Information Technology Management
Observations on the Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval and Sharing (BSA Direct R&S) Project Gao ID: GAO-06-947R July 14, 2006The Financial Crimes Enforcement Network's (FinCEN) primary function is to support and strengthen domestic and international anti-money laundering efforts through coordination and partnerships. Since its creation in 1990, FinCEN has been responsible for overseeing the management, processing, storage and dissemination of Bank Secrecy Act (BSA) data. In 2004, FinCEN embarked on a major initiative intended to improve the sharing of information reported under the Bank Secrecy Act. BSA Direct is an umbrella project intended to provide secure, user-friendly, web-based tools for accessing, analyzing, and filing BSA data. It is part of a broad effort to reengineer data management responsibilities and transition them from the IRS. During the early spring of 2006, it became clear to FinCEN that the Retrieval and Sharing component of the BSA Direct project (BSA Direct R&S) was not going to meet the critical implementation deadline of June 30, 2006. Because FinCEN has experienced problems with development and implementation of the BSA Direct R&S, Congress asked us about the project's current status and to provide observations on FinCEN's IT investment management practices. Our objectives were to (1) describe BSA Direct R&S and the project's current status; (2) examine FinCEN's application of information technology (IT) investment management processes to the BSA Direct R&S project; and (3) describe, at a high level, the range of options FinCEN may consider as it reexamines the BSA Direct R&S project.
On March 15, 2006 the director of FinCEN placed the Retrieval and Sharing component of the BSA Direct project under a temporary "stop work" order because of significant cost, schedule, and performance issues. For example, phase one of the project was planned for completion in 250 days but was actually completed in 373 days. Judging against the criteria of GAO's framework for information technology investment management, GAO found that FinCEN did not always apply effective investment management processes to oversee the BSA Direct R&S project. This, in part, contributed to the problems experienced by the project, because issues that occurred at the project management level continued and compounded, yet were not addressed at the executive level. For example, MITRE--the organization assisting FinCEN with project monitoring--identified multiple occasions where FinCEN did not take action to mitigate project risks or address significant de-scoping of project functionality. FinCEN is considering three basic options in determining whether or not to continue the BSA Direct R&S project. These include reestablishing a modified contract; finding a new contractor to take over the project; or terminating the contract and assessing needs and plans for new capabilities. FinCEN's inadequate application of sound information technology investment management processes and controls to the BSA Direct R&S project contributed to the cost, schedule, and performance issues that have plagued the project from its inception. FinCEN plans to determine the future direction of BSA Direct R&S in mid-July 2006. Regardless of what decision is made, FinCEN runs the risk of having similar problems and similar results in the future unless better investment management processes and procedures are put in place.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-06-947R, Information Technology Management: Observations on the Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval and Sharing (BSA Direct R&S) Project
This is the accessible text file for GAO report number GAO-06-947R
entitled 'Information Technology Management: Observations on the
Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval
and Sharing (BSA Direct R&S) Project' which was released on July 17,
2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
July 14, 2006:
The Honorable Christopher Bond:
Chairman:
The Honorable Patty Murray:
Ranking Minority Member:
Subcommittee on Transportation, Treasury,
the Judiciary, HUD and Related Agencies:
Committee on Appropriations:
United States Senate:
Subject: Information Technology Management: Observations on the
Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval
and Sharing (BSA Direct R&S) Project:
FinCEN's primary function is to support and strengthen domestic and
international anti-money laundering efforts through coordination and
partnerships. Since its creation in 1990, FinCEN has been responsible
for overseeing the management, processing, storage and dissemination of
Bank Secrecy Act (BSA) data.[Footnote 1] In 2004, FinCEN embarked on a
major initiative intended to improve the sharing of information
reported under the Bank Secrecy Act. BSA Direct is an umbrella project
intended to provide secure, user-friendly, web-based tools for
accessing, analyzing, and filing BSA data. It is part of a broad effort
to reengineer data management responsibilities and transition them from
the IRS. During the early spring of 2006, it became clear to FinCEN
that the Retrieval and Sharing component of the BSA Direct project (BSA
Direct R&S) was not going to meet the critical implementation deadline
of June 30, 2006.
Objectives:
Because FinCEN has experienced problems with development and
implementation of the BSA Direct R&S, you asked us about the project's
current status and to provide observations on FinCEN's IT investment
management practices. Our objectives were to (1) describe BSA Direct
R&S and the project's current status; (2) examine FinCEN's application
of information technology (IT) investment management processes to the
BSA Direct R&S project; and (3) describe, at a high level, the range of
options FinCEN may consider as it reexamines the BSA Direct R&S
project.
