Information Technology: Update on VA Actions to Implement Critical
Reforms (Testimony, 05/11/2000, GAO/T-AIMD-00-74).

Pursuant to a congressional request, GAO discussed the Department of
Veterans Affairs' (VA) progress in implementing its information
technology (IT) program, focusing on: (1) VA's efforts to address GAO's
1998 recommendations; (2) the status of VA's actions to develop and
implement a Master Veteran Record (MVR); and (3) VA's steps to improve
computer security across the department.

GAO noted that: (1) VA has made progress in addressing GAO's 1998
recommendations; (2) for example, compared with its fiscal year (FY)
1999 IT investment review process, VA's FY 2001 process provided
decisionmakers with more detailed information on proposed projects; (3)
however, the department has yet to fill the position of assistant
secretary for information and technology, created in June 1998 and
intended to serve as VA's chief information officer; (4) it also has not
developed an overall strategy for reengineering its business processes
to effectively function as "One VA," a vision VA has articulated, nor
has it defined the integrated IT architecture needed to efficiently
acquire and utilize information systems across VA; (5) VA likewise faces
challenges in developing and implementing a MVR, the Veterans Service
Network (VETSNET), and the Decision Support System (DSS); (6) its MVR
has not been implemented by the Veterans Benefits Administration's (VBA)
compensation and pension service line, although this project could help
reduce overpayments through faster receipt of death notices; (7) VBA's
VETSNET project has experienced many schedule delays, and VBA has not
yet established a completion date for it; (8) the Veterans Health
Administration's (VHA) DSS, while completed, is not being fully used by
VHA for the purposes intended, including budget formulation and resource
allocation; (9) regarding computer security, VA has begun to address
weaknesses identified by GAO and by its Office of the Inspector General;
and (10) it still needs to complete guidance on assessing VA's security
risks and must develop appropriate policies and controls for accessing
its computer systems.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-00-74
     TITLE:  Information Technology: Update on VA Actions to Implement
	     Critical Reforms
      DATE:  05/11/2000
   SUBJECT:  Information resources management
	     Information technology
	     Strategic information systems planning
	     Chief information officers
	     Customer service
	     Computer security
	     Reengineering (management)
	     Systems design
	     Management information systems
IDENTIFIER:  VA Information Technology Program
	     VA Decision Support System
	     VA Veterans Integrated Service Network

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************

   * For Release on Delivery
     Expected at
     11 a.m. EDT

Thursday,

May 11, 2000

GAO/T-AIMD-00-74

information technology

Update on VA Actions to Implement Critical Reforms

        Statement of Joel C. Willemssen

Director, Civil Agencies Information Systems

Accounting and Information Management Division

Testimony

Before the Subcommittee on Oversight and Investigations, Committee on
Veterans' Affairs, House of Representatives

United States General Accounting Office

GAO

Mr. Chairman and Members of the Subcommittee:

We appreciate the opportunity to participate in today's hearing on the
Department of Veterans Affairs' (VA) proposed $1.4-billion information
technology (IT) program, and how VA is using IT to better serve our nation's
veterans. In July 1998 we reported that VA had not fully implemented
critical provisions of the Clinger-Cohen Act and related legislative IT
reforms. We also made several recommendations for improving VA's IT program.

We will begin today by discussing VA's efforts to address our 1998
recommendations, especially those calling for institutionalizing a
disciplined IT investment decision-making process, developing an overall
business process improvement strategy to accomplish reengineering, and
completing an integrated IT architecture. Next, as requested, we will
discuss the status of VA's actions to develop and implement a Master Veteran
Record; the Veterans Benefits Administration's (VBA) actions to modernize
its information systems, also known as the Veterans Service Network, or
VETSNET; and the Veterans Health Administration's (VHA) actions to implement
its Decision Support System. Finally, we will discuss VA's steps to improve
computer security across the department.

