Information Technology

OMB Can Make More Effective Use of Its Investment Reviews Gao ID: GAO-05-276 April 15, 2005

For the President's Budget for Fiscal Year 2005, the Office of Management and Budget (OMB) stated that of the nearly 1,200 major information technology (IT) projects in the budget, it had placed approximately half--621 projects, representing about $22 billion--on a Management Watch List, composed of mission-critical projects with identified weaknesses. GAO was asked to describe and assess OMB's processes for (1) placing projects on its Management Watch List and (2) following up on corrective actions established for projects on the list.

For the fiscal year 2005 budget, OMB developed processes and criteria for including IT investments on its Management Watch List. In doing so, it identified opportunities to strengthen investments and promote improvements in IT management. However, it did not develop a single, aggregate list identifying the projects and their weaknesses. Instead, OMB officials told GAO that to identify IT projects with weaknesses, individual OMB analysts used scoring criteria that the office established for evaluating the justifications for funding that federal agencies submit for major projects. These analysts, each of whom is typically responsible for several federal agencies, were then responsible for maintaining information on these projects. To derive the total number of projects on the list that OMB reported for fiscal year 2005, OMB polled its individual analysts and compiled the result. However, OMB officials told GAO that they did not compile a list that identified the specific projects and their identified weaknesses. The officials added that they did not construct a single list because they did not see such an activity as necessary. Thus, OMB has not fully exploited the opportunity to use the list as a tool for analyzing IT investments on a governmentwide basis. OMB had not developed a structured, consistent process for deciding how to follow up on corrective actions that its individual analysts asked agencies to take to address weaknesses associated with projects on its Management Watch List. According to OMB officials, decisions on follow-up and monitoring of progress were typically made by the staff with responsibility for reviewing individual agency budget submissions, depending on the staff's insights into agency operations and objectives. Because it did not consistently require or monitor follow-up activities, OMB did not know whether the project risks that it identified through its Management Watch List were being managed effectively, potentially leaving resources at risk of being committed to poorly planned and managed projects. In addition, because it did not consistently monitor the follow-up performed on projects on the Management Watch List, OMB could not readily tell GAO which of the 621 projects received follow-up attention. Thus, OMB was not using its Management Watch List as a tool in setting priorities for improving IT investments on a governmentwide basis and focusing attention where it was most needed.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


GAO-05-276, Information Technology: OMB Can Make More Effective Use of Its Investment Reviews This is the accessible text file for GAO report number GAO-05-276 entitled 'Information Technology: OMB Can Make More Effective Use of Its Investment Reviews' which was released on April 15, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: April 2005: Information Technology: OMB Can Make More Effective Use of Its Investment Reviews: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-276]: GAO Highlights: Highlights of GAO-05-276, a report to congressional requesters. Why GAO Did This Study: For the President‘s Budget for Fiscal Year 2005, the Office of Management and Budget (OMB) stated that of the nearly 1,200 major information technology (IT) projects in the budget, it had placed approximately half”621 projects, representing about $22 billion”on a Management Watch List, composed of mission-critical projects with identified weaknesses. GAO was asked to describe and assess OMB‘s processes for (1) placing projects on its Management Watch List and (2) following up on corrective actions established for projects on the list. What GAO Found: For the fiscal year 2005 budget, OMB developed processes and criteria for including IT investments on its Management Watch List. In doing so, it identified opportunities to strengthen investments and promote improvements in IT management. However, it did not develop a single, aggregate list identifying the projects and their weaknesses. Instead, OMB officials told GAO that to identify IT projects with weaknesses, individual OMB analysts used scoring criteria that the office established for evaluating the justifications for funding that federal agencies submit for major projects. These analysts, each of whom is typically responsible for several federal agencies, were then responsible for maintaining information on these projects. To derive the total number of projects on the list that OMB reported for fiscal year 2005, OMB polled its individual analysts and compiled the result. However, OMB officials told GAO that they did not compile a list that identified the specific projects and their identified weaknesses. The officials added that they did not construct a single list because they did not see such an activity as necessary. Thus, OMB has not fully exploited the opportunity to use the list as a tool for analyzing IT investments on a governmentwide basis. OMB had not developed a structured, consistent process for deciding how to follow up on corrective actions that its individual analysts asked agencies to take to address