users' viewpoint. A concept of operations document also 
describes the operations that must be performed, who must perform them, 
and where and how the operations will be carried out. The concept of 
operations for TASC should, among other things:
   define how DHS' day-to-day financial management operations 
        are and will be carried out to meet mission needs;
   clarify which component and Department-wide systems are 
        considered financial management systems;
   include a transition strategy that is useful for developing 
        an understanding of how and when changes will occur;
   develop an approach for obtaining reliable information on 
        the costs of its financial management systems investments; and:
   link DHS' concept of operations for the TASC program to its 
        enterprise architecture.
    A completed concept of operations prior to issuance of the request 
for proposal would have benefited the vendors in developing their 
proposals so that they could identify and propose systems that more 
closely align with DHS' vision and specific needs.
DHS Has Not Fully Incorporated Disciplined Processes into the TASC 
        Program
    While DHS has draft risk management, project management, and 
configuration management plans, DHS officials told us that other key 
plans relating to disciplined processes generally considered to be best 
practices will not be completed until after the TASC contract is 
awarded. These other plans include the requirements management,\11\ 
data conversion and system interfaces,\12\ quality assurance, and 
testing plans.\13\ Offerors were instructed in the latest request for 
proposal to describe their testing, risk management, and quality 
assurance approaches as well as component migration and training 
approaches. The approaches proposed by the selected contractor will 
become the basis for the preparation of these plans. While we recognize 
that the actual development and implementation of these plans cannot be 
completed until the TASC contractor and system have been selected, it 
will be critical for DHS to ensure that these plans are completed and 
effectively implemented prior to moving forward with the implementation 
of the new system.
---------------------------------------------------------------------------
    \11\ According to the Software Engineering Institute, requirements 
management is a process that establishes a common understanding between 
the customer and the software project manager regarding the customer's 
business needs that will be addressed by a project. A critical part of 
this process is to ensure that the requirements development portion of 
the effort documents, at a sufficient level of detail, the problems 
that need to be solved and the objectives that need to be achieved.
    \12\ Data conversion is defined as the modification of existing 
data to enable it to operate with similar functional capability in a 
different environment.
    \13\ Testing is the process of executing a program with the intent 
of finding errors.
---------------------------------------------------------------------------
    Disciplined processes represent best practices in systems 
development and implementation efforts that have been shown to reduce 
the risks associated with software development and acquisition efforts 
to acceptable levels and are fundamental to successful system 
implementations. The key to having a disciplined system development 
effort is to have disciplined processes in multiple areas, including 
project planning and management, requirements management, configuration 
management, risk management, quality assurance, and testing. Effective 
processes should be implemented in each of these areas throughout the 
project life cycle because change is constant. Effectively implementing 
the disciplined processes necessary to reduce project risks to 
acceptable levels is hard to achieve because a project must effectively 
implement several best practices, and inadequate implementation of any 
one may significantly reduce or even eliminate the positive benefits of 
the others.
DHS Has Not Yet Identified All Business Processes Needing Reengineering 
        and Standardization Across the Department
    Although, DHS has identified nine end-to-end business processes 
\14\ that will be addressed as part of the TASC program, the Department 
has not yet identified all of its existing business processes that will 
be reengineered and standardized as part of the TASC program. It is 
important for DHS to identify all of its business processes so that the 
Department can analyze the offerors' proposed systems to assess how 
closely each of these systems aligns with DHS' business processes. Such 
an analysis would position DHS to determine whether a proposed system 
would work well in its future environment or whether the Department 
should consider modifying its business processes. Without this 
analysis, DHS will find it challenging to assess the difficulties of 
implementing the selected system to meet DHS' unique needs.
---------------------------------------------------------------------------
    \14\ These nine processes are Request to Procure, Procure to Pay, 
Acquire to Dispose, Bill to Collect, Record to Report, Budget 
Formulation to Execution, Grants Management, Business Intelligence 
Reporting, and Reimbursable Management.
---------------------------------------------------------------------------
    For the nine processes identified, DHS has not yet begun the 
process of reengineering and standardizing those processes. DHS has 
asked offerors to describe their proposed approaches for the 
standardization of these nine processes to be included in the TASC 
system. According to an attachment to the TASC request for proposal, 
there will be additional unique business processes or sub-processes, 
beyond the nine standard business processes identified, within DHS and 
its components that also need to be supported by the TASC system. For 
DHS' implementation of the TASC program, reengineering and 
standardizing these unique business processes and sub-processes will be 
critical because the Department was created from 22 agencies with 
disparate processes. A standardized process that addresses, for 
example, the procurement processes at the U.S. Coast Guard, Federal 
Emergency Management Agency (FEMA), and the Secret Service, as well as 
the other DHS components, is essential when implementing the TASC 
system and will be useful for training and the portability of staff.
DHS Has Not Yet Developed Plans for Migrating the New System to its DHS 
        Components
    Although DHS officials have stated that they plan to migrate the 
new system first to its smaller components and have recently provided a 
high-level potential approach it might use, DHS has not outlined a 
conceptual approach or plan for accomplishing this goal throughout the 
Department. Instead, DHS has requested that TASC offerors describe 
their migration approaches for each of the Department's components.
    While the actual migration approach will depend on the selected 
system and events that occur during the TASC program implementation, 
critical activities include: (1) Developing specific criteria requiring 
component agencies to migrate to the new system rather than attempting 
to maintain legacy business; (2) defining and instilling new values, 
norms, and behaviors within component agencies that support new ways of 
doing work and overcoming resistance to change; (3) building consensus 
among customers and stakeholders on specific changes designed to better 
meet their needs; and (4) planning, testing, and implementing all 
aspects of the migration of the new system. For example, a critical 
part of a migration plan for the new system would describe how DHS will 
ensure that the data currently in legacy systems is fully prepared to 
be migrated to the new system.
    An important element of a migration plan is the prioritizing of the 
conversion of the old systems to the new systems. For example, a FEMA 
official stated that the component has not replaced its outdated 
financial management system because it is waiting for the 
implementation of the TASC program. However, in the interim, FEMA's 
auditors are repeatedly reporting weaknesses in its financial systems 
and reporting, an important factor to be considered by DHS when 
preparing its migration plan. Because of the known weaknesses at DHS 
components, it will important for DHS to prioritize its migration of 
components to the new system and address known weaknesses prior to 
migration where possible. Absent a comprehensive migration strategy, 
components within DHS may seek other financial management systems to 
address their existing weaknesses. This could result in additional 
disparate financial management systems instead of the integrated 
financial management system that DHS needs.
DHS Has Begun Hiring, But Has Not Developed a Human Capital Plan for 
        the TASC Program
    While DHS' RMTO has begun recruiting and hiring employees and 
contractors to help with the TASC program, the Department has not 
identified the gaps in needed skills for the acquisition and 
implementation of the new system. DHS officials have said that the 
Department is unable to determine the adequate staff levels necessary 
for the full implementation of the TASC program because the integrated 
system is not yet known; however, as of May 2009, the Department had 
budgeted 72 full-time equivalents (FTE) \15\ for fiscal year 2010. The 
72 FTEs include 38 Government employees and 34 contract employees, 
(excluding an IV&V contractor). DHS officials told us that this level 
of FTEs may be sufficient for the first deployments of the new system.
---------------------------------------------------------------------------
    \15\ According to OMB guidance, an FTE or work year generally 
includes 260 compensable days or 2,080 hours. These hours include 
straight-time hours only and exclude overtime and holiday hours.
---------------------------------------------------------------------------
    According to RMTO officials, as of August 2009, RMTO had 21 full-
time Federal employees with expertise in project management, financial 
business processes, change management, acquisition management, business 
intelligence, accounting services, and systems engineering. In 
addition, RMTO officials stated that there are seven contract workers 
supporting various aspects of the TASC program. RMTO also utilizes the 
services of the Office of the Chief Financial Officer and component 
staff. According to RMTO officials, some of DHS' larger components, 
such as Immigration and Customs Enforcement have dedicated staff to 
work on the TASC program.
    Many of the Department's past and current difficulties in financial 
management and reporting can be attributed to the original stand-up of 
a large, new, and complex Executive branch agency without adequate 
organizational expertise in financial management and accounting. Having 
sufficient human resources with the requisite training and experience 
to successfully implement a financial management system is a critical 
success factor for the TASC program.
       planned tasc implementation efforts pose unnecessary risks
    While updating the status of the six prior recommendations, we 
identified two issues that pose unnecessary risks to the success of the 
TASC program. These risks are DHS' significant reliance on contractors 
to define and implement the new system and the lack of independence of 
DHS' V&V function \16\ for the TASC program.