In brief, VA has made progress in addressing our 1998 recommendations. For
example, compared with its fiscal year 1999 IT investment review process,
VA's fiscal year 2001 process provided decisionmakers with more detailed
information on proposed projects. However, the department has yet to fill
the position of assistant secretary for information and technology, created
in June 1998 and intended to serve as VA's chief information officer (CIO).
It also has not developed an overall strategy for reengineering its business
processes to effectively function as "One VA," a vision the department has
articulated, nor has it defined the integrated IT architecture needed to
efficiently acquire and utilize information systems across VA.

VA likewise faces challenges in developing and implementing a Master Veteran
Record, VETSNET, and the Decision Support System. Its Master Veteran Record
project has not been implemented by VBA's compensation and pension service
line, although this project could help reduce overpayments through faster
receipt of death notices. VBA's VETSNET project has experienced many
schedule delays, and the agency has not yet established a completion date
for it. Finally, VHA's Decision Support System, while completed, is not
being fully used by the agency for the purposes intended, including budget
formulation and resource allocation.

Regarding computer security, VA has begun to address weaknesses identified
by us and by its Office of the Inspector General (OIG). Nevertheless, it
still needs to complete guidance on assessing the department's security
risks and must develop appropriate policies and controls for accessing its
computer systems.

Background

To implement this vision and carry out other activities, VA plans to spend
about $1.4 billion of its proposed fiscal year 2001 budget of about $48
billion on various IT initiatives. Of this $1.4 billion, about $763 million,
$80 million, and $400,000, are intended for VHA, VBA, and the National
Cemetery Administration (NCA), respectively. The remaining $589 million is
for VA-wide IT initiatives in the financial management, human resources,
infrastructure, security, architecture, and planning areas.

The Clinger-Cohen Act and other related legislative reforms provide guidance
on how agencies should plan, manage, and acquire IT as part of their overall
information resources management responsibilities. These reforms require
agencies to appoint CIOs responsible for providing leadership in acquiring
and managing IT resources. They also require agencies to perform business
process reengineering prior to acquiring new IT and to complete an
integrated architecture to guide and constrain future investments.

VA Has Made Progress in Institutionalizing the IT Investment Process

As shown in table 1, VA's decision-making process for IT investments varies
depending upon the proposed project's cost, risk, and visibility. An IT
project starts with a VA administration or office developing a project to
address business needs and preparing a formal proposal for review and
approval. Then, projects with high cost, risk, or visibility are assessed as
part of VA's capital investment planning process, including review by its
Capital Investment Board (CIB). This board is composed of the deputy
secretary, the assistant secretary for congressional affairs, the assistant
secretary for information and technology, the general counsel, the assistant
secretary for financial management, the assistant secretary for planning and
analysis, and the undersecretaries for health, benefits, and memorial
affairs. It reviews projects that exceed specific dollar thresholds or that
are seen as high risk or high visibility. The dollar thresholds for VHA,
VBA, NCA, and staff offices are acquisition costs of $10 million,
$2 million, $1 million, and $1 million, respectively, and/or life-cycle
costs of $30 million, $6 million, $3 million, and $3 million, respectively.
Lower cost projects are not reviewed by the CIB. Instead, they are decided
upon and overseen by VA administrations/offices. Those projects over
$250,000 are also monitored by VA's Office of Information and Technology
(OI&T).

Table 1: Summary of VA Decision-making and Oversight by Type of IT Project
                       Type of VA decision/oversight
 Type of IT project    Select          Approve         Control         Evaluate
 High                  Administration/                                 VA
 cost/risk/visibility:                 VA CIB          VA OI&T         post-implementation
                       office                          approval        reviews
 Projects that meet
 dollar thresholds for
 review by CIB or are                                  VA in-process   VA internal reviews
 high risk or high                                     reviews         and OIG reviews
 visibility
                                       Execution
                                       reviews

                                       Internal
                                       reviews and OIG
                                       reports
 Medium cost:
                                                       VA OI&T
 Projects greater than Administration/ VA OI&T         follow-up on    VA internal reviews
 $250,000 but less thanoffice          approvala of    approvala of    and OIG reviews
 the thresholds for                    procurements    procurements
 review by CIB
 Low cost:
                       Administration/ Administration/ Administration/ Administration/
 Projects less than    office          office          office
 $250,000                                                              office

aExceptions to the requirement for approval include items purchased under
VA's departmentwide procurement computer hardware and software contract and
purchases of picture archiving and retrieval systems.

