Information Technology Management: SBA Needs to Establish Policies and
Procedures for Key IT Processes (Letter Report, 05/31/2000,
GAO/AIMD-00-170).

Pursuant to a congressional request, GAO reviewed the Small Business
Administration's (SBA) management of information technology (IT),
focusing on the five key IT process areas--investment management,
architecture, information security, software development and
acquisition, and human capital management.

GAO noted that: (1) although SBA plans to improve its key IT processes,
many of SBA's policies and procedures for managing IT are in draft form
or not yet developed; (2) SBA has not yet established policies to manage
IT investments and human capital; (3) procedures for maintaining SBA's
enterprisewide IT architecture and for implementing information security
policies are still in draft form and incomplete; (4) also, standards and
procedures to support new software development are being adopted, and IT
guidance for software acquisition is obsolete; (5) in each of these
areas, SBA intends to implement needed policies and procedures; (6)
while SBA intends to pursue best practices for IT planning, monitoring,
and evaluation, its current practices do not generally adhere to defined
processes; (7) in particular, investment management activities are
limited largely to reviewing IT proposals, architecture related
activities are performed without a defined process, and software
development and acquisition are predominately ad hoc; (8) in the
information security area, SBA lacks centralized oversight of the
activities of its field and program offices; (9) risk assessments have
not been performed periodically on all mission-critical systems and
security training has not yet been provided to employees and contractor
staff; (10) human capital management activities are limited to a
non-IT-specific training needs survey, and a human capital assessment
has not been performed to identify short- and long-term IT knowledge and
skills requirements; and (11) to its credit, SBA recognizes many of
these IT management weaknesses and plans to make improvements in each
key process area.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-170
     TITLE:  Information Technology Management: SBA Needs to Establish
	     Policies and Procedures for Key IT Processes
      DATE:  05/31/2000
   SUBJECT:  Information technology
	     Information resources management
	     ADP procurement
	     Personnel management
	     Computer software
	     Internal controls
	     Small business assistance
	     Strategic information systems planning
	     Systems design
	     Human resources training
IDENTIFIER:  SBA Loan Monitoring System

GAO/AIMD-00-170

Accounting and Information
Management Division

B-285295

May 31, 2000

The Honorable Christopher S. Bond
Chairman
Committee on Small Business
United States Senate

Dear Mr. Chairman:

As the Small Business Administration (SBA) tries to transform itself into a
"21st Century leading edge financial institution," it needs to identify and
address operational problems that have agencywide implications. Evaluating
SBA's management of information technology (IT) is a critical part of
efforts to assess whether it has a sound foundation for addressing these
problems. As you requested, our objective was to evaluate SBA's IT
management in five key IT process areas: investment management,
architecture, information security, software development and acquisition,
and human capital management. On April 7, 2000, we briefed your office on
the results of this work. The briefing slides are included in appendix I.

This report provides a high-level summary of the information presented at
the briefing, including (1) background on SBA's mission and programs, IT
environment, budgets, and staffing and (2) our review of SBA's policies,
procedures, and practices in each IT area. SBA provided us with comments on
a draft of the briefing, and we considered those comments in developing this
report. SBA's comments are discussed in the "Agency Comments and Our
Evaluation" section and are reprinted in appendix II.

Although SBA plans to improve its key IT processes, many of SBA's policies
and procedures for managing IT are currently in draft form or not yet
developed. Specifically, SBA has not yet established policies to manage IT
investments and human capital. In addition, procedures for maintaining SBA's
enterprisewide IT architecture and for implementing information security
policies are still in draft form and incomplete. Also, standards and
procedures to support new software development are being adopted, and IT
guidance for software acquisition is obsolete. In each of these areas, SBA
intends to implement needed policies and procedures.

