Year 2000 Computing Challenge: Financial Management Service Has
Established Effective Year 2000 Testing Controls (Letter Report,
10/29/1999, GAO/AIMD-00-24).

Pursuant to a congressional request, GAO reviewed the Financial
Management Service's (FMS) Year 2000 program, focusing on whether FMS
is: (1) effectively managing its year 2000 testing; and (2) taking
adequate steps to mitigate the year 2000 risks associated with four
mission-critical systems that were not implemented by the Office of
Management and Budget's (OMB) March 1999 deadline.

GAO noted that: (1) FMS has established effective year 2000 test
management controls for its six most mission-critical systems; (2) for
instance, FMS developed test guidance, defined compliance criteria, and
defined test roles and responsibilities; (3) together, these and other
controls, provided the infrastructure needed for planning, executing and
reporting year 2000 test activities, including system acceptance and
end-to-end testing; (4) in line with GAO's year 2000 test guide, which
is widely accepted and used in government and private industry, FMS also
engaged an independent verification and validation (IV&V) contractor to
ensure that testing was complete and thorough; (5) GAO reviewed this
contractor's work and found that: (a) its scope was consistent with
GAO's year 2000 test guide; and (b) the contractor identified no
material problems with system acceptance testing of five of FMS' six
most critical systems; (6) GAO also found that although the IV&V
contractor did not review the sixth system, FMS took steps to gain
reasonable assurance that year 2000 testing for this system was
effectively managed; (7) further, FMS has established effective
management controls in performing its portion of selected year 2000
end-to-end tests; (8) specifically, FMS satisfied the end-to-end testing
key processes defined in GAO's guidance for three critical test events;
(9) these events focused on three of FMS' most important core business
functions--social security payments, Supplemental Security Income
payments, and Internal Revenue Service (IRS) tax refund payments; (10)
the tests included FMS processing payment files from Social Security
Administration and IRS, printing checks, and transmitting electronic
payment files to Federal Reserve Banks; (11) as of October 1, 1999, FMS
reported that it had implemented two of the four systems that did not
meet the March 31, 1999, OMB-imposed deadline for implementation; (12)
for the remaining two, FMS reported that it has: (a) renovated and
tested both; (b) implemented both at two of five sites; and (c) plans to
complete their implementation by the end of October 1999; and (13) in
addition, FMS has prepared and plans to test system contingency plans
for these late systems as well as its other mission-critical systems.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-24
     TITLE:  Year 2000 Computing Challenge: Financial Management
	     Service Has Established Effective Year 2000 Testing
	     Controls
      DATE:  10/29/1999
   SUBJECT:  Y2K
	     Computer software verification and validation
	     Systems conversions
	     Strategic information systems planning
	     Information resources management
	     Systems compatibility
	     Federal agency accounting systems
	     Financial management systems
IDENTIFIER:  FMS Year 2000 Program
	     Supplemental Security Income Program
	     FMS Electronic Federal Tax Payment System
	     Government On-Line Accounting Link System
	     Y2K
	     SSI

******************************************************************
** This file contains an ASCII representation of the text of a  **

** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************

Report to the Chairman, Subcommittee on Oversight, Committee on Ways and
Means, House of Representatives

October 1999

YEAR 2000 COMPUTING CHALLENGE

Financial Management Service Has Established Effective Year 2000 Testing
Controls
*****************

*****************

GAO/AIMD-00-24

Letter                                                                     3

Appendixes

Appendix I:Briefing to House Committee on Ways and Means, Subcommittee on
Oversight

                                                                         10

Appendix II:Objectives, Scope, and Methodology

                                                                         64

                                                 Accounting and Information
                                                        Management Division

B-282428

October 29, 1999

The Honorable Amo Houghton
Chairman, Subcommittee on Oversight
Committee on Ways and Means
House of Representatives

Dear Mr. Chairman:

The Treasury Department's Financial Management Service (FMS) annually
disburses social benefit and other payments and collects revenue which in
the aggregate is now about $2.7 trillion. FMS also manages and oversees
the federal government's central accounting and reporting systems that
generate vital financial information used by congressional and executive
agency decisionmakers. Consequently, it is essential for FMS' mission-
critical computer systems to operate correctly at and beyond
January 1, 2000.

