This is the accessible text file for GAO report number GAO-12-295 entitled 'Information Technology: SBA Needs to Strengthen Oversight of Its Loan Management and Accounting System Modernization' which was released on February 8, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to the Chairman, Committee on Small Business, House of Representatives: January 2012: Information Technology: SBA Needs to Strengthen Oversight of Its Loan Management and Accounting System Modernization: GAO-12-295: GAO Highlights: Highlights of GAO-12-295, a report to the Chairman, Committee on Small Business, House of Representatives. Why GAO Did This Study: The Small Business Administration (SBA) performs a range of significant activities intended to strengthen small businesses and relies extensively on information technology (IT) systems to do so. These systems are used to support loan accounting and track loans through origination, servicing, and liquidation. SBA has been attempting to modernize these systems for several years through its Loan Management and Accounting System (LMAS) modernization effort. The most recent iteration of this effort is a series of more focused development efforts, known as the LMAS-Incremental Improvement Projects (IIP). GAO was asked to describe the status of SBA’s LMAS modernization effort and determine whether SBA has adequate processes and procedures in place to manage and oversee its LMAS modernization effort. In performing this work, GAO reviewed cost and schedule reports to Congress and assessed SBA’s current management of the projects against best practices and federal guidance. What GAO Found: As of October 2011, SBA had completed one of the seven projects and awarded contracts for work on three others. However, the projects are experiencing increasing costs and schedule delays. Specifically, according to the most recent project schedule, SBA completed one project in May 2011, 2 months later than planned, and SBA expects five of the remaining six projects to finish between 4 and 11 months later than the dates reported to Congress. Further, according to the agency’ s most recent report to Congress, dated March 2011, the total cost of the projects increased approximately $5 million since October 2010. SBA plans to complete the seven IIPs at a total cost of approximately $28 million by July 2013. SBA has inconsistently implemented key information technology management practices for successfully managing and overseeing its LMAS modernization efforts; these practices include software requirements management, risk management, IT human capital management, enterprise architecture, and investment management (see table below). For example, SBA appropriately managed changes to IIP requirements, identified risks for three of four active projects, inventoried existing human capital capabilities, drafted target segment architectures, and had the overall direction of the IIP effort approved by an executive review committee. However, it has not fully implemented other key aspects of these practices and policies. For example, it did not validate the requirements for one of the ongoing IIPs. Also, the agency did not fully prioritize risks related to one IIP or plan to mitigate them. In addition, it did not fully identify gaps in project workforce skills, and did not fully implement basic enterprise architecture practices, including maintaining and prioritizing its segment architectures, which provide the modernization details needed to develop and implement portions, or segments, of an agency’s IT portfolio. In addition, the cost baselines approved by SBA’s executive oversight body differ from the projected costs reported to Congress 2 months later. Further, there is no evidence that the projects have approved schedule baselines. These weaknesses in basic management practices make it less likely that SBA will be able to complete the projects within the time, budget, and scope parameters originally planned. Table: Summary of SBA Implementation of Key IT Management Controls: IT management control: Software requirements management; Rating: Partially implemented. IT management control: IT risk management; Rating: Partially implemented. IT management control: IT human capital management; Rating: Partially implemented. IT management control: Enterprise architecture; Rating: Partially implemented. IT management control: IT investment management; Rating: Partially implemented. Source: GAO analysis of SBA data. [End of table] Inconsistencies in SBA’s application of IT management practices occurred, in part, because it did not provide adequate executive oversight through its investment management process, even though it is using two executive boards to oversee the IIPs. While these boards have overlapping responsibilities and lines of authority, several basic oversight responsibilities, including executive approval of the project’s schedule, were left unaddressed by either body. What GAO Recommends: GAO is recommending that the Administrator of SBA ensure that appropriate IT management practices are applied to the projects and clarify the responsibilities of the executive bodies with purview over the LMAS-IIPs and ensure they provide the appropriate oversight of the projects’ progress. View [hyperlink, http://www.gao.gov/products/GAO-12-295]. For more information, contact David A.Powner at (202) 512-9286 or pownerd@gao.gov. [End of section] Contents: Letter: Summary: Conclusions: Recommendations for Executive Action: Agency Comments: Appendix I: Briefing to the Staff of the House Committee on Small Business: Appendix II: Comments from the Small Business Administration: Appendix III: GAO Contact and Staff Acknowledgments: Table: Table 1: IIP Initial and Current Expected Completion Dates and Projected Costs: Abbreviations: BTIC: Business Technology Investment Council: CMMI: Capability Maturity Model--Integration: COBOL: Common Business Oriented Language: EA: enterprise architecture: EAMMF: Enterprise Architecture Management Maturity Framework: FSAB: Financial Systems Advisory Board: IIP: Incremental Improvement Project: IT: information technology: ITIM: information technology investment management: LAS: Loan Accounting System: L/LMS: Loan and Lending Monitoring System: LMAS: Loan Management and Accounting System: OIG: Office of Inspector General: OMB: Office of Management and Budget: SBA: Small Business Administration: SEI: Software Engineering Institute: [End of section] United States Government Accountability Office: Washington, DC 20548: January 25, 2012: The Honorable Sam Graves: Chairman: Committee on Small Business: House of Representatives: Dear Mr. Chairman: The Small Business Administration (SBA) performs a range of significant activities intended to strengthen small businesses. To accomplish these activities, SBA relies extensively on information technology (IT) systems. Among these are financial systems used to support loan accounting and track loans through origination, servicing, and liquidation. The loan systems, collectively called the Loan Accounting System, were implemented in the 1970s and outsourced to be run on a contractor's mainframe hardware. SBA has been pursuing efforts to upgrade and modernize its financial systems for several years. The current effort, referred to as the Loan Management and Accounting System (LMAS) program, dates from 2005 and was a response to concerns about the age and information security risks of the legacy system. The effort was intended to result in a single, integrated loan management and loan accounting solution. However, after an independent study and two reviews by the Office of Management and Budget (OMB) raised concerns about SBA's management of the program, it was restructured into a series of seven more focused projects with shorter time frames, referred to as LMAS-Incremental Improvement Projects (IIP). As agreed, our objectives were to: (1) describe the status of SBA's LMAS modernization effort; and (2) determine whether SBA has adequate processes and procedures in place to manage and oversee its LMAS modernization effort. To describe the status of SBA's LMAS modernization effort, we analyzed pertinent LMAS documentation--such as program schedules, plans, budget justifications, cost and schedule data, reports provided to congressional committees, and documents provided to OMB--and we interviewed agency officials. We then compared cost and schedule information to recently published reports to Congress to determine the progress to date of the program. To determine whether SBA has adequate processes and procedures in place to manage and oversee its LMAS modernization effort, we evaluated its capabilities to employ the following IT management controls, which are critical to the success of a systems modernization effort: software requirements management, IT risk management, IT human capital management, enterprise architecture, and information technology investment management. For each of these controls, we determined how SBA applied the practices to the four IIPs for which development efforts are complete or in progress or for which contracts had been awarded by analyzing pertinent documentation--such as policies, procedures, plans, meeting minutes, risk logs, and software requirements--and by interviewing agency officials. We then compared the information collected to key aspects of federal guidance, best practices, and SBA policies. We conducted this performance audit from February 2011 to January 2012 in Washington, D.C., in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Summary: On November 18, 2011, we transmitted the results of our review to the staff of the House Committee on Small Business. This report transmits the briefing materials we provided and the recommendations we made to the Administrator of SBA. The full briefing materials, including the full details on our scope and methodology, are reprinted in appendix I.