While SBA intends to pursue best practices for IT planning, monitoring, and
evaluation, its current practices do not generally adhere to defined
processes. In particular, investment management activities are limited
largely to reviewing IT proposals, architecture related activities are
performed without a defined process, and software development and
acquisition practices are predominantly ad-hoc. In the information security
area, SBA lacks centralized oversight of the activities of its field and
program offices. In addition, risk assessments have not been performed
periodically on all mission-critical systems and security training has not
yet been provided to employees and contractor staff. Human capital
management activities are limited to a non-IT-specific training needs
survey, and a human capital assessment has not been performed to identify
short- and long-term IT knowledge and skills requirements. To its credit,
SBA recognizes many of these IT management weaknesses and plans to make
improvements in each key process area.

To improve SBA's IT management, we have made a number of recommendations in
each area. SBA has agreed with our recommendations and has stated that
efforts are underway to address them. SBA also emphasized that it is
committed to improving IT management practices.

SBA's mission is to maintain and strengthen the nation's economy by aiding,
counseling, assisting, and protecting the interests of small business and by
helping businesses and families recover from natural disasters. SBA
administers small business programs, including 8(a) federal contracting
set-asides and 7(a) loans to help economically disadvantaged firms start,
grow, and stay in business. SBA's disaster loan program offers financial
assistance to businesses and families trying to rebuild in the aftermath of
a disaster.

For fiscal year 2000, SBA's budget request was about $995 million, including
$762 million in regular appropriations and $233 million for
contingency/emergency appropriations to support the disaster loan program.
Based on the total IT budget expenditures incurred by the Office of the
Chief Information Officer, the Office of Disaster Assistance, and the Office
of the Chief Financial Officer, SBA had an average IT budget of about $39
million annually from fiscal year 1997 through fiscal year 2000. IT
expenditures were primarily for operations and maintenance activities, and
limited funds were allocated for systems development activities and IT
training.

To support the management of its programs, SBA depends on its IT
environment, which includes 42 mission-critical systems running on legacy
mainframe and minicomputers. Ten of these systems support administrative
activities; the remaining 32 support loan activities, including loan
accounting and collection, loan origination and disbursement, and loan
servicing and debt collection.

SBA's self-assessment of its IT environment has shown that the legacy
systems are not effectively integrated and thus provide limited information
sharing. The assessment has also shown that SBA cannot depend on the systems
to provide consistent information. Because of these problems, SBA has
embarked on an agencywide systems modernization initiative to replace its
outmoded legacy systems.

In fiscal year 1999, SBA reported having 127 IT staff to set policies, plan
and oversee IT projects, operate and maintain computer systems, and provide
computer training to employees. Also, SBA used about the same number of
contractor staff for technical support and day-to-day operations and
maintenance of systems.

Project Selection Reviews Were Performed

IT investment management is an integrated approach that provides for the
life-cycle management of IT investments. This investment process requires
three essential phases: selection, control, and evaluation. In the selection
phase, the organization determines priorities and makes decisions about
which projects will be funded based on the technical soundness of the
projects, their contribution to mission needs, performance improvement
priorities, and overall IT funding levels. The costs, benefits, and risks of
all IT projects are assessed and the projects are compared against each
other and ranked. In the control phase, all projects are consistently
controlled and managed. Progress reviews, in which progress is compared
against projected cost, schedule, and expected mission benefits, are
conducted at key milestones in each project's life cycle. The evaluation
phase compares actual performance against estimates to identify and assess
areas in which future decision-making can be improved.

SBA has made progress in establishing an investment review board and is
beginning to define an investment selection process. However, it has not yet
established IT investment management policies and procedures to help
identify and select projects that will provide mission-focused benefits and
maximum risk-adjusted returns. Likewise, SBA has not yet defined processes
for investment control and evaluation to ensure that selected IT projects
will be developed on time, within budget, and according to requirements and
that these projects will generate expected benefits. Regarding investment
management practices, SBA has performed only limited reviews of major IT
investments and these reviews were ad-hoc since little data have been
captured for analyzing benefits and returns on investments.