At your request, we reviewed FMS' Year 2000 program to determine whether
FMS is (1) effectively managing its Year 2000 testing and (2) taking
adequate steps to mitigate the Year 2000 risks associated with four
mission-critical systems that were not implemented by the Office of
Management and Budget's (OMB) March 1999 deadline. On September 22, 1999,
we briefed FMS' Chief Information Officer (CIO) on our work results and
later obtained FMS' comments on this report.  The CIO agreed with our
results and conclusions. On October 4, 1999, we provided this briefing to
your office. This report summarizes the information presented at that
briefing. The briefing slides are included in appendix I and details of
our scope and methodology are in appendix II. Our work was performed from
February 1999 through October 1999, in accordance with generally accepted
government auditing standards.

Results in Brief

FMS has established effective Year 2000 test management controls for its
six most mission-critical systems. For instance, FMS developed test
guidance, defined compliance criteria, and defined test roles and
responsibilities. Together, these and other controls provided the
infrastructure needed for planning, executing and reporting Year 2000 test
activities, including system acceptance and end-to-end testing. 

In line with our Year 2000 test guide,/Footnote1/ which is widely accepted
and used in government and private industry, FMS also engaged an
Independent Verification and Validation (IV&V) contractor to ensure that
testing was complete and thorough. We reviewed this contractor's work and
found that (1) its scope was consistent with our Year 2000 test guide and
(2) the contractor identified no material problems with system acceptance
testing of five of FMS' six most critical systems./Footnote2/ We also
found that although the IV&V contractor did not review the sixth
system,/Footnote3/ FMS took steps to gain reasonable assurance that Year
2000 testing for this system was effectively managed. 

Further, FMS has established effective management controls in performing
its portion of selected Year 2000 end-to-end tests. Specifically, FMS
satisfied the end-to-end testing key processes defined in our guidance for
three critical test events. These events focused on three of FMS' most
important core business functions-Social Security payments, Supplemental
Security Income (SSI) payments, and IRS tax refund payments. The tests
included FMS processing payment files from the Social Security
Administration (SSA) and Internal Revenue Service (IRS), printing checks,
and transmitting electronic payment files to Federal Reserve Banks. 

As of October 1, 1999, FMS reported that it had implemented two of the
four systems/Footnote4/ that did not meet the March 31, 1999, OMB-imposed
deadline for implementation. For the remaining two, FMS reported that it has
(1) renovated and tested both, (2) implemented both at two of five sites,
and (3) plans to complete implementation in early November 1999. In
addition, FMS has prepared and plans to test system contingency plans for
these late systems as well as its other mission-critical systems. 

Background

FMS, a bureau of the Department of the Treasury, is the federal
government's financial manager. In this capacity, FMS has three primary
functions: disburser, collector, and accountant of financial information. 

As a disburser for most federal agencies, FMS processed in fiscal year
1998 over 860 million disbursements totaling over $1 trillion. These
covered a wide variety of expenses, including social security and veterans
benefit payments, IRS tax refunds, federal employee salaries, and vendor
billings.

As a collections agent, FMS is responsible for administering the world's
largest collections system. In fiscal year 1998, the government collected
over $1.7 trillion from individual and corporate income tax deposits,
customs duties, loan repayments, fines, and proceeds from leases, among
other sources. FMS relies on a network of about 11,000 financial
institutions to help collect these revenues.

As an accountant, FMS operates and maintains the federal government's
central accounting and reporting systems to reconcile and keep track of
the federal government's assets, liabilities, receipts, and disbursements.
Financial and budget execution information from these central systems is
used by FMS to publish financial reports that are used by the Congress,
OMB, and others who make financial decisions on behalf of the U.S.
government. 