We are sending copies of this report to the Secretary of Treasury, the
Director of FinCEN, and interested congressional committees. We will
also provide copies to others on request.
Scope and Methodology:
To provide observations on FinCEN's BSA Direct R&S project, we reviewed
and analyzed BSA Direct planning and implementation documents,
interviewed agency officials at FinCEN, the Internal Revenue Service
(IRS), and some users of BSA information such as federal law
enforcement agencies. We also examined FinCEN's application of IT
investment management processes to the BSA Direct R&S project using
GAO's guide, Information Technology Investment Management: A Framework
for Assessing and Improving Process Maturity,[Footnote 2] as our
criteria. We did not conduct a comprehensive review of FinCEN's
investment management practices. We focused on critical processes
associated with Stage 2 of the five-stage framework because they
represent the practices needed for basic project-level control. We
reviewed project documents such as the Office of Management and Budget
Exhibit 300, the original BSA Direct R&S contract and revisions,
progress reports, interim briefings, and project assessments conducted
by MITRE. We also interviewed FinCEN officials responsible for
investment management and the BSA Direct R&S project, the contractor
conducting the BSA Direct R&S project, and MITRE officials involved in
the project. We conducted our review according to generally accepted
government auditing standards between May and July 2006.
In late June 2006, we provided a detailed briefing to your staff on the
results of this work. The briefing slides are included as Enclosure I.
The purpose of this letter is to publish the briefing slides and to
transmit our recommendations to the Director of FinCEN.
Results in Brief:
On March 15, 2006 the director of FinCEN placed the Retrieval and
Sharing component of the BSA Direct project under a temporary "stop
work" order because of significant cost, schedule, and performance
issues. For example, phase one of the project was planned for
completion in 250 days but was actually completed in 373 days.
Judging against the criteria of GAO's framework for information
technology investment management , GAO found that FinCEN did not always
apply effective investment management processes to oversee the BSA
Direct R&S project. This, in part, contributed to the problems
experienced by the project, because issues that occurred at the project
management level continued and compounded, yet were not addressed at
the executive level. For example, MITRE--the organization assisting
FinCEN with project monitoring--identified multiple occasions where
FinCEN did not take action to mitigate project risks or address
significant de-scoping of project functionality.
FinCEN is considering three basic options in determining whether or not
to continue the BSA Direct R&S project. These include reestablishing a
modified contract; finding a new contractor to take over the project;
or terminating the contract and assessing needs and plans for new
capabilities. FinCEN's inadequate application of sound information
technology investment management processes and controls to the BSA
Direct R&S project contributed to the cost, schedule, and performance
issues that have plagued the project from its inception. FinCEN plans
to determine the future direction of BSA Direct R&S in mid-July 2006.
Regardless of what decision is made, FinCEN runs the risk of having
similar problems and similar results in the future unless better
investment management processes and procedures are put in place.
Recommendation for Executive Action:
In light of the issues experienced on the BSA Direct R&S project, we
recommend that the Director of FinCEN direct the Chief Information
Officer (CIO) to develop a plan for improving the agency's capabilities
for overseeing the BSA Direct project. The plan should focus in
particular on establishing policies and procedures for executives to
regularly review investments' progress against commitments and take
corrective actions when these commitments are not met. In addition, the
plan should (1) specify measurable goals, objectives, and milestones;
(2) specify needed resources; (3) assign clear responsibility and
accountability for accomplishing tasks; and (4) be approved by the
Director of FinCEN. In implementing the plan, the FinCEN CIO should
report progress against expectations to the FinCEN Director and take
appropriate actions to address deviations.
Agency Comments:
In commenting orally on a draft of this report, the Acting Deputy Chief
Information Officer stated that FinCEN concurred fully with our
findings and recommendation.
If you or your staff have any questions, or wish to discuss this
material further, please call me at (202) 512-5594 or whitej@gao.gov.
We are sending copies of this report to the Secretary of Treasury, the
Director of FinCEN, and interested congressional committees. The letter
is also available on GAO's home page at [Hyperlink,
http://www.gao.gov]. We will also provide copies to others on request.
GAO staff who made major contributions to this report are listed in
Enclosure II.
