SBA Loan Monitoring System: Substantial Progress Yet Key Risks and
Challenges Remain (Testimony, 02/29/2000, GAO/T-AIMD-00-113).

Pursuant to a congressional request, GAO discussed the progress of the
Small Business Administration's (SBA) loan monitoring system, focusing
on: (1) SBA's progress in completing the mandated actions of the Small
Business Reauthorization Act of 1997; (2) GAO's evaluation of SBA's
products completed thus far; (3) the processes used to develop these
products and manage key activities; and (4) actions SBA needs to take to
manage risks.

GAO noted that: (1) SBA has made substantial progress in completing the
eight mandated planning actions, but must still complete work for some
actions and implement key functions to effectively manage the
development of the loan monitoring system; (2) SBA has benchmarked its
business processes against those of leading organizations and has
conducted a reengineering study to identify and select new processes to
improve its operations; (3) using the results of these efforts, SBA has
also started identifying the data needed for the proposed loan
monitoring system, defining data quality standards, developing the
information architecture, determining an acquisition strategy, defining
system requirements, and estimating the costs to complete the project;
(4) SBA has reported that all of the eight mandated planning actions are
complete, except for two concerning the information architecture and
systems requirements; (5) GAO's analyses of SBA products for the
planning actions have shown that SBA has made substantial progress; (6)
at the same time, some of the products lack one or more important
elements, and there are critical steps that SBA has not performed; (7)
several key functions--such as configuration management, quality
assurance, and system security--need to be established and implemented
to effectively manage the project; (8) before beginning systems design
and development, SBA will need to complete key planning actions--such as
performing benefit and cost analyses of business process and system
alternatives--for the mandated planning actions; (9) it should also
implement critical project management controls--such as those needed to
ensure that system design addresses the security challenge posed by
Internet-based access; (10) actions will be needed in such areas as
these if SBA is to effectively manage the risks it will encounter in the
systems development process; (11) the deputy administrator and other SBA
officials commented to GAO that they recognize the benefit of the
actions that GAO suggests to improve project management; (12) however,
they said that the risks from not fully completing such actions before
system development should be weighed against the risks and opportunity
costs associated with delaying the implementation of a system that would
help oversee SBA's guaranteed loan portfolio; and (13) the deputy
administrator and other SBA officials added that the first system
increment they plan to develop will assist them in further defining the
requirements for the entire system, and therefore they need to proceed
with it expeditiously.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-00-113
     TITLE:  SBA Loan Monitoring System: Substantial Progress Yet Key
	     Risks and Challenges Remain
      DATE:  02/29/2000
   SUBJECT:  Small business loans
	     Lending institutions
	     Systems development life cycle
	     Systems design
	     Strategic information systems planning
	     Performance measures
	     Internal controls
	     Government guaranteed loans
	     Reengineering (management)
IDENTIFIER:  SBA 7(a) General Business Loan Guarantee Program
	     SBA 504 Certified Development Company Debenture Program
	     SBA Loan Monitoring System
	     Standard Commercial-Off-The-Shelf Software
	     Internet


For Release on Delivery
Expected at 10 a.m. EST
Tuesday, February 29, 2000

GAO/T-AIMD-00-113

SBA LOAN MONITORING SYSTEM

Substantial Progress Yet Key Risks and Challenges Remain

Statement of Joel C. Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division

Testimony Before the Subcommittee on Government Programs and Oversight,
Committee on Small Business, House of Representatives

United States General Accounting Office

Mr. Chairman and Members of the Subcommittee:

Thank you for inviting us to discuss the progress of the Small Business
Administration (SBA) in performing the planning actions for its loan
monitoring system, as mandated by the Small Business Reauthorization Act of
1997. After providing brief background information, my testimony today will
discuss SBA's progress in completing the mandated actions, our evaluation of
SBA's products completed thus far, the processes used to develop these
products and manage key activities, and actions the agency needs to take to
manage risks.