[Footnote 1] In summary, we made the following points: As of October 2011, SBA had completed one of the seven LMAS- Incremental Improvement Projects, and awarded contracts for three others. Specifically, it completed the first project, an upgrade of its internal administrative accounting and management system, in May 2011. A contract has been awarded for another project--to migrate user interfaces from a legacy mainframe platform to SBA's current web-based infrastructure--which is being deployed incrementally. In addition, SBA has awarded contracts to conduct assessments of work to be done for two other IIPs--addressing the conversion of code in a legacy mainframe environment to a nonproprietary platform and a migration of legacy database systems at its Denver office to its current database infrastructure. For the three remaining projects, the agency intends to build off of the work completed as a result of the first four projects identified earlier in this report. SBA has begun planning for one of these, and work has yet to begin for the remaining two IIPs. Even though the agency only received approval to pursue the IIPs in January 2011, the projects are already experiencing increased costs and schedule delays. Specifically, according to the most recent project schedule, dated August 2011, it completed one IIP in May 2011, 2 months later than planned. In addition, the agency expects five of the remaining six projects to finish between 4 and 11 months later than the dates reported to Congress in October 2010. Further, according to its most recent report to Congress, dated March 2011, the total cost of the IIPs increased approximately $5 million since October 2010, while the projected individual project cost for each of the seven projects had risen between approximately 3 and 53 percent. SBA plans to complete the seven projects at a total cost of approximately $28 million by July 2013, which is an overall increase of about 22 percent. Table 1 provides details on the status of the individual projects with contracts awarded. Table 1: IIP Initial and Current Expected Completion Dates and Projected Costs: LMAS-IIP: Oracle Upgrade; Current status: Completed in May 2011; Expected completion date as of October 2010: March 2011; Expected completion date as of August 2011: Completed in May 2011; Projected cost as of October 2010: $8.45 million; Projected cost as of March 2011: $8.66 million; Percentage increase in projected costs: 2.5%. LMAS-IIP: Migration of User Interfaces; Current status: Contract awarded and work in progress; Expected completion date as of October 2010: December 2011; Expected completion date as of August 2011: May 2012; Projected cost as of October 2010: $3.32 million; Projected cost as of March 2011: $3.76 million; Percentage increase in projected costs: 13.3%. LMAS-IIP: Migrate to New Version of COBOL; Current status: Contract awarded to conduct assessment; Expected completion date as of October 2010: May 2012; Expected completion date as of August 2011: April 2013; Projected cost as of October 2010: $6.05 million; Projected cost as of March 2011: $8.72 million; Percentage increase in projected costs: 44.1%. LMAS-IIP: Sybase to Oracle Migration; Current status: Contract awarded to conduct assessment; Expected completion date as of October 2010: October 2011; Expected completion date as of August 2011: September 2012; Projected cost as of October 2010: $2.51 million; Projected cost as of March 2011: $3.11 million; Percentage increase in projected costs: 23.9%. Source: GAO analysis of SBA data. [End of table] SBA has inconsistently implemented key practices for successfully managing and overseeing its LMAS modernization efforts; these practices include software requirements management, IT risk management, IT human capital management, enterprise architecture, and IT investment management: * Requirements management. SBA appropriately managed changes to requirements for the two projects for which this process would be appropriate; however, it did not validate the requirements for one of the ongoing IIPs. In addition, requirements were not documented for two of the ongoing projects. * Risk management. Risks were identified for three of four active projects; however, it did not fully prioritize risks related to one IIP or develop plans to mitigate them. * IT human capital management. SBA inventoried existing human capital capabilities; however, it did not fully identify gaps in project workforce skills and did not develop strategies to close them. * Enterprise architecture. SBA drafted target segment architectures for the IIPs; however, they have not been approved by the appropriate officials. In addition, the agency did not fully implement other basic enterprise architecture practices, including maintaining and prioritizing its segment architectures. * IT investment management. The agency had the overall direction of the IIP effort approved by an executive review committee. However, SBA did not address other capital planning requirements for the program, including approving a schedule baseline or reviewing its risk management plan, or provide evidence that it approved the subsequent changes to the budget estimates reported to Congress. Inconsistencies in SBA's application of IT management practices occurred, in part, because it did not provide adequate executive oversight through its investment management process, even though it is using two executive bodies to oversee the projects. While these bodies have overlapping responsibilities and lines of authority, several basic oversight responsibilities, including executive approval of the project's schedule, were left unaddressed by either body. In addition, the cost baselines approved by SBA's executive oversight body differ greatly from the projected costs reported to Congress 2 months later. According to SBA officials, additional oversight was provided through undocumented meetings and reviews of reports to Congress. These weaknesses in the use of basic management practices make it less likely that SBA will be able to complete the IIPs within the time, budget, and scope parameters originally planned. Conclusions: SBA has completed one of the seven IIPs, work is underway on one other, and contracts have been awarded for two more. However, most of the projects are already experiencing individual schedule delays of 4 to 11 months and an overall cost increase of about 22 percent, which increases the risk that SBA will not be able to deliver the projects as planned. SBA's likelihood of successfully completing the projects would improve if it more consistently applied basic IT management practices. SBA has taken a number of steps that are consistent with sound IT management. For example, it has identified and validated system requirements and has identified system development risks as well as plans to mitigate them, but it has not done so consistently for each of its ongoing projects. Also, it has taken several actions consistent with sound enterprise architecture and human capital management practices, including developing segment architectures and identifying staff positions needed to complete the IIPs. It has not, however, fully applied other sound practices in these areas, including maintaining and prioritizing the segment architectures and developing a strategy to meet outstanding human capital needs. Given that SBA has been unable to successfully complete prior efforts to modernize its loan systems, the consistent use of sound IT management practices will be critical to reducing the risk of its new approach encountering similar difficulties. Weaknesses in executive oversight of the IIPs have contributed to SBA's inconsistent use of sound IT management practices and increase the likelihood that the projects will experience delays or cost overruns. In particular, its use of two oversight bodies with overlapping responsibilities and lines of authority is likely to lead to continued duplication or gaps in oversight, such as the lack of documented schedule and cost baselines for the projects. The gaps, in particular, make it difficult for SBA to conduct the necessary oversight of project progress. In addition, addressing these weaknesses in executive oversight should result in more effective management of program progress and more timely decisions about adjustments needed to arrest or reverse the schedule delays and cost overruns that have already occurred. Recommendations for Executive Action: To better ensure that the loan management projects are completed as planned and provide anticipated capabilities, we are recommending that the Administrator of SBA direct the Chief Information Officer to ensure that SBA is applying the appropriate information technology management practices to the IIPs. Specifically, SBA should ensure that: * IIP requirements are managed appropriately, including elicitation, documentation, and verification and validation; * IT risks to the IIPs are adequately managed, including preparing for risk management, identifying and analyzing risks, mitigating risks, and providing executive oversight of risk management activities; * the human capital necessary for the IIPs is managed appropriately, including the determination of human capital needs, the identification of gaps between current capabilities and needs, the development of a strategy to close those gaps, and the documentation of these activities; and: * the enterprise architecture segments related to the IIPs are managed appropriately, including the development, prioritization, and maintenance of the segments. In addition, we recommend that the Administrator of SBA clarify the responsibilities of the executive bodies responsible for the IIPs and ensure they provide the appropriate oversight of the project's progress. Specifically, these executive bodies should conduct and document executive review and approval of the LMAS modernization's: * risk management approach; * target segment architectures; and: * cost and schedule baselines, including ongoing oversight of progress against those baselines. Agency Comments: In written comments on the draft of this report, the Small Business Administration’s Assistant Administrator, Office of Congressional and Legislative Affairs, stated that SBA generally agreed with our recommendations (see Appendix II). The Assistant Administrator also asked that we clarify two points. First, he stated that the costs of the LMAS modernization had not increased, and that the figures we included from an October 2010 report to Congress included only contractor costs while the figures from a March 2011 report included both contractor and government costs. However, the documents provided by SBA do not specify that the two reports describe different costs. Specifically, while the Congressional letter that requested the October 2010 report asked for “contract costs to date,” it also asked for “future obligations and expected future costs.” Also, the report itself does not state that the future costs include only contractor costs. We used these two reports as sources of cost data for the modernization because they were the only sources available at the time of our initial review. Further, this disagreement on the projected cost of the modernization reinforces the need for an approved cost and schedule baseline that can be used to evaluate program progress, as discussed in our briefing. Second, the Assistant Administrator stated that SBA’s executive oversight bodies reviewed the LMAS modernization’s overall schedule and cost estimates through both formal and informal discussions, including executive-level meetings in August and September 2010. We considered this information in our initial assessment, but do not believe that the records he cites demonstrate that SBA is maintaining current cost or schedule baselines. Our briefing notes the inclusion of initial cost estimates for each of the improvement projects in the August executive discussion. However, we also note that even though SBA reported different cost estimates in subsequent reports to Congress, we did not find evidence of executive approval of changes to the budget after August 2010. In addition, while the minutes of the August 2010 discussion include a single estimated completion date for the IIP effort, they do not specify the estimated completion dates for each project. The minutes of the September meeting did not include any specific information on the improvement projects’ costs or schedule. The Assistant Administrator stated that SBA is considering formalizing the currently-undocumented reviews. We agree that fully-documenting decisions about the