weaknesses associated with projects on its Management Watch List. According to OMB officials, decisions on follow- up and monitoring of progress were typically made by the staff with responsibility for reviewing individual agency budget submissions, depending on the staff‘s insights into agency operations and objectives. Because it did not consistently require or monitor follow- up activities, OMB did not know whether the project risks that it identified through its Management Watch List were being managed effectively, potentially leaving resources at risk of being committed to poorly planned and managed projects. In addition, because it did not consistently monitor the follow-up performed on projects on the Management Watch List, OMB could not readily tell GAO which of the 621 projects received follow-up attention. Thus, OMB was not using its Management Watch List as a tool in setting priorities for improving IT investments on a governmentwide basis and focusing attention where it was most needed. What GAO Recommends: To enable OMB to take advantage of potential benefits of using its Management Watch List as a tool for analyzing, setting priorities, and following up on IT projects, GAO is making recommendations to OMB aimed at more effective development and use of its Management Watch List. In commenting on a draft of this report, OMB did not agree that an aggregated list, as recommended by GAO, is necessary for adequate oversight and management, because it uses other information and processes for this purpose. However, GAO continues to believe that an aggregated list would contribute to OMB‘s ability to analyze IT investments governmentwide and track progress in addressing deficiencies. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-276]: To view the full product, including the scope and methodology, click on the link above. For more information, contact David Powner at (202) 512- 9286 or [Hyperlink, pownerd@gao.gov.]: Contents: Letter: Results in Brief: Background: Objectives, Scope, and Methodology: OMB Established Processes and Criteria for Identifying Weak Projects, but It Did Not Use an Aggregate List to Perform Its Analysis or Oversight: OMB's Follow-up on Projects Was Inconsistent, and Follow-up Activities Were Not Tracked Centrally: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix: Appendix I: Comments from the Office of Management and Budget: Abbreviations: IT: information technology: OIRA: Office of Information and Regulatory Affairs: OMB: Office of Management and Budget: RMO: Resource Management Office: Letter April 15, 2005: The Honorable Tom Davis: Chairman: Committee on Government Reform: House of Representatives: The Honorable Adam H. Putnam: House of Representatives: The President's Budget for Fiscal Year 2005 identified approximately $60 billion for information technology (IT) projects. In that budget, the Office of Management and Budget (OMB) stated that, of approximately 1,200 major IT projects, about half--621 projects, representing about $22 billion--were on a "Management Watch List." This information was reiterated in testimony in March 2004,[Footnote 1] during which OMB officials stated that the list consisted of mission-critical projects that needed to improve performance measures, project management, and IT security. OMB identified weaknesses in these three areas, among others, in its analysis of the business cases that agencies submitted to justify project funding. The officials added that the fiscal year 2005 budget process required agencies to successfully correct project weaknesses and business case deficiencies; otherwise, OMB would limit agencies' spending on new starts and other developmental activities. This report responds to your request that we describe and assess OMB's processes for (1) placing projects on its Management Watch List and (2) following up on corrective actions established for projects on the list. To accomplish these objectives, we reviewed and analyzed OMB's policy and budget guidance for fiscal year 2005 and interviewed OMB officials (further details on our objectives, scope, and methodology are provided following the background section). Results in Brief: For the fiscal year 2005 budget, OMB developed processes and criteria for including IT projects (investments) on its Management Watch List. In doing so, it identified opportunities to strengthen investments and promote improvements in IT management. However, OMB did not develop a single, aggregate list identifying the projects and their weaknesses. Instead, OMB officials told us that individual OMB analysts used scoring criteria established in the office's Circular A-11 for evaluating the justifications for funding (known as exhibit 300s) that are submitted by federal agencies. OMB delegated individual analysts on its staff, each of whom is typically assigned responsibility for several federal agencies, with maintaining, for their respective agencies, information for the IT projects included on the list. To derive the 621 total of projects on the list that OMB reported for fiscal year 2005, OMB polled its individual analysts and compiled the numbers. OMB officials told us that they did not construct a single list of projects meeting their watch list criteria because they did not see such an activity as necessary for performing OMB's predominant mission: to assist in overseeing the preparation of the federal budget and to supervise agency budget administration. Thus, OMB did not exploit the opportunity to use the list as a tool for analyzing IT investments on a governmentwide basis, limiting its ability to identify and report on the full set of IT investments requiring corrective actions. OMB did not develop a structured, consistent process for