SBA has made substantial progress in completing the eight mandated planning
actions, but must still complete work for some actions and implement key
functions to effectively manage the development of the loan monitoring
system. SBA has benchmarked its business processes against those of leading
organizations and has conducted a reengineering study to identify and select
new processes to improve its operations. Using the results of these efforts,
SBA has also started identifying the data needed for the proposed loan
monitoring system, defining data quality standards, developing the
information architecture, determining an acquisition strategy, defining
systems requirements, and estimating the costs to complete the project. SBA
has reported that all of the eight mandated planning actions are complete,
except for two concerning the information architecture and systems
requirements.

Our analyses of SBA products for the planning actions have shown that the
agency has made substantial progress. At the same time, some of the products
lack one or more important elements, and there are critical steps that SBA
has not performed. Several key functions--such as configuration management,
quality assurance, and system security--need to be established and
implemented to effectively manage the project.

Before beginning systems design and development, SBA will need to complete
key planning actions--such as performing benefit and cost analyses of
business process and system alternatives--for the mandated planning actions.
It should also implement critical project management controls--such as those
needed to ensure that system design addresses the security challenge posed
by Internet-based access. Actions will be needed in such areas as these if
SBA is to effectively manage the risks it will encounter in the systems
development process.

In commenting on a draft of this testimony, the deputy administrator and
other SBA officials told us that they recognize the benefit of the actions
we suggest to improve project management. However, they said, the risks from
not fully completing such actions before system development should be
weighed against the risks and opportunity costs associated with delaying the
implementation of a system that would help oversee SBA's guaranteed loan
portfolio. They added that the first system increment they plan to develop
will assist them in further defining the requirements for the entire system,
and therefore they need to proceed with it expeditiously.

Background

To enhance its capabilities for loan and lender monitoring, SBA has proposed
improvements to its automated systems, lender oversight, and risk management
infrastructure. The purpose of SBA's proposed loan monitoring system is to
use technology and new processes to manage its loan portfolios, identify and
effectively mitigate risks incurred through loans guaranteed by SBA,
implement oversight of internal and external operations, and calculate
subsidy rates.

After reviewing SBA's basis for this request, we reported in June 1997 that
the agency had not undertaken the essential planning needed to develop the
proposed loan monitoring system. The Congress subsequently enacted
provisions in the Small Business Reauthorization Act of 1997 that required
the SBA Administrator to perform and complete eight planning actions to
serve as the basis for funding the development and implementation of the
computerized loan monitoring system. The act also required SBA to report by
June 2, 1998, on its progress in completing the planning actions.

As required by the act, in June 1998 we commented on SBA's report. We
reported that while SBA had formed a team for the loan monitoring system in
December 1997, it had not yet completed any of the eight mandated actions.
SBA's report included a project plan, laying out its approach for addressing
these actions. Work on the first of the required planning actions was begun
in May 1998 and, according to the project plan, SBA was to complete work on
the last of the eight mandated actions in August 1999.

In July 1998 we testified that SBA's project plan delineated the project's
goals and objectives, resource requirements, quality standards and control
systems, assumptions, methodologies, work breakdown structure with timetable
for completion of tasks, and estimated costs. The plan estimated that a
staff of 18 would be needed for the first phase of the project, which was to
address the eight mandated planning actions, and scheduled completion of the
mandated actions by the end of August 1999.

While development of the project plan was a good start, we also testified
that SBA faced formidable technical and management challenges and risks in
executing the plan, including

   * establishing software project management capability while undertaking
     its largest information technology project ever;
   * using methodologies and practices for the first time while conducting a
     large, complex project; and
   * implementing the loan monitoring system without having an information
     technology architecture in place.

SBA acknowledged these challenges and committed to providing the loan
monitoring system project with the necessary management support.