projects’ costs and schedules would improve its ability to manage the improvement projects. A copy of the Assistant Administrator’s comments are included as Appendix II. As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send a copy of this report to the Administrator of SBA. The report will also be available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions concerning this report, please contact me at (202) 512-9286 or by e-mail at pownerd@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix II. Sincerely yours, Signed by: David A. Powner: Director, Information Technology Management Issues: [End of section] Appendix I: Briefing to the Staff of the House Committee on Small Business: Information Technology: SBA Needs to Strengthen Its Capacity to Manage and Modernize Its Loan Management and Accounting Systems: Briefing for Staff Members of the Committee on Small Business, House of Representatives: November 18, 2011: Contents: * Introduction; * Objectives, Scope, and Methodology; * Results in Brief; * Background; * Results; * Conclusions; * Recommendations for Executive Action; * Agency Comments and Our Evaluation. [End of section] Introduction The Small Business Administration (SBA) performs a range of significant activities intended to strengthen small businesses. To accomplish these activities, SBA relies extensively on information technology (IT) systems. Among these are financial systems used to support loan accounting and track loans through origination, servicing, and liquidation. The loan systems, collectively called the Loan Accounting System, were implemented in the 1970s and run on outsourced mainframe hardware. SBA has been pursuing efforts to modernize its financial systems for several years. For example, SBA spent about $31 million over the last 4 years on a modernization effort called the Loan Management and Accounting System (LMAS) which experienced several schedule revisions. More recently, SBA began its next iteration of the LMAS modernization effort, a series of more focused development efforts, known as the LMAS-Incremental Improvement Projects (IIP), to improve its loan systems. [End of section] Objectives, Scope, and Methodology: Our objectives were to: * describe the status of SBA's LMAS modernization effort and, * determine whether SBA has adequate processes and procedures in place to manage and oversee its LMAS modernization effort. To describe the status of SBA's LMAS modernization effort, including its current scope, we analyzed pertinent SBA LMAS documentation, such as program schedules, plans, budget justifications, cost and schedule data, reports provided to congressional committees, and documents provided to the Office of Management and Budget (OMB), and we interviewed SBA officials. We then compared cost and schedule information to recently published reports to Congress to determine the progress to date of the program. To determine whether SBA has adequate processes and procedures in place to manage and oversee its LMAS modernization effort, we evaluated SBA capabilities to employ the following IT management controls, which are critical to the success of a systems modernization effort: software requirements management, IT risk management, IT human capital management, enterprise architecture (EA), and information technology investment management (ITIM). For each of these controls, we determined how SBA applied the practices to the four IIPs for which development efforts are complete, in progress, or contracts had been awarded by analyzing pertinent documentation, such as policies, procedures, plans, meeting minutes, risk logs, and software requirements, and by interviewing agency officials. We then compared the information collected to key aspects of federal guidance, best practices, and SBA policies. Specifically, to evaluate SBA's software requirements management and IT risk management practices, we compared the agency's activities to pertinent aspects of the Software Engineering Institute's[Footnote 2] (SEI) Capability Maturity Model® Integration[Footnote 3] (CMMI®); for IT human capital management practices, we evaluated SBA against GAO's Human Capital best practices guide;[Footnote 4] for enterprise architecture practices, we compared SBA's activities to OMB enterprise architecture guidance;[Footnote 5] and for IT investment management practices, we evaluated SBA's practices against its internal ITIM policies. We conducted this performance audit from February 2011 to November 2011, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Results in Brief: As of October 2011, SBA had completed one of the seven LMAS-Incremental Improvement Projects and awarded contracts for work on three others. However, the projects are experiencing increasing costs and schedule delays. Specifically, according to the most recent project schedule, dated August 2011, SBA completed one IIP in May 2011, 2 months later than planned. In addition, SBA expects five of the remaining six IIPs to finish between 4 and 11 months later than the dates reported to Congress in October 2010. Further, according to SBA's most recent report to Congress, dated March 2011, the total cost of the IIPs increased approximately $5 million since October 2010, while the projected individual project cost for each of the seven IIPs had risen between approximately 3 and 53 percent. SBA plans to complete the seven IIPs at a total cost of approximately $28 million by July 2013. SBA has inconsistently implemented key practices for successfully managing and overseeing its LMAS modernization efforts; these practices include software requirements management, IT risk management, IT human capital management, EA, and IT investment management. For example, SBA appropriately managed changes to IIP requirements, identified risks for three of four active IIPs, inventoried existing human capital capabilities, drafted target segment architectures, and had the overall direction of the IIP effort approved by an executive review committee. However, SBA has not fully implemented other key aspects of these practices and policies. For example, it did not validate the requirements for one of the ongoing IIPs. Also, SBA did not fully prioritize risks related to one IIP or plan to mitigate them. In addition, SBA did not fully identify gaps in project workforce skills and did not develop strategies to close them, and did not fully implement basic enterprise architecture practices, including maintaining and prioritizing its segment architectures. These weaknesses in the use of basic management practices make it less likely that SBA will be able to complete the IIPs within the time, budget, and scope parameters originally planned. Inconsistencies in SBA's application of IT management practices occurred, in part, because SBA did not provide adequate executive oversight through its investment management process, even though it is using two executive bodies to oversee the IIPs. While these bodies have overlapping responsibilities and lines of authority, several basic oversight responsibilities, including executive approval of the project's schedule, were left unaddressed by either body. In addition, the cost baselines approved by SBA's executive oversight body differ greatly from the projected costs reported to Congress 2 months later. According to SBA officials, additional oversight was provided through undocumented meetings and reviews of reports to Congress. However, without more specific oversight of the IIPs' progress and more consistent application of basic IT management practices, SBA is unlikely to stop or reverse the projects' early cost increases and schedule delays. To enhance SBA's ability to effectively monitor the progress of the LMAS-IIPs, we are recommending that the Administrator of SBA ensure that SBA is applying the appropriate IT management practices to the IIPs. We are also recommending that the Administrator clarify the responsibilities of the executive bodies responsible for the LMAS-IIPs and ensure they provide the appropriate oversight of their progress. We provided a draft of this briefing for review and comment to the Administrator of SBA. In e-mail comments, SBA's GAO liaison provided technical comments, which we addressed as appropriate. SBA did not comment on our recommendations. [End of section] Background SBA's mission is to aid, counsel, assist, and protect the interests of small business concerns; to preserve free competitive enterprise; and to maintain and strengthen the overall economy of the Unites States. One way that SBA works to grow businesses is through managing a $90 billion portfolio, which includes direct and guaranty loan programs that provide small businesses with access to capital. This portfolio includes disaster loans, in which SBA makes direct loans to individuals, small businesses, and non-profit organizations in declared disaster areas. The portfolio also includes loan guaranty programs, through which SBA guarantees loans to small businesses that private sector lending institutions would not make otherwise. To administer its loan programs, SBA relies on electronic systems to support the full life cycle of loans. SBA has made several attempts to upgrade its financial software and migrate it off a mainframe environment. The current effort to modernize SBA's loan systems was designed to, among other things, update and improve the agency's outdated Loan Accounting System (LAS).[Footnote 6] The legacy system, implemented in the 1970s, runs on outsourced mainframe software and hardware that requires costly contracts to use and maintain. This system is programmed in COBOL (Common Business Oriented Language), a business application programming language that was introduced in the 1960s and is now becoming obsolete and difficult to manage. It is the primary system used to manage and account for loans and loan-related activities for all SBA loan programs, including allotment of funds, loan origination, servicing, liquidation, collections, and disbursements. New technologies added to the loan accounting environment over the years have created a web of stove-piped systems and databases, causing issues with interoperability. Maintaining data integrity in such an environment requires SBA to employ expensive data reconciliations. The current effort to modernize the LAS dates to September 2005, when SBA's Office of Inspector General (OIG) raised concerns about the age of the LAS and information security risks in the system.