Information Technology: Treasury Needs to Strengthen Its
Investment Board Operations and Oversight (23-JUL-07,
GAO-07-865).
The Department of the Treasury relies extensively on information
technology (IT) to carry out its mission. For fiscal year 2007,
Treasury requested about $2.8 billion--the third largest planned
IT expenditure among civilian agencies. GAO's objectives included
(1) assessing Treasury's capabilities for managing its IT
investments and (2) determining any plans the agency has for
improving its capabilities. GAO used its IT investment management
framework (ITIM) and associated methodology to address these
objectives, focusing on the framework's stages related to the
investment management provisions of the Clinger-Cohen Act of
1996.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-865
ACCNO: A73148
TITLE: Information Technology: Treasury Needs to Strengthen Its
Investment Board Operations and Oversight
DATE: 07/23/2007
SUBJECT: Chief information officers
Information resources management
Information technology
Internal controls
Investment planning
Investment Review Board
IT investment management
Policy evaluation
Strategic planning
Systems design
Systems evaluation
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-07-865
* [1]Results in Brief
* [2]Background
* [3]Treasury's Mission and Organizational Structure
* [4]Treasury's Use of Information Technology
* [5]Prior Reviews on IT Management Issues at Treasury
* [6]Role of Department CIO in Investment Management
* [7]Treasury's Approach to Investment Management
* [8]Process for Managing Investments
* [9]ITIM Maturity Framework
* [10]Treasury Has Established Many Key Practices for Managing Its
* [11]Treasury Has Established Many of the Foundational Practices
* [12]Treasury Does Not Have an Executive Investment Review
Board
* [13]Treasury Has a Process for Ensuring Projects Are Aligned
wit
* [14]Treasury Has Processes to Select Major Investments but
Is No
* [15]Treasury Is Not Effectively Overseeing Its Investments
* [16]Treasury Has a Structured Process for Capturing
Investment I
* [17]Treasury Lacks Key Capabilities Needed to Manage IT Investme
* [18]Treasury Has Portfolio Selection Criteria but Lacks
Document
* [19]Treasury Lacks Documented Policies and Procedures for
Analyz
* [20]Treasury Does Not Have Documented Policies for
Evaluating It
* [21]Treasury Has Not Instititionalized a Postimplementation
Revi
* [22]Treasury Does Not Have a Comprehensive Plan to Guide Its Imp
* [23]Treasury CIO's Role in Managing IT Investments Has Been Mixe
* [24]Conclusions
* [25]Recommendations for Executive Action
* [26]Agency Comments and Our Evaluation
* [27]Appendix I: Objectives, Scope, and Methodology
* [28]Appendix II: GAO Contact and Staff Acknowledgments
* [29]GAO Contact
* [30]Staff Acknowledgments
* [31]Order by Mail or Phone
Report to Congressional Requesters
United States Government Accountability Office
GAO
July 2007
INFORMATION TECHNOLOGY
Treasury Needs to Strengthen Its Investment Board Operations and Oversight
GAO-07-865
Contents
Letter 1
Results in Brief 2
Background 3
Treasury Has Established Many Key Practices for Managing Its Investments,
but Has Key Weaknesses with Its Board Operations and Investment Oversight
19
Treasury Does Not Have a Comprehensive Plan to Guide Its Improvement
Efforts 45
Treasury CIO's Role in Managing IT Investments Has Been Mixed 46
Conclusions 50
Recommendations for Executive Action 51
Agency Comments and Our Evaluation 52
Appendix I Objectives, Scope, and Methodology 55
Appendix II GAO Contact and Staff Acknowledgments 59
Tables
Table 1: Governance Roles and Responsibilities 8
Table 2: Stage 2 Critical Processes--Building the Investment Foundation 21
Table 3: Summary of Results for Stage 2 Critical Processes and Key
Practices 22
Table 4: Instituting the Investment Board 23
Table 5: Meeting Business Needs 25
Table 6: Selecting an Investment 28
Table 7: Providing Investment Oversight 31
Table 8: Capturing Investment Information 34
Table 9: Stage 3 Critical Processes--Developing a Complete Investment
Portfolio 36
Table 10: Summary of Results for Stage 3 Critical Processes and Key
Practices 37
Table 11: Defining the Portfolio Criteria 38
Table 12: Creating the Portfolio 40
Table 13: Evaluating the Portfolio 42
Table 14: Conducting Postimplementation Reviews 44
Table 15: CIO Involvement in Performing Investment Management
Responsibilities 47
Figures
Figure 1: Treasury Organizational Chart (condensed) 4
Figure 2: CPIC Process 15
Figure 3: ITIM Stages of Maturity 19
Abbreviations
CADE Customer Account Data Engine
CIO chief information officer
CPIC Capital Planning and Investment Control
EA enterprise architecture
E-board Treasury Executive Investment Review Board
EVMS earned value management system
FinCEN Financial Crimes Enforcement Network
IRS Internal Revenue Service
IT information technology
ITIM information technology investment management framework
OA operational analysis
OCIO Office of the Chief Information Officer
OMB Office of Management and Budget
PIR postimplementation review
SaBRe Savings Bond Replacement System
TFIN Treasury Foreign Intelligence Network
TIRB Technical Investment Review Board
TRACS Treasury Receivable, Accounting, and Collection System
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
July 23, 2007
The Honorable Richard J. Durbin
Chairman
The Honorable Sam Brownback
Ranking Member
Subcommittee on Financial Services and General Government
Committee on Appropriations
United States Senate
The Honorable Christopher S. Bond
United States Senate
The Department of the Treasury relies extensively on information
technology (IT) to carry out its responsibility of promoting the economic
and financial prosperity and security of the United States. For fiscal
year 2007, the department plans to spend about $2.8 billion--the third
largest planned IT expenditure among civilian agencies.^1 Given the size
and significance of the department's IT investments, you asked us to (1)
assess Treasury's capabilities for managing its IT investments, (2)
determine any plans the agency has for improving its capabilities, and (3)
evaluate the Chief Information Officer's (CIO) role in managing the
department's IT investments. We used our IT investment management
framework (ITIM) and associated methodology to address these objectives,
focusing on the framework's stages related to the investment management
provisions of the Clinger-Cohen Act of 1996.^2
We performed our work from August 2006 through July 2007 in accordance
with generally accepted government auditing standards. Appendix I contains
details about our objectives, scope, and methodology.
^1Office of Management and Budget, Report on Information Technology (IT)
Spending for the Federal Government for Fiscal Years 2006, 2007, 2008
(Washington, D.C., May 2007).
^240 U.S.C. SS 11312-11313.
Results in Brief
While Treasury has established many of the capabilities needed to select,
control, and evaluate its IT investments, the department has significant
weaknesses that hamper its ability to effectively manage its investments.
Specifically, the department has executed 19 of the 38 key practices that
the ITIM requires to build a foundation for IT investment management,
(Stage 2) including practices needed to ensure that projects support
business needs and that a disciplined process exists for capturing
investment information. In addition, the department has executed 11 of the
27 key practices required to manage investments as a portfolio (Stage 3),
including documenting policies and procedures for conducting
postimplementation reviews. However, Treasury does not have an executive
investment review board--a group of executives from IT and business units
that is intended to be the final decision-making authority--that is
actively engaged in the investment management process. In addition, the
department does not have any policies and procedures for managing its
nonmajor investments, although they represent almost 70 percent of the
total number of investments. Until the department addresses these
weaknesses, it will not have the investment management structure needed to
effectively assess and manage the risks associated with its
multibillion-dollar portfolio.
To its credit, Treasury has initiated efforts to improve its investment
management process. For example, it has recently implemented a process for
identifying major projects that should receive additional oversight.
However, the department has not developed a comprehensive improvement plan
that (1) is based on an assessment of strengths and weaknesses; (2)
specifies measurable goals, objectives, and milestones; (3) specifies
needed resources; (4) assigns clear responsibility and accountability for
accomplishing tasks; and (5) is approved by senior-level management. We
have previously reported that such a plan is instrumental in helping
agencies coordinate and guide improvement efforts. Treasury officials
recognize the value of having a comprehensive plan and told us they plan
to develop one once their new assistant secretary for management is
confirmed; however, a time frame for completing the plan has not been
established. Until Treasury develops this plan and the controls for
implementing it, the department risks not being able to put in place an
effective management process that will provide appropriate executive-level
oversight for minimizing risks and maximizing returns.
The Treasury CIO's role in managing the department's IT investments has
been mixed---though it has gradually increased since September 2005, when
the department's investment management policy was issued. Specifically,
some responsibilities have been fully performed, some have been partially
performed, and others have not been performed.
To further strengthen Treasury's investment management capability, we are
recommending that the department develop and implement a plan to establish
an executive investment review board, develop policies and procedures to
manage nonmajor investments, and address the other weaknesses we
identified in this report.
In e-mail comments on a draft of this report, the Acting CIO stated that
the report reflects both Treasury's shortcomings as well as progress to
date and recognized the need to take proactive steps to strengthen its
investment board operations and oversight of information technology
resources and programs. Treasury also agreed with the need for an
executive investment review board that is actively engaged in the
investment management process and noted that nonmajor investments have not
been a priority because the major investments the department has chosen to
devote its resources to represent the more significant portion of the
portfolio in terms of dollar value, visibility to OMB and Congress, and
importance to Treasury's mission. Treasury also commented on the
department's authority to redirect funding from one Treasury bureau to
another. We incorporated these comments into our report where appropriate.
Background
Treasury's Mission and Organizational Structure
The Department of the Treasury is the primary federal agency responsible
for the economic and financial prosperity and security of the United
States, and as such is responsible for a wide range of activities,
including advising the President on economic and financial issues,
promoting the President's growth agenda, and enhancing corporate
governance in financial institutions.
To accomplish its mission, Treasury is organized into departmental offices
and operating bureaus. The [32]departmental offices are primarily
responsible for the formulation of policy and management of the department
as a whole, while the nine operating bureaus--including the Internal
Revenue Service and the Bureau of Engraving and Printing--carry out the
specific functions assigned to Treasury. Figure 1 shows the organizational
structure of the department.