---------------------------------------------------------------------------
    \16\ Institute of Electrical and Electronics Engineers Standard 
1012-2004--Standard for Software Verification and Validation (June 8, 
2005) states that the verification and validation processes for 
projects are used to determine whether: (1) The products of a given 
activity conform to the requirements of that activity and (2) the 
software satisfies its intended use and user needs. This determination 
may include analyzing, evaluating, reviewing, inspecting, assessing, 
and testing software products and processes. The verification and 
validation processes should assess the software in the context of the 
system, including the operational environment, hardware, interfacing 
software, operators, and users.
---------------------------------------------------------------------------
Significant Reliance Placed on Contractors to Define and Implement the 
        TASC Program
    The Department plans to have the selected contractor prepare a 
number of key documents including plans needed to carry out disciplined 
processes, define additional business processes to be standardized, and 
propose a migration approach. However, DHS has not developed the 
necessary contractor oversight mechanisms to ensure that its 
significant reliance on contractors for the TASC program does not 
result in an unfavorable outcome.
    Work with other systems acquisition and implementation efforts have 
shown that placing too much reliance on contractors can result in 
systems efforts plagued with serious performance and management 
problems. For example, DHS' Office of Inspector General (OIG) recently 
reported \17\ that the U.S. Customs and Border Protection (CBP) had not 
established adequate controls and effective oversight of contract 
workers responsible for providing Secure Border Initiative (SBI) 
program support services. Given the Department's aggressive SBI program 
schedule and shortages of program managers and acquisition specialists, 
CBP relied on contractors to fill the staffing needs and get the 
program underway. However, CBP had not clearly distinguished between 
roles and responsibilities that were appropriate for contractors and 
those that must be performed by Government employees. CBP also had not 
provided an adequate number of contracting officer's technical 
representatives (COTR) to oversee support services contractors' 
performance. As a result, according to the OIG report, contractors were 
performing functions that should have been performed by Government 
workers. According to the OIG, this heavy reliance on contractors 
increased the risk of CBP relinquishing its responsibilities for SBI 
program decisions to support contractors, while remaining responsible 
and accountable for program outcomes.
---------------------------------------------------------------------------
    \17\ Department of Homeland Security, Office of Inspector General, 
Better Oversight Needed of Support Services Contractors in Secure 
Border Initiative Programs, OIG-09-80 (Washington, DC: June 17, 2009).
---------------------------------------------------------------------------
Verification and Validation (V&V) Review Function for the TASC Program 
        Was Not Independent
    DHS' V&V contractor was not an independent reviewer because RMTO 
was responsible for overseeing the contractor's work and authorizing 
payment of the V&V invoices. On October 21, 2009, DHS officials 
indicated that they have restructured the V&V contract to address our 
concerns by changing the reporting relationship and the organization 
that is responsible for managing the V&V contract. Under the previous 
arrangement, the V&V contractor was reporting on work of the RMTO, the 
program manager for the TASC program and the RMTO Director was serving 
as the COTR \18\ for the V&V contract. As part of the COTR's 
responsibilities, RMTO approved the V&V contractor's invoices for 
payment. The independence of the V&V contractor is a key component to a 
reliable verification and validation function.
---------------------------------------------------------------------------
    \18\ COTRs are responsible for monitoring the contractor's progress 
in fulfilling the technical requirements specified in the contract. 
COTRs often approve invoices submitted by contractors for payment.
---------------------------------------------------------------------------
    Use of the V&V function is a recognized best practice for large and 
complex system development and acquisition projects, such as the TASC 
program. The purpose of the V&V function is to provide management with 
objective insight into the program's processes and associated work 
products. For example, the V&V contractor would review system strategy 
documents that provide the foundation for the system development and 
operations. According to industry best practices, the V&V activity 
should be independent of the project and report directly to senior 
management to provide added assurance that reported results on the 
project's status are unbiased.\19\ An effective V&V review process 
should provide an objective assessment to DHS management of the overall 
status of the project, including a discussion of any existing or 
potential revisions to the project with respect to cost, schedule, and 
performance. The V&V reports should identify to senior management the 
issues or weaknesses that increase the risks associated with the 
project or portfolio so that they can be promptly addressed. DHS 
management has correctly recognized the importance of such a function 
and advised us that they have taken prompt steps so that the V&V 
function is now being overseen by officials in DHS' Office of the Chief 
Information Officer. It is important that V&V is technically, 
managerially, and financially independent of the organization in charge 
of the system development and/or acquisition it is assessing.
---------------------------------------------------------------------------
    \19\ To provide this objective evidence, V&V contractors analyze, 
evaluate, review, inspect, assess, and test software products and 
processes.
---------------------------------------------------------------------------
    In conclusion, Mr. Chairman, 6 years after the Department was 
established, DHS has yet to implement a Department-wide, integrated 
financial management system. DHS has started, but not completed 
implementation of the six recommendations we made in June 2007, aimed 
at helping the Department to reduce risk to acceptable levels, while 
acquiring and implementing an integrated Department-wide financial 
management system. The open recommendations from our prior report 
continue to be vital to the success of the TASC program. In addition, 
as DHS moves toward acquiring and implementing a Department-wide 
financial management system, it has selected a path whereby it is 
relying heavily on contractors to define and implement the TASC 
program. Therefore, adequate DHS oversight of key elements of the 
system acquisition and implementation will be critical to reducing 
risk. Given the approach that DHS has selected, it will be paramount 
that DHS develop oversight mechanisms to minimize risks associated with 
contractor-developed documents such as the migration plans, and plans 
associated with a disciplined development effort including requirements 
management plans, quality assurance plans, and testing plans. DHS faces 
a monumental challenge in consolidating and modernizing its financial 
management systems. Failure to minimize the risks associated with this 
challenge could lead to acquiring a system that does not meet cost, 
schedule, and performance goals.
    To that end, our draft report includes specific recommendations, 
including a number of actions that, if effectively implemented, should 
mitigate the risks associated with DHS' heavy reliance on contractors 
for acquiring and implementing an integrated Department-wide financial 
management system. In addition, we also recommended that DHS designate 
a COTR for the IV&V contractor that is not in RMTO, but at a higher 
level of Departmental management, in order to achieve the independence 
needed for the V&V function. As discussed earlier, DHS officials 
advised us that they have already taken steps to address this 
recommendation and we look forward to DHS expeditiously addressing our 
other recommendations too.
    Mr. Chairman, this completes our prepared statement. We would be 
happy to respond to any questions you or other Members of the 
subcommittee may have at this time.

    Mr. Carney. Thank you, Ms. Daly.
    I now recognize Ms. Sherry for 5 minutes.

  STATEMENT OF PEGGY SHERRY, ACTING CHIEF FINANCIAL OFFICER, 
                DEPARTMENT OF HOMELAND SECURITY

    Ms. Sherry. Thank you. Again, I would like to apologize 
again to the committee for getting my testimony in late. Thank 
you for your indulgence in that.
    Thank you, Chairman Carney, Ranking Member Bilirakis and 
Members of the committee, for the opportunity to testify before 
you on the Department of Homeland Security's progress and plans 
to create One DHS by standardizing financial management.
    The DHS mission is to lead a unified National effort to 
secure America. This requires a unified Department and an 
integrated approach across our various operations, including 
financial management. As you know, one of the Secretary's top 
priorities is to unify the Department and to create a common 
culture: One DHS, one enterprise, a shared vision with 
integrated results-based operations.
    We have many initiatives under way to continue to build a 
One DHS culture, including our commitment to strengthening 
internal controls and realigning business processes for 
improved efficiency and effectiveness.
    To this end I would like to thank the Congress for enacting 
the Department of Homeland Security's Financial Accountability 
Act. With the passage of the act, we launched an ambitious 
multi-year effort to improve financial management and reporting 
and to build assurances that internal controls are in place and 
working effectively.
    The foundation for One DHS strategy is to bring together 
the varying perspectives of DHS components to build a 
consolidated best practice approach to financial management. As 
an example, DHS financial reporting working groups were 
established recently to uniformly address financial management 
and business process challenges.
    Financial managers from the components work together to 
identify common areas of weakness, such as accounting for 
property, plant, and equipment or undelivered orders. Instead 
of components developing individual action plans to address 
areas of common weaknesses across the Department, they now work 
together to find the best solutions that can be used by all the 
components.
    We continue to implement initiatives aimed at increasing 
financial management competencies. This past fall we released a 
DHS Financial Management Policy Manual. This on-line manual 
provides Department-wide guidance on budget formulation, 
execution, financial management, accounting, and reporting, and 
introduces standardization throughout DHS with a focus on 
strong internal controls.