To perform the planning for the loan monitoring system and conduct related
modernization activities, SBA was appropriated $8 million annually for
fiscal years 1998, 1999, and 2000. According to loan monitoring system
project data, SBA used about $1 million in fiscal year 1998 and $0.7 million
in fiscal year 1999. For fiscal year 2000, SBA plans to use about $2 million
for contractor project support, SBA staff, and travel costs; and about $8.5
million for infrastructure acquisition and system development activities.

Objective, Scope, and Methodology

We conducted our work at SBA's headquarters in Washington, D.C., from August
1999 through February 2000, in accordance with generally accepted government
auditing standards. In our analyses of SBA's products for the mandated
actions, we used the methodologies and criteria that SBA officials said they
used in performing their work and preparing the products, as well as
guidance issued by the Office of Management and Budget, the General Services
Administration, the Institute of Electrical and Electronics Engineers, Inc.
(IEEE), and our office that are applicable to the mandated planning actions.
Our analyses of the products were performed to assess the structure, general
content, and processes used in the planning actions. Detailed analyses could
not be performed on all SBA products because many were only recently
provided to us and time constraints precluded an opportunity to discuss
these products and the processes used to produce them with cognizant SBA
officials. We provided a copy of our draft testimony to SBA officials; we
received comments from them, and made changes as appropriate.

SBA Has Made Substantial Progress in Completing Mandated Actions

Table 1: Status of Products for Mandated Actions as Reported by SBA, as of
February 23, 2000

 Mandated Action                  SBA Product                       Status of
                                                                    Product

 Benchmark loan monitoring        Benchmark study                   Final
 business processes and systems   Business process reengineering    Final
 against comparable industry        study
 processes and, if appropriate,   Feasibility analysis of           Final
 simplify or redefine work          recommendations
 processes based on these         Analysis of "as is" baseline      Final
 benchmarks                         cost and time
                                  Concept of operations             Final
                                  Implementation strategy           Final

 Analyze the benefits and costs   Business case for                 Final
 of alternatives and use them to    reengineering
 demonstrate the advantages of
 final project

 Ensure that proposed             "As is" information technology    Final
 information system is              architecture
 consistent with agency's         Technology policy statement       Final
 information architecture         Enterprise information            Draft
                                    technology architecture report
                                  Gap analysis, migration           Draft
                                    strategy, and transition plan
                                  Plan to synchronize loan          Final
                                    monitoring system with
                                    information technology
                                    architecture

 Identify all data inputs and     Needs statement (logical data     Final
 outputs necessary for timely       model)
 report generation

 Determine data quality           Data quality guidance             Final
 standards and control systems    Data quality issues               Final
 for ensuring information         Data quality management plan      Final
 accuracy

 Fully define the requirements    Statement of need for the loan    Final
 for the system that uses           monitoring system
 on-line, automated capabilities  Systems requirements              Draft
 to the extent feasible

 Identify acquisition strategy    Acquisition strategy              Final
 and work increments to
 completion

 Estimate cost to system          Needs statement (total cost to    Final
 completion, identifying            completion)
 essential cost elements

SBA officials advised us on February 23 that they expected to complete the
remaining actions by March 2000 and then proceed to design and develop the
first increment of the proposed system.

Actions Still Needed for Key Items

Benchmarking and Business Process Reengineering Are Complete Except for
Costs and Performance Measurement Data, Analysis of Alternatives, and
Implementation Plans

SBA's contractor used a seven-step benchmarking process to evaluate SBA
business gaps with similar organizations for five loan management functions.
The functions benchmarked were risk management, lender oversight, guaranty
procedures, subsidy rate calculation, and asset sales. These functions were
benchmarked against the practices of 11 federal and private-sector
organizations.

The benchmark report identified standard industry or "good" practices and
showed a significant gap between SBA and benchmark partners' practices for
each of the management functions. The report also contained suggestions that
senior management needed to "buy in" to the reengineering process,
communications plans needed to be developed, systems requirements needed to
be preliminarily defined, and training plans needed to be examined.

