Information Technology Management
Small Business Administration Needs Policies and Procedures to Control Key IT Processes
GAO ID: T-AIMD-00-260 July 20, 2000
As the Small Business Administration (SBA) tries to transform itself into a 21st century leading edge financial institution, it needs to identify and address operational problems that have agencywide implications. Although SBA plans to improve its key information technology processes, many of the agency's policies and procedures for managing this critical area are now in draft form or not yet developed. SBA intends to pursue best practices for information technology planning, monitoring, and evaluation, but its current practices do not generally adhere to defined processes. In particular, investment management efforts are limited largely to reviewing information technology proposals, architecture-related activities are carried out without a defined process, and software development and acquisition practices are often ad hoc. In the information security area, SBA lacks centralized oversight of the activities of its field and program offices. Also, periodic risk assessments have not been done on all mission-critical systems and security training has not been given to employees and contractor staff. Human capital management efforts are limited to a non-information technology training needs survey, and a human capital assessment has not been done to identify short- and long-term information technology knowledge skills and requirements. This testimony summarizes the May 2000 report, GAO/AIMD-00-170.
GAO noted that: (1) SBA had made progress in establishing an investment review board and is beginning to define an investment selection process; (2) however, it had not yet established IT investment management policies and procedures to help identify and select projects that will provide mission-focused benefits and maximum risk-adjusted returns; (3) likewise, SBA had not yet defined processes for investment control and evaluation to ensure that selected IT projects will be developed on time, within budget, and according to requirements, and that these projects will generate expected benefits; (4) the agency had performed only limited reviews of major IT investments, and these reviews were ad hoc since little data had been captured for analyzing benefits and returns on investment; (5) SBA had made progress with its target IT architecture by describing its core business processes, analyzing information used in its business processes, describing data maintenance and data usage, identifying standards that support information transfer and processing, and establishing guidelines for migrating current applications to the planned environment; (6) however, procedures did not exist for change management to ensure that new systems installations and software changes would be compatible with other systems and SBA's planned operating environment; (7) SBA lacked policies for software development and acquisition to help produce information systems within the cost, budget, and schedule goals set during the investment management process that at the same time comply with the guidance and standards of its IT architecture; (8) an existing systems development methodology was being adopted to replace outdated guidelines that lacked key processes for software development; (9) GAO's review of the selected software projects indicated that SBA's practices were typically ad hoc for project planning, project tracking and oversight, quality assurance, and configuration management; (10) SBA had not conducted periodic risk assessments for its mission-critical systems; (11) the agency had only recently conducted a security workload assessment and a risk assessment for one system; (12) training and education had not been provided to promote security awareness and responsibilities of employees and contract staff; (13) SBA had not established policies and procedures to identify and address its short- and long-term requirements for IT knowledge and skills; and (14) further, SBA had not evaluated its progress in improving IT human capital capabilities or used data to continuously improve human capital strategies.