Source: VA.

As shown in figure 1, projects that require approval by the CIB are
submitted by the applicable administration/office to the department's CIO
Council Investment Panel. This panel evaluates and ranks IT proposals for
the CIO Council. The council then reviews the proposals and forwards
selected ones to the Capital Investment Panel. This panel ranks and scores
both IT and non-IT projects and makes recommendations to the CIB, which then
makes recommendations to the Secretary for inclusion in the department's
capital plan and annual budget request.

Figure 1: VA's Investment Decision-making Process

Although VA had established a detailed process for selecting, controlling,
and evaluating IT investments, discipline within the process was previously
lacking. Specifically, we reported in July 1998 that VA decisionmakers did
not have current and/or complete information-such as cost, benefit,
schedule, risk, and performance data at the project level-with which to make
sound investment decisions. In addition, VA's process for controlling and
evaluating its investment portfolio was incomplete and, as a result,
decisionmakers did not have the information needed to detect or avoid
problems early or to improve the VA investment process for the future.

Accordingly, we made several recommendations to VA to improve its selection,
control, and evaluation of IT investments. As discussed below, the
department agreed to implement them.

VA Has Improved Its Process for Selecting CIB-Level Projects

In response to our recommendation that it implement a disciplined process
for selecting IT investments in which decisions are based on complete and
current project data, VA now requires its administrations/offices to meet a
more comprehensive and specific set of criteria. The selection criteria used
during the fiscal years 2000 and 2001 capital investment planning processes
covered areas such as the proposed projects' (1) impact on "One-VA" customer
service, (2) return on taxpayer investment, (3) contribution to a
high-performing workforce, (4) risks, and (5) comparison with alternatives.
VA investment review panels then screened proposals to ensure that they had
adequate information.

The proposals submitted for the fiscal years 2000 and 2001 reviews were much
more complete than those submitted for the fiscal year 1999 investment
planning process. In fiscal year 1999, none of the seven proposals that we
reviewed contained all the required information, yet all were passed by the
CIB. In fiscal year 2000, by contrast, all seven of the proposals that
passed VA's review had the required information, including cost-benefit
analysis, risk analysis, and alternatives analysis. Similarly, in the fiscal
year 2001 review, all five proposals that passed VA's review generally met
the criteria.

VA Has Improved Its Process for Monitoring and Managing CIB-Level
Investments

VA agreed with this recommendation and has taken steps to implement it. For
example, in response to our recommendation that in-process reviews be
conducted at key milestones of a project's life, VA recently changed its
method for identifying projects for such reviews. In the past, in-process
reviews were conducted in an ad hoc manner, such as when it became apparent
that a project was behind schedule, over budget, or not performing as
planned, or when oversight agencies raised questions. Now, the CIO Council
plans to identify projects for review by VA OI&T based on the council's
assessment of the project. This assessment will take into consideration the
results of execution reviews and input from project managers. These reviews
focus on whether the project meets cost, schedule, and performance goals.

Additionally, VA has made progress in responding to our recommendation that
the results of in-process reviews be provided to decisionmakers.
Specifically, the results of formal in-process reviews are given to
decisionmakers along with the results of post-implementation reviews and
audits of IT issues conducted by VA's OIG.

However, the in-process reviews may still not be timely. As of April 28,
2000, VA OI&T has only completed five of the eight in-process reviews
scheduled for fiscal year 1999. Without timely reviews, VA is limited in its
ability to control approved projects. Accordingly, it is important that VA
establishes and monitors deadlines for completing in-process reviews.

VA Has Improved Its Post-Implementation Reviews

VA concurred with our recommendation and has taken steps to improve its
process. For example, in three of the four post-implementation reviews
conducted in fiscal year 1999, actual and estimated costs, schedules, and
mission-related benefits were compared. The remaining review did not include
a comparison between actual and estimated costs.