Figure 1: Treasury Organizational Chart (condensed)
Treasury's Use of Information Technology
Information technology plays a critical role in helping Treasury meet its
mission. For example, the Internal Revenue Service relies on information
systems to process tax returns, account for tax revenues collected, send
bills for taxes owed, issue refunds, assist in the selection of tax
returns for audit, and provide telecommunications services for business
activities, including the public's toll-free access to tax information. To
modernize the systems it relies on to carry out these functions, Treasury
is engaged in a Business Systems Modernization program.
Treasury requested $11.4 billion in the President's fiscal year 2007
budget. Of this amount, the department estimates it will spend
approximately $2.8 billion for 235 IT investments--some $2.3 billion
(about 80 percent) for 75 major investments and some $480 million (about
20 percent) for 160 nonmajor investments.
Prior Reviews on IT Management Issues at Treasury
Since mid-1999, we have been reviewing the Internal Revenue Service's
(IRS) progress in implementing its Business Systems Modernization program
as part of our reviews of the service's associated expenditure plans.^3
Our reviews have identified a number of weaknesses in IRS's modernization
management controls and capabilities and, over the years, we have made
numerous recommendations to address these weaknesses. IRS has addressed
many of our recommendations; however, several weaknesses remain.
In January 2004, we reported^4 as part of a governmentwide review, that
Treasury had significant weaknesses in investment management. We noted,
for example, that the department had neither developed a capital planning
and investment control guide nor developed work processes and procedures
for the agency's IT investment management board. In addition, Treasury had
not documented the alignment and coordination of responsibilities of its
various boards for decision making related to investments, including the
criteria for which investments--including crosscutting investments--were
to be reviewed by the executive investment review board. We also reported
that Treasury did not have a department-level control process; instead,
each bureau could conduct its own reviews that address the performance of
its IT investments and corrective actions for underperforming projects. We
made several recommendations to address the weaknesses we identified.
Treasury concurred with our recommendations, stating that it recognized
its shortcomings and was working to correct them.
^3See, for example, GAO, Business Systems Modernization: Internal Revenue
Service's Fiscal Year 2007 Expenditure Plan, [33]GAO-07-247 (Washington,
D.C.: Feb.15, 2007).
^4GAO, Information Technology Management: Governmentwide Strategic
Planning,Performance, Measurement, and Investment Management Can Be
Further Improved, [34]GAO-04-49 (Washington, D.C.: Jan. 12, 2004).
In July 2006,^5 we reported on Treasury's Financial Crimes Enforcement
Network's (FinCEN) BSA Direct Retrieval and Sharing project, a nonmajor
investment,^6 noting that FinCEN did not always apply effective investment
management processes to oversee this project. We recommended that the
director of FinCEN direct its CIO to develop a plan for improving the
agency's capabilities for overseeing this project. FinCEN officials
concurred with our findings and recommendation.
In January 2007, in an update to our high-risk series report on the
Internal Revenue Service's Business Systems Modernization,^7 which we
first designated as high-risk in 1995, we reported that while the Internal
Revenue Service had made progress in reducing risk with systems
modernization and financial management, improvements made have not been
sustained long enough to provide confidence that the program is fully
stable. We also reported that many challenges remain, including improving
processes for designing, developing, and delivering modernized IT systems.
Several of Treasury's projects have been deemed to be poorly planned and
managed by the Office of Management and Budget (OMB) and have warranted
inclusion on OMB's Management Watch and High Risk Lists.^8
5GAO, Information Technology Management: Observations on the Financial
Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval and Sharing
(BSA Direct R&S) Project, [35]GAO-06-947R (Washington, D.C.: July 14,
2006).
^6According to officials, this investment was classified as nonmajor until
August 2006.
^7GAO, High-Risk Series: An Update, [36]GAO-07-310 (Washington, D.C.:
January 2007).
^8OMB determines projects to be included on its Management Watch List
based on an evaluation of Exhibit 300 business cases that agencies submit
for major projects as part of the budget development process. The
high-risk list consists of projects identified by the agencies with the
assistance of OMB, using specific criteria established by OMB, and that
are reported quarterly by the agencies to OMB.
Role of Department CIO in Investment Management
The Clinger-Cohen Act of 1996 requires agency heads to designate the CIO
to lead reforms to help control system development risks; better manage
technology spending; and achieve real, measurable improvements in agency
performance through better management of information resources.^9 The
agency head, through the department-level CIO, is responsible for
providing leadership and oversight for foundational critical processes by
ensuring that written policies and procedures are established,
repositories of information are created that support investment decision
making, resources are allocated, responsibilities are assigned, and all of
the activities are properly carried out where they may be most effectively
executed.
Treasury's Approach to Investment Management
Treasury's IT investment management process is to provide the framework
for decision making and accountability required to ensure IT investments
meet the strategic and business objectives of the department in an
efficient and effective manner. In carrying out this process, the
department makes a distinction between its major and nonmajor investments,
to determine the extent and scope of the department's investment
management oversight and the level of reporting requirements.
An IT investment is classified as major if it meets at least one of the
following criteria:^10
o requires special management attention because of its importance
to the mission or function of the agency, a component of the
agency or another organization;
o is for financial management and obligations of more than
$500,000 annually;
o has significant program or policy implications;
o has high executive visibility;
o has high development, operating, or maintenance costs;
o has total life-cycle costs exceeding $50 million;
o has an annual budget of $5 million or more; or
o significantly impacts more than one bureau.
Investments that do not meet at least one of these criteria are
considered to be nonmajor investments.
Several groups and individuals play a role in the department's
process to manage its IT investments at the department and bureau
levels. They are involved in all aspects of the process, including
reviewing and approving proposed investments, monitoring the
investments through implementation, and evaluating the investments
once they become operational. Table 1 identifies the groups and
individuals that have a role in this process and shows their
composition and responsibilities.
^940 U.S.C. SS 11312, 11313, 11315.
^10The first five criteria are OMB criteria outlined in OMB Circular A-11
for determining major investments. The remaining three criteria are
Treasury-specific criteria.
Table 1: Governance Roles and Responsibilities
Source: GAO analysis of Treasury data.
aThis board currently does not exist; however, according to Treasury
officials, the department has initiated efforts to re-establish it.
Reviews by TIRB and the department's executive investment review board
focus on IT investments that are defined as major strategic investments
for the department. To support this process, Treasury uses an automated
portfolio management tool for collecting and maintaining data during the
four phases of the process. Various forms in the tool are available for
staff to enter new and updated data on Treasury's IT investments.
Process for Managing Investments
In September 2005, the department issued a Capital Planning and Investment
Control Policy Guide defining a four-phase process for managing its IT
investments.^11 These phases consist of preselect, select, control, and
evaluate. Completing the requirements of one phase is necessary before
moving on to the subsequent phase. Each phase is to be overseen by
Treasury's executive investment review board, which ultimately approves or
rejects an investment's advancement to the next phase.
^11The policy document has been updated a few times since it was issued.
The most recent update was issued in October 2006.
o Preselect phase is the annual process by which potential new
major investments seeking funding in the upcoming budget year are
approved to move into the select phase and are considered for
inclusion in the department's budget request. Only major IT
investments are promoted through the preselect process and
reviewed at the departmental level. During this phase, an
investment's business owner is to document the business need for
the investment and describe its anticipated alignment with bureau,
Treasury, and e-government initiatives,^12 and the President's
Management Agenda^13 strategic goals. The CPIC team is then
expected to review and validate the preselect data and pass on its
assessment and recommendation to TIRB, which is to provide
recommendations to the department's executive investment review
board. Once a major investment is approved by the executive
investment review board, it moves forward to the select phase. The
department's bureaus have the exclusive responsibility for the
preselection of nonmajor investments within their respective
bureaus, and the bureaus' executive leadership must approve a
nonmajor investment in order for it to enter the select phase.
o Select phase is the process by which new and existing major IT
investments seeking funding in the upcoming budget year are
annually screened, scored, and selected for inclusion in
Treasury's IT investment portfolio. In this phase, Treasury is to
ensure that only IT investments that best support its mission,
investment principles, and approach to EA are chosen and that the
investment owners have taken steps to be successful, such as
having a qualified project manager and analyzing risks. As in the
preselect phase, the CPIC team is expected to review and validate
that all data is complete, score each investment based on
Treasury's investment principles, and submit its findings and
recommendations to TIRB. TIRB, in turn, is to review the scoring
results and provide its recommendations to Treasury's executive
investment review board, which is then to select which investments
will be included in the department's IT investment portfolio that
is ultimately submitted to OMB for funding considerations.
Investments do not technically exit the select phase until they
are terminated, since they must be reviewed annually for
reselection. The bureaus are responsible for conducting their own
select process for nonmajor investments.
^12The President's e-government initiatives are intended to improve
services to citizens, to increase the efficiency and effectiveness of the
government, and to provide savings to the taxpayer.
^13The President's Management Agenda, announced in 2001, is a strategy for
improving the management of the federal government, focusing on five areas
of management weaknesses across the government. One of these areas
involves expanded use of electronic government for better serving the
public.
o Control Phase ensures, through timely oversight, quality
control, and executive review, that IT investments are managed in
a disciplined and consistent manner. This phase is characterized
by Treasury's Office of the CIO initiating quarterly control
reviews, which focus on ensuring that an investment's projected
benefits are being realized; that cost, schedule, and performance
goals are being met; that risks are minimized and managed; and
that the investment continues to meet strategic goals. Through
Office of the CIO quarterly data calls, bureau project managers
are to update data as of the end of the previous quarter for cost
and schedule, performance measures, and risk assessments for both
major and nonmajor investments. This updated data is to be entered
into the department's automated IT portfolio management tool,
which the bureau project managers and the bureau CIOs are to
certify for accuracy using a certification form within the tool.
Next, Treasury's CPIC team is to evaluate the data and provide
feedback to the bureaus through the bureaus' CPIC coordinators,
giving the bureaus an opportunity to remediate missing or
erroneous data. For major investments, the CPIC team is then
expected to summarize the results, including identifying
corrective actions planned, for presentation to TIRB. TIRB is to
review the results for potential risk factors, such as schedule or
cost slippages or major technical problems, before forwarding its
recommendation to Treasury's executive investment review board.
The executive investment review board is to review TIRB's
recommendations before making a decision to continue, accelerate,
modify, suspend, or terminate investments. While control data are
captured for nonmajor investments, the department leaves it to the
bureaus to conduct their own oversight process for these
investments. However, TIRB and the executive investment review
board may choose to review these investments on a random sample
basis.