Without established policies and defined processes for IT investment
management practices, SBA cannot ensure that consistent selection criteria
are used to compare costs and benefits across project proposals, that
projects are monitored and provided with adequate management oversight, or
that completed projects are evaluated to determine overall organizational
performance improvement. In addition, the agency lacks assurance that the
collective results of postimplementation reviews across completed projects
will be used to modify and improve investment management based on lessons
learned.

To address IT investment management weaknesses, SBA plans to develop and
implement an investment selection process that includes screening, scoring,
and ranking proposals. It also plans to use its target architecture to guide
IT investments. In addition, SBA plans to develop and implement an
investment control process to oversee and control projects on a quarterly
basis. As part of investment control, SBA plans to collect additional data
from all investment projects and compare actual data with estimates in order
to assess project performance.

An IT architecture is a blueprint--consisting of logical and technical
components--to guide the development and evolution of a collection of
related systems. At the logical level, the architecture provides a
high-level description of an organization's mission, the business functions
being performed and the relationships among the functions, the information
needed to perform the functions, and the flow of information among
functions. At the technical level, the architecture provides the rules and
standards needed to ensure that the interrelated systems are built to be
interoperable and maintainable.

SBA has made progress with its target IT architecture by describing its core
business processes, analyzing information used in the business processes,
describing data maintenance and data usage, identifying standards that
support information transfer and processing, and establishing guidelines to
migrate current applications to the planned environment. However, procedures
do not exist for change management to ensure that new system installations
and software changes will be compatible with other systems and SBA's planned
operating environment.

Without established policies and systematic processes for IT architecture
activities, SBA cannot ensure that it will develop and maintain an
information architecture that will effectively guide efforts to migrate
systems and make them interoperable to meet current and future information
processing needs.

To address IT architecture weaknesses, SBA plans to establish a change
management process for architecture maintenance to ensure that new system
installations and software changes will be compatible with other systems and
SBA's planned operating environment. In addition, it plans to incorporate in
the target architecture specific security standards for hardware, software,
and communications.

Acquisition Guidelines Are Obsolete, Practices Are Inconsistent

To provide the software needed to support mission operations, an
organization can develop software using its staff or acquire software
products and services through contractors. To effectively manage software
development and acquisition processes, the organization needs to establish
policies and procedures and assign organizational responsibilities for their
implementation. To manage its software projects, the organization should
have well-defined software development and acquisition processes, including
the methodologies and standards that will be used. Key processes for
software development include requirements management, project planning,
project tracking and oversight, quality assurance, and configuration
management. Additional key processes needed for software acquisition include
acquisition planning, solicitation, contract tracking and oversight, product
evaluation, and transition to support.

SBA lacks policies for software development and acquisition to help produce
information systems within the cost, budget, and schedule goals set during
the investment management process that at the same time comply with the
guidance and standards of its IT architecture. SBA's IT guidance and
procedures for software acquisition are obsolete and thus rarely used for
acquisition planning, solicitation, contract tracking and oversight, product
evaluation, and transition to support. An existing systems development
methodology is being adopted to replace outdated guidelines that lack key
processes for software development. Our review of the selected software
projects indicates that SBA's practices are typically ad-hoc for project
planning, project tracking and oversight, quality assurance, and
configuration management.

Without established policies and defined processes for software development
and acquisition, practices will likely be ad-hoc and not adhere to generally
accepted standards. Key activities, such as requirements management,
planning, configuration management, and quality assurance, will be
inconsistently performed or not performed at all when project managers are
faced with time constraints or limited funding. These weaknesses can delay
delivery of software products and services and lead to cost overruns.

To address software development and acquisition weaknesses, SBA plans to
implement formal practices, such as software requirements management and
configuration management on a project basis before establishing these
practices agencywide. Specifically, SBA has selected the Loan Monitoring
System (LMS) project as a starting point for identifying, developing, and
implementing a new systems development methodology and associated policies,
procedures, and practices. LMS therefore will serve as a model for future
systems development projects.