[Footnote 7] It noted that SBA's contract with Unisys to support LAS mainframe operations was due to expire in February 2007. The OIG also identified the different goals and objectives of the multiple SBA program offices responsible for the various parts of LAS as impediments to its modernization. Consequently, the OIG determined that the modernization needed oversight from senior management, such as the Deputy Administrator, and recommended that SBA take immediate action to develop and deploy an effective LAS migration or modernization plan. In November 2005, SBA announced the initiation of the Loan Management and Accounting System (LMAS) program, with estimated total costs of approximately $217 million over a 9-year period. Its goal was to implement a single, integrated loan management and loan accounting solution that aligned with the agency's strategic goals. Specifically, SBA expected it to reduce the complexity of the technical environment by replacing three existing accounting systems (including LAS, which was made up of 19 different sub-systems that covered the full loan life cycle) with a single, integrated system that would provide comprehensive IT support to SBA's full loan life cycle for all direct and guaranty loan programs, the financial management and accounting operations for all of the loan programs, and SBA's financial reporting. One key goal of the modernization was the elimination of COBOL applications and mainframe hardware. SBA began work on the LMAS program in early 2006, but was unable to replace the legacy system prior to the expiration of the mainframe contract in February 2007, making it necessary for SBA to negotiate new contracts for mainframe and application services until December 2011 at a total cost of approximately $30 million. Subsequently, in May 2008, SBA's OIG recommended the migration of LAS prior to the expiration of the mainframe contracts in 2012 in order to reduce costs and mitigate security risks.[Footnote 8] In addition, OIG found deficiencies in the quality assurance monitoring of LMAS and recommended program management improvements, including outsourcing the quality assurance function for the program, which SBA subsequently implemented. LMAS remained in the planning phase until September 2008 when SBA awarded contracts to establish quality assurance monitoring and oversight, provide project management support, and provide systems integration services. However, in July 2009, SBA's OIG found several issues with the management of LMAS, including the lack of an independent quality assurance function, inadequate risk management practices, and past-due deliverables.[Footnote 9] With regard to past- due deliverables, the OIG reported that the prime LMAS contractor missed deliverable due dates, prompting SBA to move back its baseline schedule for contractor deliverables multiple times. Following recommendations from an outside study and two reviews by OMB, SBA reduced the overall scope of the LMAS modernization project and decided to pursue the modernization through a number of smaller projects with shorter time frames. In December 2009, McKinsey & Company, a contractor engaged by SBA, conducted a study of the LMAS implementation plan that raised significant issues concerning the likelihood of cost and schedule overruns. The report stated that LMAS would face significant risk because, among other reasons, it took over 3 years to move from LMAS's conception to having a draft blueprint that had not yet been fully developed. It also stated that LMAS plans were based upon old, incorrect depictions of systems and interfaces. Key recommendations included simplifying LMAS to focus on mainframe migration and improving communication across the project. In addition in April 2010, OMB conducted a TechStat review of LMAS. A TechStat review is a face-to-face, evidence-based review of an IT investment that is attended by OMB and agency leadership. TechStat reviews can be triggered by factors such as inconsistencies in data reported on OMB's IT Dashboard,[Footnote 10] recurring patterns of problems, or an OMB analyst's concerns with an investment. The goal of the review is to develop a clear course of corrective action for the project. As a result of the TechStat review, OMB raised significant concerns about LMAS's management. Among other things, it found that LMAS was not strategically aligned with SBA's business goals and that SBA lacked a target enterprise architecture for loan accounting and financial management. It also stated that the projected benefits from the program in terms of return on investment were unclear. To remedy these issues, SBA agreed to perform corrective actions, including performing a new cost-benefit analysis of LMAS. On June 28, 2010, OMB issued memorandum M-10-26[Footnote 11] with the primary goals to reduce costs, shorten timeframes, and reduce risks associated with agency financial system projects. OMB's June 2010 memorandum required agencies to (1) halt the issuance of new task orders or new procurements for all financial system projects with $20 million or more in planned spending on development or modernization expenses, pending review and approval from OMB; and (2) provide OMB with revised project plans within 60 days of the memorandum's issuance in accordance with three guiding principles using the provided template. The three guiding principles included (1) splitting financial system modernization projects into smaller, simpler segments with clear deliverables, (2) focusing on the most critical business needs first, and (3) providing ongoing, transparent project oversight. As part of the June 2010 memorandum, the Financial Systems Advisory Board (FSAB) was created by OMB to assist with reviewing financial systems modernization projects and providing recommendations, advice, and support to OMB on the existing and new plans. In September 2010, LMAS was reviewed by the FSAB. SBA used this review process to request OMB's approval to replace LMAS with a series of more focused projects: the LMAS-Incremental Improvement Projects (LMAS-IIP). SBA justified this request by projecting that the LMAS-IIPs would be less costly, less time- consuming, and less risky than LMAS. Since FSAB had found that dividing LMAS into smaller, simpler modernization projects was consistent with OMB's guidance, it recommended the approval of SBA's revised approach. In January 2011, SBA received formal written approval from OMB to proceed with its proposed incremental approach to loan system modernization. SBA reallocated the remaining LMAS funds to the new IIPs. The approved incremental approach consists of seven projects with a more limited scope than the former LMAS program, which was intended to provide end-to-end integration of all of SBA's loan management and accounting operations systems. Specifically, although SBA plans to move its software off its legacy mainframe environment, it no longer plans to replace its legacy COBOL software. In addition, it will upgrade two administrative accounting systems and develop new interfaces that are to interact with updated applications supporting the existing LAS. The approved improvement projects are: 1. Oracle Upgrade-—Upgrade SBA's internal administrative accounting and management system to Oracle Federal Financials Version R12, a newer version of an Oracle suite of database products used by federal agencies to track financial transactions. 2. Migration of User Interfaces—-Migrate user interfaces from the Unisys legacy mainframe platform to SBA's current web-based infrastructure. These new interfaces, which allow SBA and lenders to enter information about loans into SBA's loan databases, are intended to provide capabilities for loan centers and lending partners. 3. Migrate to New Version of COBOL—-Convert a version of COBOL used in SBA's Unisys legacy mainframe environment to a version of COBOL compatible with UNIX. SBA expects that this project will allow for simpler maintenance and new and improved capabilities for loan data analysis. 4. Sybase to Oracle Migration—-Migrate SBA's legacy database systems at its Denver office to its current database (Oracle) infrastructure. SBA expects that this migration will facilitate better integration with other SBA systems and future system migrations. 5. Root Cause Analyses-—Analyze remaining issues and develop plans to prioritize additional projects to address SBA's most important business needs. By defining issues that need attention, this process is designed to lead to process improvements, avoid costs associated with not implementing the ideal solutions, and align efforts and resources with business needs. 6. Implement Improvements—-Implement the improvements identified by the root cause analyses and by the analysis of the new processes. 7. Document Loan Accounting—Document the new processes in order to capture and transfer knowledge about the new loan management and accounting system environment. Project ownership for the IIPs belongs to two of SBA's offices—the Office of the Chief Financial Officer and the Office of Capital Access, which is responsible for SBA efforts to expand available capital to small businesses. The two responsible offices have both established program management offices to run the day-to-day operations for the improvement projects within their areas of responsibility. To provide oversight of the offices' efforts, SBA established an Executive Steering Committee to oversee SBA's loan and financial systems environment and ensure that SBA's loan and financial management systems meet the agency's goals and objectives. Among the membership in this committee is the Chief Information Officer, whose involvement with the IIPs includes providing advice to the committee and voting on issues raised by the program management offices. In addition, SBA uses a second executive body to provide oversight of the IIPs—-the Business Technology Investment Council, which includes the Chief Information Officer, the Chief Financial Officer, the Deputy Administrator, and the most senior member of selected offices and components within SBA. This council is required by SBA policy to conduct initial approval and periodic review of the progress of IT projects, such as the IIPs. The project owner for each IIP is identified in table 1, below. Table 1: LMAS-IIPs and Their Owners: LMAS-IIP: Oracle Upgrade; Project owner: Office of the Chief Financial Officer. LMAS-IIP: Migration of User Interfaces; Project owner: Office of Capital Access. LMAS-IIP: Migrate to New Version of COBOL; Project owner: Office of Capital Access. LMAS-IIP: Sybase to Oracle Migration; Project owner: Office of the Chief Financial Officer. LMAS-IIP: Root Cause Analyses; Project owner: Office of the Chief Financial Officer. LMAS-IIP: Implement Improvements; Project owner: Office of the Chief Financial Officer. LMAS-IIP: Document Loan Accounting; Project owner: Office of Capital Access. Source: GAO Analysis of SBA data. [End of table] [End of section] Results: Status of LMAS Modernization Efforts: As of September 2011, SBA had completed one of the seven IIPs and begun work on another. Development work is yet to begin for the remaining five IIPs. Specifically, * one IIP has been completed; * SBA has awarded a contract for one HP and the results are being deployed incrementally; * SBA has awarded contracts to conduct assessments of work to be conducted for two IIPs; * SBA has begun planning for one other IIP; and; * two have yet to begin. SBA expects one HP to be completed earlier than it reported to Congress in October 2010, while the remaining five incomplete IIPs are expected to be completed later than reported, with delays ranging from 4 to 11 months. In addition, according to SBA's most recent report to Congress, dated March 2011, costs for six of the seven IIPs had risen by between approximately $200,000 and $600,000, and the seventh IIP's projected costs had risen by approximately $2.7 million. Table 2 provides details on the status of the individual IIPs. Table 2: IIP Initial and Current Expected Completion Dates and Projected