VA also now identifies lessons learned from its evaluation of completed
projects, and documents them in the post-implementation review report. For
example, among the lessons learned were the need to ensure that (1) a
variety of users participate in the decision-making process on systems
enhancements and/or user modifications and (2) user documentation is readily
available and updated regularly to reflect the latest systems changes.

However, the lessons learned are provided only to the sponsoring VA
organizations, and not to decisionmakers, such as the investment panel
members, who could also benefit from them. Decisionmakers receive only a
summary of the audit findings in post-implementation reviews; lessons
learned are not part of that summary. To improve the department's process
for selecting, controlling, and evaluating IT investments, decisionmakers
should be provided with such lessons learned information so they can use it
in making better-informed judgments about projects.

IT Investment Process for Projects Below CIB-Level Is Not as Structured

To implement the approval process for projects above $250,000 and beneath
the CIB thresholds, VA OI&T has issued guidance-IRM Planning and
Acquisitions Handbook-to project sponsors. Sponsors requesting approval must
submit a package containing key information, such as a requirements
analysis, benefit/cost analysis, and a minimum 10 percent return on
investment. It has not yet issued written guidance for
(1) monitoring and managing approved procurements or (2) evaluating
completed projects. VA OI&T is now in the process of revising its handbook
to address these areas.

Guidance for IT projects costing up to $250,000 is partially complete. VBA
has issued selection process guidance entitled Information Technology:
Investment Board and Investment Evaluation Process that covers all IT
projects, including those under $250,000. It requires each project sponsor
to submit a package containing information such as the names of the team
members, cost-effectiveness analysis, alternatives analysis, risk analysis,
and performance measures. This information is reviewed by VBA's Information
Technology Investment Board. The board reviews the proposal for (1)
consistency with and support of the VA/VBA mission, goals, and objectives,
along with technical and organizational feasibility, and (2) completeness of
project plan, cost-effectiveness analysis, and risk analysis. It then ranks
the proposal in terms of risk and return. VBA's guidance also requires its
Information Technology Investment Board to review ongoing projects. VBA has
not issued written guidance for evaluating completed projects, but a VBA
official told us that the agency is in the process of developing such
guidance.

Lastly, VHA issued written guidance this past January for selecting IT
investments for its Office of Information, which manages VHA-wide projects.
This guidance requires project sponsors to submit cost-benefit analyses,
alternatives analyses, project schedules, and a discussion of funding
sources. VHA offices in headquarters and the field have typically relied on
group meetings and discussions to select IT initiatives. According to a
director in the Office of Information, VHA is currently drafting guidance
for selecting IT investments at its field offices. VHA does not have written
guidance for monitoring and managing IT procurements nor does it have
guidance for evaluating completed projects. VHA plans to develop such
guidance, but it has not established a date for when this will be completed.

VA's Progress in Addressing Other Clinger-Cohen Act Provisions Has Been
Limited

Limited Progress Made in Appointing Full-time CIOs

As we reported in July 1998, however, the responsibilities of VA's CIO were
not limited to information management. Specifically, the CIO served the
department in a variety of top management positions, including assistant
secretary for management, chief financial officer, and deputy assistant
secretary for budget. We noted that in an agency as decentralized as VA, the
CIO was faced with many significant information management responsibilities,
which constitute a full-time job for any CIO. Accordingly, we recommended
that the Secretary of Veterans Affairs appoint a CIO with full-time
responsibility for information resources management alone.

VA concurred with this recommendation and established the position of
assistant secretary for information and technology to serve as its CIO.
However, this executive branch position has been unfilled since its creation
in June 1998. Accordingly, the Secretary created the position of principal
deputy assistant secretary for information and technology and designated
that person as VA's acting CIO until an assistant secretary could be
appointed. The Secretary also realigned information resources management
functions within VA under this position.