Signed by:
James R. White:
Director, Strategic Issues:
Enclosures (2):
Enclosure I:
Observations on the Financial Crimes Enforcement Network's (FinCEN's)
BSA Direct Retrieval & Sharing Project:
Briefing to Senate Appropriations Subcommittee on Transportation,
Treasury, the Judiciary, HUD and Related Agencies:
June 22, 2006:
Purpose and Outline:
Purpose:
To describe the status of the Retrieval and Sharing component of the
BSA:
Direct project (BSA Direct R&S)[Footnote 3] and provide our
observations on the project and its future.
Outline:
Objectives.
Scope and Methodology.
Results in Brief.
Background.
Status of BSA Direct R&S.
Observations on BSA Direct R&S.
Potential Options for the Future of BSA Direct R&S.
Conclusions.
Recommendation for Executive Action.
Objectives:
Describe BSA Direct R&S and the project's current status.
Examine FinCEN's application of information technology (IT) investment
management processes to the BSA Direct R&S project.
Describe, at a high level, the range of options FinCEN may consider as
it reexamines the BSA Direct R&S project.
Scope and Methodology:
For objectives 1, 2 and 3 we reviewed and analyzed BSA Direct R&S
planning and implementation documents, interviewed agency officials at
FinCEN, the Internal Revenue Service (IRS), and some users of BSA
information such as federal law enforcement agencies.
In addition, for objective 2 we also examined FinCEN's application of
IT investment management processes to the BSA Direct R&S project using
GAO's guide, Information Technology Investment Management: A Framework
for Assessing and Improving Process Maturity[Footnote 4], as our
criteria. We focused on critical processes associated with Stage 2 of
the five-stage framework because they represent the practices needed
for basic project-level control. We reviewed project documents such as
the Office of Management and Budget Exhibit 300, the original BSA
Direct R&S contract and revisions, progress reports, interim briefings,
and project assessments conducted by MITRE. We also interviewed FinCEN
officials responsible for investment management and the BSA Direct
project, the contractor conducting the BSA Direct R&S project, and
MITRE officials involved in the project.
Results in Brief:
On March 15, 2006 the director of FinCEN placed the retrieval and
sharing component of the BSA Direct project under a temporary "stop
work" order because of significant cost, schedule, and performance
issues. For example, phase one of the contract was planned for
completion in 250 days but was actually completed in 373 days.
Judging against the criteria of GAO's framework for information
technology investment management, we found that FinCEN did not always
apply effective investment management practices to oversee the BSA
Direct R&S project. This, in part, contributed to the problems
experienced by the project, because issues that occurred at the project
management level continued and compounded, yet were not addressed at
the executive level. For example, MITRE-the organization assisting
FinCEN with project monitoring-identified multiple occasions where
FinCEN did not take action to mitigate project risks or address
significant de-scoping of project functionality.
FinCEN is considering three basic options in determining whether or not
to continue the BSA Direct R&S project. These include reestablishing a
modified contract; finding a new contractor to take over the project;
or terminating the contract and assessing needs and plans for new
capabilities.
Background:
Legislative and Statutory Authorities:
The Bank Secrecy Act (BSA), enacted by Congress in 1970, authorizes the
Secretary of the Treasury to issue regulations requiring financial
institutions to retain records and file reports that are determined to
have a significant degree of usefulness in criminal, tax, and
regulatory investigations[Footnote 5]. Following the September 11th
terrorist attacks, Congress passed the USA PATRIOT Act, which among
other things, amended the BSA to allow information collected under the
BSA to be used in the conduct of intelligence or counterintelligence
activities and to protect against international terrorism.
The BSA charged the Secretary of Treasury to designate "a single
officer or agency of the United States to whom suspicious activity
reports shall be made."[Footnote 6] The agency designated for BSA
compliance is responsible for overseeing the administration of the BSA.
Overall authority for enforcement and compliance of the BSA has been
delegated to the Assistant Secretary of the Treasury; which further
delegated responsibility to the Director of the Financial Crimes
Enforcement Network (FinCEN), a bureau of the Department of
Treasury[Footnote 7].
BSA Data Management Responsibilities:
FinCEN's mission is to support and strengthen domestic and
international anti-money laundering efforts through coordination and
partnerships. Since its creation in 1990, FinCEN has been responsible
for overseeing the management, processing, storage and dissemination of
BSA data. FinCEN is the overall administrator of the Bank Secrecy Act
and thus is ultimately responsible for the management of BSA data.