Costs: LMAS-IIP: Oracle Upgrade; Current status: Completed in May 2011; Expected completion date as of October 2010: March 2011; Expected completion date as of August 2011: Completed in May 2011; Projected cost as of cost as of October 2010: $8.45 million; Projected cost as of cost as of March 2011: $8.66 million; Percentage increase in projected costs: 2.5%. LMAS-IIP: Migration of User Interfaces; Current status: Contract awarded and work in progress; Expected completion date as of October 2010: December 2011; Expected completion date as of August 2011: May 2012; Projected cost as of cost as of October 2010: $3.32 million; Projected cost as of cost as of March 2011: $3.76 million; Percentage increase in projected costs: 13.3%. LMAS-IIP: Migrate to New Version of COBOL; Current status: Contract awarded to conduct assessment; Expected completion date as of October 2010: May 2012; Expected completion date as of August 2011: April 2013; Projected cost as of cost as of October 2010: $6.05 million; Projected cost as of cost as of March 2011: $8.72 million; Percentage increase in projected costs: 44.1%. LMAS-IIP: Sybase to Oracle Migration; Current status: Contract awarded to conduct assessment; Expected completion date as of October 2010: October 2011; Expected completion date as of August 2011: September 2012; Projected cost as of cost as of October 2010: $2.51 million; Projected cost as of cost as of March 2011: $3.11 million; Percentage increase in projected costs: 23.9%. LMAS-IIP: Root Cause Analyses; Current status: Planning initiated; Expected completion date as of October 2010: October 2011; Expected completion date as of August 2011: June 2012; Projected cost as of cost as of October 2010: n/a; Projected cost as of cost as of March 2011: n/a; Percentage increase in projected costs: 41.0%. LMAS-IIP: Implement Improvements; Current status: Expected to start in March 2012 Expected completion date as of October 2010: March 2013; Expected completion date as of August 2011: July 2013; Projected cost as of cost as of October 2010: n/a; Projected cost as of cost as of March 2011: n/a; Percentage increase in projected costs: 47.8%. LMAS-IIP: Document Loan Accounting; Current status: Expected to start in November 2011; Expected completion date as of October 2010: March 2013; Expected completion date as of August 2011: January 2013; Projected cost as of cost as of October 2010: n/a; Projected cost as of cost as of March 2011: n/a; Percentage increase in projected costs: 52.5%. Source: GAO analysis of SBA data. Data identified as n/a are potentially sensitive cost estimates, and therefore are not printed here. [End of table] Taken together, SBA expects the seven IIPs to be completed by July 2013, 4 months later than the March 2013 completion date reported to Congress in October 2010. In addition, according to its report to Congress dated March 2011, the total estimated cost of the IIPs increased to a total of about $28 million,[Footnote 12] approximately $5 million more than reported in October 2010, an overall increase of about 22 percent in 5 months. Results: Management Controls: SBA has not fully implemented key practices for successfully managing and overseeing its LMAS modernization efforts. The success of large IT projects is dependent on agencies' implementing key management capabilities in areas that include software requirements management, IT risk management, IT human capital management, and enterprise architecture (EA). In addition, IT investment management (ITIM), which constitutes effective institutional oversight, is necessary to ensure that projects adhere to these management capabilities and achieve expected results. However, in its management of the IIPs, SBA has not consistently followed relevant federal guidance, best practices, and SBA internal guidance in these areas. These management weaknesses can be traced, in part, to inadequate executive oversight of the LMAS modernization. Until SBA improves its project oversight and fully implements basic IT management capabilities, it will face an increased risk of not meeting the IIPs' cost and schedule goals. Results: Management Controls: Requirements: A disciplined process for developing[Footnote 13] and managing [Footnote 14] requirements can help reduce the risks of developing or acquiring a system. A well-defined and managed requirements baseline can, in addition, improve understanding among stakeholders and increase stakeholder buy-in and acceptance of the resulting system. According to the Software Engineering Institute's (SEI) Capability Maturity Model Integration[Footnote 15] (CMMI), the requirements for a system describe the functionality needed to meet user needs and perform as intended in the operational environment. The practices underlying requirements development and management can be grouped into four key process areas: eliciting, documenting, verifying and validating, and managing change to the requirements through the system's life cycle. These processes translate customer needs from statements of high-level business requirements into validated, testable system requirements. SBA's software development method also calls for projects to elicit, document, verify and validate, and manage requirements. For example, SBA's guidance requires reviews with stakeholders to ensure that deliverables for each phase of a project include the necessary level of detail and meet applicable SBA standards and guidelines. SBA has partially satisfied disciplined requirements development and management practices in three of the four process areas and fully satisfied the remaining process area in its management of the four IIPs with work completed, underway, or with awarded contracts. SBA's implementation of these key practices is summarized in table 3 below. Table 3: Summary of SBA Implementation of Key Requirements Development and Management Practices: Process: Elicitation; Specific practices: * Identify stakeholders who may be affected by or who may affect the product; * Work with stakeholders to gather needs, problems, and expectations; Rating: Partially satisfied. Process: Documentation; Specific practices: * Analyze requirements to determine if they will satisfy stakeholders' needs; * Decompose business requirements into system requirements (e.g., functional, nonfunctional, interface); * Obtain agreements on requirements from stakeholders; * Record approved baseline requirements and place under change control. Rating: Partially satisfied. Process: Verification and Validation; Specific practices: * Verify requirements to ensure they will meet stakeholder needs; * Validate requirements to demonstrate requirements fulfill intended uses; * Conduct testing against requirements (unit, system integration, user acceptance, regression); * Document results of testing. Rating: Partially satisfied. Process: Change Management; Specific practices: * Manage changes to requirements throughout the life cycle; * Document rationale for change and analyze impact; Rating: Satisfied. Source: GAO analysis of SBA data. [End of table] SBA varied in the extent to which it followed disciplined requirements practices for the four IIPs with work completed, underway, or with awarded contracts. * Elicitation—-SBA identified internal stakeholders, such as offices within SBA, and external stakeholders, such as lending institutions and loan holders; however, SBA did not document the extent to which the program offices worked with stakeholders to determine the needs of the IIPs. Officials stated that reviews with stakeholders occurred when a contractor performed an assessment of LMAS in December 2009; however, this was done prior to the initiation of the current IIPs. * Documentation—-The documentation of requirements was partially satisfied for the four IIPs at the stage for which documented requirements would be appropriate—that is, projects that have moved beyond the initial planning stage. Specifically, for the Oracle upgrade that has been deployed, SBA identified key business requirements and gaps between them and standard application functionality. For the migration of user interfaces projects, requirements have only been documented for the two interfaces that have been migrated, however, they have not for the others that are planned for migration. Officials stated that requirements already exist within the old system. However, they did not provide documentation of them. SBA did not develop requirements for the IIP that will deal with migrating mainframe COBOL to UNIX. Officials stated they expect to develop requirements after reviewing an assessment that is to be completed by a contractor. * Verification and Validation—-The verification and validation of requirements were partially satisfied for the two IIPs that were at the stage for which this process would be appropriate. For the Oracle upgrade, SBA has completed verification and validation and testing, and it has documented the results. However, for the project consisting of the migration of user interfaces, the two new user interfaces that have been migrated have not yet undergone verification and validation or testing. * Change Management-—The management of changes in the system requirements was satisfied for the two IIPs at the stage for which this process would be appropriate. SBA has effectively managed and documented, for instance, the rationale behind changes for the Oracle upgrade deployed in May 2011. For that IIP, SBA provided documentation of changes to the upgraded version from the previous version of Oracle as well as details on the automated tool it used to manage change. In addition, SBA provided contractor-developed documentation of the change management procedures being used for the migration of user interfaces which include the full life cycle of change management from the introduction of change to closing. According to SEI, the purpose of risk management is to identify potential problems before they occur. When problems are identified, risk-handling activities can be planned and invoked as needed across the life of a project in order to mitigate adverse impacts on objectives. Effective risk management involves early and aggressive risk identification through the collaboration and involvement of relevant stakeholders. Based on SEI's CMMI, IT risk management activities can be divided into four key areas: preparing for risk management, identifying and analyzing risks, mitigating risks, and executive oversight. SBA's risk management guidance and plans also call for risk management preparation, identification and analysis of risk, mitigation of risk, and executive oversight. For example, SBA's guidance requires that each major risk be assigned a project team member for monitoring purposes and that project risk level be tracked, monitored, and reported to senior management. In addition, it requires that risks be categorized according to predefined categories such as schedule, life-cycle costs, and security. The SBA offices managing the four IIPs with work completed, underway, or with awarded contracts have partially satisfied disciplined IT risk management practices in each of the four process areas, as identified in table 4 below. Table 4: Summary of SBA Implementation of Key Risk Management Practices: Process: Prepare