The principal deputy assistant secretary for information and technology has
reported directly to the Secretary and is involved in IT planning issues
across the department. He said that his responsibilities have included
advising the Secretary on IT issues, serving as chair of the department's
CIO Council and a member of VA's CIB, and working with the CIOs in VBA and
VHA. He sees his role as one of helping them use IT to support their
administrations. According to this official, one of his priorities has been
to ensure that IT activities in VBA and VHA are in concert with VA's
departmentwide efforts.

VA's acting CIO recently announced, however, that he will be retiring from
VA at the end of this month. As a result, VA will again be left without IT
leadership, and the CIO position will have been vacant for almost 2 years.
It is critical that this position be filled to provide the leadership to
achieve the "One VA" vision through effective IT.

In a separate yet somewhat similar situation, VHA has a CIO vacancy that was
created when its previous CIO left the agency in October 1999. To address
this situation, in November 1999 the acting undersecretary for health
designated VHA's chief facilities management officer as VHA's acting CIO.
This individual currently carries both responsibilities-for facilities and
IT management.

According to VHA's acting CIO, he devotes approximately 60 to 75 percent of
his time to information management activities. He acknowledged that he has
no background in IT and relies on staff to provide expertise and guidance in
this area. He said, however, that he does not think the allocation of his
time or lack of background is cause for concern, especially given his
background in and knowledge of VHA. His immediate focus, he said, is to
bring about general management improvements in VHA's Office of Information
for such areas as the fiscal process, communications, and project
management.

We believe this dual responsibility is contrary to good management
practices, and that the VHA CIO should have information management as his
primary focus. We have stressed the importance of this principle in
testimony and in our February 1997 high-risk report, in which we emphasized
that the CIO's duties should be centered on strategic information management
issues and not include other major responsibilities. VHA is no exception: it
needs a CIO focused on information management.

VA No Longer Plans to Develop a Departmentwide Business Process Improvement
Strategy

Our 1998 report noted that VA had not analyzed its business processes in
terms of implementing its "One VA" vision. We also pointed out that VA did
not have a departmentwide business process improvement strategy specifying
what reengineering and improvement projects were needed, how they were
related, and how they were prioritized. At the time, VA concurred with our
recommendation to develop such a strategy.

VA's assistant secretary for policy and planning and principal deputy
assistant secretary for information and technology have now, however,
informed us that VA no longer plans to develop an unified, departmentwide
business process improvement strategy. According to the assistant secretary,
the department will, instead, rely on each of its administrations-VBA, VHA,
and NCA-to reengineer its own business process.

As we reported in 1998, an overall business process improvement strategy can
provide the means to coordinate and integrate various reengineering and
improvement projects, set priorities, and make appropriate budget decisions.
Given the department's approach of delegating to its three major components
reengineering of their own business processes, it is unclear how VA will be
able to provide veterans with a unified view of VA services. Accordingly, VA
should either reassess its "One VA" vision or, if it is committed to that
vision, reassess its strategy given the inconsistency in its approach.

VA Lacks an Integrated IT Architecture

A VA architecture team consisting of representatives from VA administrations
and offices issued a report to the VA CIO Council in May 1997 adopting the
National Institute of Standards and Technology (NIST) five-layer model for
its departmentwide IT architecture. The five layers-business processes,
information flows and relationships, applications processing, data
descriptions, and technology-provide a framework for defining an IT
architecture.

However, as discussed in our 1998 report, VA and its components had yet to
define a departmentwide, integrated architecture. Accordingly, we
recommended that VA develop a detailed implementation plan with milestones
for completing such an IT architecture.

Although VA concurred with our recommendation, it did not develop a detailed
implementation plan with milestones for completing the architecture.
Instead, VA published a departmentwide technical architecture, which
includes a technical reference model and standards profile. This document
describes only one element-the technology layer-of the full NIST model. VA
has not yet documented the logical architecture showing the business
processes, information flows and relationships, applications processing, and
data description layers for the entire department.

VA's principal deputy assistant secretary for information technology said
that in order to develop the logical architecture, the business owners would
have to be involved. However, he has no plans to bring them together to
begin this process. He believes, instead, that their individual business
process reengineering initiatives will eventually result in development of
these areas, although he did not explain how this would happen without
guidance from VA. We believe that it is important for VA's CIO or designee
to take the leadership role and work with the business owners to develop the
logical architecture so that the department can produce an integrated IT
architecture.