deciding how to follow up on corrective actions that it asked agencies to take to address weaknesses associated with projects on the Management Watch List. According to OMB officials, decisions on follow-up and monitoring of specific projects were typically made by the OMB staff with responsibility for reviewing individual agency budget submissions, depending on the staff's insights into agency operations and objectives. Because it did not consistently monitor the follow-up performed, OMB could not tell us which of the 621 projects received follow-up attention, and it did not know whether the specific project risks that it identified through its Management Watch List were being managed effectively. This approach could leave resources at risk of being committed to poorly planned and managed projects. Thus, OMB was not using its Management Watch List as a tool for improving IT investments on a governmentwide basis and focusing attention where it was most needed. To enable OMB to take advantage of the potential benefits of using the Management Watch List as a tool for analyzing and following up on IT investments, we are recommending that OMB develop a centralized capability for creating and monitoring its Management Watch List, including developing and using criteria for prioritizing the IT projects on the list and appropriate follow-up activities, and that it use the prioritized list for reporting to the Congress as part of its statutory reporting responsibilities. In commenting on a draft of this report, OMB's Administrator of the Office of E-Government and Information Technology expressed appreciation for our review of OMB's use of its Management Watch List. However, the Administrator disagreed with our assessment that an aggregated governmentwide list is necessary to perform adequate oversight and management, and that OMB does not know whether risks are being addressed. According to the Administrator, OMB has more than adequate knowledge of agency project planning and uses others means to assess project performance. Nonetheless, based on OMB's inability to easily report which of the 621 investments on the Management Watch List remained deficient or how much of the $22 billion cited in the President's Budget remained at risk, we continue to believe that an aggregate list would facilitate OMB's ability to track progress. Background: According to OMB, its predominant mission is to assist the President in overseeing the preparation of the federal budget and to supervise budget administration in executive branch agencies. In helping to formulate the President's spending plans, OMB is responsible for evaluating the effectiveness of agency programs, policies, and procedures; assessing competing funding demands among agencies; and setting funding priorities. OMB also is to ensure that agency reports, rules, testimony, and proposed legislation are consistent with the President's budget and with administration policies. In addition, OMB is responsible for overseeing and coordinating the administration's procurement, financial management, information, and regulatory policies. In each of these areas, OMB's role is to help improve administrative management, to develop better performance measures and coordinating mechanisms, and to reduce unnecessary burden on the public. To drive improvement in the implementation and management of IT projects, the Congress enacted the Clinger-Cohen Act in 1996 to further expand the responsibilities of OMB and the agencies under the Paperwork Reduction Act.[Footnote 2] The act requires that agencies engage in capital planning and performance-and results-based management. OMB is required by the Clinger-Cohen Act to establish processes to analyze, track, and evaluate the risks and results of major capital investments in information systems made by executive agencies. OMB is also required to report to the Congress on the net program performance benefits achieved as a result of major capital investments in information systems that are made by executive agencies.[Footnote 3] In response to the Clinger-Cohen Act and other statutes, OMB developed section 300 of Circular A-11. This section provides policy for planning, budgeting, acquisition, and management of federal capital assets and instructs agencies on budget justification and reporting requirements for major IT investments.[Footnote 4] Section 300 defines the budget exhibit 300, also called the Capital Asset Plan and Business Case, as a document that agencies submit to OMB to justify resource requests for major IT investments. The exhibit 300 consists of two parts: the first is required of all assets; the second applies only to information technology. Among other things, the exhibit 300 requires agencies to provide information summarizing spending and funding plans; performance goals and measures; project management plans, goals, and progress; and security plans and progress. This reporting mechanism, as part of the budget formulation and review process, is intended to enable an agency to demonstrate to its own management, as well as OMB, that it has employed the disciplines of good project management, developed a strong business case for the investment, and met other Administration priorities in defining the cost, schedule, and performance goals proposed for the investment. The types of information included in the exhibit 300, among other things, are to help OMB and the agencies identify and correct poorly planned or performing investments (i.e., investments that are behind schedule, over budget, or not delivering expected results) and real or potential systemic weaknesses in federal information resource management (e.g., project manager qualifications). According to OMB's description of its