To accomplish many of these functions, FMS relies on six systems it
considers its most mission critical:

o   The Social Security Administration (SSA) Payments system validates
  payment certification against payment file totals, performs edit
  checking, and generates and releases old-age and survivor social
  security payments.

o   The Supplemental Security Income (SSI) Payments system validates
  payment certification against payment file totals, performs edit
  checking, and generates and releases SSI payments.

o   The Internal Revenue Service (IRS) Payments system validates payment
  certification against payment file totals, performs edit checking, and
  generates and releases IRS tax refund payments. 

o   The Electronic Federal Tax Payment System (EFTPS) collects, deposits,
  and accounts for taxes withheld by employers from individuals' wages. 

o   The Government On-line Accounting Link System (GOALS) is a commercial
  timesharing service comprised of 18 subsystems that collect, edit, and
  communicate accounting and financial data to and from federal program
  agency users.

o   STAR maintains the Treasury's central accounting system by
  aggregating all transactions relating to the receipt and disbursement
  of government funds.

Because of FMS' heavy reliance on these systems, complete and thorough
testing is essential to provide reasonable assurance that they process
dates correctly and will not jeopardize FMS' ability to perform core
business functions during and after transition to a Year 2000 computing
environment. Our Year 2000 test guide describes a structured and
disciplined approach for managing Year 2000 test activities.

FMS Established an Effective Year 2000 Testing Organizational Infrastructure

Establishing an effective organizational infrastructure for Year 2000
testing provides the foundation for planning, execution, and reporting on
each incremental phase of Year 2000 testing activities, including system
acceptance testing and end-to-end testing. FMS has established the 11
organizational infrastructure key processes that our test guide defines.
For example, FMS (1) designated program- and project-level test managers
for its mission-critical systems, (2) developed and issued organizational
Year 2000 test guidance, (3) defined Year 2000 compliance criteria, (4)
defined the test organization and its components' roles and
responsibilities,
(5) defined test facilities and Year 2000 reporting requirements, and
(6) employed a process for ensuring the Year 2000 compliance of vendor-
supported products and services.

In addition, FMS engaged an IV&V contractor to provide third-party
assurance that its testing of 22 of its most mission-critical systems was
performed effectively (i.e., that it met process and product standards).
We found that the IV&V contractor's scope of work, as specified in the
contract between FMS and the contractor, was consistent with our test
guide and that the IV&V contractor performed according to the scope of
work. 

FMS Employed Effective Management Controls in Performing Systems
Acceptance Testing 

As specified in our test guide, system acceptance testing (SAT) verifies
that the entire system performs as intended. To determine how well FMS
managed SAT, we (1) selected the six mission-critical systems that FMS
identified as being the most important to supporting FMS' central payment,
collections, and accounting functions and (2) determined whether the
selected systems' testing had been independently verified and validated
and, if so, reviewed the results of the IV&V contractor's work. 

FMS' IV&V contractor found no material problems with the SAT of five of
these systems (SSA Payments, SSI Payments, IRS Payments, STAR, and GOALS)
and concluded that FMS had effectively managed SAT. FMS did not subject
EFTPS to IV&V because the two commercial banks that operate and maintain
the system were subject to Year 2000 examinations by a federal banking
regulator-the Office of the Comptroller of the Currency (OCC). 

Nevertheless, FMS took other steps to ensure that SAT for EFTPS was
managed effectively. For example, FMS reviewed the two banks' testing
progress monthly. FMS also required the banks to submit documentation
certifying the system's Year 2000 compliance. In addition, OCC agreed to
review the banks' progress on EFTPS during the regulator's Year 2000
examinations and report any concerns to FMS. According to FMS, as of
October 1, 1999, OCC had performed several on-site Year 2000 reviews at
each bank, reported that both had made satisfactory progress, and raised
no issues to FMS./Footnote5/

FMS Employed Effective Management Controls in Performing Its Portion of
End-to- End Test Events 

End-to-end testing verifies that a set of interrelated systems, which
collectively support an organizational core business area or function,
interoperate properly in an operational environment. These interrelated
systems include not only those owned and managed by the organization but
also the external systems with which the organization interfaces, as well
as the supporting telecommunications infrastructures. 