In evaluating SBA's benchmark effort, in May 1999 we reported that it was an
important first step in SBA's actions to develop a loan monitoring system.
In general, the benchmarking methods used were consistent with accepted
practices and the benchmarking methodology was followed at a high level.
However, the study had a number of weaknesses, the most significant being
that it did not produce cost and performance measurement data for SBA and
the benchmark partners' processes. SBA agreed with our analysis and stated
that it planned to collect additional benchmarking information during its
business process reengineering activities.

Because the benchmark study identified wide gaps between SBA's business
processes and the best practices of the benchmark partners for
each of the management functions, SBA decided to pursue business process
reengineering for each of the five SBA areas that were included in the
study. Business process reengineering is an approach for redesigning the way
work is done to better support the organization's mission and reduce costs.
Reengineering identifies, analyzes, and redesigns an organization's core
business processes with the aim of achieving dramatic improvement in
critical performance measures such as cost, quality, service, and speed.

The purpose of SBA's business process reengineering (BPR) study was to
analyze the current business practices within five functional areas of the
organization, and develop new, more effective processes, supported by
modernized, state-of-the-art information technology systems.

The five functional areas addressed in the study were the following:

Guaranty Procedures encompass the full life cycle of a loan, from
application through payment in full or liquidation, with three major
subprocesses:

   * Processing: encompasses application, approval, and closing
   * Servicing: includes all loan actions handled through payment in full
   * Liquidation: includes the process of recovering value from defaulted
     loans

Lender Oversight is composed of three main functions: (1) communicating to
lenders about policies, procedures, and standards of performance;
(2) monitoring of lender performance; and (3) taking enforcement action when
lender behavior and/or performance deviate from accepted standards.

Risk Management is the process by which SBA monitors its loan portfolio,
tracks lenders and borrowers, and oversees the management of the portfolio to
keep losses to an acceptable level.

Subsidy Rate is an estimate of the subsidy cost of SBA's guaranteed and
direct loan programs as a percentage of the total level of commitment.

Asset Sales is composed of the processes used to sell SBA loan assets,
including direct loans and repurchased guaranteed loans, to private
investors.

The SBA BPR team, with facilitation support from contractor staff, analyzed
the best practices of the industry and made recommendations for SBA's
systems modernization primarily from the standpoint of maximizing efficiency
with the highest degree of automation. As a result of this analysis, the BPR
report contained 38 recommendations for new elements or characteristics for
SBA's business processes. A few of the more significant recommendations were
that SBA's new business processes include

   * one set of core data elements for all loan programs, and one standard
     electronic channel for submitting all applications;
   * centralized processing of all guaranty applications;
   * lenders' ability to directly access the SBA system to submit a
     servicing action request or report a unilateral action;
   * lenders, direct borrowers, and designated SBA personnel being able to
     view the real-time status of all loans;
   * liquidations being centralized in the servicing centers to achieve
     economies of scale in labor and technology;
   * continuous capturing of lender performance information and electronic
     analysis for early warning of potential changes in lender performance;
     and
   * performance information collected through the new lender monitoring
     system and lender reviews providing the necessary base of information
     to facilitate informed decisionmaking.

To decide which of the recommendations would be adopted in whole or in part,
SBA formed a team that analyzed the risks and barriers associated with their
implementation. Based on this analysis, the SBA Administrator fully adopted
30 of the 38 recommendations and adopted the remaining eight with
modifications. For example, the recommendation to centralize the processing
of all applications was modified to centralize the processing for programs
that represent about 75 percent of all guaranteed loans.