Risk Assessments Are Not Performed

Information security policies address the need to protect an organization's
computer-supported resources and assets. Such protection ensures the
integrity, appropriate confidentiality, and availability of the data and
systems of an organization. Integrity ensures that data have not been
altered or destroyed in an unauthorized manner. Confidentiality ensures that
information is not made available or disclosed to unauthorized individuals
or entities. Availability ensures that data will be accessible or usable
upon demand by an authorized entity.

Key activities for managing information security include risk assessment,
awareness, controls, evaluation, and central management. Risk assessments
consist of identifying threats and vulnerabilities to information assets and
operational capabilities, ranking risk exposures, and identifying
cost-effective controls. Awareness involves promoting knowledge of security
risks and educating users about security policies, procedures, and
responsibilities. Evaluation involves monitoring effectiveness of controls
and awareness activities through periodic evaluations. Central management
involves coordinating security activities through a centralized group.

SBA's computer security procedures for systems certification and
accreditation are in draft form. With respect to information security
activities, SBA has not conducted periodic risk assessments for all
mission-critical systems; the agency only recently conducted a risk
assessment for one system. Training and education have not been provided to
promote security awareness and responsibilities of employees and contractor
staff. Further, security management responsibilities are currently
fragmented among all of SBA's field and program offices.

Without security policies, SBA faces increased risk that critical
information and assets may not be protected from inappropriate use,
alteration, or disclosure. Without defined procedures, practices are likely
to be inconsistent for such activities as periodic risk assessments,
awareness training, implementation of controls, and evaluation of policy
compliance and effectiveness of controls.

To address information security weaknesses, SBA has hired additional staff
to develop procedures to implement computer security policies and to manage
computer accounts and user passwords. These staff are also responsible for
performing systems security certification reviews of new and existing IT
systems. In addition, SBA plans to finish development and testing of a
comprehensive disaster recovery and business continuity plan.

Strategies and Plans Are Not Yet Developed

The concept of human capital centers on viewing people as assets whose value
to an organization can be enhanced through investment. As the value of
people increases, so does the performance capacity of the organization and
therefore its value to clients and other stakeholders. To maintain and
enhance the capabilities of IT staff, the agency should conduct four basic
activities: (1) assess the knowledge and skills needed to effectively
perform IT operations to support the agency mission and goals; (2) inventory
the knowledge and skills of current IT staff to identify gaps in needed
capabilities; (3) develop strategies and implementation plans for hiring,
training, and professional development to fill the gap between requirements
and current staffing; and (4) evaluate progress made in improving IT human
capital capability and use the results of these evaluations to continuously
improve the organization's human capital strategies.

SBA has not established policies and procedures to identify and address its
short- and long-term requirements for IT knowledge and skills. Similarly,
SBA has not conducted an agencywide assessment to determine gaps in IT
knowledge and skills in order to develop workforce strategies and
implementation plans. Further, SBA has not yet evaluated its progress in
improving IT human capital capabilities or used data to continuously improve
human capital strategies.

Without established policies and procedures for human capital management,
SBA lacks assurance that it adequately identifies the IT knowledge and
skills needed to support its mission, develops appropriate workforce
strategies, and plans to hire and train staff to effectively perform IT
operations.

To address IT human capital management weaknesses, SBA plans to conduct a
comprehensive assessment of training needs with a special emphasis on the
needs of its IT staff. The survey is scheduled for fiscal year 2001 and will
be conducted at both headquarters and SBA field offices.

To improve IT management practices, we recommend that the SBA Administrator
direct the Chief Information Officer (CIO) to establish policies and
procedures for managing information technology and define and implement
processes for each of the following areas:

In the investment management area, we recommend that the Administrator
direct the CIO to adopt policies and procedures and define processes for

* investment selection to ensure that IT projects result in mission-focused
benefits and that risk-adjusted return on investment is maximized;

* investment control to determine whether selected projects are being
developed on time, within budget, and according to requirements, and to take
corrective actions as appropriate; and

* investment evaluation by conducting postimplementation reviews to
determine whether completed projects are generating expected mission-focused
benefits.