processes, agencies' exhibit 300 business cases are reviewed by OMB analysts from its four statutory offices--Offices of E-Government and Information Technology (e-Gov), Information and Regulatory Affairs (OIRA), Federal Financial Management, and Federal Procurement Policy--and its Resource Management Offices (RMO). In addition to other responsibilities under various statutes, e-Gov and OIRA develop and oversee the implementation of governmentwide policies in the areas of IT, information policy, privacy, and statistical policy. OIRA and e-Gov analysts also carry out economic and related analyses, including reviewing exhibit 300s. Each of about 12 analysts is responsible for overseeing IT projects for a specific agency or (more commonly) several agencies. OMB's RMOs are staffed with program examiners, whose responsibility is to develop and support the President's Budget and Management Agenda. RMOs work as liaisons between federal agencies and the presidency. In formulating the budget, they evaluate agency requests for funding and evaluate agency management and financial practices. RMOs also evaluate and make recommendations to the President when agencies seek new legislation or the issuance of Presidential executive orders that would help agencies to fulfill their organizational objectives. According to OMB officials, the OIRA and e-Gov analysts, along with RMO program examiners, evaluate agency exhibit 300 business cases as part of the development of the President's Budget. The results of this review are provided to agencies through what is called the "passback" process. That is, OMB passes the requests back to agencies with its evaluation, which identifies any areas requiring remediation. The final step in the budget process, occurring after the Congress has appropriated funds, is apportionment, through which OMB formally controls agency spending. According to the Antideficiency Act, before the agency may spend its funding resources, appropriations must be apportioned by periods within the fiscal year (typically by quarters) or among the projects to be undertaken.[Footnote 5] Although apportionment is a procedure required to allow agencies to access their appropriated funds, OMB can also use apportionment to impose conditions on agency spending, such as changes in agency practices; it is one of several mechanisms that the Clinger-Cohen Act authorizes OMB to use to enforce an agency head's accountability for the agency's IT investments.[Footnote 6] The President's Budget for Fiscal Year 2005 included about 1,200 IT projects, totaling about $60 billion. Of this total number of projects, OMB reported in the budget that slightly over half--621 projects, representing about $22 billion--were on a Management Watch List. According to OMB's March 2004 testimony, this list consists of mission- critical projects that needed to improve performance measures, project management, IT security, or overall justification. OMB officials described this assessment as based on evaluations of exhibit 300s submitted to justify inclusion in the budget. According to OMB's testimony, the fiscal year 2005 budget required agencies to successfully correct identified project weaknesses and business case deficiencies; otherwise, they risked OMB placing limits on their spending. OMB officials testified in March 2004 that they would enforce these corrective actions through the apportionment process. OMB continued its use of a Management Watch List in the recently released President's Budget for Fiscal Year 2006. The President's Budget for Fiscal Year 2006 includes 1,087 IT projects, totaling about $65 billion. Of this total number of projects, OMB reported in the budget that 342 projects, representing about $15 billion, are on the fiscal year 2006 Management Watch List. Objectives, Scope, and Methodology: Our objectives were to describe and assess OMB's processes for (1) placing projects on its Management Watch List and (2) following up on corrective actions established for projects on the list. To examine OMB's processes for developing the list, we requested a copy of the Management Watch List; we reviewed related OMB policy guidance, including its Circular A-11 and Capital Programming Guide, as well as the Analytical Perspectives for the President's Budget submissions for fiscal years 2005 and 2006; and we interviewed OMB analysts and their managers, including the Deputy Administrator of OIRA and the Chief of the Information Technology and Policy Branch, to identify the processes and criteria they have in place to determine which IT projects to include on the Management Watch List. To examine OMB's follow-up procedures on corrective actions established for IT projects on the list, we reviewed related policy guidance, including section 300 of Circular A-11 and OMB's Capital Programming Guide. We analyzed OMB's apportionment documentation, specifically the Standard Form 132 (Apportionment and Reapportionment Schedule), which documented special apportionments that specified conditions that had to be met before the agencies could receive funds. In addition, we interviewed OMB officials and analysts and reviewed testimony and laws affecting the management of IT investments, such as the Clinger-Cohen Act. We conducted our work at OMB headquarters in Washington, D.C., from August 2004 through March 2005, in accordance with generally accepted government auditing standards. OMB Established Processes and Criteria for Identifying Weak Projects, but It Did Not Use an Aggregate List to Perform Its Analysis or Oversight: According to OMB officials, including the Deputy Administrator of OIRA and the Chief of the Information Technology and Policy Branch, OMB staff identified projects for the Management Watch List through their evaluation of the exhibit 300s that agencies submit for major IT projects as part of the budget development process. This evaluation is carried out as part of OMB's responsibility for helping to ensure that investments of public resources are justified and that public resources are wisely invested. The OMB officials added that their analysts evaluate agency exhibit 300s by assigning scores to each exhibit 300 based on guidance presented in OMB Circular A-11.