SBA's contractor followed a methodology that conforms with generally
accepted practices. However, as acknowledged in the report, key cost and
performance measurement data--needed to compare and analyze proposed
processes against current--were not collected during the BPR study. According
to generally accepted practices, a performance-based and risk-adjusted
benefit and cost analysis of alternatives being considered for each business
process is needed to support the final selection of processes to implement.
Accordingly, the BPR report recommended that SBA perform an activity-based
cost analysis to provide critical data in evaluating current practices. SBA
officials subsequently told us that they would produce a business case that
would support their selection of new business processes. SBA did prepare
this business case but it did not include benefit and cost analyses of
alternatives being considered for each business process. Without analyzing
benefits and costs, SBA increases the risk that the most effective and
efficient business processes will not be selected.

SBA also has not yet developed an implementation plan for the new business
processes as required by generally accepted BPR practices. It developed an
overall strategy for implementing the new business processes, but did not
develop a detailed plan that lays out the critical elements and milestones
for implementing them. SBA should consider formulating such a plan before it
starts developing the first segment of the new system to ensure that the
development and implementation of supporting information systems will be
synchronized with the implementation of new business processes.

Loan Monitoring System Is Intended to Provide Electronic Data Collection and
Ready Access to a Comprehensive Data Repository

Based on the results of its BPR study, SBA has developed a general
description of the new loan monitoring system. The system is to be used by
program managers and staff in headquarters, loan processing and service
centers, field offices, financial operations, lenders, and external service
providers under contract to perform specific portfolio support tasks. The
system is expected to be "on-line to all users around the clock."
Internally, SBA staff are to have all necessary data available through a
loan system that provides access to records from anywhere in the agency,
while externally the system is expected to allow lenders to view their own
portfolios.

SBA plans to have the loan monitoring system include a "virtual private
network" using high-speed communications based on the Internet and dial-up
access for smaller lenders, a security system that requires prior
identification and approval of users, and high-level encryption of all
messages. Because the Internet is a public network, SBA states that it will
require authentication of lenders and SBA staff as they try to initiate
access to the system.

In addition to the network, the system is expected to integrate a secure Web
site and a technologically advanced system of data, applications, and
processes. Requests for loan guarantees are to be submitted electronically,
either through a formatted file transfer or on-line entry into the system.
The loan monitoring system is also expected to have a comprehensive central
data repository to support early warning systems, exception reporting,
management reporting, decision support, ad hoc reporting, operational
reporting, and financial management reconciliation. The central data
repository is also considered to be the key to providing early warning
systems for lender oversight and risk management functions.

SBA has decided to design and develop the loan monitoring system in
increments. According to the agency, the first increment will include the
establishment of a standard set of data elements for loan guarantee
applications and the electronic processing of applications for part of its
loan guarantee programs. However, SBA has not yet provided us with key
documents related to this, such as a description of the system design,
documentation on the make or buy decision, proposed acceptance criteria for
contract deliverables, and project plans.

Benefit-Cost Analyses Have Not Yet Been Performed

SBA's business case analysis describes the current system, discusses
proposed system changes, identifies alternatives for the proposed loan
monitoring system, and presents a benefit-cost analysis showing that the
benefits associated with the new loan monitoring system are greater than the
increases in costs for investment, maintenance, ongoing operations, and
related items. SBA estimated that the new system would produce, by the end
of fiscal year 2006, cumulative cash savings of $147 million. In its
analysis, SBA considered--but dismissed--alternatives such as the
privatization and outsourcing of loan monitoring functions to the private
sector, noting that "SBA already has accomplished most of what can be done
in terms of privatization."

SBA considered five system alternatives. It concluded that two of the
alternatives--continued use of the current system and making improvements to
the current system--were not viable because the current system is completely
outmoded in both functionality and technical design. SBA noted that the
remaining three alternatives--using standard commercial-off-the-shelf (COTS)
software, standard COTS software with custom-made software, and custom-made
software alone--will be analyzed at a later point.

Before beginning system design, SBA should perform benefit-cost analyses of
all identified alternatives, determine the benefits and costs of each
alternative, evaluate alternatives by comparing their benefits and costs,
and select the best alternative for implementation. This will increase the
probability that SBA will obtain a system that meets its needs at the lowest
cost.