In July 2006, Treasury adopted procedures for establishing an
Internal Watch List of major investments at risk of not meeting
established goals.^14 The criteria for placement on this list
include
1. cost or schedule variances greater than plus or
minus 10 percent for two consecutive quarters;
2. lack of validation of project manager's
qualifications by the bureau CIO;
3. lack of a current certification and
accreditation;^15 or
4. duplication of another investment within the
department or with any of the President's
e-government initiatives or lines of business.^16
Treasury's Office of the CIO is to make this determination, and
investments on this list are subject to additional reporting
requirements, including development of an action plan to remediate
the noncompliant conditions. Bureau CIOs are to report monthly to
the Treasury CIO on the status of these investments. Once all
requirements have been met and the Treasury CIO concurs, the
investment can be removed from the list.
o Evaluation phase involves an annual process to determine how
well major investments are performing once they become
operational. This process is to occur in the first quarter of the
fiscal year and is composed of two subprocesses--the
postimplementation review (PIR) and the operational analysis (OA).
The age and the life cycle stage of the investment determine which
of these two subprocesses is conducted on an investment.
^14In August 2005, OMB initiated an effort for agencies to improve IT
project planning and execution. Through this effort, agencies are to
identify "high risk projects" using specific criteria established by OMB
and report quarterly to OMB on each project's performance noted shortfalls
and planned corrective actions to address the shortfalls. The criteria
Treasury used to establish its internal watch list mirrors the list of
shortfalls OMB requires agencies to report on.
^15Certification is the comprehensive evaluation of the management,
operational, and technical security controls in an information system to
determine the effectiveness of these controls and identify existing
vulnerabilities. Accreditation is the official management decision to
authorize operation of an information system. This authorization
explicitly accepts the risk remaining after the implementation of an
agreed-upon set of security controls.
^16Similarly to the e-government initiatives, the line of business
initiatives are intended to improve services to citizens, to increase the
efficiency and effectiveness of the government, and to provide savings to
the taxpayer.
The purpose of the PIR is to assess the performance of an
investment that has been fully developed and has moved into the
operational and maintenance stage of its life cycle. An
investment's project manager is to initiate a PIR 6 to 18 months
after an investment has moved into its operational and maintenance
stage. During a PIR, an investment's actual performance is
compared to its expected performance to identify lessons learned
for improving both the investment and Treasury's CPIC process. The
PIR is also intended to measure the strategic impact, user
satisfaction, and whether the investment is meeting cost,
schedule, and performance metrics. The results of the PIR are to
be documented in Treasury's portfolio management tool. Once the
PIR is completed, Treasury's CPIC team is to evaluate the results,
provide feedback to the project manager and the respective bureau
management, and provide summary information to TIRB. TIRB, in
turn, is to report lessons learned from the PIRs conducted and any
recommendations it may have to the department's executive
investment review board in order to promote the lessons learned
across the department's IT investment portfolio.
o The purpose of the OA is to identify those investments in
operations and maintenance for which PIRs have been conducted that
are likely to require modification, acceleration, replacement, or
retirement, and to help determine the remaining useful life of an
investment. However, because of the newness of Treasury's PIR
requirement and the age of certain investments that have been in
the operations and maintenance stage of their life cycle, a PIR
may not have been performed on these investments prior to the
required OA. Similar to a PIR, in conducting the OA, Treasury
focuses on two key areas: (1) program objectives, looking at
alignment to cost, schedule, and strategic goals; and (2) meeting
user needs. In determining how well the investment aligns to
program objectives, data are to be captured on an annual
basis---most likely from established sources, such as the
quarterly control reviews and annual select phase process. To
determine whether user needs are still being met by the
investment, the investment's project manager, in coordination with
the investment's business owner, is to solicit user input, using
such means as a survey, focus groups, or regular user group
meetings. The results of the OA are to be documented in Treasury's
portfolio management tool and can entail recommending the
investment continue operations as is, be modified, or be
terminated. Based on further analysis by the CPIC team, a review
meeting may be scheduled to discuss the results and the
recommendations. The results of these meetings are to be shared
with TIRB and the executive investment review board, as
appropriate. Prior to exiting the evaluation phase, the executive
investment review board must approve the disposal, retirement, or
replacement of major investments.
Figure 2 shows the schedule of select, control, and evaluate
activities that take place throughout the year.
Figure 2: CPIC Process
aBudget year is a term used in the budget formulation process that refers
to the fiscal year for which the budget is being considered, that is, with
respect to a session of Congress, the fiscal year of the government that
starts on October 1 of the calendar year in which that session of Congress
begins.
bE-board--Executive Investment Review Board.
cTIRB--Technical Investment Review Board.
ITIM Maturity Framework
To provide a method for evaluating and assessing how well an agency is
selecting and managing its IT resources, GAO developed the Information
Technology Investment Management framework (ITIM).^17 The ITIM is a
maturity model composed of five progressive stages of maturity that an
agency can achieve in its investment management capabilities. It was
developed on the basis of our research into the IT investment management
practices of leading private- and public-sector organizations. In each of
the five stages, the framework identifies critical processes for making
successful IT investments. The maturity stages are cumulative; that is, in
order to attain a higher stage, the agency must have institutionalized all
of the critical processes at the lower stages in addition to the higher
stage critical processes.
The framework can be used to assess the maturity of an agency's investment
management processes and as a tool for organizational improvement. The
overriding purpose of the framework is to encourage investment processes
that increase business value and mission performance, reduce risk, and
increase accountability and transparency in the decision process. We have
used the framework in several of our evaluations,^18 and a number of
agencies have adopted it. These agencies have used ITIM for purposes
ranging from self-assessment to redesign of their IT investment management
processes.
ITIM's five maturity stages represent the steps toward achieving stable
and mature processes for managing IT investments. Each stage builds on the
lower stages, and the successful attainment of each stage leads to
improvement in the organization's ability to manage its investments. With
the exception of Stage 1, each maturity stage is composed of critical
processes that must be implemented and institutionalized in order for the
organization to achieve that stage.^19 These critical processes are
further broken down into key practices that describe the types of
activities an organization should be performing to successfully implement
each critical process. It is not unusual for an organization to be
performing key practices from more than one maturity stage at the same
time, but efforts to improve investment management capabilities should
focus on implementing all lower stage practices before addressing higher
stage practices.
^17GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, [37]GAO-04-394G (Washington,
D.C.: March 2004).
^18GAO, Information Technology: DLA Needs to Strengthen Its Investment
Management Capability, [38]GAO-02-314 (Washington, D.C.: Mar. 15, 2002);
United States Postal Service: Opportunities to Strengthen IT Investment
Management Capabilities, [39]GAO-03-3 (Washington, D.C.: Oct. 15, 2002);
Information Technology: Departmental Leadership Crucial to Success of
Investment Reforms at Interior, [40]GAO-03-1028 (Washington, D.C.: Sept.
12, 2003); Bureau of Land Management: Plan Needed to Sustain Progress in
Establishing IT Investment Management Capabilities, [41]GAO-03-1025
(Washington, D.C.: Sept. 12, 2003); Information Technology: FAA Has Many
Investment Management Capabilities in Place, but More Oversight of
Operational Systems Is Needed, [42]GAO-04-822 (Washington, D.C.: Aug. 20,
2004); Information Technology: HHS Has Several Investment Management
Capabilities in Place, but Needs to Address Key Weaknesses, [43]GAO-06-11
(Washington, D.C.: Oct. 28, 2005); Information Technology: Centers for
Medicare & Medicaid Services Needs to Establish Critical Investment
Management Capabilities, [44]GAO-06-12 (Washington, D.C.: Oct. 28, 2005);
Information Technology: DHS Needs to Fully Define and Implement Policies
and Procedures for Effectively Managing Investments, [45]GAO-07-424
(Washington, D.C.: Apr. 27, 2007).
In the ITIM, Stage 2 critical processes lay the foundation for sound IT
investment processes by helping the agency to attain successful,
predictable, and repeatable investment control processes at the project
level. Specifically, Stage 2 encompasses building a sound investment
management foundation by establishing basic capabilities for selecting new
IT projects. It involves developing the capability to control projects so
that they finish predictably within established cost and schedule
expectations and have the capability to identify potential exposures to
risk and put in place strategies to mitigate that risk. It also involves
instituting an IT investment board,^20 which includes defining its
membership, guidance policies, operations, roles, responsibilities, and
authorities for one or, if applicable, more IT investment boards within
the organization, and, if appropriate, each board's support staff. The
basic selection processes established in Stage 2 lay the foundation for
more mature selection capabilities in Stage 3, which represents a major
step forward in maturity. In this stage, the agency moves from
project-centric processes to a portfolio approach, evaluating potential
investments by how well they support the agency's mission, strategies, and
goals.
Stage 3 requires that an organization continually assess both proposed and
ongoing projects as parts of a complete investment portfolio--an
integrated and competing set of investment options. It focuses on
establishing a consistent, well-defined perspective on the IT investment
portfolio and maintaining mature, integrated selection (and reselection),
control, and evaluation processes, which are to be evaluated during PIRs.
This portfolio perspective allows decision makers to consider the
interaction among investments and the contributions to organizational
mission goals and strategies that could be made by alternative portfolio
selections, rather than focusing exclusively on the balance between the
costs and benefits of individual investments.
^19Stage 1 is typified by the absence of an organized, executable, and
consistently applied IT investment management process.
^20An IT investment board is a decision-making body, made up of senior
program, financial, and information officials, that is responsible for
making decisions about IT projects and systems on the basis of comparisons
and trade-offs among competing projects and has an emphasis on meeting
mission goals.
Stages 4 and 5 require the use of evaluation techniques to continuously
improve both the investment portfolio and the investment processes in
order to better achieve strategic outcomes. At Stage 4 maturity, an
organization has the capacity to conduct IT succession activities and,
therefore, can plan and implement the deselection of obsolete, high-risk,
or low-value IT investments. An organization with Stage 5 maturity
conducts proactive monitoring for breakthrough information technologies
that will enable it to change and improve its business performance.
Organizations that have implemented Stages 2 and 3 have in place
capabilities that assist in establishing the selection, control, and
evaluation processes that are required by the Clinger-Cohen Act of
1996.^21 Stages 4 and 5 define key attributes that are associated with the
most capable organizations.