However, the Department of the Treasury, historically, has relied upon
the Internal Revenue Service (IRS) to assist FinCEN in the management
of BSA information. Under a longstanding cooperative arrangement with
FinCEN, the IRS collects and stores all the data reported under the
BSA. IRS's Detroit Computing Center (DCC) is the central point of
collection and housing of all BSA data in a single repository. DCC
maintains the infrastructure needed to collect the reports, convert
paper and magnetic tape submissions to electronic media, correct errors
in submitted forms through correspondence with filers, and store the
data on its Currency and Banking Retrieval System (CBRS).
FinCEN's BSA Direct R&S Project Description:
BSA Direct is an umbrella project intended to improve the sharing of
information reported under the Bank Secrecy Act. FinCEN characterizes
it as a major initiative intended to provide secure, user-friendly, web-
based tools for accessing, analyzing, and filing BSA data. It has
several components, including electronic filing, secure access, and
retrieval and sharing.
BSA Direct is part of a broad effort by FinCEN to transition from the
IRS, and reengineer, BSA data management responsibilities.
FinCEN entered into a contract with EDS in June 2004 to develop the
retrieval and sharing component of BSA Direct.
FinCEN's BSA Direct Project Status:
On March 15, 2006, the director of FinCEN placed the retrieval and
sharing component of the BSA Direct project under a temporary "stop
work" order because the project had repeatedly failed to meet
performance milestones, was experiencing significant issues with both
functionality and stability, and was not going to meet the critical
implementation deadline of June 30, 2006. This "stop work" period,
originally for 90 days, was extended by the director for an additional
30 days to July 15, 2006.
During this period all work on the project by both FinCEN employees and
the project contractor have been halted. Meanwhile FinCEN is
coordinating with the IRS-who currently and historically has collected
and maintained BSA data-in an effort to ensure users do not experience
an interruption in service. FinCEN has also assembled an assessment
team that has been charged with assessing the BSA Direct R&S system,
conducting an alternatives analysis, and recommending a course of
action moving forward.
FinCEN's BSA Direct R&S Project IRS's Current Role:
After FinCEN recognized BSA Direct R&S would not be implemented before
the critical June 30, 2006 deadline, it determined the need to
coordinate with the IRS to ensure users of BSA data do not experience
an interruption in service.
Meeting the June 30, 2006 deadline was critical to the project's
success because that is when IRS is shutting down the legacy system
(CBRS) containing all BSA data. IRS no longer needs this legacy system
because they have developed a new system, called WebCBRS, to store all
BSA data and then disseminate it to internal (IRS) customers.
Meanwhile, BSA Direct R&S was intended to provide non-IRS users with
access to BSA data once the legacy system was discontinued. Since
FinCEN halted work on BSA Direct R&S, agency officials have been
working with IRS to identify a way to provide non-IRS users with access
to the WebCBRS system in the same way that they had access to CBRS.
Observations on BSA Direct R&S IT Management:
There are many areas that are important to successfully managing IT,
including investment management, system/software development and
acquisition management, enterprise architecture management, information
security, and human capital management. In each of these areas there
are numerous policies and procedures that can be applied.
Of particular relevance to FinCEN's BSA Direct R&S project are
investment management and system/software development and acquisition
management. Investment management focuses on the selection and
management oversight of an agency's or division's IT investments.
Whereas, system/software development and acquisition management focuses
on process management and quality improvement at the project management
level.
The Office of the Inspector General for Treasury is conducting a review
of the BSA Direct R&S project and the system/software development and
acquisition management processes and procedures that were in place.
Therefore, for the purposes of this briefing, the focus is to provide
our observations on FinCEN's application of some investment management
processes and procedures to the BSA Direct R&S project.
Observations on BSA Direct R&S ITIM Overview:
The Information Technology Investment Management (ITIM) framework
focuses on the selection and management oversight of an agency's or
division's IT investments. Built around the select/control/evaluate
approach described in the Clinger-Cohen Act[Footnote 8], the ITIM
framework provides a method for evaluating and assessing how well an
agency is selecting and managing its IT resources. Agencies can also
use the framework as they work to improve their processes.
The maturity stages, depicted in figure 1, represent steps toward
achieving a stable and mature IT investment management process.
Organizations implementing Stages 2 and 3 of the framework have in
place the investment selection, control, and evaluation processes that
are required by the Clinger-Cohen Act.