for risk management; Specific practices: * Determine risk sources and categories; * Define parameters used to analyze and categorize risks and parameters used to satisfied control risk management efforts; * Establish and maintain the strategy to be used for risk management; * Identify and involve the relevant stakeholders of the risk management process as planned; Rating: Partially satisfied. Process: Identify and analyze risks; Specific practices: * Identify and document the risks; * Evaluate and categorize each identified risk using the defined risk categories and satisfied parameters, and determine its relative priority; Rating: Partially satisfied. Process: Mitigate risks; Specific practices: * Develop a risk mitigation plan for the most important risks to the project, as defined by the risk management strategy; * Monitor the status of each risk periodically and implement the risk mitigation plan as appropriate; Rating: Partially satisfied. Process: Executive oversight; Specific practices: * Review the activities, status, and results of the risk management process with executive-level management, and resolve issues; Rating: Partially satisfied. Source: GAO analysis of SBA data. [End of table] * Preparation-—SBA has generally identified parameters used to analyze and categorize risks, such as risk categories, factors that would trigger the execution of a mitigation plan, and risk probability and impact. However, the Office of Capital Access, which manages two of the four active IIPs, has not identified risk categories to be used in its risk management plan, which is inconsistent with SBA guidance. * Identification and analysis-—SBA identified, categorized, and prioritized risks for three of the four active IIPs. For example, the Office of the Chief Financial Officer has identified risks such as contractor resources not being available to work when scheduled, which is categorized as a schedule-related risk and has a moderate priority. Another identified risk, namely that the migration approach recommended by the vendor at the end of an assessment phase may require a change in cost or schedule, was categorized as related to life-cycle costs and given a moderate priority. However, in the case of another I IP, approximately two thirds of the risks are not categorized according to SBA guidance as described above, and none are prioritized. * Mitigation-—SBA has identified risk mitigation plans for most of the identified IIP risks; however, some risks are accepted without documented rationale, and others have unclearly defined triggers to execute mitigation plans. For example, the risk of government and contractor resources not being available does not have a mitigation strategy for one IR In addition, two IIPs have risks SBA has accepted without documented rationales. These include the inability to obtain data from a team of contractors and the inability to secure space and equipment for employees. Further, another I IP has risks that have vaguely defined mitigation strategy triggers. For instance, one trigger is a delay in the clearance process; however, the risk log does not specify how long a delay must exist (e.g., in number of days) before the mitigation plan is activated. * Executive oversight-—Executive oversight of the IIPs is the responsibility of SBA's Executive Steering Committee. However, only one of the five documented meetings of the committee included a discussion related to risk management. In that meeting, one risk and an associated mitigation strategy were discussed. The meeting minutes do not indicate that the committee discussed the outcome of the risk management process. Results: Management Controls: IT Human Capital: Effective human capital management requires a strategic and proactive approach to meeting current and future human capital needs. By employing such an approach, organizations can be better positioned to have the people with the right knowledge, skills, and abilities to support mission operations both today and in the future. The success or failure of federal programs depends, in large part, on having the right number of people with the right mix of knowledge and skills. Since 2001, we have designated the strategic management of human capital as a governmentwide high-risk area.[Footnote 16] We have previously reported on principles for strategic workforce planning,[Footnote 17] which outline guidance for human capital management. Strategic workforce planning involves (1) determining the critical skills and competencies needed to achieve current and future program results, (2) analyzing the gaps between current skills and future needs, and (3) developing strategies for filling gaps. If performed effectively, these activities can collectively create a strategic and proactive approach to human capital management. SBA has partially satisfied two of the IT human capital management best practices in its management of the four IIPs with work completed, underway, or with awarded contracts but did not implement one other practice, as identified in table 5 below. Table 5: Summary of SBA Implementation of Key IT Human Capital Management Practices: Practice: Determine needs: determine the critical skills and competencies needed to achieve current and future program results; Rating: Partially satisfied. Practice: Inventory/gap analysis: inventory current staff skills and analyze the gaps between current skills and future needs; Rating: Partially satisfied. Practice: Strategy: develop strategies for filling gaps; Rating: Not satisfied. Source: GAO analysis of SBA data. [End of table] * Determine needs—-SBA determined, by name and job function, the positions needed to complete the four active IIPs, but did not specifically identify the needed skills or competencies needed to complete the IIPs. SBA also identified a list of training courses necessary for staff working on two of the active IIPs, but did not have a similar list for the other active IIPs. * Inventory/gap analysis—-SBA's skills inventory consists of the list of existing job functions, discussed above, needed to complete the four active IIPs. SBA has not, however, identified future needs or analyzed the gap between the current skills of its staff and current or future needs. * Strategy—-SBA has not taken a strategic approach to addressing its human capital needs related to the IIPs. Although SBA has a contract with a vendor to provide Oracle training to SBA personnel and has assigned responsibility for training staff to use one of the new systems, it does not have a plan to ensure that gaps in necessary skills are filled. According to SBA officials, program managers have adequately managed human capital needs, but have not documented their efforts. However, without proper documentation of how it attempted to close the gaps between program needs and staff skills throughout the LMAS effort, SBA has a limited ability to measure its progress toward putting together the workforce it needs to carry out the modernization and to take appropriate corrective actions if needed. Results: Management Controls: Enterprise Architecture: A well-defined enterprise architecture[Footnote 18] is an essential tool for leveraging IT in the transformation of business and mission operations. Our experience with federal departments and agencies has shown that attempting to modernize and evolve IT systems without an enterprise architecture to guide and constrain investments often results in operations and systems that are duplicative, not well integrated, unnecessarily costly to maintain and interface, and ineffective in supporting mission goals. Moreover, the development, implementation, and maintenance of architectures are widely recognized as hallmarks of successful public and private organizations, and their use is required by the Clinger-Cohen Act[Footnote 19] and OMB. The GAO Enterprise Architecture Management Maturity Framework (EAMMF) version 2.0[Footnote 20] consists of seven hierarchal stages of EA management maturity, made up of 59 core elements: EA practices or conditions that should be performed or met. Of these core elements, the ones most appropriate for managing a modernization effort at the project level deal with the development, prioritization, and maintenance of segment architectures,[Footnote 21] which can be viewed as subsets of an EA or a bridge between the EA and IT investments. Similarly, OMB guidance[Footnote 22] calls on agencies to (1) define enterprise segments as components of their EA planning activities, (2) prioritize segments by focusing first on those that will help the agency perform its mission most effectively, and (3) maintain these segment architectures. SBA partially addressed the guidance on defining, prioritizing, and maintaining segment architectures for its IIPs. Specifically, SBA developed target architectures for the financial management and financial assistance segments, which include the functions of the existing loan systems and the IIPs. These target architectures were drafted in February and March 2010. However, they have not been approved by the appropriate SBA officials. SBA attributed the lack of approval to the change in approach from the overall LMAS project to the IIPs. In addition, SBA has not prioritized the draft segment architectures. Officials attributed the lack of prioritization to the segments being too closely related and having too much overlap to prioritize one over another. Finally, the target architectures have not been updated since the revised LMAS program scope consisting of the IIPs was approved by OMB in January 2011. As a result, they still describe the comprehensive approach SBA planned to take with the previously planned LMAS modernization effort. SBA expects the revised target architectures to be approved by March 2012. Results: Management Controls: IT Investment Management: IT investment management links investment decisions to an organization's strategic objectives and business plans. The Clinger- Cohen Act requires an agency to select and control IT projects as investments in a manner that manages risks while maximizing the return. Projects should be seen as investments and are to be selected and managed on the basis of cost, benefit, risk, and organizational priorities by an investment board made up of senior agency managers. Once a project is under way, the organization manages project schedules, costs, benefits, and risks to ensure that the project meets mission needs within cost and schedule expectations. SBA policy further defines how it manages IT projects as investments. Specifically, its Capital Planning and Investment Control Policy requires initial approval and periodic review of the progress of IT projects by the Business Technology Investment Council (BTIC), which includes the Chief Information Officer, Chief Financial Officer, Deputy Administrator, and the most senior member of selected offices and components within SBA. When presented for approval, the BTIC should be provided with information on the project's schedule and milestones, budget, risk management plan, and an alternatives analysis. Also, SBA's IT Investment Performance Baseline Management Policy requires the development and updating of cost, schedule, and scope baselines for major IT projects, and requires