Figure 3 shows the five ITIM stages of maturity and the critical processes
associated with each stage.
^21The Clinger-Cohen Act of 1996, 40 U.S.C. SS 11312.
Figure 3: ITIM Stages of Maturity
As defined by the model, each critical process consists of key practices
that must be executed to implement the critical process.
Treasury Has Established Many Key Practices for Managing Its Investments, but
Has Key Weaknesses with Its Board Operations and Investment Oversight
In order to have the capabilities to effectively manage IT investments, an
agency, at a minimum, should (1) build an investment foundation by putting
basic, project-level control and selection practices in place (Stage 2
capabilities) and (2) manage its projects as a portfolio of investments,
treating them as an integrated package of competing investment options and
pursuing those that best meet the strategic goals, objectives, and mission
of the agency (Stage 3 capabilities). These practices may be executed at
various organizational levels of the agency, including at the component
level. However, overall responsibility for their success remains at the
department level. Therefore, at a minimum, the department should
effectively oversee component agencies' IT investment management
processes.
While Treasury has established many of the capabilities needed to select,
control, and evaluate its IT investments, the department has significant
weaknesses that hamper its ability to effectively manage its investments.
Specifically, the department has executed 19 of the 38 key practices that
the ITIM requires to build a foundation for IT investment management
(Stage 2), including practices needed to ensure that projects support
business needs and that a disciplined process exists for capturing
investment information. In addition, the department has executed 11 of the
27 key practices required to manage investments as a portfolio (Stage 3),
including documenting policies and procedures for conducting
postimplementation reviews.
However, Treasury does not have an executive investment review board--a
group of executives from IT and business units that is intended to be the
final decision-making authority--that is actively engaged in the
investment management process. According to the Associate CIO for Capital
Planning and Information Management, while efforts to establish an
executive investment review board have been initiated, these efforts have
been stymied by changes in executive leadership. In addition, the
department does not have any processes in place for managing its nonmajor
investments, although they represent about 70 percent of the total number
of investments. According to officials, nonmajor investments have not been
a priority because the department has instead chosen to devote its
resources to major investments, which represent about 80 percent of its IT
expenditures. While it is reasonable to focus attention on major
investments, nonmajor investments represent a significant amount of
funding (about $480 million) and constitute the bulk of most bureaus'
investment portfolio and therefore also require a certain level of
oversight. Until the department addresses these weaknesses, it will not
have the investment management structure needed to effectively assess and
manage the risks associated with its multibillion-dollar portfolio.
In addition, until the department addresses these weaknesses, it will not
have assurance that key investment management decisions are benefiting
from the contribution of executives who are in the best position to make
the full range of decisions needed to enable the agency to meet its
mission most effectively. In addition, the department will not be able to
ensure that it is effectively assessing and managing the risks associated
with nonmajor investments costing hundreds of millions of dollars.
Treasury Has Established Many of the Foundational Practices Needed to Manage its
Investments
At the ITIM Stage 2 level of maturity, an organization has attained
repeatable, successful IT project-level investment control and basic
selection processes. Through these processes, the organization can
identify expectation gaps early and take the appropriate steps to address
them. According to ITIM, critical processes at Stage 2 include (1)
defining IT investment board operations, (2) identifying the business
needs for each IT investment, (3) developing a basic process for selecting
new IT proposals and reselecting ongoing investments, (4) developing
project-level investment control processes, and (5) collecting information
about existing investments to inform investment management decisions.
Table 2 describes the purpose of each of these Stage 2 critical processes.
Table 2: Stage 2 Critical Processes--Building the Investment Foundation
Source: GAO.
Because of management attention that has recently been given to IT
investment management, Treasury has put in place half of the key practices
needed to establish the investment foundation. These include all of the
key practices associated with identifying and collecting information to
support investment decisions and some of the key practices for ensuring
that projects and systems support organizational needs and meet users'
needs as well as for selecting new proposals^22 and reselecting ongoing
investments.
However, because no executive investment review board currently exists
(see details in next section), the department has not executed many of the
key practices for instituting the investment board. In addition, because
of its limited involvement in managing nonmajor investments, the
department has not executed many of the key practices related to providing
investment oversight. Treasury officials stated that the management
turnover present a challenge to establishing an executive investment
review board. They also acknowledged the need for a process to oversee
nonmajor investments, particularly in light of the recent failure of the
BSA Direct project.
^22According to ITIM, new proposals include both (1) previously submitted
IT proposals that were not originally selected for funding and (2) IT
proposals that have never been submitted.
Table 3 summarizes the status of Treasury's Stage 2 critical processes,
showing how many associated key practices the department has executed.
Table 3: Summary of Results for Stage 2 Critical Processes and Key
Practices
Source: GAO.
Treasury Does Not Have an Executive Investment Review Board
The establishment of decision-making bodies or boards is a key component
of the IT investment management process. At the Stage 2 level of maturity,
organizations define one or more boards, provide resources to support the
boards' operations, and appoint members who have expertise in both
operational and technical aspects of proposed investments. The boards
should operate according to a written IT investment process guide that is
tailored to the organization's unique characteristics, thus ensuring that
consistent and effective management practices are implemented across the
organization. The organization selects board members to ensure they are
knowledgeable about policies and procedures for managing investments.
Organizations at the Stage 2 level of maturity also take steps to ensure
that executives and line managers support and carry out the decisions of
the investment board. According to ITIM, organizations should (1)
establish an enterprisewide IT investment board composed of senior
executives from IT and business units, (2) have a documented IT investment
process directing each investment board's operations, and (3) ensure that
the enterprisewide investment board has oversight responsibilities for the
development and maintenance of the organization's documented IT investment
process. (The complete list of key practices is provided in table 4.)
Treasury has executed three of the eight key practices for this critical
process. For example, the department has documented an IT investment
process that directs investment board operations. In addition, adequate
resources are provided to support board operations. However, Treasury
currently does not have an executive investment review board composed of
senior executives from IT and business units that is actively engaged in
the investment management process. According to officials, such a board
was established in 2005 but stopped functioning at the prompting of the
assistant secretary for management because it was considered inefficient.
In 2006, another executive investment review board structure was proposed
under a new assistant secretary for management, but, according to the
Associate CIO for Capital Planning and Information Management, it was not
implemented, due to yet another change in executive leadership. Officials
told us that one of the challenges in establishing the board has been the
constant turnover in Treasury's management. They noted that many of the
management positions, including the assistant secretary for management
position, are currently being filled by temporary or "acting" officials,
who may be replaced soon. Until the department establishes an executive
investment review board with senior executives from IT and business units,
its investment management process will not benefit from the contribution
of those executives who are in the best position to make the full range of
decisions needed for the department to meet its mission most effectively.
Table 4 shows the rating for each key practice required to implement the
critical process for instituting the investment board at the Stage 2 level
of maturity and summarizes the evidence that supports these ratings.
Table 4: Instituting the Investment Board
Source: GAO.
Treasury Has a Process for Ensuring Projects Are Aligned with Business Needs
Defining business needs for each IT project helps to ensure that projects
and systems support an organization's business needs and meet users'
needs. This critical process ensures that an organization's business
objectives and its IT management strategy are linked. According to ITIM,
effectively meeting business needs requires, among other things, (1)
documenting business needs with stated goals and objectives, (2)
identifying specific users and other beneficiaries of IT projects and
systems, (3) providing adequate resources to ensure that projects and
systems support the organization's business needs and meet users' needs,
and (4) periodically evaluating the alignment of IT projects and systems
with the organization's strategic goals and objectives. (The complete list
of key practices is provided in table 5.)
Treasury has executed two of the seven key practices for ensuring business
needs are met. Specifically, Treasury has a documented business mission,
with stated goals and objectives in its Treasury Strategic Plan for fiscal
years 2003 through 2008. In addition, resources are devoted to ensuring
that IT projects and systems support the organization's business needs and
meet users' needs, including Treasury's portfolio management tool, several
subcouncils, an Exhibit 300 scoring guide to help develop major IT
investments business cases, and training manuals on the use of the
portfolio management tool contained in an online resource called the
CPICResource Link.
Treasury's weaknesses in this area stem mostly from the fact that, while
the department has delegated the management of nonmajors to the bureaus,
it has no mechanism for ensuring that bureaus are effectively carrying out
associated activities. In addition, while Treasury's system development
life-cycle methodology requires user involvement in projects' life cycle,
the investment management process does not have any steps for ensuring
this is done. By not ensuring that bureaus are effectively aligning
nonmajor investments with business needs, Treasury is incurring the risk
that investments that make up approximately 20 percent of their IT budget
and represent the majority of their investments may not be supporting the
department's priorities. In addition, without an executive investment
review board actively involved in the process, Treasury cannot be assured
it is making the best decisions regarding investments' ability to support
ongoing and future business needs.
Table 5 shows the rating for each key practice required to implement the
critical process for meeting business needs at the Stage 2 level of
maturity and summarizes the evidence that supports these ratings.
Table 5: Meeting Business Needs
Source: GAO.
Treasury Has Processes to Select Major Investments but Is Not Effectively
Selecting Nonmajor Investments
Selecting new IT proposals and reselecting ongoing investments requires a
well-defined and disciplined process to provide the agency's investment
boards, business units, and developers with a common understanding of the
process and the cost, benefit, schedule, and risk criteria that will be
used both to select new projects and to reselect ongoing projects for
continued funding. According to ITIM, this critical process requires,
among other things, (1) providing adequate resources for investment
selection activities; (2) making funding decisions for new proposals
according to an established process; and (3) using a defined selection
process to select new investments and reselect ongoing investments. (The
complete list of key practices is provided in table 6.)
Treasury has executed 6 of the 10 key practices associated with selecting
an investment. Treasury's portfolio management tool contains a form for
entering select data and provides staff, such as project managers and CPIC
desk officers, with information to help manage the select process. We
verified that three of the systems we reviewed--TFIN, CADE, and
SaBRe--did, in fact, use the select form in the portfolio management tool
for entering select data. The department has aligned funding decisions
with the budget process for new and ongoing investments through the
department's budget formulation process, which is used to select both
enterprisewide and bureau investments. Treasury has also documented
criteria for analyzing, prioritizing, selecting, and reselecting new and
ongoing major investments that address its strategic goals and its IT
strategic goals, value, and risk. The criteria are incorporated into the
department's portfolio management tool and adjusted within the tool to
reflect organizational objectives.