    We issued the third edition of the Internal Control 
Playbook, which outlines our strategy and processes to 
eliminate internal control weaknesses and to build management 
assurances.
    To further unify DHS financial management practices, we are 
adopting a Department-wide standard accounting classification 
structure. A common accounting line will improve our ability to 
capture and report financial information in a consistent and 
timely manner across the Department.
    DHS received a disclaimer of opinion in its fiscal year 
2008 financial statement. However, for the third consecutive 
year, audit results show we continue to make steadfast 
progress. Auditors noted the Department's progress in 
implementing corrective actions and improving the quality and 
reliability of our reporting.
    Our multi-year corrective action plan led to reducing the 
number of material weaknesses from 10 to seven to six in the 
past 3 years. We also reduced the number of disclaimer 
conditions from 10 to six to three in the past 3 years. Audit 
challenges remain, but in more focused areas.
    This year we have partnered with the United States Coast 
Guard, Transportation Security Administration, and the Federal 
Emergency Management Agency to address audit disclaimer and 
material weaknesses conditions. As they make improvements on 
our financial reporting and strengthen the skills of our 
workforce, we continue to move forward to consolidate our 
financial system, bringing forward lessons learned from our 
previous effort.
    Currently, DHS has 13 separate financial management 
systems. These systems support different business processes, 
numerous accounting lines, and have varying levels of systems 
integration, with many still relying on manual processes. This 
often results in inconsistent and inaccurate financial data.
    DHS's ability to efficiently and effectively manage and 
oversee our day-to-day operations and programs relies heavily 
on our ability to have financial management systems that 
produce complete, reliable, timely, and consistent financial 
information for use by DHS managers and leaders.
    Although modernization is complex, it is a critical element 
of instituting strong financial management as called for by the 
CFO Act, SFMIA, the Financial Accountability Act, and other 
financial management reform legislation. As we work to address 
our financial management challenges in increased transparency 
and reporting, the Transformation and Systems Consolidation, or 
TASC initiative, it is critical.
    The Department will acquire an integrated system solution 
that's already operating in the Federal space. We are in the 
midst of the TASC acquisition and are on track to select a 
vendor by second quarter fiscal year 2010. This important 
initiative will enhance mission support and improve our ability 
to report financial data in a timely and accurate way.
    Financial management has come a long way at DHS, and I am 
inspired by the extraordinary efforts of our dedicated staff at 
headquarters and in the components to becoming One DHS. I am 
committed to pursuing financial management success in the 
Department. As we continue our progress to building One DHS, I 
look forward to working with the GAO and the IG. Our 
relationship will be able to help us improve our efforts to 
build a consolidated and integrated Department.
    I appreciate the support we have received from our IG, from 
the GAO, this committee and Congress. Thank you for your 
leadership and your continued support of the Department of 
Homeland Security.
    [The statement of Ms. Sherry follows:]
                   Prepared Statement of Peggy Sherry
                            October 29, 2009
    Thank you Chairman Carney, Ranking Member Bilirakis, and Members of 
the committee for the opportunity to testify before you on the 
Department of Homeland Security's (DHS) progress and plans to create 
One DHS by standardizing financial management.
    DHS leads a unified National effort to secure America--this 
requires a unified Department and an integrated approach across our 
varying operations. The Secretary continues to prioritize unifying the 
Department and creating a common culture: One enterprise, a shared 
vision, with integrated results-based operations. In March, Secretary 
Napolitano launched a Department-wide efficiency review to trim costs, 
streamline operations, eliminate duplication, and better manage 
resources across the Department. This effort includes more than two 
dozen initiatives that will increase efficiency, leverage economies of 
scale, create a culture of responsibility and fiscal discipline, and 
save taxpayers millions of dollars.
    We have many initiatives underway to continue to build one DHS 
culture, including our commitment to strengthening internal controls 
and realigning business processes for improved efficiencies and 
effectiveness. To this end, I would like to thank Congress for enacting 
the Department of Homeland Security's Financial Accountability Act. 
With the passage of the act, we launched an ambitious multi-year effort 
to improve financial management and reporting and build assurances that 
internal controls are in place and working effectively. We have worked 
to standardize business practices as well as executed systematic plans 
to correct weaknesses. I look forward to continuing to work 
collaboratively with Congress, the Government Accountability Office, 
the DHS Office of the Inspector General, the Office of Management and 
Budget, and our independent auditor to further strengthen internal 
controls and improve and standardize financial management practices 
across the Department.
           strategies for standardizing financial management
    The financial management community is employing multiple strategies 
to bring together the varying perspectives of DHS components to build a 
consolidated best-practice approach to financial management at DHS.
    As an example, DHS financial reporting working groups were 
established to uniformly address financial management and business 
process challenges. Financial managers meet regularly to identify 
common areas of weakness and develop strategies usable by all 
components. This approach allows components to share success strategies 
with other components struggling in the same area. We also created a 
``Component Requirements Guide'' that contains approximately 40 
standard financial reporting processes. Implementing standard processes 
across the components has resulted in providing ample, reliable, timely 
data and meeting financial statement submission deadlines.
    Last fall, we published the first-ever DHS Financial Management 
Policy Manual, which provides a standard set of financial management 
policies with a focus on strong internal controls. This manual, 
developed with input from all DHS components, is an on-line repository 
of Department-wide guidance for program and budget formulation, budget 
execution, financial management, accounting, and financial reporting.
    To further unify DHS financial management practices, we are 
adopting a Department-wide standard accounting classification 
structure. To do this, we are defining the standard fields for the DHS 
accounting line using the Common Government-wide Accounting 
Classification (CGAC) structure issued by the Financial Systems 
Integration Office in cooperation with the Office of Management and 
Budget (OMB). A common accounting line will allow DHS to capture and 
report financial information in a consistent and timely manner across 
the Department. Staff from across DHS financial, budget, acquisition, 
asset management, and program management communities are working 
together to implement the new standard.
    DHS has more than 230,000 employees, and we have more than 2,000 in 
the financial management community dispersed throughout the United 
States. In order to help bridge our geographic separation, my office 
hosts a training session for all new employees in the DHS financial 
management community. This program welcomes new employees into DHS, 
provides a comprehensive introduction to financial management at DHS, 
and trains employees on a common set of core competencies, including 
the responsibilities of all financial managers to support and reinforce 
strong internal controls and the principles of fiscal law. It also 
provides an opportunity for staff in different components to meet, 
share ideas, and form a valuable network with other financial 
management professionals at DHS. Over the past 2 years, we have hosted 
five of these events with over 450 employees attending, nearly 30 
percent of whom were from outside the Washington, DC area.
 strengthening internal controls to standardize and improve financial 
                               management
    DHS has been working diligently to correct its financial 
weaknesses. When DHS was first stood up, there were an estimated 100 
financial management systems across the 22 components. Further, we 
inherited 30 significant financial reporting deficiencies, with 18 
classified as material weaknesses. These conditions hampered the 
Department's ability to produce timely, reliable financial data in 
support of a clean audit. Over the last several years, however, the 
annual financial statement audits have shown continued improvement 
toward consistent and accurate financial reporting.
    We have institutionalized a strong strategy, updated annually in 
our Internal Control Playbook, across DHS to address the remaining 
weaknesses. For each financial management weakness, we: Identify the 
root cause(s); design strong, actionable plans to address the weakness; 
and then track our progress against those plans. My office leads the 
efforts, and I work closely with component CFOs to oversee and monitor 
progress throughout the year. Our independent auditors report that the 
Department continues to make good progress implementing corrective 
actions and improving the quality and reliability of our financial 
reporting. Consider the following accomplishments that offer validation 
that our strategy is working:
   DHS reduced the number of material weaknesses from 10 in 
        fiscal year 2006, to seven in fiscal year 2007, to six in 
        fiscal year 2008.
   The Secretary's Financial Reporting Assurance Statement has 
        improved from a statement of no assurance in fiscal year 2005 
        to a statement that good internal controls are in place in 
        fiscal year 2008. For fiscal year 2009, the Department's goal 
        is to provide our first-ever assurance that internal controls 
        are working, with only a few exceptions.
   The Department is on target to have five favorable opinions 
        on audits of individual component balance sheets in fiscal year 
        2009, and the goal is to have isolated the adverse conditions 
        that prevent completion of an audit area to one component which 
        has detailed multi-year plans to remedy these conditions.
    Our remaining audit challenges are now contained to a few specific 
areas. We continue to partner with and provide oversight of the U.S. 
Coast Guard, Transportation Security Administration, and Federal 
Emergency Management Agency to address the remaining audit disclaimer 
and material weakness conditions. This joint effort has produced 
significant improvements; for example, I expect the number of material 
weaknesses at FEMA to be reduced for the second consecutive year.