In the IT architecture area, we recommend that the Administrator direct the
CIO to

* develop a systematic process for architecture development to ensure that
the architecture will meet the agency's current and future information
processing needs,

* establish policies and procedures for architecture maintenance to ensure
that new systems and software changes are compatible with other systems and
SBA's planned operating environment, and

* set a target date for implementation of the maintenance processes.

For software development and acquisition, we recommend that the
Administrator direct the CIO to

* complete the systems development methodology and develop a plan to
institutionalize and enforce its use agencywide, and

* establish policies, procedures, and processes for software development and
software acquisition and develop a mechanism to enforce them. These
policies, procedures, and processes need to address areas such as
requirements management, project planning, project tracking and oversight,
software quality assurance, configuration management, acquisition planning,
solicitation, contract tracking and oversight, product evaluation, and
transition to support.

For information security, we recommend that the Administrator direct the CIO
to

* conduct periodic security risk assessments to identify and rank threats
and vulnerabilities;

* implement a complete, effective security awareness program;

* periodically update policies and procedures on information security and
implement security controls to address identified vulnerabilities;

* complete the development and testing of its comprehensive disaster
recovery and business continuity plan, which should then be updated and
tested periodically;

* conduct periodic security evaluations to determine whether policies,
procedures, and controls are effective against identified vulnerabilities
and take remedial action as needed; and

* develop and implement a centralized mechanism to monitor and enforce
compliance on information security by employees, contractors, and program
offices.

In the human capital management area, we recommend that the SBA
Administrator direct the CIO to

* identify SBA's IT knowledge and skills requirements,

* perform periodic IT staff assessments to identify current levels of IT
knowledge and skills,

* develop workforce strategies and implement plans to acquire and maintain
the necessary IT knowledge and skills to support the agency mission, and

* periodically evaluate progress in improving SBA's IT human capital
capability and use the results to continuously improve human capital
strategies.

In its written comments on a draft of the briefing, SBA agreed with our
recommendations and stated that actions are already underway to address many
of them. SBA also agreed with our findings but expressed concerns about the
presentation of results, some statements in the draft briefing that do not
reflect SBA's latest status, and assumptions on the appropriate level of
detail in SBA planning documents.

Concerning the presentation of results, SBA requested that we clearly
describe our assessment criteria to allow for a fair interpretation of its
findings--since many of these criteria include industry standards that had
emerged only in the last few years. Our briefing slides identify the
criteria and standards that we applied in assessing SBA IT management. These
standards have sufficient flexibility to make possible the development of
key IT processes appropriate for the size and complexity of the IT
environment of any organization.

SBA also contended that other small federal agencies would not show
compliance much beyond SBA's. We note that SBA is the first federal agency
for which we have used indicators to graphically depict our evaluation
results. Regardless of where SBA operations may stand relative to similar
size federal agencies, comparison with industry standards is a sound
approach for identifying activities that can be improved to enhance the
capability of supporting the agency's mission and obtaining a positive
return on IT investment.

Concerning statements in the draft briefing report that do not reflect SBA's
current status and our assumptions on the level of detail in SBA planning
documents, we updated appropriate briefing slides to include information
recently provided by SBA. Appendix II contains specific revisions made to
the briefing report and also provides the full text of SBA's comments and
our responses to comments not discussed above.

The SBA Deputy Administrator also provided oral comments on a draft of this
letter. He was concerned that our report did not fully reflect SBA's
commitment to improve IT management as demonstrated in its recent actions in
planning for the loan monitoring system and suggested that we recognize
this. We agree that SBA has demonstrated a commitment to improve IT
management and, accordingly, we made changes to reflect this comment in this
report.