Observations on BSA Direct R&S The Five Stages of Maturity within ITIM:
Figure 1: Five Stages of Maturity within ITIM:
[See PDF for image]
Source: GAO.
[End of figure]
Observations on BSA Direct R&S Characterization of ITIM Stages 1 & 2:
Stage 1 of the ITIM framework is characterized as IT spending without
disciplined investment processes:
In Stage 2 basic selection capabilities are driven by the development
of project selection criteria, including benefit and risk criteria, and
an awareness of organizational priorities when identifying projects for
funding. Executive oversight is applied on a project-by-project basis.
The five critical processes of investment management at Stage 2 are:
Instituting the investment board,
Meeting business needs,
Providing investment oversight,
Capturing investment information, and
Selecting an investment:
Table 1 describes the critical ITIM processes at Stage 2 and our
observations on how these processes have been applied to the BSA Direct
R&S project.
Observations on BSA Direct R&S Application of Critical Stage 2
Processes:
Table 1: Observations on FinCEN's Application of Stage 2 ITIM Processes
to the BSA Direct R&S Project:
Stage 2 ITIM Processes: Instituting the investment board: entails
creating and defining the membership and guiding policies, operations,
roles, responsibilities, and authorities for one or more IT investment
boards within the organization;
Observations on Application to BSA Direct R&S: FinCEN chartered a
Technology Review Board in June 2005 that is responsible for managing
capital planning investment control processes and overseeing the use of
technology. However, in practice, this review board did not have
jurisdiction or final decision-making authority over the BSA Direct R&S
project.
Stage 2 ITIM Processes: Meeting business needs: entails ensuring that
IT projects and systems support the organization's business needs and
meet users' needs. It involves identifying business and users' needs
for each IT project and having users participate in project management
throughout the project's life cycle;
Observations on Application to BSA Direct R&S: Users did not
consistently participate in BSA Direct R&S during the project life
cycle. Specifically, FinCEN involved users in conducting a requirements
analysis to document business and users' needs before the BSA Direct
R&S contract was awarded. However, after the contract award, every
FinCEN user we spoke with stated they had not participated in the
process since that time.
Stage 2 ITIM Processes: Providing investment oversight: entails
monitoring the progress of all IT projects and systems relative to
cost, schedule, risk, and benefit expectations and taking corrective
action when these expectations are not being met;
Observations on Application to BSA Direct R&S: FinCEN project managers
met regularly with the BSA Direct R&S contractor and occasionally with
MITRE to discuss the project's progress. They were provided reports
documenting issues impacting the cost, schedule, and performance of the
BSA Direct R&S project, however, it is unclear what information was
provided to FinCEN executives, when it was provided, or how it was used
in decision-making.
Stage 2 ITIM Processes: Capturing investment information: involves
identifying IT assets and creating a comprehensive repository of
investment information for decision makers to use to evaluate the
impacts and opportunities created by proposed (or continuing) IT
investments;
Observations on Application to BSA Direct R&S: FinCEN has made efforts
to capture information on its IT assets. However, this information was
not always used effectively to evaluate the impact that interfacing BSA
Direct R&S with other IT systems would have. For example, nine months
after the BSA Direct R&S contract was awarded significant modifications
had to be made to address system incompatibility issues.
Stage 2 ITIM Processes: Selecting an investment: entails ensuring that
a well-defined and disciplined process be used to select new IT
proposals and reselect ongoing investments;
Observations on Application to BSA Direct R&S: We did not examine the
process used to select the BSA Direct R&S proposal. Since the stop-work
order on BSA Direct R&S, FinCEN has also developed an assessment team
to reselect-i.e. determine whether to continue funding-this project.
Source: GAO analysis:
[End of Table]
Observations on BSA Direct R&S Importance of Internal Control
Techniques:
One important focus in Stage 2 of the ITIM framework is the attainment
of repeatable successful IT investment control techniques at the
project level. For an organization to develop a sound IT investment
process, it must first be able to control its investments so that they
finish predictably within established schedule and budget ranges. In
addition, it must be able to identify potential exposures to risk and
put in place strategies to mitigate that risk.
In the absence of predictable, repeatable, and reliable investment
control processes, selected investments will be subject to a higher
risk of failure despite rigorous analysis of the estimates used to
justify them. Further the absence of repeatable control processes will
result in ineffective evaluation processes and contradictory efforts at
process improvement.