    Key to the Department's continued progress toward good financial 
management is the ability of the components to produce consistent, 
reliable financial data. An integrated, enterprise-wide financial 
acquisition and asset management system will make it easier to 
implement and maintain stronger internal controls and to ensure 
consistent, accurate, and reliable financial information across DHS.
                    financial systems consolidation
    DHS is moving forward with a financial system consolidation effort. 
This will greatly improve the quality of and control over DHS financial 
data, make the financial accounting process more efficient throughout 
DHS, and reinforce standard business and financial management 
practices. Currently, DHS has 13 separate financial management systems. 
While we have made significant progress standardizing various aspects 
of financial management in DHS, the 13 systems support different 
business processes, numerous accounting lines, and have varying levels 
of system integration--with many still relying on manual processes. 
This often results in inconsistent and inaccurate financial data. 
Further, maintaining multiple systems across the Department means 
duplicative operations and maintenance costs, and high overhead when 
upgrades, support services, and system changes are necessary.
    As we work to address our financial management challenges and 
increase transparency, consistency, and accuracy, the Transformation 
and System Consolidation (TASC) initiative is critical. The Department 
will acquire a proven, integrated system solution that meets Federally 
defined financial business processes requirements, as issued by the 
Financial Systems Integration Office in cooperation with OMB. We are in 
the midst of the TASC acquisition and will select a vendor by the 
second quarter of fiscal year 2010. We have also developed a strong 
program management office to provide full-time, day-to-day oversight of 
the integration process to help ensure success. This important 
initiative will enhance mission support and improve our ability to 
report financial data in a timely and accurate way.
                 lessons learned from previous efforts
    In September 2006, the Department ended the Electronically Managing 
Enterprise Resources for Government Effectiveness and Efficiency 
(eMerge2) systems initiative since it failed to build the necessary 
integration between the various commercial off-the-shelf software 
solutions. The effort was budgeted at $252 million but was halted after 
$52 million was spent on the project.
    We have learned from eMerge2 and have applied those lessons to the 
TASC initiative. Rather than building a new system from scratch, as was 
the eMerge2 strategy, DHS is acquiring an existing, already integrated 
Federal system that follows established standard Federal financial 
business processes with defined key internal control requirements. 
Putting in place an integrated system with standard processes will 
allow us to produce data that is consistent and incorporates strong 
internal controls to ensure financial transactions are properly 
processed, verified, and accurately recorded. In addition, TASC will 
take a phased approach to implementation rather than having the entire 
Department go live at once.
    Another key lesson learned from eMerge2 is the importance of having 
adequate Federal staffing and strong oversight of contractor 
performance. To this end, we have put in place a robust team of full-
time Federal employees with expertise in project management, systems 
accounting, change management, acquisition management, business 
intelligence, accounting services, and systems engineering. We also 
have an on-site Independent Verification and Validation team in place 
to monitor and evaluate every aspect of the program as we move forward.
                               conclusion
    We have demonstrated our commitment to developing and executing 
strong, actionable plans that improve our financial management with 
strong internal controls. Consolidating our financial, asset, and 
acquisition systems will accelerate and sustain Department-wide 
progress in our efforts for efficiency, effectiveness, transparency, 
and accountability. As DHS undertakes its transformation and system 
consolidation effort, the Department's financial management 
infrastructure will become more stable and will significantly 
contribute to achieving the intended goals of the DHS Financial 
Accountability Act.
    Financial management has come a long way at DHS. I continue to be 
inspired by the extraordinary efforts of our dedicated staff both at 
headquarters and in the components, and I am committed to pursuing 
financial management success. I appreciate the support that we have 
received from our Office of Inspector General, the GAO, this committee, 
and Congress. Thank you for your leadership and your continued support 
of the Department of Homeland Security. I would be happy to answer any 
questions you may have.

    Mr. Carney. Thanks, Ms. Sherry.
    I want to thank each of the witnesses for their testimony.
    I remind each Member that he or she will have 5 minutes to 
question the panel. I now recognize myself for 5 minutes.
    Ms. Daly, let us begin with you. The news we heard is not 
good. It seems like it might be improving, but we are 6 years 
down the line now, over 6 years, and we are at a place where 
accountability, you know, is trying to be the watchword of the 
day, especially accountability for taxpayers' dollars, and we 
are having a tough time with that at DHS.
    From your opinion, you know, is the news improving? What 
needs to be done that hasn't been done yet? What sort of time 
frame are we looking at for improvement, I mean for doing 
things in a standardized way that we have transparency and 
accountability of taxpayers' dollars?
    Ms. Daly. Mr. Chairman, I think DHS faces a monumental task 
in pulling together the information needed. I am not familiar 
with the time frames that they have in place, but I can assure 
you from our review of the TASC program that we have certain 
concerns with the strategy they are taking related to TASC and 
not doing a detailed, structured GAAP analysis of the proposed 
system to what they want their future business processes to be. 
Without taking that particular step, I think they are 
increasing their risk related to that program.
    Mr. Carney. Mr. Taylor, how do you respond to that?
    Mr. Taylor. Well, sir, we haven't completed our report on 
TASC itself. However, in viewing the prior attempts of the 
Department to try to have an integrated financial system, it 
included a lack of identified requirements, clear requirements. 
It included a lack of adequate oversight capabilities, the 
trained contractor specialists we talked about, and it 
included, as is mentioned by the committee, the over-reliance 
on contractors.
    If those three things still exist, then the Department is 
truly in a high-risk environment for being able to implement 
anything successfully.
    Mr. Carney. Are we on track to fix that, Ms. Sherry?
    Ms. Sherry. Thank you, sir, and yes. I appreciate the 
comments from both the GAO as well as the IG and do know that 
the Department is absolutely committed to working with you and 
to making sure that the recommendations are fully implemented.
    I do believe that we are on track, sir, to be able to 
address some of these recommendations. I look forward to 
working with them as they further develop their report.
    We did learn quite a bit from the initial eMerge effort. 
The initial eMerge initiative basically failed on the idea that 
we were developing the system. What we were doing was gathering 
thousands and thousands of requirements, and ultimately the 
submission failed on its inability to be able to integrate 
everything.
    That is not the strategy the Department is implementing 
currently. Instead, what we are doing is we are acquiring a 
solution that is----
    Mr. Carney. No, I think it was unplugged. She is doing 
something down front here.
    Thank you.
    Mr. Taylor, the Department decided that it was going to use 
a commercial off-the-shelf, or COTS, system to do this. Is that 
a good idea?
    Mr. Taylor. That is usually required by OMB. I have been 
involved with this in the past, and when you do your own 
development, you add a level of risk that most agencies are 
going to find unacceptable.
    Mr. Carney. So that was not a good idea, then.
    Mr. Taylor. To use COTS is a good idea.
    Mr. Carney. Yes, it is.
    Mr. Taylor. It is. I am sorry, sir. Yes, it is. To do your 
own development, to do a custom software development is a bad 
idea, because then you are introducing a higher level of risk. 
The COTS has been tested in the Federal environment, and there 
are a number of vendors out there who can provide it and that 
there was success, and there is usually an implementation you 
can look at and learn from in terms of best practice.
    Mr. Carney. Okay. Well, kind of along those lines, what 
agencies use integrated systems that can serve as a model for 
the Department's efforts? I mean, you know, we got a big 
Government out there. There are probably some cases we could 
have that we could point to which are the best.
    Mr. Taylor. Sure, absolutely. Yes, sir. Most agencies have 
been through the kind of agony, I guess, that the Department of 
Homeland Security is going through now.
    In my experience at the Department of Commerce, we went 
through this between 1997 and 2003, implementing from a 
decentralized approach to a centralized system. The Department 
of Transportation has been through the same thing. I believe 
Agriculture has been through it. There are a number of agencies 
that have gone through this that had, and there are a number of 
best practices.
    There also are vendors out there in the Federal sphere or 
other departments and agencies who provide these services, so 
instead of having to do your own implementation, you can 
purchase the support from those organizations instead of having 
to do this for yourself.
    Mr. Carney. Okay. I think we have a problem with the timers 
here. I imagine my time is about up. I will recognize the 
Ranking Member from Florida, Mr. Bilirakis, for 5 minutes, and 
I guess I will be the official timekeeper here with my 12-year-
old Swiss Army watch.
    Mr. Bilirakis. I won't take the 5 minutes.
    Mr. Carney. There you go.
    Mr. Bilirakis. Ms. Sherry, much was said about the 
importance of leadership from the top to the success of the 
financial consolidation efforts. Have the Secretary and deputy 
secretary been briefed on TASC, the TASC initiative? Are they 
supportive of the current plan?