[Footnote 7] According to this circular, the purpose of the scoring is to ensure that agency planning and management of capital assets are consistent with OMB policy and guidance. As described in Circular A-11, the scoring of a business case consists of individual scoring for 10 categories, as well as a total composite score of all the categories. The 10 categories are: * acquisition strategy, * project (investment) management, * enterprise architecture, * alternatives analysis, * risk management, * performance goals, * security and privacy, * performance-based management system (including the earned value management system[Footnote 8]), * life-cycle costs formulation, and: * support of the President's Management Agenda. According to Circular A-11, scores range from 1 to 5, with 5 indicating investments whose business cases provided the best justification and 1 the least. For investments with average scores of 3 or below, OMB may ask agencies for remediation plans to address weaknesses in their business cases. OMB officials said that, for fiscal year 2005, an IT project was placed on the Management Watch List if its exhibit 300 business case received a total composite score of 3 or less, or if it received a score of 3 or less in the areas of performance goals, performance-based management systems, or security and privacy, even if its overall score was a 4 or 5. OMB reported that agencies with weaknesses in these three areas were to submit remediation plans addressing the weaknesses. According to OMB management, individual analysts were responsible for evaluating projects and determining which projects met the criteria to be on the Management Watch List for their assigned agencies. To derive the total number of projects on the list that were reported for fiscal year 2005, OMB polled the individual analysts and compiled the numbers. OMB officials said that they did not aggregate these projects into a single list describing projects and their weaknesses. According to these officials, they did not construct a single list of projects meeting their watch list criteria because they did not see such an activity as necessary in performing OMB's predominant mission: to assist in overseeing the preparation of the federal budget and to supervise agency budget administration. Further, OMB officials stated that the limited number of analysts involved enabled them to explore governmentwide issues using ad hoc queries and to develop approaches to address systemic problems without the use of an aggregate list. They pointed at successes in improving IT management, such as better compliance with security requirements, as examples of the effectiveness of their current approach. Nevertheless, OMB has not fully exploited the opportunity to use its Management Watch List as a tool for analyzing IT investments on a governmentwide basis. According to the Clinger-Cohen Act, OMB is required to establish processes to analyze, track, and evaluate the risks and results of major IT capital investments by executive agencies, which aggregation of the Management Watch List would facilitate. Without aggregation, the list's visibility was limited at more senior levels of OMB, constraining its ability to conduct analysis of IT investments on a governmentwide basis and limiting its ability to identify and report on the full set of IT investments requiring corrective actions. OMB's Follow-up on Projects Was Inconsistent, and Follow-up Activities Were Not Tracked Centrally: OMB did not develop a structured, consistent process or criteria for deciding how to follow up on corrective actions that it asked agencies to take to address weaknesses associated with projects on the Management Watch List. Instead, OMB officials, including the Deputy Administrator of OIRA and the Chief of the Information Technology and Policy Branch, said that the decision on whether and how to follow up on a specific project was typically made jointly between the OIRA analyst and the RMO program examiner who had responsibility for the individual agency, and that follow-up on specific projects was driven by a number of factors, only one of which was inclusion on the Management Watch List. These officials also said that the decision for follow-up was generally driven by OMB's predominant mission to assist in budget preparation and to supervise budget administration, rather than strictly by the perceived risk of individual projects. According to these officials, those Management Watch List projects that did receive specific follow- up attention received feedback through the passback process, through targeted evaluation of remediation plans designed to address weaknesses, and through the apportioning of funds so that the use of budgeted dollars was conditional on appropriate remediation plans being in place.[Footnote 9] These officials also said that follow-up of some Management Watch List projects was done through quarterly e-Gov Scorecards.