SBA's Information Architecture Is Incomplete

SBA has analyzed and documented its existing architecture, defined the
future--or target--architecture, and analyzed the gaps between the two. The
gap analysis forms the basis for development of a migration strategy to move
from the current systems to the new system. However, SBA has not fully
documented the current systems in the existing architecture, and has not
completed its target information technology architecture.

To deal with the incomplete architecture, SBA has developed an approach to
maintaining consistency between the SBA information technology architecture
and proposed loan monitoring system. This approach--which requires that the
system under construction be mapped to the partially defined target
architecture--increases the risk that the loan monitoring system would not be
seamlessly integrated with the SBA target architecture. To address this
increased risk, before beginning system design SBA should consider
developing and including the rules and standards needed to ensure that the
interrelated systems are built to be interoperable and maintainable in its
information technology architecture. These include specifications of
critical aspects of component systems' hardware, software, communication,
data, security, and performance characteristics.

Data Inputs and Outputs Are Necessary for Timely Report Generation

SBA identified a sample of current reports, including reports now being
produced by local systems and several reports being produced by the
mainframe system, but has not identified high-level requirements for all
internal reports. Before initiating system design for each increment, SBA
should consider identifying the high-level requirements for all internal
reports. In addition, it should define detailed input and output data
elements necessary for the timely generation of reports.

Data Quality Standards Still Need Schedule, Resource Allocation, and
Business Process Measures

SBA developed a data quality plan and a conceptual data model that includes
data quality information. The data quality plan is a strategy paper and, as
such, provides a framework for pursuing data quality goals and contains
guidelines for developing and maintaining data quality. For example, it
discusses data migration actions to cleanse data in current systems.
However, it does not identify the business priorities with respect to
near-term and long-term requirements for data quality improvement, or
provide a schedule of planned actions to improve data quality.

Before beginning design, SBA should consider completing the definition of
specific data quality standards, developing a schedule of planned actions to
improve data quality in the current systems, and implementing data quality
measures for the new loan monitoring system.

Some System Requirements Are Yet to Be Defined

SBA has drafted a systems requirements document that defines requirements
for each function in the loan monitoring system, cross-references data bases
to loan monitoring system business processes, identifies some of the reports
by user and purpose, and includes sections required by the SBA methodology.
However, some areas of systems requirements are not complete. For example,
the systems requirements document does not specify capacity and performance
requirements. Accordingly, before proceeding with system development, SBA
should define its system capacity and performance requirements.

Acquisition Strategy Awaits Final Selection of Implementation Alternative

In addition, SBA has taken action to mitigate acquisition risk, by selecting
an incremental approach to systems development. Under this approach, cost
and schedule risks will be managed by revisiting cost, schedule, and project
objectives after the first increment. For each business function, SBA has
identified whether automated solutions are available from vendors or
government sources, whether business functions can be outsourced, and
whether business functions can be developed as customized applications.
However, in documenting this information, SBA does not identify sources for
each approach, nor does it explain why it believes that 40 percent of the
functions must be custom-developed and therefore cannot be outsourced or
purchased. Because the risk and cost generally increase as the proportion of
customized components increases, it is important that SBA have a sound,
justified basis explaining its rationale for this.