Observations on BSA Direct R&S Application of Internal Control
Processes:
In FinCEN's case, the BSA Direct R&S project lacked sufficient
investment control techniques. This, in part, contributed to the
problems experienced by the project, because issues that occurred at
the project management level continued and compounded, yet were not
addressed at the executive level. For example, MITRE found that the
project:
was not fully baselined from inception in July 2004 until February
2005;
lost the baseline 3 months later and could not be fully recovered, in
part, because of:
* contractor staffing issues thru September 2005,
* ongoing schedule slippages, without risk mitigation activity, and
* project de-scoping, meaning certain functionalities in the original
contract would not be provided;
lacked system acceptance criteria, known as a Service Level Agreement.
These, and other, issues were significant and had a major impact on the
project, yet they remained for months and often were never adequately
addressed. Figure 2 illustrates how these, and other, issues impacted
the project from a chronological perspective and table 2 provides a
month-by-month accounting of many of the issues identified by MITRE.
Observations on BSA Direct R&S Schedule Slippages:
Figure 2: BSA Direct R&S Project Schedule Slippages:
[See PDF for Image]
Source: GAO.
Note: Updates and revisions were made to the BSA Direct R&S project
schedule on an ongoing basis; however, we selected the following three
revision dates to illustrate how the schedule changed over time:
Revision 1 - March 21, 2005; Revision 2 - September 19, 2005; Revision
3 - February 22, 2006.
Note: Phases 1, 2, and 3 denote critical milestones established by
FinCEN and the contractor for the BSA Direct R&S project.
[End of Figure]
Observations on BSA Direct R&S Chronology of Issues Identified:
Table 2: Chronology of Some Issues Identified by MITRE during the BSA:
Update: July 2004 (Project launched);
Issue Identified: [Empty].
Update: August 2004;
Issue identified: Project schedule not baselined, Project understaffed.
Update: September 2004;
Issue Identified: Project schedule not baselined, Project understaffed.
Update: October 2004;
Issue identified: Project schedule not baselined, Project understaffed.
Update: November 2004;
Issue identified: Project schedule not baselined, Project understaffed.
Update: December 2004;
Issue identified: Project understaffed.
Update: January 2005;
Issue identified: February 2005.
Update: February 2005;
Issue identified: Project understaffed.
Update: March 2005;
Issue identified: Project understaffed.
Update: April 2005;
Issue identified: Project understaffed.
Update: May 2005;
Issue identified: Project understaffed, Project baseline lost.
Update: June 2005;
Issue identified: Project understaffed, Project baseline lost.
Update: July 2005;
Issue identified: Project understaffed, Project baseline lost.
Update: August 2005;
Issue identified: Project understaffed, No business continuity plan,
MITRE not consistently included in project discussions and meetings.
Update: September 2005;
Issue identified: Project understaffed, Lack of project baseline, Need
for system design change, MITRE not consistently included in project
discussions and meetings.
Update: October 2005;
Issue identified: Contractor project manager resign.
Update November 2005;
Issue identified: Schedule slippage with no risk mitigation activities.
Update: December 2005;
Issue identified: Schedule slippage with no risk mitigation activities.
Update: January 2006;
Issue identified: Loss of project baseline.
Update: February 2006;
Issue identified: Project de-scooping, Schedule slippage with no risk
mitigation activities.
Update: March 2006;
Issue identified: Temporary stop work order issued.
Source: GAO Summary of MITRE data:
[End of table]
Observations on BSA Direct R&S Critical Aspects of Improvement:
Critical to maturing project-level IT investment control processes is
the ability to recognize the need for and to take swift corrective
action when a project is having trouble meeting its schedule
expectations and cost estimates.
As it moves through Stage 2, an organization develops robust methods to
collect data from the project-level management processes and aggregate
it appropriately to provide executive management with the information
it needs to execute its oversight responsibilities. As the organization
matures, it also learns from past decisions and better manages the
causal factors that created past problems, thus improving the
performance results of ongoing projects.
Beyond investment control processes, the organization also begins to
implement basic selection processes. The core business needs for each
IT project are identified and the basic portfolio development processes
are used to select new IT proposals.