[Footnote 10] OMB officials also stated that those Management Watch List projects that did receive follow-up attention were not tracked centrally, but only by the individual OMB analysts with responsibility for the specific agencies. For example, if an agency corrected a deficiency or weakness in a specific area of the exhibit 300 for a Management Watch List project, that change was not recorded centrally. Accordingly, OMB could not readily tell us which of the 621 watch list projects for fiscal year 2005 were followed up on, nor could it use the list to describe the relationship between its follow-up activities and the changes in the numbers of projects on the watch list between fiscal year 2005 (621 projects) and fiscal year 2006 (342). Further, because OMB did not trace follow-up centrally, senior management could not report which projects received follow-up attention and which did not. OMB does not have specific criteria for prioritizing follow-up on Management Watch List projects. Without specific criteria, OMB staff may be agreeing to commit resources to follow up on projects that did not represent OMB's top priorities from a governmentwide perspective. For example, inconsistent attention to OMB priorities, such as earned value management, could undermine the objectives that OMB set in these areas. In addition, major projects with significant management deficiencies may have continued to absorb critical agency resources. In order for OMB management to have assurance that IT program deficiencies are addressed, it is critical that corrective actions associated with Management Watch List projects be monitored. Follow-up activities are instrumental in ensuring that agencies address and resolve weaknesses found in exhibit 300s, which may indicate underlying weaknesses in project planning or management. Tracking these follow-up activities is essential to enabling OMB to determine progress on both specific projects and governmentwide trends. In addition, tracking is necessary for OMB to fully execute its responsibilities under the Clinger-Cohen Act, which requires OMB to establish processes to analyze, track, and evaluate the risks and results of major capital investments made by executive agencies for information systems. Without tracking specific follow-up activities, OMB could not know whether the risks that it identified through its Management Watch List were being managed effectively; if they were not, funds were potentially being spent on poorly planned and managed projects. Conclusions: By scoring agency IT budget submissions and identifying weaknesses that may indicate investments at risk, OMB is identifying opportunities to strengthen investments. This scoring addresses many critical IT management areas and promotes the improvement of IT investments. However, OMB has not developed a single, aggregate list identifying the projects and their weaknesses, nor has it developed a structured, consistent process for deciding how to follow up on corrective actions. Aggregating the results at a governmentwide level would help OMB take full advantage of the effort that it puts into reviewing business cases for hundreds of IT projects. A governmentwide perspective could enable OMB to use its scoring process more effectively to identify management issues that transcend individual agencies, to prioritize follow-up actions, and to ensure that high-priority deficiencies are addressed. OMB's follow-up on poorly planned and managed IT projects has been largely driven by its focus on the imperatives of the overall budget process. Although this approach is consistent with OMB's predominant mission, it does not fully exploit the insights developed through the scoring process, and it may leave unattended weak projects consuming significant budget dollars. The Management Watch List described in the President's Budget for Fiscal Year 2005 contained projects representing over $20 billion in budgetary resources that could have remained at risk because of inadequate planning and project management. Because of the absence of a consistent and integrated approach to follow-up and tracking, OMB was unable to use the Management Watch List to ascertain whether progress was made in addressing governmentwide and project- specific weaknesses and where resources should be applied to encourage additional progress. Thus, there is an increased risk that remedial actions were incomplete and that billions of dollars were invested in IT projects with planning and management deficiencies. In addition, OMB's ability to report to the Congress on progress made in addressing critical issues and areas needing continued attention is limited by the absence of a consolidated list and coordinated follow-up activities. Recommendations for Executive Action: In order for OMB to take advantage of the potential benefits of using the Management Watch List as a tool for analyzing and following up on IT investments on a governmentwide basis, we are recommending that the Director of OMB take the following four actions: * Develop a central list of projects and their deficiencies. * Use the list as the basis for selecting projects for follow-up and for tracking follow-up activities; * to guide follow-up, develop specific criteria for prioritizing the IT projects included on the list, taking into consideration such factors as the relative potential financial and program benefits of these IT projects, as well as potential risks. * Analyze the prioritized list to develop governmentwide and agency assessments of the progress and risks of IT investments, identifying opportunities for continued improvement. * Report to the Congress on progress made in addressing risks of major IT investments and management areas needing attention. Agency Comments and Our Evaluation: In written comments on a draft of this report, OMB's Administrator of the Office of E-Government and Information Technology expressed appreciation for our review of OMB's use of its Management Watch List. She noted that the report was narrowly focused on the Management Watch List and the use