However, the executive investment review board that is supposed to make
final selection and reselection decisions does not exist. Treasury
officials state that, as part of the budget formulation process, the
results of the select process are approved by executives and that the
results of the fiscal year 2008 select process were approved by a group of
executives, including the Treasury Assistant Secretary for Management and
other department and bureau executives, prior to being forwarded to OMB.
The officials recognized, however, that this group was convened only for
that purpose and did not include business (i.e., mission) representation
from the bureaus.
In addition, Treasury has delegated the selection and reselection of the
nonmajor systems to the bureaus; however, as previously noted, Treasury
does not have a mechanism for ensuring that the bureaus are effectively
carrying out these activities. Without such a mechanism, Treasury cannot
have assurance that investments that make up approximately 20 percent of
its budget and represent the majority of investments are being
consistently and objectively selected and reselected.
Table 6 shows the rating for each key practice required to implement the
critical process for selecting an investment at the Stage 2 level of
maturity and summarizes the evidence that supports these ratings.
Table 6: Selecting an Investment
Source: GAO.
Treasury Is Not Effectively Overseeing Its Investments
An organization should effectively oversee its IT projects throughout all
phases of their life cycles. An investment board should observe each
project's performance and progress toward predefined cost and schedule
expectations as well as each project's anticipated benefits and risk
exposure. This does not mean that a departmental board should micromanage
each project to provide effective oversight; rather, it means that the
departmental board should be actively involved in all IT investments and
proposals that are high cost or high risk or have significant scope and
duration and, at a minimum, should have a mechanism for maintaining
visibility of all investments. The board should also use early warning
systems that enable it to take corrective actions at the first sign of
cost, schedule, and performance slippages. According to ITIM, effect
project oversight requires, among other things, (1) having written
policies and procedures for management oversight; (2) developing and
maintaining an approved management plan for each IT project; (3) making
up-to-date cost and schedule data for each project available to the
oversight boards; (4) having regular reviews by each investment board of
each project's performance against stated expectations; and (5) ensuring
that corrective actions for each underperforming project are documented,
agreed to, implemented, and tracked until the desired outcome is achieved.
(The complete list of key practices is provided in table 7.)
Treasury has executed two of the seven key practices associated with
effective project oversight. Treasury has adequate resources to support
the executive investment review board for this critical process. The TIRB
conducts quarterly control reviews of IT investments and can make
recommendations to the executive investment review board based on these
reviews. The department uses an automated portfolio management tool for
the collection and maintenance of information to support the department's
quarterly control reviews. Treasury's CPIC team, composed of Office of the
Chief Information Officer (OCIO) personnel, assists the bureaus in
compiling data on their respective IT portfolios, reviewing the data for
accuracy and completeness prior to submission to TIRB for its quarterly
control reviews. In addition, the bureaus have CPIC coordinators, each of
which serve as a single point of quality control for their respective
bureaus before information is released to OCIO's CPIC team and provide
assistance in addressing CPIC team comments received during the
department's quarterly control reviews. In addition, we verified that
cost, schedule, benefits, and risk expectations were documented for the
four projects we reviewed: CADE, SaBRe, TFIN, and TRACS. All four projects
maintained project management plans or other documents that captured this
information.
However, although the department has written policies and procedures for
management oversight of its investments, including its Capital Planning
and Investment Control Policy Guide and its Earned Value Management Policy
Guide, these policies and procedures are centered on the department's
major investments. Treasury leaves oversight of its nonmajor investments
to the bureaus. According to Treasury officials, the department has thus
far focused on the major investments because they represent about 80
percent of its IT expenditures. Until the department develops a mechanism
for TIRB and its executive investment review board to periodically conduct
nonmajor portfolio reviews, as indicated in its CPIC guide, or develops a
mechanism for ensuring that the bureaus are doing so, the department risks
not being able to identify investment problems when it is easier and less
costly to resolve them.
In addition, because the executive investment review board does not exist,
Treasury is not executing any of the activities associated with providing
investment oversight. Specifically, there is no executive investment
review board to receive actual investment performance data, review the
performance of projects and systems against expectations, and ensure that
appropriate actions are taken to correct or terminate underperforming
projects. The TIRB is currently carrying out these activities. However,
without the involvement of an executive investment review board, these
reviews are being performed without the corporate perspective that is
useful in determining the impact individual project decisions may have on
other projects and on the attainment of organizational goals and
objectives.
Table 7 shows the rating for each key practice required to provide
investment oversight and summarizes the evidence that supports these
ratings.
Table 7: Providing Investment Oversight
Source: GAO.
Treasury Has a Structured Process for Capturing Investment Information
To make good IT investment decisions, an organization must be able to
acquire pertinent information about each investment and store that
information in a retrievable format. During this critical process, an
organization identifies its IT assets and creates a comprehensive
repository of investment information. This repository provides information
to investment decision makers to help them evaluate the potential impacts
and opportunities created by proposed or continuing investments. It can
provide insights into major IT cost and management drivers and trends. The
repository can take many forms and need not be centrally located, but the
collection method should, at a minimum, identify each IT investment and
its associated components. This critical process may be satisfied by the
information contained in the organization's current enterprise
architecture (EA), augmented by additional information--such as financial
information and information on risk and benefits--that the investment
board may require to ensure that informed decisions are being made.
According to ITIM, effectively managing this repository requires, among
other things, (1) developing written policies and procedures for
identifying and collecting the information; (2) assigning responsibilities
for ensuring that the information being collected meets the needs of the
investment management process; (3) identifying IT projects and systems and
collecting relevant information to support decisions about them; and (4)
making the information easily accessible to decision makers and others.
(The complete list of key practices is provided in table 8.)
Treasury has in place all six key practices associated with capturing
investment information. For example, the department's Capital Planning and
Investment Control Policy Guide and Earned Value Management Policy Guide
define the policies and procedures for identifying and collecting
information to support its investment management process and, according to
Treasury officials, the Associate CIO for Capital Planning and Information
Management is assigned responsibility for ensuring that the information
collected meets the needs of the investment management process. Also, the
department has adequate resources for supporting the process, including
the Office of the CIO's CPIC team, which is responsible for reviewing the
information for accuracy and completeness before it is presented to TIRB
for review prior to making its recommendations to the executive investment
review board for final decisions. It also maintains an automated portfolio
management tool for collecting and maintaining information on its IT
investments. This tool is used by department and bureau components for
updating information on their projects in response to data calls for the
information required by TIRB to conduct its quarterly reviews.
Table 8 shows the rating for each key practice required to implement this
Stage 2 critical process and summarizes the evidence that supports these
ratings.
Table 8: Capturing Investment Information
Source: GAO.
Treasury Lacks Key Capabilities Needed to Manage IT Investments as a Portfolio,
and It Has Not Conducted Postimplementation Reviews
Once an agency has attained Stage 2 maturity, it needs to implement
critical processes for managing its investments as a portfolio (Stage 3).
An IT investment portfolio is an integrated, agencywide collection of
investments that are assessed and managed collectively based on common
criteria. Managing investments as a portfolio is a conscious, continuous,
and proactive approach to allocating limited resources among an
organization's competing initiatives in light of the relative benefits
expected from these investments. Taking an agencywide perspective enables
an organization to consider its investments comprehensively, so that
collectively the investments optimally address the organization's mission,
strategic goals, and objectives. Managing IT investments as a portfolio
also allows an organization to determine its priorities and make decisions
about which projects to fund and continue to fund based on analyses of the
relative organizational value and risks of all projects, including
projects that are proposed, under development, and in operation. Although
investments may initially be organized into subordinate portfolios--based
on, for example, business lines or life cycle stages--and managed by
subordinate investment boards, they should ultimately be aggregated into
this enterprise-level portfolio.
According to the ITIM, Stage 3 maturity includes (1) defining the
portfolio criteria, (2) creating the portfolio, (3) evaluating the
portfolio, and (4) conducting postimplementation reviews. Table 9
summarizes the purpose of each critical process in Stage 3.
Table 9: Stage 3 Critical Processes--Developing a Complete Investment
Portfolio
Source: GAO.
Treasury has executed 11 of the 27 key practices required by Stage 3. For
example, the department has a working group in place that is responsible
for managing the development and modification of the department's IT
portfolio selection criteria. In addition, it has documented criteria to
regularly assess its portfolio performance expectations through its
portfolio tool. However, many key practices still need to be executed
before Treasury can effectively manage its IT investments from a portfolio
perspective. For example, the department has only addressed 3 of the 7
practices for evaluating the portfolio and 2 of the 6 practices for
conducting PIRs. Until Treasury fully implements the critical processes
associated with managing its investments as a complete portfolio, it will
not have the data it needs to make informed decisions about competing
investments.
Table 10 summarizes the status of Treasury's Stage 3 critical processes
and shows how many associated key practices the department has executed.
Table 10: Summary of Results for Stage 3 Critical Processes and Key
Practices
Source: GAO.
Treasury Has Portfolio Selection Criteria but Lacks Documented Policies and
Procedures for Modifying Them
To manage IT investments effectively, an organization needs to establish
rules or portfolio selection criteria for determining how to allocate
scarce funding to existing and proposed investments. Thus, developing an
IT investment portfolio requires defining appropriate cost, benefit,
schedule, and risk criteria with which to evaluate individual investments
in the context of all other investments. To ensure that the organization's
strategic goals, objectives, and mission will be satisfied by its
investments, the criteria should have an enterprisewide perspective.
Further, if an organization's mission or business needs and strategies
change, criteria for selecting investments should be re-examined and
modified as appropriate. Portfolio selection criteria should be
disseminated throughout the organization to ensure that decisions
concerning investments are made in a consistent manner and that this
critical process is institutionalized. To achieve this result, project
management personnel and others should be aware of the criteria and
address the criteria in funding submissions for projects. Resources
required for this critical process typically include the time and
attention of executives involved in the process, adequate funding, and
supporting tools. (The complete list of key practices is provided in table
11.)