    Ms. Sherry. Yes, sir, thank you very much. Yes, we have had 
the opportunity. I have had the opportunity to brief the 
Secretary and the deputy secretary on not just the TASC 
initiative, but also on the state of financial management at 
DHS. They understand the criticality of having of having a 
system solution in order to be able to move the Department 
forward.
    Mr. Bilirakis. So they are supportive.
    Ms. Sherry. It is in line and in keeping with the One DHS 
initiative that is so important to the Secretary.
    Mr. Bilirakis. Okay. What impact has the lack of a 
permanent under secretary for management and a permanent CFO 
had on the Department's ability to implement TASC?
    Ms. Sherry. Other than just making me really busy, it 
really has not had much of an impact, sir. The under secretary 
for management has been very engaged, and I think, as you may 
or may not be aware, we actually have a deputy under secretary 
for management as well, so they have been very engaged as well 
as very supportive with us.
    When I go back to my full-time job, or my regular job--I am 
the deputy CFO also--and this is clearly a very important 
initiative, and one that I will be primarily responsible for 
sure, sir.
    Mr. Bilirakis. Okay. How, if at all, has the Department's 
financial management oversight and consolidation efforts 
changed under the new administration?
    Ms. Sherry. I don't really think that we have had a chance, 
sir. I think that management--you know, having strong 
management with the Secretary having been a former Governor, I 
think that she is a very strong executive leader, and I think 
that she really understands and completely supports either the 
objectives and goals of my offices, you know, to continue to 
standardize processes throughout the Department and to really 
make financial management, good financial management, just 
basic, you know, part of every day, you know, what it is that 
we do, rather than something that we have to continually come 
up and, you know, explain the reason why we are not doing very 
well. She is very supportive of it.
    Mr. Bilirakis. Can you explain why TASC will cost so much 
more than eMerge2?
    Ms. Sherry. I am sorry, sir. Can--why TASC would cost----
    Mr. Bilirakis. Why it would cost so much more than eMerge2?
    Ms. Sherry. I can't really speak to the total cost of what 
eMerge2 was, sir. I know that the Department had spent about 
$52 million before they actually stopped the initiative, so I 
can take that for the record and possibly get back to you on 
that.
    Mr. Bilirakis. What controls do you have in place to make 
sure the contract doesn't--there are no overruns?
    Ms. Sherry. There are several things that we have got in 
place currently, and I completely agree with both the GAO as 
well as the IG to be able to say strong contractor oversight is 
paramount. It will be paramount to the success of this 
initiative, and I do believe that that may have been one of the 
failings also of eMerge was the inability of the Department to 
necessarily be able to, you know, make sure I have that 
oversight over the contractors.
    My office in particular has been staffing up very heavily 
to have a very strong project management office. We have worked 
with the other large acquisition efforts within the Department 
to be able to really have lessons learned from them, to find 
out how we should structure our PMO office.
    We talked a little bit about some of the other departments 
that have initiatives under way. We have done heavy outreach 
with them to find out exactly what they--not only what the 
lessons learned from the standpoint of what they have done 
well, but also in particular what they haven't done well, so 
that we can try to avoid those mistakes as well.
    The other thing that we have within the Department which is 
different, I think, than when the eMerge2 initiative was begun, 
is a stronger oversight throughout DHS for large acquisition 
projects.
    We have the Management Directive 102, which really governs 
the acquisition review process, where you have discipline 
processes, including a--a con ops, as Ms. Daly referred to.
    You have required documents that, you know, that the 
project must be able to have completed, get reviewed, and to 
have been accepted through the different keys throughout the 
Department, as well as through the deputy secretary and in the 
acquisition community within DHS, as well as having a systems 
engineering lifecycle documentation and process that was really 
intended to review the acquisition at every step of the 
process.
    So in other words, and before you are able to go to a next 
particular gate, you have to go before the deputy secretary and 
all the people that I just mentioned and to be able to 
demonstrate why you are ready to do that.
    Mr. Bilirakis. Okay. Thank you very much.
    I hope I was under 5 minutes, Mr. Chairman.
    Mr. Carney. Exactly 5 minutes, according to my watch.
    The Chairman now recognizes my good friend from New Jersey, 
Mr. Pascrell, for 5 minutes.
    Mr. Pascrell. Mr. Chairman, let me start by saying this, 
that if we do not address the bureaucratic questions at 
Homeland Security by the next go-round, I want to commit to 
you, Mr. Chairman, that I will not vote for one dime for the 
Department. I want to make it very clear right now, and I want 
to agree with your opening remarks about we have heard a lot of 
this before. It is kind of redundant. We need a re-do here.
    I don't think we need so much financial consolidation as 
consolidation with a capital C. This is a bureaucracy that has 
become cumbersome.
    I am sorry, Mr. Taylor, we cannot make comparison to other 
departments, because this Department that we are talking about 
today has the responsibility, as you better than I know, to 
secure the homeland. This is a different--you are comparing 
apples and oranges, and I really want us to focus in on the 
very nature and uniqueness of this Department.
    The demands that we place on Homeland Security are 
unproductive. I can remember Secretary Chertoff sitting out 
there, telling us, enumerating how many committees his folks 
have to answer questions for. It is ridiculous. We haven't 
changed anything about that. We are wasting your time most of 
the time, when we fail to see our main objective in securing 
the homeland.
    How many committees do you have to answer to, Mr. Taylor? 
You are still counting, I am sure.
    Mr. Taylor. Yes, sir, we are counting on our fingers and 
toes right now. Ninety-one.
    Mr. Pascrell. Ninety-one committees. Now, 91 committees. 
Your request for the budget was $55 billion--correct me if I am 
wrong--$55-plus billion.
    Mr. Taylor. I will defer to Ms. Sherry on that.
    Mr. Pascrell. Is that correct?
    Ms. Sherry. Yes, sir. The net number is $42.8 billion.
    Mr. Pascrell. Yes, we have a very serious problem here. 
This is not going to go away with one committee hearing, but I 
want to commend you for zeroing in on it and not accepting. We 
don't even know the percentage of procurements in the last 
administration--how many were bid. We don't even know that.
    So, Mr. Chairman, I want to thank you for calling the 
hearing. I really hope that people understand the importance of 
this topic. Clearly, if we get a hearing on terror threats or 
vulnerabilities to attack, we would probably get more attention 
from the media in public and the public.
    But I want to be clear when I say this. One of the greatest 
threats to the Nation's security is the bureaucracy itself. We 
are fighting an enemy that is not State-based. They don't have 
a large bureaucratic infrastructure of multi-layered control. 
Their greatest asset is the ability to operate in relative 
silence and to change direction quickly in order to attack our 
vulnerabilities. A bloated Homeland Security bureaucracy is 
one, I believe, of our biggest vulnerabilities.
    After the attacks of September 11, 2001, Members of the 
Congress from both sides of the aisle pushed the Bush 
administration to create this Department. I certainly think 
that was the right decision, but if all we have done is to 
throw over 100 Federal entities together and call it a day, 
well, then I believe we have made our Nation less safe and not 
more safe.
    The whole point of creating a Department of Homeland 
Security was not only to increase coordination, which I think 
we may be getting better at, but also to streamline the process 
by which a threat reported in the field can quickly and 
effectively get to higher command to take action. This is what 
they should be all about.
    I am not convinced that we have cut down on these layers 
from top to bottom. I am not convinced at all. Few things make 
this point more clear than the fact that 6\1/2\ years after its 
creation, the Department of Homeland Security has yet to 
implement a Department-wide integrated financial management 
system--6\1/2\ years later.
    If we can't even keep track of all the billions of dollars 
in taxpayers' funds, then how can we find the excess, how can 
we find the ways, how can we possibly get rid of the bloat in 
the democracy? How can we defend the republic?
    I have a couple of more questions. I will come back after--
my time is up?
    Mr. Carney. Very good. I don't want this to turn into a 
colloquy, but I think Mr. Pascrell is exactly right. If this 
was about a specific threat to the homeland, CNN would be here, 
and we would have a lot more coverage. But this is actually 
what Government does. This is the nuts and bolts stuff that no 
one pays attention to, but is absolutely as important to 
protecting the homeland as anything else that we do, so we 
can't underestimate the importance of getting this right.
    So, you know, we have often heard that when in the private 
sector you would take organizations of the size that comprise 
now DHS and put them together, it would be a 5- to 7-year 
transition to get them into one sort of unit. We are at the 
6\1/2\-year mark now, and we sure see the seams and the 
fissures that exist.