of exhibit 300s in that context. She added that the report did not address the more broad budget and policy oversight responsibilities that OMB carries out or the other strategic tools available to OMB as it executes those responsibilities. We agree that our review described and assessed OMB's processes for (1) placing the 621 projects representing about $22 billion on its Management Watch List and (2) following up on corrective actions established for projects on the list. The Administrator commented that OMB's oversight activities include the quarterly President's Management Agenda Scorecard assessment. We acknowledge these activities in the report in the context of the e-Gov scorecard, which measures the results of OMB's evaluation of the agencies' implementation of e-government criteria in the President's Management Agenda. We also agree with the Administrator that OMB is not the sole audience of an exhibit 300. As we state in the report, an exhibit 300 justification is intended to enable an agency to demonstrate to its own management, as well as to OMB, that it has employed the disciplines of good project management, developed a strong business case for the investment, and met other Administration priorities in defining the cost, schedule, and performance goals proposed for the investment. The Administrator disagreed with our finding that OMB did not have specific criteria for prioritizing follow-up on exhibit 300s that have been included on the Management Watch List. She explained that OMB establishes priorities on a case-by-case basis within the larger context of OMB's overall review of agency program and budget performance. However, our review showed that OMB did not develop a structured, consistent process or criteria for deciding how it should follow up on corrective actions that it asked agencies to take to address the weaknesses of the projects on the Management Watch List. Accordingly, we continue to believe that OMB should specifically consider those factors that it had already determined were critical enough that they caused an investment to be included in the Management Watch List. Without consistent attention to those IT management areas already deemed as being of the highest priority by OMB, the office risks focusing on areas of lesser importance. We agree with the Administrator's separate point that agencies have the responsibility for ensuring that investments on the Management Watch List are successfully brought up to an acceptable level. The follow-up that we describe in our report consists of those activities that would allow OMB to ascertain that the deficient investments have, in fact, been successfully strengthened. We note in the report that the quarterly President's Management Agenda Scorecard plays a role in this activity (in the report, we refer to the e-Gov Scorecard, which contributes to the Management Agenda Scorecard). Finally, the Administrator disagrees with our assessment that an aggregated governmentwide list is necessary to perform adequate oversight and management, and that OMB does not know whether risks are being addressed. However, our review indicated that OMB was unable to easily determine which of the 621 investments on the Management Watch List remained deficient or how much of the $22 billion cited in the President's Budget remained at risk. In our assessment we observed that OMB had expended considerable resources in the scoring of all exhibit 300s and the identification of investments requiring corrective action, but that it never committed the additional resources that would be required to aggregate the partial management watch lists held by each individual analyst. Because no complete Management Watch List was formed, OMB lost the opportunity to analyze the full set of deficient investments as a single set of data. This undermined its ability to assess governmentwide trends and issues. In addition, the lack of a complete Management Watch List necessarily inhibited OMB's ability to track progress overall and to represent the full set of investments requiring corrective action. We continue to believe that these activities could be facilitated by an aggregate Management Watch List. As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days from the report date. At that time, we will send copies to other interested congressional committees and to the Director of the Office of Management and Budget. We also will make copies available to others upon request. In addition, the report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov.] Should you or your offices have questions on matters discussed in this report, please contact me at (202) 512-9286, or Lester P. Diamond, Assistant Director, at (202) 512-7957. We can also be reached by e-mail at [Hyperlink, pownerd@gao.gov] or [Hyperlink, diamondl@gao.gov], respectively. Key contributors to this report were William G. Barrick, Barbara Collier, Sandra Kerr, and Mary Beth McClanahan. Signed by: David A. Powner: Director, IT Management Issues: [End of section] Appendixes: Appendix I: Comments from the Office of Management and Budget: Executive Office Of The President: Office Of Management And Budget: Washington, D.C. 20503: April 5, 2005: Mr. David A. Powner: Director: IT Management Issues: Government Accountability Office: 441 G Street, SW: Washington, DC 20548: Dear Mr. Powner: Thank you for the opportunity to comment on the draft GAO report on OMB's information technology investment review process, "INFORMATION TECHNOLOGY: OMB Can Make More Use of Its Investment Reviews" (GAO-05- 276). We appreciate GAO's careful review of OMB's management and oversight activities with respect to OMB's budget Exhibit 300 (Capital Asset Plan and Business Case), and the related management