Treasury has executed four of the seven key practices associated with
defining the portfolio selection criteria. For example, according to
Treasury officials, the department has adequate resources for portfolio
selection activities, including the Associate CIO for Capital Planning and
Information Management, the CPIC team, the CPIC subcouncil, which is
responsible for managing the development and modification of the IT
portfolio selection criteria, as well as a portfolio management tool. In
addition, project management personnel and other stakeholders are made
aware of the portfolio selection criteria through Treasury's CPIC team,
and the department's internal Web site.
Despite these important steps in defining portfolio selection criteria,
weaknesses remain. Specifically, the department has not developed policies
or procedures for modifying the portfolio selection criteria to reflect
changes to its strategic initiatives. In addition, because Treasury does
not have an executive investment review board, the activities that call
for this board to review and approve the portfolio selection criteria are
not being performed. Reviews of the portfolio selection criteria are
performed by the department's CPIC subcouncil, which forwards its reviews
to TIRB for approval of the criteria. Until Treasury fully defines and
implements the practices required for defining the portfolio selection
criteria, it will not have the tools it needs to effectively select the
mix of investments that best meet the department's mission needs
considering resource and funding constraints.
Table 11 shows the rating for each key practice required to create a
portfolio and summarizes the evidence that supports these ratings.
Table 11: Defining the Portfolio Criteria
Source: GAO.
Treasury Lacks Documented Policies and Procedures for Analyzing and
Maintaining its Portfolio
At Stage 3, organizations create a portfolio of IT investments to ensure
that IT investments are analyzed according to the organization's portfolio
selection criteria and to ensure that an optimal IT investment portfolio
with manageable risks and returns is selected and funded. According to
ITIM, creating the portfolio requires organizations to, among other
things, document policies and procedures for analyzing, selecting, and
maintaining the portfolio; provide adequate resources, including people,
funding, and tools for creating the portfolio; and capture the information
used to select, control, and evaluate the portfolio and maintain it for
future reference. In creating the portfolio, the investment board must
also (1) examine the mix of new and ongoing investments and their
respective data and analyses and select investments for funding and (2)
approve or modify the performance expectations for the IT investments they
have selected. (The complete list of key practices is provided in table
12.)
Treasury has executed two of the seven key practices associated with
creating the portfolio. For example, the department has adequate resources
for creating its portfolio, including the CPIC subcouncil and the use of
the department's portfolio management tool. In addition, information is
captured and maintained for future reference in the department's portfolio
management tool. The information in the tool is used to select, control,
and evaluate all major IT portfolio investments.
Nevertheless, Treasury has weaknesses in the way it creates a portfolio.
First, it does not have a complete set of policies and procedures that
address this critical process. Even though the department has policies and
procedures for selecting the IT portfolio criteria, it lacks policies and
procedures for using the criteria to analyze and maintain the department's
IT investment portfolio. Second, since the department does not have an
executive investment review board, board members are not knowledgeable
about creating a portfolio. In addition, information comparing the
performance of IT investments against expectations is not currently being
provided to the board because Treasury does not have one. Even though TIRB
board selects IT investments based on data associated with the mix of new
and ongoing major investments, this activity is not done for nonmajors,
and there is not an executive investment review board to select the IT
investments. Moreover, the executive investment board does not approve or
modify the performance expectations of the selected IT investments. Unless
Treasury defines and implements the practices for creating a comprehensive
portfolio of IT, it will not be able to determine whether it has selected
the mix of investments that best meets its needs and considers resource
and funding constraints.
Table 12 shows the rating for each key practice required to create a
portfolio and summarizes the evidence that supports these ratings.
Table 12: Creating the Portfolio
Source: GAO.
Treasury Does Not Have Documented Policies for Evaluating Its Portfolio
This critical process builds on the Stage 2 critical process--Providing
Investment Oversight--by adding the elements of portfolio performance to
an organization's investment control capacity. Compared with less mature
organizations, Stage 3 organizations will have the foundation they need to
control the risks faced by each investment and to deliver benefits that
are linked to mission performance. In addition, a Stage 3 organization
will have the benefit of performance data generated by Stage 2 processes.
Executive-level oversight of risk management outcomes and incremental
benefit accumulation provides the organization with increased assurance
that each IT investment will achieve the desired results. (The complete
list of key practices is provided in table 13.)
Treasury is executing three of the seven key practices for this critical
process by providing adequate resources for reviewing the portfolio,
including the use of a portfolio tool that captures data on cost,
schedule, and risk and is used to produce scorecards on a quarterly basis
that summarizes portfolio data. The performance data are consolidated in
the portfolio tool and used by TIRB. The CPIC staff is responsible for
ensuring that the data are consistent with the portfolio performance
criteria and that it is modified as needed. For example, based on OMB
guidance, the department has added and modified criteria related to the
Exhibit 300s, EA, and earned value management reporting requirements. In
addition, Treasury uses the portfolio tool to collect portfolio
performance data in a consistent manner that aligns with Treasury's
portfolio performance criteria.
Despite these strengths, the department has yet to develop policies and
procedures that address the review, evaluation, and improvement of its IT
portfolio performance. In addition, TIRB members are not consistently
provided with oversight review information for nonmajor IT investments by
bureaus even though nonmajors make up about 70 percent of the department's
total number of projects. Also, while the department has a process in
place for ensuring that adjustments are made to major investments in
response to actual portfolio performance, it does not have a process in
place to ensure that the bureaus make the necessary adjustments to their
nonmajor investments on a consistent basis. Until Treasury executes all
the key practices associated with this critical process, senior executives
will not have the information they need to determine whether the
investments they have selected are delivering mission value at the
expected cost and risk.
Table 13 shows the rating for each key practice required to implement the
critical process for portfolio performance oversight at the Stage 3 level
of maturity and summarizes the evidence that supports these ratings.
Table 13: Evaluating the Portfolio
Source: GAO.
Treasury Has Not Instititionalized a Postimplementation Review Process
The purpose of a PIR is to evaluate an investment after it has been
completely developed (that is, after its transition from the
implementation phase to the operations and maintenance phase) in order to
validate actual investment results. This review is conducted to (1)
examine differences between estimated and actual investment costs and
benefits and possible ramifications for unplanned funding needs in the
future and (2) extract "lessons learned" about the investment selection
and control processes that can be used as the basis for management
improvements. Similarly, PIRs should be conducted for investment projects
that were terminated before completion, to readily identify potential
management and process improvements. (The complete list of key practices
is provided in table 14.)
Treasury has executed two of the six key practices for conducting PIRs.
According to officials, in fiscal year 2006, the department finished
revising its PIR policies and procedures as part of the last phase of its
CPIC process, the evaluate phase. The PIR guidance states that PIRs are to
be conducted 6 to 18 months after the investment has been deployed
(transitioned into the steady state life-cycle stage) or after the
investment has rolled out major functionality. In addition, the
department's portfolio tool (PIR form) requires that reviews measure user
satisfaction, achievement of strategic goals, and whether the investment
met cost, schedule, and performance goals. The CPIC guidance also
stipulates that project managers are responsible for conducting the
reviews and collecting the information needed to document lessons learned,
and who is responsible for approving the final PIR recommendations.
Nevertheless, the department has not yet performed any PIRs since the CPIC
policy was issued and therefore has not performed any of the activities
associated with this critical process. Treasury officials stated that,
since the issuance of their PIR policy, they have not conducted any PIRs
because they have not had any investments transitioning from the
development phase into the steady state phase. In 2005, the department
conducted pilot PIRs on two major IT investments. Of the two, one review
met its goals and the other review was recommended for a follow-up PIR
because it was unable to provide information on customer satisfaction,
benefits analysis, and systems performance due to schedule delays. Until
PIRs are conducted on a regular basis with senior executive management
involvement, Treasury will not be able to effectively evaluate the results
of its IT investments to determine whether continuation, modification, or
termination of an IT investment would be necessary in order to meet stated
Treasury mission objectives.
Table 14 shows the rating for each key practice required to conduct PIRs
and summarizes the evidence that supports these ratings.
Table 14: Conducting Postimplementation Reviews
Source: GAO.
Treasury Does Not Have a Comprehensive Plan to Guide Its Improvement Efforts
We have previously reported that to effectively implement IT investments
management processes, organizations need to be guided by a plan that (1)
is based on an assessment of strengths and weaknesses; (2) specifies
measurable goals, objectives, and milestones; (3) specifies needed
resources; (4) assigns clear responsibility and accountability for
accomplishing tasks; and (5) is approved by senior-level management. Such
a plan is instrumental in helping agencies coordinate and guide
improvement efforts.
Treasury has initiated efforts to improve its investment management
process.
o Treasury has contracted for a review of the CPIC governance
process at each of its bureaus that entails performing portfolio
investment validation and evaluation on the bureaus' major
investments. The reviews involve visiting the respective bureaus
to verify key CPIC documentation, the health of their governance
and investment processes, and their compliance with the
department's CPIC process. These reviews are to provide the
department with a better understanding of the bureau's processes
and help the department identify opportunities for investment
management improvements. The reviews also are to provide the
department with greater confidence in the investment information
being provided by the bureaus.
o In April 2007, Treasury issued an Internal Watch List that
identifies major investments at risk of not meeting established
goals. Among the criteria for placement on this list is cost or
schedule variances greater than plus or minus 10 percent for two
consecutive quarters. The department's Office of the CIO is
responsible for overseeing the Internal Watch List. Investments
placed on this list are subject to additional reporting
requirements, including development of an action plan to remediate
the investment's noncompliant conditions. Bureaus are to report on
the status of their corrective actions to the CIO monthly. Once
the corrective actions have been implemented and the CIO concurs,
the investment may be removed from the list. According to
officials, as of May 2007, bureaus were beginning to submit their
corrective action plans to the CIO. The Internal Watch List
process should improve project oversight by providing greater
assurance that actions are taken to address deficiencies.
Although Treasury has initiated these efforts, the department has
not developed a comprehensive plan with the characteristics listed
above that would help guide improvements to its investment
management process. Treasury officials recognize the value of
having a comprehensive plan and told us they plan to develop one
once their new assistant secretary for management is confirmed;
however, a time frame for completing the plan has not been
established. Until Treasury develops this plan, the department
risks not being able to put in place an effective management
process that will provide appropriate executive-level oversight
for minimizing risks and maximizing returns.