In its management of its portion of end-to-end test events for three
critical business functions (Social Security payments, SSI payments, and
IRS tax refund payments), FMS satisfied the end-to-end testing key
processes specified in our guide. For example, FMS worked with its test
partners to define the boundaries of these end-to-end tests, secured the
commitment of data exchange partners, used interorganizational test teams,
prepared test procedures and data, defined the expected results of each
test, and documented the test results. In addition, FMS confirmed the Year
2000 compliance of its vendor-supported telecommunications and
infrastructure.

FMS Is Reporting Progress on Its Late Mission-Critical Systems 

OMB's Year 2000 guidance, as amended in January 1998, requires that all
mission-critical systems be renovated, tested, and implemented by
March 31, 1999, in order to allow enough time for agencies to ensure that
systems are running smoothly and to plan for unexpected failures. On that
date, FMS reported that seven mission-critical systems had not yet been
implemented. By June 1999, FMS reported that it had implemented three of
these systems. As of October 1, 1999, FMS reported that it had implemented
two of the four remaining systems. With respect to the remaining two
systems, both of which FMS ranked as lower priority mission-critical
systems, FMS reported that it had (1) renovated and tested both, (2)
implemented both at two of five sites, and (3) planned to complete
implementation in early November 1999. In addition, FMS reports that it
had prepared and planned to test system contingency plans for these late
systems as well as its other mission-critical systems. 

Conclusion

FMS has effectively managed the Year 2000 testing of its most critical
payment, collection, and accounting systems. While this does not guarantee
that Year 2000-induced disruptions will not occur, it should significantly
reduce FMS' risk of internal system failures. 

We are sending copies of this report to Representative William Coyne,
Ranking Minority Member of your Subcommittee; Representatives Bill Archer,
Chairman, and Charles Rangel, Ranking Minority Member, House Committee on
Ways and Means; Senators William Roth, Chairman, and Daniel P. Moynihan,
Ranking Minority Member, Senate Committee on Finance; Senators Fred
Thompson, Chairman, and Joseph Lieberman, Ranking Minority Member, Senate
Committee on Governmental Affairs; Representatives Dan Burton, Chairman,
and Henry Waxman, Ranking Minority Member, House Committee on Government
Reform; and Representatives Steven Horn, Chairman, and Jim Turner, Ranking
Minority Member, Subcommittee on Government Management, Information and
Technology, House Committee on Government Reform.

We are also sending copies to the Honorable Lawrence H. Summers, Secretary
of the Treasury; the Honorable Richard Gregg, Commissioner, Financial
Management Service; the Honorable Kenneth S. Apfel, Commissioner, Social
Security Administration; the Honorable
Charles O. Rossotti, Commissioner of Internal Revenue; the Honorable John
Koskinen, Chair, the President's Council on Year 2000 Conversion; and the
Honorable Jacob Lew, Director, Office of Management and Budget. We will
send copies to others upon request.

If you have any questions, please contact me or Gary Mountjoy, Assistant
Director, at (202) 512-6240 or via e-mail at [email protected]  or
[email protected]. Other major contributors to this work were Bernard
Anderson, Timothy Hopkins, Richard Hung, and Sabine Paul.

Sincerely yours,

*****************

*****************

Randolph C. Hite
Associate Director
Governmentwide and Defense
  Information Systems

--------------------------------------
/Footnote1/-^Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-
  10.1.21, issued as an exposure draft in June 1998; issued in final in
  November 1998).
/Footnote2/-^Social Security Administration (SSA) Payments, Supplemental
  Security Income (SSI) Payments, Internal Revenue Service (IRS) Payments,
  STAR, and Government On-line Accounting Link System (GOALS).
/Footnote3/-^Electronic Federal Tax Payment System (EFTPS).
/Footnote4/-^None of the four were among FMS' six most mission-critical
  systems. Instead, FMS ranked the four to be lower priority mission-
  critical systems. 
/Footnote5/-^We reviewed the Year 2000 oversight efforts of OCC and the
  other federal depository institution regulators and found that they had
  developed and issued detailed Year 2000 guidelines for the institutions
  and performed extensive, periodic on-site examinations of banks' and
  other depository institutions' Year 2000 efforts (e.g., see Year 2000
  Computing Crisis: Federal Depository Institution Regulators Are Making
  Progress, But Challenges Remain (GAO/T-AIMD-98-305, Sept. 17, 1998)).