    We got to do better, and we got to it thoughtfully, but 
holy cow, folks, you know, this is getting to a point where we 
need to start asking the tough questions about are we secure, 
more secure, than we have been? I think we probably are, but we 
have got to solidify. We have got to have the foundations in 
place.
    So to that end, you know, hearings like this occur and 
questions like these are asked. You know, folks like Mr. 
Bilirakis and Mr. Pascrell and I come and, you know, we want to 
make it better for everyone.
    Ms. Sherry, according to the GAO's most recent audit, the 
Department has taken very limited action toward implementation 
of four of its recommendations and since, you know, they made 
those recommendations in June 2007, about a year-and-a-half 
ago, it has taken no action on the remaining two. Can you tell 
me why?
    Ms. Sherry. Yes, sir. Part of the reason is because we have 
not selected a solution. What the Department has done is we 
have taken to heart all of the recommendations and have 
implemented those that we can, sir, and we will continue to 
work with the GAO as well as the IG to make sure that we fully 
implement all of the recommendations at the time that we have 
selected the actual solution.
    So, for instance, one of the recommendations was to develop 
a con ops, a concept of operations, and we have done that. It 
is in accordance with the IEEE standard within, you know, the 
recognized standards, and what we will do is it is based on all 
the information that we know currently without actually knowing 
the actual solution. What we will do is we will work to update 
all of them once we have actually awarded the contract.
    Mr. Carney. Once again, can I ask a time frame question?
    Ms. Sherry. Absolutely, sir. We are on target currently to 
be able to award the contract in second quarter of 2010.
    Mr. Carney. Second quarter of 2010.
    Ms. Sherry. Yes, sir.
    Mr. Carney. Okay. So we will certainly see you back here 
roughly in that time frame and----
    Ms. Sherry. I look forward to it.
    Mr. Carney [continuing]. Get more accountability there.
    Mr. Bilirakis, any questions?
    Mr. Bilirakis. Thank you, Mr. Chairman.
    Ms. Daly, your written testimony expresses concern about 
the Department's reliance--I know you touched on this--on 
contractors for the implementation of TASC and notes that the 
Department has not developed necessary contract oversight 
mechanisms. I would have hoped that the Department would have 
learned from its problems with SBI.
    My question is what actions would you recommend that the 
Department take to enhance contract oversight?
    Ms. Daly. I think the Department could take a number of 
steps that are based in what the Software Engineering Institute 
has recommended for these types of software implementations. 
There are a number of tasks that they have planned to do in the 
future, but that have not been formalized yet. A lot of these 
are very important. I think what we have seen at other agencies 
is that if these steps are not taken, what can happen is the 
cost and schedule overruns that none of us want to occur.
    One of the key examples I can give you are things such as 
having a good testing plan in place. What you often see on a 
system that gets rolled out is that the people that are for the 
Government are relying on the contractors to develop a good 
testing plan, and the Government officials need to understand 
what are the right testing steps to take so that a good 
comprehensive test is done that identifies all the defects so 
those defects can be addressed before they are ruled out. Those 
are the types of mechanisms we think would be important for the 
Department to have in place.
    Mr. Bilirakis. Can you comment on that, Ms. Sherry?
    Ms. Sherry. Yes, sir. Thank you. We are in complete 
agreement with that. I think that we have learned quite a bit 
since the eMerge initiative, and we are in complete agreement 
that we really do need to have strong contractor oversight.
    You know, referring to some of the systems engineering 
lifecycle steps, we are absolutely going to make sure that we 
incorporate all of them. We will be working with the contractor 
on the testing plans. We are not going to hand over simply to 
the contractor to be able to do the work for us.
    It is somewhat different than the SBInet initiative. Again, 
absolutely we have learned from the things that we did not do 
right in that initiative. But this is not a development effort, 
you know, that what the Department is doing is we are acquiring 
an already integrated, proven system that is working currently 
in the Federal space, you know. So we will know a lot about the 
system, and we will not actually be developing the system.
    But we are absolutely committed to being able to use all of 
those discipline processes, such as making sure that you have a 
strong testing plan, working with our science and technology 
group that has lots of expertise in this particular area, and 
also as we come before our acquisition review board, having to 
prove to them before we are able to go on to next step that we 
in fact do have solid test plans.
    Mr. Bilirakis. Thank you.
    Mr. Taylor, the inspector general has done considerable 
work in the area of Department financial management. In your 
opinion does the Department have sufficient personnel in both 
the financial offices and the procurement offices to provide 
sufficient oversight over the systems migration in the contract 
without any over reliance on contractors? That is my question.
    Mr. Taylor. Without speaking directly to TASC, because we 
are working on that right now, based on the work we have done 
previously, we have a lot of concern about that, concerns 
because the component organizations have skills deficiencies in 
both procurement as well as financial management. So to layer a 
very comprehensive integration effort on top of that would be 
posing even more risk. So we are very concerned about that, 
sir.
    Mr. Bilirakis. Thank you very much. Appreciate it.
    I yield back, Mr. Chairman.
    Mr. Carney. Thank you.
    The Chair now recognizes Mr. Green for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. I thank you for--and 
you, the Ranking Member, as well--for hosting this important 
meeting.
    I am honored to have an opportunity to speak to the 
witnesses, and I thank you for being here today.
    My concerns probably have been addressed, and I apologize, 
because we have a Financial Services hearing that is taking 
place, and we have Mr. Geithner, and we have a host of others, 
and we are obviously having to deal with some of the great 
issues of our time. But this does not in any way excuse me from 
the issues that we have to contend with at Homeland Security. 
They, too, are among the great issues of our time.
    I am concerned about the means by which we can do some of 
the small things. For example, we had the TWIC card issued, but 
we did not have a card reader. It seems to me that that was 
something that did not necessitate a real study to know that if 
you are going to have the card and the reader, it would 
probably be prudent--judicious, if you will--to have both the 
card and the reader presented, make a debut, be put to use at 
the same time.
    Last time I checked, we still didn't have a reader that 
would work with the cards and we are still exploring the 
possibility of acquiring a reader for cards that we have 
issued.
    I remember when we had the former Secretary here, whom I do 
not in any way intend to demean, but I do remember commitments 
being made about the cards and the readers, and we never 
actually got that done. So little things like that leave an 
indelible memory such that it becomes difficult to get a grip 
on how we can do some of these very complicated things if we 
don't do these little things.
    So let me ask, for fear that I may have missed something, 
have we deployed the reader for the TWIC cards?
    Ms. Sherry. I can find out for you, sir. I apologize. I 
don't know that right off the top of my head. I will find out 
and get back to you.
    Mr. Green. Does the representative from GAO know?
    Ms. Daly. Congressman Green, I am sorry. I am not aware of 
the status of that.
    Mr. Green. Okay. All right. That is one example.
    Let us move to another one: P28. I had the good fortune to 
be here while we had much said about P28. Most of what was said 
by way of witnesses was good in the sense that P28 was supposed 
to provide us with a model, a prototype that was to at some 
point be replicated such that we would have this system that 
allowed us to have a merging of various security devices as 
well as something as simple as a fence such that we would be 
able to monitor our border effectively.
    The P28 didn't quite work out at build after we were billed 
a lot of money. We spent a lot on P28, and it is a little bit 
disappointing for us not to get the product that we paid for. 
Taxpayers are demanding people, and when we spend their money, 
they would like to see the results that are promised.
    I am not going to ask you to give me an update on P28. I am 
merely mentioning these things such that I can provide you 
examples of how we clearly can do better with better 
management, better oversight.
    It is my hope--excuse me--it is my hope, my sincere desire 
that we find a means by which we can have GAO, which plays an 
important role in this process--GAO provide us with some of the 
acid tests that we ultimately will have to confront at the 
genesis of these operations, as opposed to what appears, from 
my perch, to be an understanding that manifests itself after we 
get into revelations.
    Revelation is a bad time to know what is expected of you. 
You ought to know what is expected of you somewhere at genesis 
or shortly thereafter, so that you can perform and maybe you 
will get some sort of heavenly blessing as a result of good 
performance.
    Unfortunately, we don't get, it seems to me, the marriage 
between what GAO is going to monitor and what the contractors 
are going to do by way of performance. We don't get that early 
enough in the process. So my hope is that we will get that 
done.
    Mr. Chairman, I am 17 seconds over. I thank you, and I 
yield back the balance of my time.
    Mr. Carney. Thank you, Mr. Green.
    Mr. Pascrell, for 5 minutes.
    Mr. Pascrell. Thank you, Mr. Chairman.
    Most of the bipartisan 9/11 Commission recommendations have 
been addressed sooner or later in the past couple of years 
except for one glaring oversight. That is what we are talking 
about today: The bureaucracy in Homeland Security has not been 
addressed.