As requested, our objective was to evaluate SBA's management of information
technology in the areas of investment management, architecture, software
development and acquisition, information security, and human capital
management. These five key areas encompass major IT functions and are
recognized by the IT industry as having substantial influence over the
effectiveness of operations. In each IT area, we reviewed SBA's IT policies
and procedures and compared them against applicable laws and regulations,
federal guidelines, and industry standards. We evaluated SBA's IT management
using the Clinger-Cohen Act, Computer Security Act, and guidelines issued by
the Chief Information Officer's Council, the Office of Management and
Budget, the General Services Administration, the National Institute of
Standards and Technology, the Software Engineering Institute, the Institute
of Electrical and Electronics Engineers, Inc. (IEEE), and ourselves. We also
reviewed selected SBA IT projects and activities to determine if practices
complied with SBA's policies and procedures and industry standards. The
projects selected for review included the Loan Monitoring System,
SmartStream, PRO-Net, HubZones, and Subsidy Rate. These selected projects
represent a mix of ongoing and completed IT projects of various cost and
duration. We also reviewed activities related to current investments.

For each IT area we reviewed, we depicted our evaluation results and
judgments on the current state of SBA policies, procedures, and practices by
using three broad indicators. SBA is the first federal agency in which we
have used these indicators to graphically represent our assessment results.
Accordingly, there is no basis for comparing SBA against other agencies
using this type of depiction.

We conducted our review at various SBA headquarters offices including the
Office of the Chief Information Officer, the Office of Disaster Assistance,
the Office of the Chief Financial Officer, the Office of Human Resources,
and the Office of Field Operations. We also worked at the Office of
Financial Systems in Denver and at the Disaster Office in Sacramento. We
conducted our work from August 1999 through April 2000 in accordance with
generally accepted government auditing standards.

As agreed with your office, unless you publicly announce the contents of
this report earlier, we will not distribute it until 30 days from the date
of this letter. At that time, we will send copies to the Honorable Aida
Alvarez, Administrator, Small Business Administration; the Honorable Jacob
J. Lew, Director, Office of Management and Budget; and other interested
parties. Copies will also be made available to others upon request.

If you have questions on matters discussed in this report, please contact me
at (202) 512-6253, or James R. Hamilton, Assistant Director, at (202)
512-6271. We can also be reached at [email protected] and
[email protected], respectively. Key contributors to this report were
William G. Barrick, John T. Christian, Mike J. Dolak, Myong S. Kim, Anh Q.
Le, Thomas F. Noone, Edward R. Tekeley, and Hai V. Tran.

Sincerely yours,
Joel C. Willemssen
Director, Civil Agencies Information Systems

Briefing on Small Business Administration's Management of Information
Technology

Comments From the Small Business Administration

The following are GAO's additional responses to SBA's letter dated April 4,
2000.

1. Business processes--because SBA has now established a completion date,
the statement "SBA has not yet provided a completion date for the
architecture" has been removed from the briefing slide.

2. Information flows and relationships--the Chief Operating Officer states
that SBA developed an information architecture in 1995 that lists the
entities and individual data elements used and collected by each of the SBA
business activities. However, the 1995 architecture is obsolete and is being
replaced by a new draft IT architecture. The draft IT architecture still
does not include the flows and relationships of information needed by
different business entities and does not identify who is responsible for
maintaining and updating the information. This information is needed for
other components of the architecture to develop proper information and
communications services.

3. Applications--because SBA has now provided a consolidated list of
applications in its latest draft version of the IT architecture, the
statement "the draft architecture does not provide a consolidated inventory
of applications" has been removed from the briefing slide.

4. Data descriptions and relationships--GAO assessed SBA's current effort to
develop its IT architecture and did not compare that effort with those of
other agencies.