Treasury CIO's Role in Managing IT Investments Has Been Mixed
The Clinger-Cohen Act, E-Government Act of 2002,^23 and
implementing guidance from OMB provide a number of investment
management responsibilities to CIOs that generally entail working
with the agency head and senior managers to define and implement
processes for selecting, controlling, and evaluating investments.
Our IT investment management framework defines practices that are
consistent with these provisions. Because CIOs are to carry out
their investment management functions with the support of an
enterprisewide investment review board, many of the
responsibilities we used to evaluate the Treasury CIO's role
relate to key practices discussed earlier in the report as part of
our evaluation of the department's investment management
capabilities.
^23Pub. L. No. 107-347 (Dec. 17, 2002)
The Treasury CIO's^24 role in managing the department's IT
investments has been mixed, although it has gradually increased
since September 2005, when the department's CPIC policy was
issued.
o Many responsibilities have been fully performed, including
responsibilities for establishing investment management policy,
several associated with selecting investments, and some associated
with controlling investments.
o Several responsibilities have been partially
performed--including some associated with selecting investments,
and others associated with controlling investments--either because
the department has not extended them to nonmajor investments or
because some activities have not yet been completed.
o A few responsibilities--most of them associated with controlling
investments--have not yet been performed, primarily because they
are just getting under way and have yet to produce results.
Table 15 shows the CIO's role in performing key investment
management responsibilities.
Table 15: CIO Involvement in Performing Investment Management
Responsibilities
* Not performed
* Partially performed
0M Fully performed
Source: GAO.
^24We are referring to both the current CIO who has been acting since
January 2007 and the former CIO.
The CIO's involvement in managing the department's investments has
strengthened the investment management process. For example, by regularly
reviewing and modifying investment selection criteria, as appropriate, to
reflect organizational objectives, the CIO, as Chair of the TIRB, has
helped ensure investments supporting organizational goals are selected.
However, several responsibilities have not been fully performed. For
example, several responsibilities for selecting and controlling
investments have not been performed for nonmajor investments. As discussed
earlier in the report, Treasury officials stated they have not made the
nonmajor investments a priority because they have instead chosen to devote
their resources to the major investments, which represent about 80 percent
of the department's IT expenditures. As noted earlier, while it is
reasonable to focus on the major investments, the nonmajor investments
also require a certain level of oversight, given the significant amount of
funding (about $480 million) and number of investments (160) involved.
Because several responsibilities have not been fully performed, there is
increased risk that investments will not be effectively managed.
Conclusions
Given the importance of IT to Treasury's mission, it is vital that the
department manage its investments effectively. To its credit, because of
the attention that has recently been given to investment management,
Treasury has established many of the practices needed to build the
investment foundation and manage its projects as a portfolio and, as such,
has made progress since we examined the department's process as part of
our governmentwide review 3 years ago. However, the absence of an
executive investment review board actively engaged in the investment
management process and the department's limited involvement in the
management of nonmajor investments are significant weaknesses that hamper
the department's ability to effectively manage its investments. As a
result, the department cannot ensure that it is managing the mix of
investments that will maximize returns to the organization, taking into
account the appropriate level of risk.
Critical to Treasury's success going forward will be the development and
implementation of a plan that (1) is based on the assessment of strengths
and weaknesses identified in this report; (2) specifies measurable goals,
objectives, and milestones; (3) specifies needed resources; (4) assigns
clear responsibility and accountability for accomplishing tasks; and (5)
is approved by senior management. Without such a plan and procedures for
implementing it, it will be difficult for the department to maintain
steady progress in improving its investment management process. As a
result, Treasury will continue to be challenged in its ability to make
informed and prudent investment decisions in managing its annual
multibillion-dollar IT budget.
By fully performing selected investment management responsibilities, the
CIO has taken positive steps toward strengthening the department's process
for selecting, controlling, and evaluating investments. However, the
department's investments will continue to be at risk as long as there are
responsibilities that are partially performed or not performed.
Recommendations for Executive Action
To strengthen Treasury's investment management capability, we recommend
that the Secretary of the Department of the Treasury direct the Assistant
Secretary for Management, in collaboration with the CIO, to develop and
implement a plan to address the following two actions:
(1) Establish an executive investment review board, composed of executives
representing IT and business units, that would be actively engaged in the
investment management process.
(2) Develop and implement policies and procedures to manage nonmajor
investments.
We also recommend that the plan include actions to address the weaknesses
in eight critical processes identified in this report, beginning with
those identified in our Stage 2 analysis and continuing with those
identified in our Stage 3 analysis. The plan should, at a minimum, provide
for fully implementing the following:
In Stage 2:
o instituting the investment board,
o meeting business needs,
o selecting an investment, and
o providing investment oversight.
In Stage 3:
o defining the portfolio criteria,
o creating the portfolio,
o evaluating the portfolio, and
o conducting postimplementation reviews.
In developing the plan, the Secretary of the Department of the
Treasury should direct the Chief Information Officer to ensure
that the plan draws together ongoing and additional efforts needed
to address the weaknesses identified in this report, including
those relating to the CIO's role in performing investment
management responsibilities. The plan should also (1) specify
measurable goals, objectives, and milestones; (2) specify needed
resources; (3) assign clear responsibility and accountability for
accomplishing tasks; and (4) be approved by senior management. In
implementing the plan, the Chief Information Officer should ensure
that the resources are available to carry out the plan and that
progress is measured and reported periodically to the Secretary of
the Department of the Treasury.
Agency Comments and Our Evaluation
In e-mail comments on a draft of this report, the Acting CIO
stated that the report reflects both Treasury's shortcomings as
well as progress to date and recognized the need to take proactive
steps to strengthen its investment board operations and oversight
of information technology resources and programs. Treasury also
commented on the need for an executive review board, nonmajor
investments, and the department's authority to redirect funding
from one Treasury bureau to another.
Regarding the need for an executive investment review board,
Treasury noted that, in addition to the Technical Investment
Review Board chaired by the CIO, an E-Board consisting of Treasury
executives previously existed. We acknowledge the establishment of
these boards in our report but emphasize that there currently is
no executive investment review board composed of executives from
IT and business units that is actively engaged in the investment
management process. The department recognizes this in its
comments, stating that it agrees it needs to reconstitute its
executive board such that it is actively engaged in the investment
management process.
Regarding nonmajor investments, Treasury commented that nonmajor
investments have not been a priority because the major investments
the department has chosen to devote its resources to represent the
more significant portion of the portfolio in terms of dollar
value, visibility to OMB and Congress, and importance to
Treasury's mission. We recognize the importance of the major
investments in our report and acknowledge that it is reasonable to
focus attention on these investments. Nevertheless, we maintain
that nonmajor investments should require a certain level of
oversight given the amount of funding involved (about $480 million
in estimated expenditures for fiscal year 2007) and the fact that
they represent the bulk of most bureaus investment portfolio.
Treasury also stated that its CPIC guide contains guidance on
managing nonmajor IT investments and that the department conducts
quarterly control reviews of all IT investments, both major and
nonmajor. While the guide requires all IT investments to comply
with its provisions, it clearly states that the select phase
described applies to major investments and that bureaus are
responsible for conducting their own select process for nonmajor
investments. In addition, while, as we note in the report,
Treasury requires bureaus to report on the cost, schedule, and
performance of its nonmajor investments on a quarterly basis, this
information is not provided to TIRB for review. Treasury noted
that it is currently developing guidance and reporting
requirements for nonmajors that integrates enterprise architecture
and capital planning.
In its comments, Treasury also noted that the department's ability
to exercise effective management of its IT portfolio requires that
the CIO (as chairman of the Technical Investment Review Board) be
empowered to make recommendations to the executive board
concerning IT budgetary requests across the department.
Additionally, the executive board needs to be empowered to make
decisions across organizational lines on behalf of the department.
Treasury added that, currently, neither the Treasury Department,
including the Acting CIO, nor the executive board has the
prerogative (authority) to redirect IT funding from one Treasury
bureau to another. While this particular authority was not the
subject of our review, we agree that not having it could present a
challenge to effectively managing the IT portfolio. Nevertheless,
effective portfolio management requires the collective
decisionmaking of executives from both IT and business units,
which highlights the importance of having an executive investment
review board that is actively engaged in the investment management
process.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of other Senate and House committees that have
authorization and oversight responsibilities for Treasury and
other interested congressional committees; the Director of the
Office of Management and Budget; the Secretary of the Treasury;
the Assistant Secretary for Management and Chief Financial
Officer; and the Chief Information Officer. We also will make
copies available to others upon request. In addition, the report
will be available at no charge on the GAO Web site at
[46]www.gao.gov .
If you or your staff have any questions about this report, please
contact me at (202) 512-9286 or [email protected]. Contact points
for our Offices of Congressional Relations and Public Affairs may
be found on the last page of this report. Key contributors to this
report are listed in appendix II.
David A. Powner
Director, Information Technology Management Issues
Appendix I: Objectives, Scope, and Methodology
The objectives of our review were to (1) assess the Department of
the Treasury's capabilities for managing its IT investments, (2)
determine any plans Treasury might have for improving those
capabilities, and (3) evaluate the CIO's role in managing the
department's IT investments.
To address our first objective, we reviewed the results of the
department's self-assessment of Stages 2 and 3 practices using our
IT investment management framework and validated and updated the
results of the self-assessment through document reviews and
interviews with officials. We reviewed written policies,
procedures, and guidance and other documentation providing
evidence of executed practices, including Treasury's Capital
Planning and Investment Control Policy Guide, Earned Value
Management Policy Guide, Exhibit 300 Scoring Guide, Alternative
Analysis Policy Guide, FY06 IT Portfolio Alignment Summary, IT
Modernization Blueprint Volume 2: IT Strategic Plan, portfolio
management tool guidance, and various memorandums. We also
reviewed TIRB and CIO Council meeting materials. In addition, we
conducted interviews with officials from the Office of the CIO,
whose main responsibility is to oversee and ensure that Treasury's
IT investment management process is implemented and followed.
We compared the evidence collected from our document reviews and
interviews to the key practices in ITIM. We rated the key
practices as "executed" on the basis of whether the agency
demonstrated (by providing evidence of performance) that it had
met the criteria of the key practice. A key practice was rated as
"not executed" when we found insufficient evidence of a practice
during the review or when we determined that there were
significant weaknesses in Treasury's execution of the key
practice. In addition, Treasury was provided with the opportunity
to produce evidence for key practices rated as "not executed." We
did not assess progress in establishing the capabilities found in
Stages 4 and 5 because the department acknowledged it had not
executed the key practices in these higher maturity stages.