    I would suggest, Mr. Chairman, that the leadership of both 
parties must be confronted on this particular issue. I just 
gave one example before about how many committees they have to 
come before and how many divisions and the total lack of 
coordination, which does not help our intelligence apparatus 
one iota. So I think they need to be confronted.
    Ms. Sherry, I know in your testimony you talked about 
Secretary Napolitano's efforts towards efficiency and effective 
financial management. Can you talk specifically towards my 
point and address how the new initiatives towards financial 
management will lend themselves to streamlining operations in 
the Department of Homeland Security?
    Ms. Sherry. Yes, sir. Thanks for the question. I am happy 
to address that. This initiative really does speak to the One 
DHS issues that I think that you are addressing as far as the 
bureaucracy. I think that we recognize that that is something 
of an issue that can potentially hold us back from operating 
efficiently and effectively. That is something, clearly, that 
Secretary Napolitano is aware of.
    Several of the things that we are going to be able to do in 
this IT initiative that are outside of the actual financial 
management initiatives that we have going on that I have 
mentioned, such as the Financial Management Policy Manual, you 
know, us having working groups where we are trying to come up 
with collective solutions to common problems, some of the 
things that this IT solution will do in addition to that will 
be to standardize business processes throughout DHS.
    There are requirements. There are FSIO standards, what are 
called FSIO standards, which is done by OMB and the GSA with 
input from the various agencies that basically talk about best 
practices on how you do standard business processes throughout 
the Government.
    One of the objectives of the FMLoB initiative of the OMB is 
to be able to make more standardization in some of those 
processes that you can standardize that the Government, such as 
paying a bill. The idea that you are going to be paying a 
bill--you really shouldn't be doing it in a bunch of different 
ways.
    What we currently have at DHS are, you know, the different 
components who pay bills differently, and the reason they have 
to do that is because they maybe have different types of 
systems. Some of them have legacy issues that come along with 
them.
    They have different integration so that in one instance you 
have full integration, so once you put in a procurement or you 
put in an award contract, it neatly populates your financial 
system. In other components we don't have that. Well, you know, 
what you do is you actually put something into the procurement 
system and then you rely on a manual transfer over into your 
financial system.
    So the idea that we can have the integration, which will 
really bring about more of that One DHS and the standardization 
of the processes, and what comes along with that are internal 
controls, the idea that you should have strong key internal 
controls as outlined in FSIO and as has been validated through 
our A123 process, which is the Federal Government's equivalent 
to, like, Sarbanes-Oxley, where we go out there, where 
management goes out there and we identify how are we doing 
business currently, such as paying a bill and identifying 
within each component what should we be doing differently, such 
as having segregation of duties and, you know, so that the 
person who puts in the contract and approves the contract is 
not the same person who actually ends up paying the bill, so 
that we can minimize the risk of fraud.
    So things of that nature, sir, and IT solution in addition 
to these other initiatives that we have on-going will help 
bring about standardization at the Department.
    Mr. Pascrell. Thank you.
    Mr. Taylor, the GAO has had the management study of 
Homeland Security, made recommendations. A couple of them have 
not been done. We know, and I think you would agree with me, 
that we are not talking about bureaucracy in the Transportation 
Department. We are talking about bureaucracy in defending the 
country, which is a heck of a lot more serious, it would seem 
to me.
    Let me ask you this. Is this Department manageable?
    Mr. Taylor. Sir, I believe it is.
    Mr. Pascrell. You believe it is.
    Mr. Taylor. That is my personal opinion. I don't have a 
report to show you from the IG's office that that concludes 
this is a manageable office. We have done work on the 
organization of the Department, particularly before the second 
stage review that was conducted 3 years ago. We concluded there 
were inefficiencies, some of which were addressed in the second 
stage review. We think the Congress addressed some of the 
concerns when they mandated a reorganization of FEMA and the 
grants program within the Department.
    Is the Department perfectly constructed in terms of 
inefficiencies? Absolutely not. But there has been progress 
since 6\1/2\ years ago towards making it more manageable.
    Mr. Pascrell. So at this point you would say, and what you 
have seen and what you have done and what your GAO has 
concluded, that the Department itself could be organized 
differently, perhaps, which is a problem with results that we 
have gotten. Or would you say that?
    Like, you know, George Kennan used to talk about democracy 
in that sense. It was like a huge dinosaur that needed its tail 
whacked once in a while. I think of dinosaurs when I think of 
the Homeland Security Department, having been in this effort 
since 
9/12.
    This is in my bone marrow. This is important to protecting 
our neighborhoods. I am not sure that we have created the right 
Erector set. I am not so sure. So I am listening and reading 
what you have to put out every time you do it.
    Thank you, Mr. Chairman.
    Mr. Carney. Thank you, Mr. Pascrell.
    Let us for a moment talk about kind of specific numbers, as 
long as we have the opportunity here.
    Ms. Sherry, how much do you think it is going to cost to 
actually implement TASC?
    Ms. Sherry. Sir, the independent Government cost estimate 
is at $450 million.
    Mr. Carney. Okay.
    Ms. Daly, would you care to comment on that?
    Ms. Daly. Our work has not examined the dollars that are 
associated with this effort yet, but we plan to look into that 
more in our future work for the committee.
    Mr. Carney. Mr. Taylor.
    Mr. Taylor. In my testimony, sir, I mentioned $1 billion. 
That was the figure that was provided in testimony 3 weeks ago 
by the under secretary for management. I think that includes--
being from the CFO side originally, it depends on how you 
measure things. You know, is it the core financial system we 
are talking about? Is it everything, including all the 
components efforts?
    Depending on how you measure this, the under secretary for 
management saying it is a billion-dollar effort, so we are 
assuming it is a billion-dollar effort.
    Mr. Carney. So more than twice what Ms. Sherry thinks the 
price is.
    Mr. Taylor. Depending on how you measure it, yes, sir.
    Mr. Carney. So are you telling me we can't even come up 
with a consistent definition or consistent measures of what we 
are trying to accomplish here?
    Mr. Taylor. I contend that the IG's office has not been 
provided with an estimate and the definition of what that 
estimate includes.
    Mr. Carney. Can the IG's office tell me who is in charge of 
defining what it is we are trying to do here?
    Mr. Taylor. Our understanding is it is CFO.
    Mr. Carney. Ms. Sherry, so we are somewhere between $450 
million and $1 billion to implement that. You know, from my 
chair and from practically everybody in this room, how do you 
get a delta that large?
    Ms. Sherry. Right, sir. What I can do is I can go back see 
what the $1 billion is referring to, but I think Mr. Taylor is 
exactly right as far as the question that I answered, and 
possibly I didn't answer the question correctly, was the 
independent Government cost estimate as it relates to migration 
and operation and maintenance, which is really within the 
purview of this particular contract.
    Things such as the hardware and the software are not 
included in that number. In addition, we have developed a life 
cycle cost estimate. Again, we are standing up the data center. 
It will be done in our data center down in Stennis so that the 
costs that are associated with that data center is not included 
in this number as well.
    We do have a life cycle cost estimate that we are working 
on and we are going to be sharing with Ms. Daly as well as Mr. 
Taylor, which I believe--and again, without knowing what was in 
the billion, and I promise I will go back and look at that, I 
would imagine would include some of the things that Mr. Taylor 
talked about, which are not in the $450 million that I referred 
to, sir.
    Mr. Carney. Okay. So the $450 million does not include the 
hardware, the software, the data center or the lifecycle costs.
    Ms. Sherry. It includes the implementation, and it includes 
operation and maintenance for the implemented solution.
    Mr. Pascrell. [Inaudible.]
    Mr. Carney. Boy.
    Mr. Taylor, is $450 million a reasonable price for what we 
are getting?
    Mr. Taylor. Well, sir, I am not sure. I am still not sure 
what that includes, and so we would have to look at what 
exactly is included in that cost estimate, which, of course, we 
haven't had a chance to review.
    I will say that what you are experiencing is the problem 
with these kinds of initiatives.
    Mr. Carney. Yes.
    Mr. Taylor. What happens is that the core financial system 
itself is just a small part of the activity and a part of the 
cost.
    When Mr. Bilirakis asked me about the financial management 
and the components, do they have the kind of resources 
necessary to carry this out, we are concerned because in my 
personal experience the vast majority of the effort isn't in 
hooking up a new box with new software.
    The vast majority of the effort is involved in changing the 
business processes at the feeder level, at the component level, 
so that the information coming in makes sense, not so that you 
are just having a really fancy way of computing bad data.