BRIEFING TO HOUSE COMMITTEE ON WAYS AND MEANS, SUBCOMMITTEE ON OVERSIGHT
========================================================================

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

*****************

OBJECTIVES, SCOPE, AND METHODOLOGY
==================================

Our objectives were to determine whether FMS is (1) effectively managing
its Year 2000 testing and (2) taking adequate steps to mitigate the Year
2000 risks associated with four mission-critical systems that were not
implemented by OMB's March 1999 deadline. 

To address the first objective, we assessed whether FMS had
(1) implemented an effective organizational infrastructure for Year 2000
testing, (2) employed effective management controls in performing system
acceptance testing of selected systems, and (3) employed effective
management controls in performing selected end-to-end tests.

To assess organizational infrastructure, we analyzed FMS' institutional
management structure and controls (organizations, policies, guidance, and
standards) used to perform Year 2000 testing. We compared these structures
and controls against the 11 key processes in our Year 2000 test
guidance/Footnote1/ to identify variances, their causes, and impacts.

To evaluate the management of the selected systems' acceptance testing, we
first selected six key systems to review. These systems were selected
because they are the most mission-critical systems that support FMS' three
central functions (payments, collections, and accounting). For payments,
we selected the three systems that process the largest dollar volume and
process payment transactions related to public financial well-
being./Footnote2/ For collections, we selected the system that collects
the vast majority of the government's revenue./Footnote3/ For accounting,
we selected the two systems that, among other things, are central to FMS
meeting its statutory mandate of preparing an annual consolidated
financial statement for the federal government./Footnote4/ FMS officials
agreed that our selected systems were its most important systems. 

We then determined whether the selected systems' testing had been
independently verified and validated and, if so, we compared the IV&V
contractor's scope of work (as specified in the contract between FMS and
the contractor) to our guidance and then compared the actual work to FMS'
IV&V requirements to ensure that the contractor's work was complete and
thorough. This was the case for SSA, SSI, and IRS payments; GOALS; and
STAR. For the system whose testing was not independently verified and
validated (EFTPS), we reviewed the management control and oversight steps
that FMS took to assure itself that the system had been adequately tested.

To assess the management of selected end-to-end tests, we selected three
completed test events (SSA payments, SSI payments, and IRS tax refunds)
pertaining to FMS' core business functions that are essential to its
ability to meet its mission goals. We then analyzed the management
structures and controls that FMS used to manage and perform end-to-end
testing for these events and compared them to the 11 key processes in our
Year 2000 test guidance to identify any variances, their causes, and
impacts. We did not analyze the management structures and controls used by
the other end-to-end test participants (SSA, IRS, and the Federal Reserve). 

To assess the risk mitigation efforts for the four mission-critical
systems that missed OMB's March 31, 1999, implementation date, we (1)
determined the current status of each system, (2) determined each system's
purpose and mission significance, (3) analyzed FMS' plans and schedules
for completing outstanding Year 2000 activities, and (4) analyzed FMS'
plans and activities for identifying and managing each system's risks and
assessed progress in implementing risk mitigation strategies.

We coordinated our work with the Department of the Treasury's Office of
the Inspector General, which is conducting a concurrent review of FMS'
Year 2000 business continuity and contingency planning. 

We conducted our work at the Financial Management Service in Washington,
D.C., and Hyattsville, Maryland. We performed our work from February 1999
through October 1999 in accordance with generally accepted government
auditing standards.

(511138)

--------------------------------------
/Footnote1/-^Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-
  10.1.21, issued as an exposure draft in June 1998; issued in final in
  November 1998).
/Footnote2/-^According to FMS, these systems-the Social Security
  Administration (SSA) Payments, Supplemental Security Income (SSI)
  Payments, and Internal Revenue Service (IRS) Payments systems-issue
  annual disbursements totaling about $497 billion.
/Footnote3/-^Electronic Federal Tax Payment System (EFTPS) processed the
  collection of tax receipts totaling about $1.1 trillion in 1998.
/Footnote4/-^These systems are the Government On-line Accounting Link
  System (GOALS) and STAR.

*** End of document. ***