BSA Direct R&S Project Options:
Since the director of FinCEN issued a stop-work order on BSA Direct R&S
on March 15, 2006, FinCEN has established a reassessment team to
determine the future of the project. According to FinCEN officials,
they are considering three basic options during this reassessment
period. These include:
reestablishing a modified contract with EDS;
developing a new request for proposal, enabling a new contractor to
take over the project; or:
terminating the contract and assessing agency needs and plans for new
capabilities:
Potential Options for BSA Direct R&S Project Options and Reasons for
Selection:
Table 3: BSA Direct R&S Options and Potential Reasons for Selection:
Option: FinCEN reestablishes a modified contract with EDS;
Potential Reason for Selecting: After nearly two years working on the
project, EDS has developed significant knowledge of the working
environment.
Option: FinCEN develops new request for proposal for a new contractor
to take over the project;
Potential Reason for Selecting: Brings a fresh approach that builds on
the nearly functional aspects of the system.
Option: FinCEN terminates the contract, assesses agency needs, and
plans for new capabilities;
Potential Reason for Selecting: The IRS's WebCBRS system is deemed
sufficient to provide the capability needed for the short-to
intermediate-term. This also provides FinCEN the time to reevaluate its
long-term strategy for reengineering and transitioning data management
processes.
Source: FinCEN and GAO:
[End of table]
Conclusions:
FinCEN's inadequate application of sound information technology
investment management processes and controls to oversee the BSA Direct
R&S project contributed to the cost, schedule, and performance issues
that have plagued the project from its inception.
FinCEN plans to determine the future direction of BSA Direct R&S in mid-
July 2006. Regardless of what decision is made, FinCEN runs the risk of
having similar problems and similar results in the future unless better
investment management processes and procedures are put in place.
Recommendation for Executive Action:
In order to improve FinCEN's ability to manage its IT investments, we
recommend that Director of FinCEN direct the CIO to develop a plan for
improving the agency's capabilities for overseeing the BSA Direct
project. The plan should focus in particular on establishing policies
and procedures for executives to regularly review investments' progress
against commitments and take corrective actions when these commitments
are not met.
In addition, the plan should:
specify measurable goals, objectives, and milestones;
specify needed resources;
assign clear responsibility and accountability for accomplishing tasks;
and:
be approved by the Director of FinCEN.
In implementing the plan, the FinCEN CIO should report progress against
expectations to the FinCEN Director and take appropriate actions to
address deviations.
Enclosure II:
GAO Contact and Staff Acknowledgments:
GAO Contact:
James R. White, (202) 512-5594 or whitej@gao.gov:
Acknowledgments:
In addition to the person named above, Timothy Hopkins, Robyn Howard,
Brian James, Signora May, Donna Miller, Sabine Paul, David Powner, and
Katrina Taylor made key contributions to the report.
(450500):
FOOTNOTES
[1] The Bank Secrecy Act, enacted by Congress in 1970, authorizes the
Secretary of the Treasury to issue regulations requiring financial
institutions to retain records and file reports that are determined to
have a significant degree of usefulness in criminal, tax, and
regulatory investigations or in the conduct of intelligence or
counterintelligence activities, including analysis, to protect against
international terrorism. Pub. L. 91-508, codified as amended at 12
U.S.C. 1829b,12 U.S.C. 1951-1959 and 31 U.S.C. 5311-5332.
[2] See U.S. GAO, Information Technology Investment Management: A
Framework for Assessing and Improving Process Maturity GAO-04-394G
(Washington, D.C.: March 2004).
[3] BSA Direct is an overall umbrella project with several components,
including: electronic filing, secure access, and retrieval and sharing.
This briefing focuses on the retrieval and sharing component of BSA
Direct. For purposes of clarity and to prevent confusion with the
broader BSA Direct project we use the term--BSA Direct R&S throughout
this briefing.
[4] See U.S. GAO, Information Technology Investment Management: A
Framework for Assessing and Improving Process Maturity GAO-04-394G
(Washington, D.C.: March 2004).
[5] Pub. L. 91-508, codified as amended at 12 U.S.C. §1829b,12 U.S.C.
§§1951-1959 and 31 U.S.C. §§5311-5314;5316-5332.
[6] 31 U.S.C. §5318(g) (4) (A).
[7] 31 CFR103.56 subpart (e).
[8] The fiscal year 1997 Omnibus Consolidated Appropriations Act, Pub.
L. 104-208, renamed both Division D (the Federal Acquisition Reform
Act) and E (the Information Technology Management Reform Act) of the
1996 DOD Authorization Act, Pub. L. 104-106, as the Clinger-Cohen Act
of 1996.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