At the component agency level, neither VBA nor VHA has fully defined and
documented their current IT architectures. VBA's new CIO recently stated
that plans to hire a contractor to document the architecture are now on hold
until completion of a new information systems strategic plan. This
individual stated that the IT architecture would be made part of the plan.
Regarding VHA's architecture, our analysis of its most recent document, IT
Architecture-Fiscal Year 1999 Plan, shows that it also lacks key layers of
the NIST model. It contains information on VHA's business processes and the
technology infrastructure, but details on the information flows and
relationships, applications processing, and data description layers are
missing. VHA's IT architect said that VHA recognizes that it needs to
complete these other layers of the architecture but does not have an
estimate of when this will happen.

VA Faces Challenges on Three IT Projects

MVR Has Not Been Completely Implemented Within VBA

According to VA's principal deputy assistant secretary for information and
technology, the MVR project was completed in 1999. The project director told
us that MVR's life-cycle cost was about $4 million. MVR has enabled the
transmission of messages across VHA, NCA, and VA staff offices. As
anticipated, these messages include veteran status changes such as addresses
and death notifications, which can be reported to any VA office with the
expectation that all benefits programs operations will be informed of the
new information. According to VA, MVR has begun to produce some of the
benefits expected. For example, VHA medical centers can now be notified more
quickly of changes in veterans' benefits status that affect hospital
eligibility. However, VA is unable to quantify the benefits attributable to
MVR.

Although VA considers MVR to be completed, one VA administration-VBA-is not
yet fully linked to the system. In particular, VBA's largest service line,
compensation and pension, does not yet have a gateway to receive MVR
information, such as address changes and death notifications, from other
systems. VBA initially stated that funding and policy issues had to be
resolved before MVR could be implemented, yet it planned to develop the
gateway needed for its compensation and pension benefits payments system to
become fully linked to MVR by December 1999. VBA did not, however, meet this
deadline due to a departmental request that it study the feasibility of
using an existing interface between VBA and NCA to access MVR. As of April
28, 2000, VBA still had not awarded a contract to complete this study and
develop the MVR gateway.

According to VA's MVR director, the delay in VBA's compensation and pension
service line fully linking to MVR has not significantly affected the
department's ability to realize benefits. While unable to quantify benefits
for the program, he said that MVR is paying for itself today as VHA uses the
system for its enrollment program, specifically to determine veterans'
eligibility for medical care benefits.

Notwithstanding these enrollment related benefits, the potential additional
benefits of MVR could be significant if VBA's compensation and pension
service line was linked to it. In particular, early death notifications via
MVR could help minimize compensation and pension overpayments to veterans
who had died. According to a December 1996 report by VA's OIG on
compensation and pension overpayments, 20 percent of overpayments went to
veterans who had already died. These overpayments increase the amount of
debt or accounts receivable that VBA must subsequently attempt to collect.
Full linkage to MVR could provide compensation and pension personnel with
notices of death sooner, and thereby help minimize such overpayments.

VETSNET Has Experienced Schedule Delays

Two major projects initiated under VETSNET were compensation and pension
(C&P) replacement and education redesign. The C&P project was intended to
replace VBA's existing legacy compensation and pension payment systems with
one new, state-of-the-art system. This project, which began in April 1996,
had an estimated cost of $8 million and was scheduled for completion in May
1998. The education redesign project was intended to replace each of VBA's
four education payment systems. This project, which began in January 1997,
had an estimated cost of $9 million and was scheduled for completion in
December 1998.

Neither of these two major projects has yet been completed. The C&P
replacement project missed several key milestones, including its May 1998
completion date and a revised completion date of December 1998. VBA
currently has no expected completion date for this project. The education
redesign project was terminated without a product in November 1997, and VBA
has not established a date for when this project will be restarted. To date,
at least $11.5 million has reportedly been spent on the VETSNET C&P
replacement project and about $3 million on the education redesign project,
with no measurable improvement in service to veterans.