    That is where the costs are. So any estimate of cost needs 
to include all those kinds of activities and the plan has to 
account for the weaknesses that we have identified in our 
financial statement audits in the component organizations where 
this is going to fall on.
    Mr. Carney. So just kind of a back of the envelope figuring 
here, it may be more than $1 billion in this transition. But 
once again, we don't know, because we can't define what it is 
we are trying to do.
    Ms. Sherry. But I mean we can define what it is that we are 
trying to do, and I would absolutely agree with Mr. Taylor that 
the change of management piece of it is critical and having 
that governance structure in place is critical.
    So these are things that are outside of that $450 million 
that I am talking about, because this is stuff that the Federal 
workforce will be responsible for ensuring that we do stay on 
track so that when we are doing the migrations, when we are 
doing the analysis to be able to determine what are our 
requirements, and we do know what our requirements are relative 
to what the solution is, that we make sure that we have got 
strong oversight of that.
    We have stood up a program management office in my office. 
It has all the different disciplines in it that are required, 
such as change management. You know, we have CPAs, we have 
project managers, we have systems engineers, we have data 
warehouse specialists, business intelligence specialists. So we 
have got those. You know, we have staffed up to be able to have 
those people within my office.
    We are working with the larger components to set up their 
own project management offices. To the idea, to the 
competencies, it will be critical for them to be able to have, 
you know, their ability to be able to understand what it is 
that the contractor is bringing in and to be able to have that 
oversight and to be able to guide the actual implementation.
    Mr. Carney. Ms. Sherry, you have signed up for an 
exceptionally difficult job, and I applaud your courage for 
doing that. We need people of goodwill and brains to take on 
this kind of thing, and I really applaud you for that.
    That said, this subcommittee is going to watch very closely 
where we are in the cost for TASC. That is our task to watch 
the cost of TASC, to put it indelicately here. We will come 
back to this.
    Mr. Bilirakis.
    Mr. Bilirakis. Thank you, Mr. Chairman.
    Ms. Sherry, the TASC award, which you have plans to be 
awarded in early 2010, is for an indefinite delivery indefinite 
quantity contract. Did you consider using a firm fixed-price 
contract, which would limit the risk to the Department in the 
event of cost overruns? If so, why would you ultimately decide 
on the IDIQ?
    Ms. Sherry. Yes, sir. Thank you very much for the question. 
I appreciate the opportunity to add one other point, which I 
think I have not talked about, and I believe that your question 
here kind of leads into the idea that the Department is 
absolutely undertaking a phased approach here.
    So what we are not doing, what they had done initially with 
the eMerge, where they tried to bring up the entire Department 
all at once with all these, you know, 8,000-plus requirements 
that they had gathered, we are doing this in a very phased 
approach. So with this IDIQ contract, we will allow us to be 
able to do that, sir, is to be able to issue specific task 
orders so that we can do this within phased approach.
    We have done an awful lot of outreach to other agencies to, 
like I said, to learn the things that they have done well, but 
also things that they wish that they could have changed.
    One of the things that we heard is that if you go right out 
of the box with a firm fixed-priced contract, there is a high 
likelihood, sir, that as they get in there and they start 
really understanding it and doing that analysis between what is 
it that you want versus what is it that the solution has and 
the things that you need to change, that basically you end up 
with a lot of the items that are simply out of scope.
    So what you thought that you were getting with your firm 
fixed price, ultimately you end up just getting an awful lot of 
out of scope issues.
    The way that this contract is structured allows us to be 
able to work with the contractor in phased approach starting 
with maybe one of the smaller entities, and we learn. Not only 
does the contractor learn, but the agency learns.
    My PMO will be with them every step of the way, and what we 
would do is we will learn. As we build on our knowledge and our 
learning curve and our competencies, it will move us, sir, into 
the ability to be able to do a firm fixed-price contract. So 
that is within the realm of our ability to be able to issue a 
firm fixed-price task order as well, sir.
    Mr. Bilirakis. Customs and Border Protection has been doing 
well on its current platform. Are you concerned that moving 
them onto the new TASC system will impact their performance?
    Mr. Taylor. I think the CBP has clean audit opinions and 
has probably one of the better installations in DHS in terms of 
financial systems. However, they aren't without their own 
issues. Moving even a large organization like them in a phased 
approach to a centralized system would probably still in the 
long run be in the best interest of that organization.
    That said, depending on how you plan this, how you carry it 
out, there are a lot of risks involved in it, absolutely.
    Mr. Bilirakis. Also, in your written testimony you note a 
number of IT control weaknesses at the component level. How 
many of these weaknesses will be resolved by the migration to 
TASC?
    Mr. Taylor. I think it is premature to answer the question, 
sir, to be honest. I mean because some of the findings are 
redundant, by definition if you have three organizations with 
the same three material weaknesses, then you only have the 
consolidated three, so you drop it from that standpoint.
    But what we do is we take the component material weaknesses 
and roll them up into a consolidated, so assuming that the 
system had the proper internal controls and that the internal 
processing, the way that they are identified and the way 
planned, then they would reduce a lot of the material weakness 
findings we had.
    Mr. Bilirakis. Anyone else want to comment on that?
    Okay. Thank you very much.
    I yield back, Mr. Chairman.
    Mr. Carney. Thank you, Mr. Bilirakis.
    We have time for a few more questions.
    Mr. Pascrell, 5 minutes.
    Mr. Pascrell. Mr. Chairman, I hope you will follow up on 
the two points that we need an immediate reduction of how many 
committees these folks have to report to--I just think it 
doesn't make any sense--that point, with leadership. We need to 
do what we have been talking about, you know, around the edge 
about it.
    The other thing is that bureaucracy within the Department 
itself. We need to do something about it. To establish, maybe 
even take another look at how our committee system sets up 
within the Homeland Security Committee's subcommittees, whether 
we are feeding the bureaucracy.
    We started out by wanting to look into the various 
financial management systems throughout Homeland Security. You 
need people in the Department that are hired within the 
Department, have a lot to do about implementing the mission, 
and your background before you come to the Department.
    This is unlike HHS and Transportation and Labor and all of 
those different departments, because we are talking about a 
paramilitary. We are talking about the security of the Nation. 
The people we attract to the Department are going to implement 
these financial mechanisms and systems, but it would seem to me 
that we should spent a lot more time attracting people who have 
background in security, be it in the police, be it in the 
military, because this is the kind of operation that we need to 
defend the country.
    We are going to debate numbers. We are going to debate 
words, which are most of the time meaningless unless we have 
results. How can we best defend the homeland? It would mean to 
me that the people we hire in the Department should have some 
background, some knowledge of how military or civilian police 
operate.
    I hope you would take that message back to the Secretary, 
because I have not had any indication so far in the last 6 
months that that is at the centerpiece of the people we are 
attracting into the Department.
    When I hear all of this stuff, Mr. Chairman, about quotas 
and make sure everybody is represented in the Department--and I 
put my record up against anybody--but if they don't know 
anything about security, how in God's name can they be part of 
this Department?
    I would like to know who they are hiring, which is just as 
significant to me as the different financial mechanisms in all 
of these subdivisions of this Department. I don't want to 
minimize, but I want to prioritize. To me the priority is who 
is operating.
    So I want to thank these three folks for your service to 
your country. You did a great job of answering the questions, 
all of you.
    I think dearly of GAO. I really do. You have made a big 
difference in the Congress and how we look at things.
    I hope Ms. Daly and Ms. Sherry take back to the Secretary, 
who I have a great respect for, but we are not playing 
tiddlywinks here. We are not playing in the sandbox. This is 
serious stuff. I know it is serious for you. It is serious for 
us. Thank you.
    Thank you, Mr. Chairman.
    Mr. Carney. Thank you, Mr. Pascrell.
    We will adjourn momentarily here. We have votes, and I 
think we are at the end of the string as far as the questions 
go.
    We have seen the theme here. We started to talk about TASC 
and financial management of the Department and moving and 
migrating to a different system, but it doesn't take too many 
scrapes of the trowel to really expose a lot of underlying 
problems here.
    We are trying to get to an organization that is efficient 
and agile. We have one that is very inefficient and very 
cumbersome. You know, we take a lot on ourselves here in 
Congress to try to get that. Certainly, in this subcommittee we 
try to do that. I think you have been able to determine the 
passion that many of us have for this task at hand.
    But, you know, we need good people focused on the right 
questions, and please, I admonish every one of you, please let 
common sense prevail. Please.
    I want to thank the witnesses for their testimony. I 
imagine we will see you back again before too long. With that, 
we are adjourned.
    [Whereupon, at 11:20 a.m., the subcommittee was adjourned.]

                                 