approval of changes beyond a defined threshold. The use of cost and schedule baselines ensures better execution and improved performance of IT projects, as well as promoting effective oversight. In practice, SBA partially applied its investment management policies to the IIPs. Consistent with SBA policy, the BTIC was briefed on the current IIP approach in August 2010, and the budget for the revised project was approved in September 2010 as part of SBA's overall IT investment portfolio. However, while the records of the BTIC meetings indicate that it received information on the IIPs' overall approach, there is no record that the BTIC approved the IIPs' specific schedule baseline or that it received the required information on the projects' risk management approach or alternatives analysis. In addition, while the BTIC was briefed on the estimated costs of the individual IIPs, the estimates differ from those provided to Congress in reports dated October 2010 and March 2011, as outlined in table 6 below. As a result, there is no evidence that the projects have an approved cost baseline. Table 6: IIP Comparison of IIP Project Costs Approved By BTIC to Projected Costs Provided to Congress: LMAS-IIP: Oracle Upgrade; Projected cost of IIPs as reported to BTIC in August 2010: $7.64 million; Projected cost of IIPs as of October 2010, as reported to Congress: $8.45 million; Projected cost of IIPs as of March 2011, as reported to Congress: $8.66 million. LMAS-IIP: Migration of User Interfaces; Projected cost of IIPs as reported to BTIC in August 2010: $2.23 million; Projected cost of IIPs as of October 2010, as reported to Congress: $3.32 million; Projected cost of IIPs as of March 2011, as reported to Congress: $3.76 million. LMAS-IIP: Migrate to New Version of COBOL; Projected cost of IIPs as reported to BTIC in August 2010: $22.13 million; Projected cost of IIPs as of October 2010, as reported to Congress: $6.05 million; Projected cost of IIPs as of March 2011, as reported to Congress: $8.72 million. LMAS-IIP: Sybase to Oracle Migration; Projected cost of IIPs as reported to BTIC in August 2010: $2.13 million; Projected cost of IIPs as of October 2010, as reported to Congress: $2.51 million; Projected cost of IIPs as of March 2011, as reported to Congress: $3.11 million. Source: GAO analysis of SBA data. [End of table] SBA also conducted executive oversight using a second body created specifically for the modernization effort. Called the Executive Steering Committee, the second body includes the Deputy Administrator, the Chief Information Officer, the Chief Financial Officer, the LMAS-I IP Program Manager, and the Associate Administrator of the Office of Capital Access. Between July 2010 and July 2011, this committee held five documented meetings in which the progress of the IIPs was discussed. However, there is no evidence in the Committee's meeting minutes that it addressed the outstanding capital planning requirements for the program, including its schedule baseline or risk management plan, or that it approved the subsequent changes to the budget estimates reported to Congress. According to SBA officials, the Committee held additional undocumented meetings in which some of those issues could have been discussed. They also said that oversight occurs when agency officials review reports to Congress prior to their release. However, without fully documenting the results of executive oversight activities, SBA limits its ability to identify deviations from approved cost and schedule targets and to take action to remedy significant deviations. Similarities in the scope and responsibility of the two executive oversight bodies likely contributed to the gaps in required investment management oversight. As we have previously reported,[Footnote 23] the lack of clarity and definition for the roles of project oversight and governance bodies may result in duplication or gaps in program oversight. SBA's two oversight bodies have similar responsibilities for overseeing the IIPs' overall progress. Specifically, the BTIC's responsibilities include ensuring the agency's investment decisions reflect its business needs, mission, objectives and strategic goals and are in compliance with the enterprise architecture. The Executive Steering Committee's responsibilities include providing executive leadership in overseeing SBA's loan and financial management systems environment and ensuring that SBA's loan and financial management systems meet the agency's goals and objectives. However, neither was specifically tasked with reviewing or approving the cost or schedule baselines or subsequent changes to them. Weaknesses in executive management also contributed to the deficiencies identified in the other management practices we evaluated. For example, even though SBA policy requires alignment between investment reviews and enterprise architecture, the records of the oversight bodies do not indicate that they considered EA alignment as part of their reviews. Similarly, there was no evidence that the bodies conducted the required oversight of IIP risk management or that they reviewed the adequacy of planned human capital capabilities. Without more focused, consistent, and ongoing oversight of the IIPs, SBA is unlikely to improve and sustain the management practices that lead to successful completion of IT projects. In turn, weaknesses in the use of basic management practices make it less likely that SBA will be able to complete the IIPs within the time, budget, and scope parameters originally identified. [End of section] Conclusions: SBA has completed one of the seven Incremental Improvement Projects intended to modernize its loan management and accounting systems, work is underway on one other, and contracts have been awarded for two more. However, most of the IIPs are already experiencing individual schedule delays of 4 to 11 months and an overall cost increase of about 22 percent, which increases the risk that SBA will not be able to deliver the projects as planned. SBA's likelihood of successfully completing the IIPs would improve if it more consistently applied basic IT management practices. SBA has taken a number of steps that are consistent with sound IT management. For example, it has identified and validated system requirements and has identified system development risks as well as plans to mitigate them, but it has not done so consistently for each of its ongoing IIPs. Also, it has taken several actions consistent with sound enterprise architecture and human capital management practices, including developing segment architectures and identifying staff positions needed to complete the IIPs. It has not, however, fully applied other sound practices in these areas, including maintaining and prioritizing the segment architectures and developing a strategy to meet outstanding human capital needs. Given that SBA has been unable to successfully complete prior efforts to modernize its loan systems, the consistent use of sound IT management practices will be critical to reducing the risk of its new approach encountering similar difficulties. Weaknesses in executive oversight of the IIPs have contributed to SBA's inconsistent use of sound IT management practices and increase the likelihood that the projects will experience delays or cost overruns. In particular, its use of two oversight bodies with overlapping responsibilities and lines of authority is likely to lead to continued duplication or gaps in oversight, such as the lack of documented schedule and cost baselines for the IIPs. The gaps, in particular, make it difficult for SBA to conduct the necessary oversight of project progress. In addition, addressing these weaknesses in executive oversight should result in more effective management of program progress and more timely decisions about adjustments needed to arrest or reverse the schedule delays and cost overruns that have already occurred. [End of section] Recommendations for Executive Action: To better ensure that the loan management Incremental Improvement Projects are completed as planned and provide anticipated capabilities, we are recommending that the Administrator of the SBA direct the Chief Information Officer to ensure that SBA is applying the appropriate information technology management practices to the IIPs. Specifically, SBA should ensure that: * IIP requirements are managed appropriately, including elicitation, documentation, and verification and validation; * IT risks to the IIPs are adequately managed, including preparing for risk management, identifying and analyzing risks, mitigating risks, and providing executive oversight of risk management activities; * the human capital necessary for the IIPs is managed appropriately, including the determination of human capital needs, the identification of gaps between current capabilities and needs, the development of a strategy to close those gaps, and the documentation of these activities; and; * the enterprise architecture segments related to the IIPs are managed appropriately, including the development, prioritization, and maintenance of the segments. In addition, we recommend that the Administrator of the SBA clarify the responsibilities of the executive bodies responsible for the IIPs and ensure they provide the appropriate oversight of their progress. Specifically, these executive bodies should conduct and document executive review and approval of the LMAS modernization's: * risk management approach; * target segment architectures; and; * cost and schedule baselines, including ongoing oversight of progress against those baselines. Agency Comments and Our Evaluation: We provided a draft of this briefing for review and comment to the Administrator of the Small Business Administration. In e-mail comments on a draft of this briefing, the Small Business Administration's GAO liaison provided clarifying and technical comments, which we addressed, as appropriate. However, SBA did not comment on our recommendations. [End of section] Appendix II: Comments from the Small Business Administration: U.S. Small Business Administration: Washington, D.C. 20416: January 13, 2012: Mr. David A. Powner: Director: Information Technology Management Issues: U.S. Government Accountability Office: 441 G Street, NW, Room 4T21B: Washington, DC 20548: Dear Mr. Powner: Thank you for the opportunity to comment on the Government Accountability Office (GAO) draft report titled "Information Technology: SBA Needs to Strengthen Oversight of Its Loan Management and Accounting System Modernization" (GAO-12-295). The U.S. Small Business Administration (SBA) reviewed the draft report and concurs, in general, with the Recommendations for Executive Action, but respectfully requests that certain clarifications be made to the report. The SBA has already taken steps to improve the consistency with which our Incremental Improvement Projects (IIPs) are managed, and we will continue to work toward implementing the five Executive Actions identified in the report. SBA respectfully submits the following comments to portions of the draft report that we believe are not accurate or require further clarification: Page 3: "Further, according to its most recent report to Congress, dated March 2011, the total cost of the IIPs increased