To determine the level of guidance the department is providing to
its bureaus, we interviewed officials and obtained written
responses from the Bureau of the Public Debt, Financial Management
Service, and the Internal Revenue Service (IRS) to determine the
level of investment management guidance and oversight that is
provided by the department. As part of our analysis, we selected
one enterprisewide and three bureau-level IT projects as case
studies to verify that the critical processes and key practices
were being applied. The projects selected (1) are in different
life-cycle phases, (2) represent a mix of headquarters and
component bureau investments, (3) support different functional
areas, and (4) required different levels of funding. The four
projects are described as follows:
1. Customer Account Data Engine (CADE). The database
initiative is the foundation for managing taxpayer
accounts in IRS's Business Systems Modernization^1
effort. CADE is being incrementally designed,
developed, and implemented to form the data
foundation for a modernized IRS by replacing the
Individual Master File^2 and its related applications
with new technology, new applications, and new
databases. The system's purpose is to enable IRS tax
specialists to post transactions and update taxpayer
account and return data using an online interface
tool. Updates are to be available daily to authorized
personnel who have access to this data, which provide
a complete, timely, and accurate account of the
individual taxpayer's information. The project is a
major investment and has an estimated life-cycle cost
of over $1.3 billion.
2. Savings Bond Replacement System (SaBRe). SaBRe
supports two of the President's Management Agenda
initiatives: financial performance and expanded
e-government. It processes cash and security
transactions that result when accrued savings bonds
are sold or redeemed by Federal Reserve Bank
processing sites or by financial institutions and
corporate entities designated as fiscal agents.
Federal Reserve Bank processing sites consolidate and
report to SaBRe daily issue and retirement
transactions generated by processing cash and
security transactions. SaBRe processes the
transactions, updates electronic records that are
used for customer service, and reports daily
financial transactions for inclusion in the Daily
Treasury Statement. The project is a major investment
and has an estimated life-cycle cost of over $57
million.
^1The Business Systems Modernization is a highly complex,
multibillion-dollar effort to modernize IRS's technology and related
business processes.
^2The Individual Master File is IRS's database that stores various types
of taxpayer account information. This database includes individual,
business, employee plans, and exempt organizations data.
3. Treasury Receivable, Accounting, and Collection
System (TRACS). TRACS is to provide Treasury's
Financial Management Service with a tool for
supporting its Payment Business Line for the
accounting, debt billing, collection, and reporting
requirements associated with Treasury's check claims
business process. It is to aid in the processing of
check claims accounting, authorization of payments,
issuing of bills, debt collection, and funds
transfers from and to federal program agencies.
Currently all funding for TRACS will be used to
maintain and enhance the system. The project is a
nonmajor investment and has an estimated life-cycle
cost of over $11 million through fiscal year 2012.
4. Treasury Foreign Intelligence Network (TFIN). TFIN
exists to assist Treasury analysts in their ongoing
efforts to provide meaningful intelligence to senior
Treasury management as well as to other agencies
within the intelligence community. It was originally
built as a customized in-house network over 10 years
ago. In early fiscal year 2005, Treasury identified a
need to modernize TFIN due to the age of the system,
outdated components, and performance issues, and to
address Treasury's expanding mission in the fight
against terrorism. The system is currently listed as
a major department-level development, modernization,
and enhancement effort, with total estimated
life-cycle costs of $43 million.
For these projects, we reviewed project management documentation,
such as project plans, and status reports. We also obtained
investment information from the bureau officials responsible for
managing the projects.
To address our second objective, we obtained and evaluated
documents showing what management actions had been taken and what
initiatives had been planned by the agency. This documentation
included the IT Modernization Blueprint Volume 2, IT Strategic
Plan, The Department of the Treasury's Strategic Plan, and a
contractor work request for an independent validation and
verification of Treasury's capital planning program support
process. We also interviewed officials from the Office of the CIO
to determine efforts undertaken to improve IT investment
management processes.
To address our third objective, we reviewed legislation, including
the Clinger-Cohen Act of 1996 and the E-Government Act of 2002,
and OMB guidance to determine the roles and responsibilities of
CIOs regarding investment management. We also reviewed the
practices laid out in GAO's IT investment management framework. We
reviewed documentation and conducted interviews with Treasury
officials, including the Associate CIO for Capital Planning and
Information Management, to determine the extent of the CIO's
involvement in selecting, controlling, and evaluating the
department's IT investments. We conducted our work at Treasury
headquarters in Washington, D.C., from August 2006 through July
2007 in accordance with generally accepted government auditing
standards.
Appendix II: GAO Contact and Staff Acknowledgments
GAO Contact
David A. Powner, (202) 512-9286 or [email protected]
Staff Acknowledgments
In addition to the contact named above, Sabine Paul, Assistant
Director; William Barrick; Camille Chaires; Neil Doherty; Nancy
Glover; and Tomas Ramirez; made key contributions to this report.
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in
meeting its constitutional responsibilities and to help improve
the performance and accountability of the federal government for
the American people. GAO examines the use of public funds;
evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at
no cost is through GAO's Web site ( [47]www.gao.gov ). Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of
newly posted products every afternoon, go to [48]www.gao.gov and
select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies
are $2 each. A check or money order should be made out to the
Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are
discounted 25 percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax:
(202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: [49]www.gao.gov/fraudnet/fraudnet.htm E-mail:
[50][email protected] Automated answering system: (800) 424-5454 or
(202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [51][email protected] (202)
512-4400 U.S. Government Accountability Office, 441 G Street NW,
Room 7125 Washington, D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [52][email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW,
Room 7149 Washington, D.C. 20548
(310816)
[53]www.gao.gov/cgi-bin/getrpt?GAO-07-865 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact David Powner at (202) 512-9286 or
[email protected].
Highlights of [54]GAO-07-865 , a report to congressional requesters
July 2007
INFORMATION TECHNOLOGY
Treasury Needs to Strengthen Its Investment Board Operations and Oversight
The Department of the Treasury relies extensively on information
technology (IT) to carry out its mission. For fiscal year 2007, Treasury
requested about $2.8 billion--the third largest planned IT expenditure
among civilian agencies. GAO's objectives included (1) assessing
Treasury's capabilities for managing its IT investments and (2)
determining any plans the agency has for improving its capabilities. GAO
used its IT investment management framework (ITIM) and associated
methodology to address these objectives, focusing on the framework's
stages related to the investment management provisions of the
Clinger-Cohen Act of 1996.
[55]What GAO Recommends
To further strengthen Treasury's investment management capability, GAO
recommends that the department develop and implement a plan to establish
an executive investment review board and policies and procedures to manage
nonmajor investments and address the other weaknesses GAO identified. In
e-mail comments on a draft of this report, Treasury stated that the report
reflects both Treasury's shortcomings as well as progress to date and
recognized the need to take proactive steps to strengthen its investment
board operations and oversight of information technology resources and
programs.
While Treasury has established many of the capabilities needed to select,
control, and evaluate its IT investments, the department has significant
weaknesses that hamper its ability to effectively manage its investments.
Specifically, the department has executed 19 of the 38 key practices that
the ITIM requires to build a foundation for IT investment management
(Stage 2), including practices needed to ensure that projects support
business needs and that a disciplined process exists for capturing
investment information. In addition, the department has executed 11 of the
27 key practices required to manage investments as a portfolio (Stage 3),
including documenting policies and procedures for conducting
postimplementation reviews (see table). However, Treasury does not have an
executive investment review board--a group of executives from IT and
business units that is intended to be the final decision-making
authority--that is actively engaged in the investment management process.
In addition, the department does not have any policies and procedures for
managing its nonmajor investments, although they represent almost 70
percent of the total number of investments. Until the department addresses
these weaknesses, it will not have the investment management structure
needed to effectively assess and manage the risks associated with its
multibillion-dollar portfolio.
To its credit, Treasury has initiated efforts to improve its investment
management process. For example, it has recently implemented a process for
identifying major projects that should receive additional oversight.
However, the department has not developed a comprehensive improvement plan
that (1) is based on an assessment of strengths and weaknesses; (2)
specifies measurable goals, objectives, and milestones; (3) specifies
needed resources; (4) assigns clear responsibility and accountability for
accomplishing tasks; and (5) is approved by senior-level management. GAO
has previously reported that such a plan is instrumental in helping
agencies coordinate and guide improvement efforts. Until Treasury develops
this plan and the controls for implementing it, the department risks not
being able to put in place an effective management process that will
provide appropriate executive-level oversight for minimizing risks and
maximizing returns.
Treasury's IT Investment Management Capabilities
Source: GAO.
References
Visible links
32. http://www.ustreas.gov/education/duties/treas/
33. http://www.gao.gov/cgi-bin/getrpt?GAO-07-247
34. http://www.gao.gov/cgi-bin/getrpt?GAO-04-49
35. http://www.gao.gov/cgi-bin/getrpt?GAO-06-947R
36. http://www.gao.gov/cgi-bin/getrpt?GAO-07-310
37. http://www.gao.gov/cgi-bin/getrpt?GAO-04-394G
38. http://www.gao.gov/cgi-bin/getrpt?GAO-02-314
39. http://www.gao.gov/cgi-bin/getrpt?GAO-03-3
40. http://www.gao.gov/cgi-bin/getrpt?GAO-03-1028
41. http://www.gao.gov/cgi-bin/getrpt?GAO-03-1025
42. http://www.gao.gov/cgi-bin/getrpt?GAO-04-822
43. http://www.gao.gov/cgi-bin/getrpt?GAO-06-11
44. http://www.gao.gov/cgi-bin/getrpt?GAO-06-12
45. http://www.gao.gov/cgi-bin/getrpt?GAO-07-424
46. http://www.gao.gov
47. http://www.gao.gov/
48. http://www.gao.gov/
49. http://www.gao.gov/fraudnet/fraudnet.htm
50. mailto:[email protected]
51. mailto:[email protected]
52. mailto:[email protected]
53. http://www.gao.gov/cgi-bin/getrpt?GAO-07-865
54. http://www.gao.gov/cgi-bin/getrpt?GAO-07-865
*** End of document. ***