5. Technology architecture--GAO did not compare SBA's technology
architecture with other federal agency architectures.

6. Technical reference model--the Zachman framework for enterprise
architecture calls for populating various "cells" of the framework with
models and defining the generic contents of each of the cells of the
framework. We noted "SBA has not clearly defined how the framework will be
applied for the development of its architecture" because SBA does not
identify the cells of the framework to be populated with models and, where a
cell of the framework is not populated with a model, does not explain why
that part of SBA's IT architecture is not relevant. Also, we noted "SBA IT
architecture does not identify the products specifying the contents of the
framework" because the contents of SBA's architecture components for
applications and technical infrastructure do not adequately address plans
and controls for defining the roles, responsibilities, and skills required
within the architecture process.

7. Legacy systems integration--because SBA has now provided a list of legacy
systems for migration to the target architecture, the statement "SBA is also
working to develop a list of legacy systems for migration to the target
architecture" was removed from the briefing slide.

8. Requirements management--the Chief Operating Officer states that SBA uses
IEEE guidance for requirements documentation and has developed procedures
for requirements management. We acknowledge that SBA recently said that it
will adhere to the format recommended by the IEEE standard for specifying
system requirements. However, SBA's use of this particular industry standard
on the LMS project, though commendable, is an exception to the general
practices employed by SBA on its other system development projects. SBA
lacks organizational policy and procedures for implementing generally
recognized best practices in this area, including allocating requirements,
implementing requirements traceability, assessing the impact of proposed
changes to requirements, and measuring requirements variability for use as a
management indicator of project risk.

9. Project planning--the Chief Operating Officer states that SBA is using
the LMS project to develop and establish guidance for project planning. We
commend the intention of SBA to define guidance for this area and formalize
its adoption throughout the agency. Our review focused, however, on
reporting what is currently in place and how the current state of affairs
compares with generally accepted industry practices. In this regard, SBA's
stated intention is not yet matched by a plan to attain specific
improvements in this area. For example, there is no identifiable task or
scheduled date for defining, issuing, and implementing agencywide policies
on standards and accountability for project planning, the use of the systems
development methodology, the application of documented procedures, and the
performance of standard organizational practices defined for this area.

10. Project tracking and oversight--the Chief Operating Officer states that
SBA managers formally tracked progress on projects that we did not review
and informally tracked progress on projects that we did review. Tracking, as
applied by best practices in this area, is used to measure, identify, and
report on the health of a project's schedule and cost, as these relate to
work products, critical events, and other project commitments. However, we
found that at SBA, project management reports were not always available and,
when available, lacked comparative data for analysis. In addition, recording
and reporting of project information either did not occur, or were
inconsistently performed.

11. Configuration management--the Chief Operating Officer states that SBA is
performing configuration management for the LMS system and that
configuration management guidance is included in the LMS statement of work.
Our review of the LMS project revealed that configuration management
practices were not performed--we did not find any items placed under
configuration management.

12. Needs assessment--the Chief Operating Officer states that SBA conducted
a training needs survey in late fiscal year 1998. Our review of IT human
capital activities revealed that this survey did not focus on the training
needs of SBA's IT staff, nor was it reflective of an analysis of the short-
and long-term knowledge and skills requirements of SBA's IT staff. Several
times during our review, the CIO stated that SBA had not yet done an
assessment of its IT staff's knowledge and skills requirements, nor had it
developed strategies for addressing gaps in its current knowledge and skills
level.

(511851)
  

1. Sec. 8(a), Small Business Act, 15 USC 637(a): SBA's 8(a) program assists
in the development of small companies that are owned and operated by
socially and economically disadvantaged individuals. An 8(a) company is
eligible for federal contracting set-asides and other business development
support to gain access to the economic mainstream.

2. Sec. 7(a), Small Business Act, 15 USC 636(a): the 7(a) loan program is
for business start-ups and to meet the varied short- and long-term needs of
existing small businesses. Under 7(a), SBA guarantees loans to small
businesses that cannot obtain financing on reasonable terms through other
channels.