approximately $5 million since October 2010, while the projected individual cost of each of the seven projects had risen between approximately 3 and 53 percent". SBA Comment: The costs for the IIPs did not increase between October 2010 and March 2011. SBA believes GAO may have concluded that there was an increase in the cost of the IIPs because it compared two different data sets submitted by SBA in separate documents. Specifically, on October 20, 2010, the U.S. House of Representatives Committee on Small Business requested additional information concerning LMAS. The Committee requested, among other things, an itemized list of all LMAS contract costs to date, future obligations, and expected future costs and a breakdown of the original LMAS budget and the revised budget addressing the IIPs. The SBA responded to this request with an itemized budget summary setting forth the contract costs to date and future contract obligations, as well as the original LMAS budget and revised IIP budget, as requested. The itemized budget summary and revised IIP budget submitted in this response did not address noncontract related costs, because they were not requested. In March of 2011, the SBA submitted its Quarterly Congressional Report to Congress. The report responded to a request set forth in the Congressional Record by the House Committee on Appropriations that SBA submit a quarterly report summarizing its progress regarding the modernization of the Agency's loan and accounting systems. This quarterly report showed the costs to date for the projects, and included contract and non-contract related costs, which was the same format used by SBA for all of its prior quarterly reports. As a result, the total costs reported in March 2011 were different, and higher, than the contract-related costs reported in October 2010. Thus, the difference and alleged increase in the IIP budget identified in the GAO's draft report was a result of comparing two different data sets and was not the result of any increase in the IIP budget. Page 5: "Inconsistencies in SBA's applications of IT management practices occurred, in part, because (SBA) did not provide adequate executive oversight through its investment management process even though it is using two executive bodies to oversee the (IIPs)... While these bodies have overlapping responsibilities and lines of authority, several basic oversight responsibilities, including executive approval of the project's schedule, were left unaddressed by either body. In addition, the cost baselines approved by SBA's executive oversight body differ greatly from the projected costs reported to Congress 2 months later. According to SBA officials, additional oversight was provided through undocumented meetings and reviews of reports to Congress...." SBA Comment: The SBA believes that it has provided GAO with documents to support the fact that the project's overall schedule was reviewed by an executive oversight body. As the GAO's report explains, the Office of the Chief Financial Officer (OCFO) and the Office of Capital Access (OCA) each manage certain IIP projects. As a result, SBA created the Executive Steering Council (ESC) to oversee and coordinate the efforts of ()CFO and OCA. The ESC's members include the Deputy Administrator, Chief Information Officer (CIO), Chief Financial Officer (CFO), and Associate Administrator of OCA. All of these individuals are also members of the SBA's Business Technology Investment Council (BTIC). The BTIC is SBA's chartered executive oversight body for the Agency's Information Technology Investment Management processes. The BTIC is chaired by SBA's CIO and CFO. The SBA's Deputy Administrator serves as the permanent ex-officio member of the Council. The SBA presented GAO information showing that on August 19, 2010, a member of the ESC presented the BTIC with the revised direction for LMAS, along with the revised budget, as noted by GAO in the report. During that same meeting, the BTIC reviewed the revised overall schedule, as well. Only a few weeks later, on September 3, 2010, the BTIC met again to further discuss and approve the re-baselining of the Agency's IT projects, including LMAS, as part of the Agency's Exhibit 53. Consequently, the information presented shows that both the ESC and BTIC reviewed and approved the schedule and budget. The SBA notes that additional oversight of these projects was and continues to be provided through various meetings and reviews. In fact, the IIPs are routinely discussed with executives who have oversight responsibilities and participate in the oversight committees. The SBA acknowledges, however, that there are no formal meeting minutes for many of these meetings, since the principals engaged in the IIPs are co-located in the same building and the meetings happen frequently. The SBA is considering formalizing these processes in the future and has begun working on a formal charter for the ESC. Finally, the SBA has explained above the alleged discrepancy in costs approved by SBA's executive oversight body as compared to the projected costs reported to Congress two months later. The reported costs that had been approved included both contractor and personnel costs while the costs reported to Congress in October 2010 only included the contractor costs. The SBA is committed to strengthening oversight of the IIPs to achieve the goals of modernizing its systems. We appreciate the opportunity to provide these comments to you, and we look forward to answering any questions you may have. If you require additional information, please contact Shawn McKeehan, SBA GAO Liaison, at (202) 205-7729. Sincerely, Signed by: Nicholas Coutsos: Assistant Administrator: Office of Congressional and Legislative Affairs: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: David A. Powner, (202) 512-9286 or pownerd@gao.gov: Staff Acknowledgments: In addition to the individual named above, James R. Sweetman, Jr., Assistant Director; Eric Costello; Franklin Jackson; Lee McCracken; Meredith Raymond; Karl Seifert; and Dan Wexler made key contributions to this report. [End of section] Footnotes: [1] In comments on the original briefing reprinted in appendix I, officials cited concerns with publicly releasing estimates for contracts not yet awarded by SBA. Accordingly, we redacted this information from the attached briefing. [2] SEI is a federally funded research and development center whose mission is to advance software engineering and related disciplines to ensure the development and operation of systems with predictable and improved cost, schedule, and quality. [3] The CMMI is SEI's process model, which describes how to develop the processes needed for software development and specific practices that organizations should follow. [4] GAO, Human Capital: Key Principles for Effective Strategic Workforce Planning, [hyperlink, http://www.gao.gov/products/GAO-04-39] (Washington, D.C.: Dec. 11, 2003). [5] OMB, Improving Agency Performance Using Information and Information Technology (Enterprise Architecture Assessment Framework v3.1) (June 2009); OMB, Federal Enterprise Architecture Practice Guidance (November 2007). [6] SBA uses a separate system, the Loan and Lender Monitoring System (L/LMS), to manage risks in its loan portfolio using information to identify underwriting, collections, recovery and liquidation problems with certain loans. We have previously reported on L/LMS in GAO, Small Business Administration: Actions Needed to Improve the Usefulness of the Agency's Lender Risk Rating System, [hyperlink, http://www.gao.gov/products/GAO-10-53] (Washington, D.C.: Nov. 06, 2009) and Loan Monitoring System: SBA Needs to Evaluate Use of Software, [hyperlink, http://www.gao.gov/products/GAO-02-188] (Washington, D.C.: Nov. 30, 2001). [7] SBA Office of Inspector General, Memorandum Advisory Report: SBA Needs To Implement A Viable Solution To Its Loan Accounting System Migration Problem, Audit Report No. 05-29 (Washington, D.C.: Sept. 30, 2005). [8] SBA Office of Inspector General, Planning For The Loan Management And Accounting System Modernization and Development Effort, Audit Report No. 8-13, (Washington, D.C.: May 14, 2008). [9] SBA Office of Inspector General, Review of Allegations Concerning How the Loan Management and Accounting System Modernization Project is Being Managed, Audit Report No. 9-17 (Washington, D.C.: July 30, 2009). [10] OMB's IT Dashboard is a public website that provides detailed information on approximately 800 major federal IT investments, including assessments of these investments' performance against cost and schedule targets. [11] OMB Memorandum M-10-26, "Immediate Review of Financial Systems IT Projects" (Washington, D.C., June 28, 2010). [12] This figure includes the $8.66 million in funds already expended on the completed IIP, the Oracle Upgrade, as indicated in table 2. [13] 1n requirements development, an organization gathers, generates, and analyzes customer, product, and product-component requirements. This includes elicitation, analysis, and communication of customer and stakeholder requirements as well as technical requirements. [14] In requirements management, an organization manages the business and system requirements and identifies inconsistencies among requirements and the project's plans and work products. This includes managing all technical and non-technical requirements through the life cycle as well as any changes to the requirements as they evolve. [15] The CMMI is SEI's process model, which describes how to develop the processes needed for software development and specific practices that organizations should follow. [16] See GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-01-263] (Washington, D.C.: January 2001) and High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011). [17] GAO, Human Capital: Key Principles for Effective Strategic Workforce Planning, [hyperlink, http://www.gao.gov/products/GAO-04-39] (Washington, D.C.: Dec. 11, 2003). [18] An enterprise architecture is a blueprint for organizational change defined in models that describe (in both business and technology terms) how the entity operates today and how it intends to operate in the future; it also includes a plan for transitioning to this future state. [19] 40 U.S.C. & 11315(b)(2). [20] GA0, Organizational Transformation: A Framework for Assessing and Improving Enterprise Architecture Management (Version 2.0) (Supersedes GAO-03-584G), [hyperlink, http://www.gao.gov/products/GAO-10-846G] (Washington, D.C.: Aug. 05, 2010). [21] In segment architecture, an organization is divided into multiple portions, called segments, that correspond to mission areas, business services (including shared business services), or enterprise services (including shared IT services). [22] OMB, Improving Agency Performance Using Information and Information Technology (Enterprise Architecture Assessment Framework 3.0) (December 2008); OMB, Federal Enterprise Architecture Practice Guidance (November 2007). [23] GA0, USDA Systems Modernization: Management and Oversight Improvements Are Needed, [hyperlink, http://www.gao.gov/products/GAO-11-586] (Washington, D.C.: July 20, 2011). [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E- mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.