We and others have previously reported on problems that VBA has had in
completing the VETSNET C&P and education redesign projects. One key reason
for these problems is the lack of an integrated architecture defining the
business processes, information flows and relationships, business
requirements, and data descriptions. For example, the C&P project was begun
before VBA had fully developed and validated its business requirements on
what the new system was supposed to do. Project delays subsequently resulted
because of confusion over the specific requirements to be developed. At the
same time, the contractor for the education redesign project cited problems
with the constant redefining of the computer hardware and software to be
used.

Another key reason for its problems with the VETSNET projects is VBA's
immature software development capability. In 1996 we reported and testified
that VBA's software development capability was ad hoc and chaotic-the lowest
level of software development capability. More specifically, at this level,
VBA could not reliably develop and maintain high-quality software on any
major project within cost and schedule constraints. Reviews by us and VA
illustrated that these projects had difficulties meeting deadlines and that
not all critical systems development areas were adequately addressed. For
example, in our May 1997 report, we noted that both the C&P replacement and
education redesign projects had missed deadlines and had schedule delays.

VBA officials acknowledge these problems and have informed us that efforts
are underway to address them. As we have previously recommended, it is
critical that VBA establish a complete, integrated systems architecture and
improve its software development capability if it is to avoid problems like
these in the future.

VHA's DSS Has Been Implemented, but System Usage Varies

VHA planned to implement DSS at all of its medical centers-currently
143-from 1994 through 1997 at an estimated cost of $132 million. Beginning
in May 1994, VHA implemented DSS in its medical centers in six separate
implementation efforts. It had been implemented at all VA medical centers by
the end of October 1998. The total estimated cost through fiscal year 1999
to develop and operate DSS was reportedly at least $213 million. VHA expects
to spend about $48 million to operate DSS this year.

Although VHA could not quantify the benefits derived from the use of DSS, to
date at least 44 VHA medical centers and selected Veterans Integrated
Service Networks (VISN) have cited benefits attributable to DSS, including
cost reductions and improved clinical processes. For example, VISN 9
determined that integrating services between its Nashville and Murfreesboro
(Tennessee) medical centers could result in projected savings of $5.8
million. In another example, the clinical practice of routinely ordering two
units of pre-surgery autologous blood for total knee replacement was
changed, at the Portland (Oregon) VA medical center, resulting in estimated
savings of $600+ per case.

However, none of the medical centers and VISNs we contacted use DSS for all
of the purposes for which VHA intended. For example, of the 20 VISNs we
contacted-representing 126 medical centers-only 3 VISNs-representing 14
medical centers-use DSS for budget formulation and resource allocation,
according to DSS staff. Instead, they tend to use the cost distribution
report for budget formulation and the Veterans Equitable Resource Allocation
model for resource allocation. Only one VISN has begun to use DSS to measure
outcomes-based performance and effectiveness of health care delivery
processes.

A variety of reasons were given for why more medical centers and VISNs have
not made greater use of DSS. First, some medical centers have been reluctant
to use DSS because of concerns about the accuracy and completeness of its
data. Work performed by us, VA's OIG, and the DSS Steering Committee has
raised similar concerns. Second, VHA fiscal officials that we interviewed
told us that medical centers need about 2 years of DSS data before the
system can be used for budget formulation and resource allocation. It was
not until last October that the 52 medical centers in the final round of DSS
implementation had accumulated 2 years of data.

Third, DSS usage may have been hampered by insufficient staff, staff with
inadequate skills, and staff turnover. For example, according to a
post-implementation review performed by VA's IRM Policy and Standards
Service, over 70 percent of the medical centers had not followed staffing
guidelines recommended by VHA's Implementation and Training Service. The
review further stated that in some of these medical centers, the DSS teams
were understaffed by as much as 50 percent. VHA's previous deputy director
for technical implementation also told us that some medical center directors
assigned personnel with inadequate skills. Additionally, several VISN DSS
coordinators said that they have had difficulty retaining well-trained DSS
personnel.