watch list, which we believe will provide insight into how Exhibit 300s and the management watch list are used. For proper context of the report, we note the report was narrowly focused on these two tools, and not on the many strategic tools available to OMB in fulfilling its budget and policy oversight responsibilities. Additionally, we note the report focused on OMB's management and oversight activities, and does not address the agencies' equally important actions and responsibilities. In that vein, we would like to note some important points which may add to the breadth and context of your report. Namely, while an Exhibit 300 does include information on whether the agency has considered performance as part of the project planning, such information is only an annual snapshot and is neither designed nor used for measuring ongoing project execution and performance. Managing and measuring actual project performance is conducted by the agency. OMB oversees project performance through, among other means, the quarterly President's Management Agenda scorecard assessment of agency's earned value management activity. It is also important to recognize that OMB is not the sole or even primary audience of an Exhibit 300 justification. Agency officials and investment review boards must use them to effectively manage their own IT portfolios and submit to OMB only those investment requests meeting criteria specified in OMB policies. Accordingly, we disagree with your assessment that OMB does not have specific criteria for prioritizing follow-up on Exhibit 300s or the management watch list and therefore OMB oversight is inconsistent. Responsibility for ensuring corrective actions for the management watch list investments rests with each individual agency. They report their progress at least quarterly to OMB through the President's Management Agenda scorecard. The process and criteria are consistent, and OMB analyzes whether a systematic problem exists affecting the overall agency's program and ability to perform. OMB establishes priorities on a case-by-case, not a one-size-fits-all, basis. Moreover, as stated previously, these priorities exist within the larger context of OMB's overall review of agency program and budget performance. In addition, we disagree with your assessment that an aggregated government-wide list is necessary for OMB to perform adequate oversight and management, and that OMB does not know whether risks were being managed effectively. As noted above, OMB uses Exhibit 300s and the management watch list in the larger context of OMB's budget and program oversight processes. OMB has more than adequate knowledge of agency project planning and uses other means to assess project performance. For example as your report also states, OMB has successfully used Exhibit 300s and the management watch list to help identify agency and government-wide program-level weaknesses in areas such as earned value and project management, enterprise architecture, and security. Thank you for the opportunity to review and comment on your draft report on this important issue. While we appreciate your careful review and discussion of OMB's budget Exhibit 300 and the related management watch list, we caution readers to view the report in the context of the many oversight responsibilities of both OMB and the agencies. Sincerely, Signed by: Karen S. Evans: Administrator: Office of E-Government and Information Technology: (310472): [End of Section] FOOTNOTES [1] On March 3, 2004, OMB's Deputy Director for Management and its Administrator for Electronic Government and Information Technology testified at a hearing conducted by the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Committee on Government Reform, House of Representatives. The hearing topic was "Federal Information Technology Investment Management, Strategic Planning, and Performance Measurement: $60 Billion Reasons Why." [2] 44 U.S.C. 3504(a)(1)(B)(vi) (OMB); 44 U.S.C. 3506(h)(5) (agencies). [3] These requirements are specifically described in the Clinger-Cohen Act, 40 U.S.C. 11302(c). [4] OMB Circular A-11 defines a major IT investment as an investment that requires special management attention because of its importance to an agency's mission or because it is an integral part of the agency's enterprise architecture, has significant program or policy implications, has high executive visibility, or is defined as major by the agency's capital planning and investment control process. [5] 31 U.S.C. 1512. [6] 40 U.S.C. 11303(b)(5)(B). [7] These scoring criteria are presented in Office of Management and Budget Circular A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets (July 2004). [8] Earned value management is a project management tool that integrates the investment scope of work with schedule and cost elements for investment planning and control. This method compares the value of work accomplished during a given period with that of the work expected in the period. Differences in expectations are measured in both cost and schedule variances. [9] The authority for apportioning funds is specifically described in the Clinger-Cohen Act, 40 U.S.C. 11303(b)(5)(B)(ii). [10] The quarterly e-Gov Scorecards are reports that use a red/yellow/ green scoring system to illustrate the results of OMB's evaluation of the agencies' implementation of e-government criteria in the President's Management Agenda. The scores are determined in quarterly reviews, where OMB evaluates agency progress toward agreed-upon goals along several dimensions, and they provide input to the quarterly reporting on the President's Management Agenda. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548:

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.