Cost to Completion Substantially Set

Table 2: Loan Monitoring System Estimated Cost to Completion ($000)

 Cost Element                    FY 1998  FY 1999  FY 2000  FY 2001  FY 2002    Total

 Project startup                    $375              $300                       $675
 Initiate project                    150     $650    1,160     $950     $600    3,510
 Definition                          325       50      150                        525
 System design                       150               350                        500
 Build system:
 Data scrub, Integrator, IV&V                        1,150    1,200      650    3,000
 Iteration 1                                           843                        843
 Iteration 2                                         2,468      800      250    3,518
 Iteration 3                                            93      675               768
 Iteration 4                                           928    1,930      200    3,058
 Iteration 5                                           218      970             1,188
 Iteration 6                                           898    1,530      700    3,128
 Data migration                                        950    1,150      200    2,300
 Infrastructure                                        950    1,900    1,100    3,950
 Evaluate                                               84      120      120      324
 Operate                                                50      150      200      400

 Total cost to completion         $1,000     $700  $10,592  $11,375   $4,020  $27,687

Source: The SBA Loan Monitoring System Estimated Cost to Completion, Project
Plan (Attachment) LMS.V1.0.004, February 14, 2000.

The total $27.7 million estimate includes about $4 million for
infrastructure, $9.3 million for software, $8.8 million for services,
$2.5 million for support, $3 million for internal labor, and $0.3 million
for other costs. SBA has awarded a contract to refine the cost-to-completion
estimate, including costs of work increments.

SBA should continue to refine its cost-to-completion estimate following the
completion of the benefit-cost analysis of alternatives and the selection of
the best alternative for implementation. In addition, once SBA determines
the life expectancy of the loan monitoring system, it also should develop
and maintain a lifecycle cost estimate for the system and its components.

Key Management Controls and Processes Need to Be Implemented

Project Tracking and Oversight Is Planned

SBA has adopted an agencywide systems development methodology that suggests
that projects should use this type of project tracking and review. According
to SBA officials, they intend to use this for the loan monitoring system.

Configuration Management Plans, Policies, and Procedures Need to Be Finalized

SBA has started to formulate and implement configuration management plans,
policies, and processes for the loan monitoring system project. Finalizing
these will provide SBA with further assurance of the success of the project.

Quality Assurance Activities Are Planned

SBA has not yet established a quality assurance process to ensure that the
loan monitoring system project and its activities comply with SBA policies,
procedures, and systems development methodologies. However, it is planning
to establish a technical review group whose purpose will be to review loan
monitoring system project adherence to SBA standards outlined in the SBA
systems development methodology. In addition, SBA is planning to contract
for independent verification and validation to provide oversight of its
systems development efforts.

Loan Monitoring System Security and Privacy Requirements Are Not Fully Defined

While SBA's proposed Internet-based virtual private network may reduce
telecommunications costs and provide easy nationwide access to the loan
monitoring system, the reliance on the Internet as a key component of the
system's architecture brings unique security challenges that must be
addressed early in the project's life. However, SBA has not yet developed a
security architecture for its target environment, updated its security
operating procedures, or defined security and privacy requirements for the
loan monitoring system. Because security is a critical feature for the loan
monitoring system, SBA should complete its security architecture and update
its security operating procedures before it begins the design and
development phase of the loan monitoring system.

Summary of Actions Needed

In the area of planning actions, SBA should consider taking the following
actions: completing the analyses of benefits and costs for alternative
business processes identified through SBA's business reengineering effort;
performing benefit-cost analyses for systems alternatives; completing the
part of its information architecture that specifies the rules and standards
for interoperability and maintainability of interrelated systems;
identifying requirements and data elements for reports; completing the
definition of specific data quality standards; ensuring that the systems
requirements document includes capacity and performance requirements;
ensuring that sound justification exists for pursuing custom-developed
functions; and estimating the cost to completion based on an analysis of
the benefits and costs of system alternatives.

In the project management area, SBA should strengthen its project management
process and controls. These include putting in place project tracking and
oversight capabilities; implementing configuration management processes;
acquiring independent verification and validation for the loan monitoring
system project and establishing an internal quality assurance function; and
addressing the security challenge posed by Internet-based access to loan
monitoring system functions and data. These processes and capabilities are
essential to a major systems development and acquisition.

Mr. Chairman, this concludes my statement. I would be pleased to respond to
any questions that you or other members of the Subcommittee may have at this
time.