We have discussed these concerns with VHA officials and they generally
concur with them. According to these officials, efforts are underway to
address these problems and corrective actions are expected to be completed
by 2002. It is critical that VHA follow through in addressing these problems
if it is to achieve the benefits intended from the hundreds of millions of
dollars spent to date on DSS.

VA Has Begun to Address Computer Security Challenges

In September 1998 we reported that VA's lack of effective information system
controls placed critical department operations-such as financial management,
health care delivery, benefits payments, and other operations-at risk of
misuse and disruption. A key reason for these continuing information systems
control problems was that the department did not have a comprehensive
computer security planning and management program. Accordingly, we
recommended that the Secretary develop and implement such a departmentwide
program, and work with the VBA and VHA CIOs and facility directors to
implement appropriate security measures and controls in agency facilities.
VA recognized the significance of these problems and reported information
systems security as a material weakness in its Federal Managers' Financial
Integrity Act reports for 1998 and 1999.

To address our recommendation to develop a comprehensive computer security
planning and management program, VA established a centrally managed security
group in February 1999 and an information security working group in March
1999. Since then, VA has (1) developed a departmentwide plan to improve
information systems security throughout the department, (2) established a
departmentwide computer security planning and management program, and (3)
initiated a program to increase computer security awareness across its
administrations and offices. VA is now developing a risk-based framework for
addressing information security issues.

In addition, VA organizations have independently initiated actions to
improve certain aspects of their computer security programs. For example, as
we reported in October 1999, the Austin Automation Center corrected most of
the computer security issues we identified in 1998. Specifically, the center
reduced the number of users with access to the computer room; restricted
access to certain sensitive libraries, audit information, and utilities;
improved identification and password management controls; developed a formal
software change control process; and expanded tests of its disaster recovery
plan.

In contrast, the VBA benefits delivery centers are still in the process of
correcting most of the weaknesses we reported in 1998. For example,
information security reviews performed by VA's OIG in 1999 found that only
one of seven weaknesses we found had been corrected at the Philadelphia
benefits delivery center and that five of seven weaknesses had not been
fully addressed by the Hines, Illinois, benefits delivery center.

In addition, audits by us as well as by VA's OIG continue to find serious
problems related to the department's control and oversight of access to its
computer systems at VA facilities such as the Philadelphia Insurance Center,
and the Hines (Illinois) and Philadelphia benefits delivery centers. For
example, VA still has not adequately limited the access granted to
authorized users, appropriately segregated incompatible duties among
computer personnel, adequately managed user identifications and passwords,
or routinely monitored access activity. We made several recommendations to
address these problems.

We performed this assignment in accordance with generally accepted
government auditing standards, from July 1999 through April 2000. In
carrying out this assignment, we reviewed and analyzed VA's IT investment
process policies and compared these with applicable guidance in this area.
We also analyzed the results of IT investments conducted by the CIB, VA
OI&T, and VA components/offices. In particular, we reviewed 17 IT proposals
submitted as part of the department's fiscal year 2000 investment planning
process and 12 IT proposals submitted as part of the fiscal year 2001
process. We reviewed VA's directives regarding the responsibilities of the
CIO and reviewed and analyzed VA, VBA, and VHA IT architecture documents,
comparing these to NIST's five-layer standard, the guidance used by VA. For
the MVR, VETSNET, and DSS projects, we reviewed and analyzed costs,
schedules, and status updates. In the area of computer security, we reviewed
our recent reports and VA updates on actions taken to address our
recommendations.

Mr. Chairman, this concludes my statement. I would be pleased to respond to
any questions that you or other members of the Subcommittee may have at this
time.

Contact and Acknowledgments

(511778)

        Orders by Internet

For information on how to access GAO reports on the Internet, send an e-mail
message with "info" in the body to:

[email protected]

or visit GAO's World Wide Web home page at:

http://www.gao.gov

        Web site: http://www.gao.gov/fraudnet/fraudnet.htm

E-mail: [email protected]

1-800-424-5454 (automated answering system)
  
*** End of document. ***