This is the accessible text file for GAO report number GAO-06-12 entitled 'Information Technology: Centers for Medicare & Medicaid Services Needs to Establish Critical Investment Management Capabilities' which was released on November 28, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Committee on Finance, U.S. Senate: October 2005: Information Technology: Centers for Medicare & Medicaid Services Needs to Establish Critical Investment Management Capabilities: GAO-06-12: GAO Highlights: Highlights of GAO-06-12, a report to the Chairman, Committee on Finance, U.S. Senate: Why GAO Did This Study: To carry out its mission of ensuring health care security for beneficiaries, the Centers for Medicare & Medicaid Services (CMS) relies heavily on information technology (IT) systems. In fiscal year 2005, CMS’s total IT appropriations was about $2.55 billion, of which about $760 million, or 30 percent, was to support internal investments, and $1.79 billion was to fund the Medicaid Management Information Systems (MMIS) that states use to support their Medicaid programs. (GAO is using the term “internal” to refer to all of CMS’s IT investments excluding state MMISs.) In light of the size and significance of these investments, GAO’s objectives were to (1) evaluate CMS’s capabilities for managing its internal investments, (2) determine any plans the agency might have for improving these capabilities, and (3) examine CMS’s process for approving and monitoring state MMISs. What GAO Found: Judged against GAO’s framework for IT investment management, which measures the maturity of an organization’s investment management process, CMS’s capabilities for effectively managing its internal investments are limited. Specifically, the agency has established a little over half of the foundational practices it needs to manage individual investments (see figure below) and has executed 2 of the 27 key practices needed to manage investments as a portfolio. Until CMS fully establishes foundational and portfolio-level practices, executives will lack the assurance that they are managing the agency’s collection of investments in a manner that minimizes risks and maximizes returns. CMS has initiated steps to improve its investment management process; however, these steps do not fully address the weaknesses GAO identifies in this report, nor are they coordinated with other needed improvement efforts into a plan that (1) is based on an assessment of strengths and weaknesses; (2) specifies measurable goals, objectives, and milestones; (3) specifies needed resources; (4) assigns clear responsibility and accountability for accomplishing tasks; and (5) is approved by senior- level management. Without such a plan and procedures for implementing it, CMS will be challenged in sustaining the commitment it needs to fully establish its investment management process. The process for approving requests for federal funding of MMIS activities (including development, operations, and maintenance activities) is characterized by standard procedures, guidance, and reported information to CMS’s Center for Medicaid and State Operations. In contrast, the process for monitoring MMIS activities lacks standard procedures, guidance, and reporting requirements. Without these elements for monitoring MMIS activities, CMS may not be able to easily determine whether the state MMISs in which CMS invests close to $1.7 billion annually are facilitating the delivery of Medicaid benefits in the most effective and beneficial manner. Foundational Practices Implemented by CMS: [See PDF for image] [End of figure] What GAO Recommends: GAO recommends that the Secretary of Health and Human Services direct CMS’s Administrator to develop and implement a plan to (1) address the IT investment management weaknesses identified in this report and (2) take actions to better monitor MMISs. In response to a draft of this report, CMS described actions under way and plans to address GAO’s recommendations. www.gao.gov/cgi-bin/getrpt?GAO-06-12. To view the full product, including the scope and methodology, click on the link above. For more information, contact David A. Powner, (202) 512-9286, pownerd@gao.gov, or Leslie G. Aronovitz, (312) 220-7600, aronovitzl@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: CMS's Capabilities to Manage Its Internal Investments Are Limited: CMS Does Not Have a Comprehensive Plan to Coordinate and Guide Its Improvement Efforts: Process for Monitoring MMISs Could Benefit from Standard Procedures, Guidance, and Reporting Requirements: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Objectives, Scope, and Methodology: Appendix II: Comments from the Centers for Medicare & Medicaid Services: Appendix III: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Stage 2 Critical Processes--Building the Investment Foundation: Table 2: Instituting the Investment Board: Table 3: Meeting Business Needs: Table 4: Selecting an Investment: Table 5: Providing Investment Oversight: Table 6: Capturing Investment Information: Table 7: Stage 3 Critical Processes--Developing a Complete Investment Portfolio: Table 8: Frequency of Oversight Mechanisms Used by the 5 Regional Offices Interviewed: Figures: Figure 1: Distribution of CMS's Information Technology Budget, Fiscal Year 2005: Figure 2: CMS Selection Process for Internal IT Investments: Figure 3: The Five ITIM Stages of Maturity with Critical Processes: Figure 4: Summary of Results for Stage 2 Critical Processes and Key Practices for Internal IT Investments: Abbreviations: APD: advance planning document: CIO: Chief Information Officer: CMS: Centers for Medicare & Medicaid Services: ESC: Executive Steering Committee: HHS: Department of Health and Human Services: IT: information technology: ITIM: Information Technology Investment Management framework: ITIRB: Information Technology Investment Review Board: MMA: Medicare Prescription Drug, Improvement, and Modernization Act of 2003: MMIS: Medicaid Management Information Systems: Letter: October 28, 2005: The Honorable Charles E. Grassley: Chairman, Committee on Finance: United States Senate: Dear Mr. Chairman: The Centers for Medicare & Medicaid Services (CMS), formerly called the Health Care Financing Administration, within the Department of Health and Human Services (HHS), is responsible for overseeing the Medicare and Medicaid programs. In 1990, we designated the Medicare program as high-risk, in part, because of its sheer size and complexity. Similarly, in 2003, we placed the Medicaid program on our high-risk list, noting the growing concerns about the quality of fiscal oversight. In our latest high-risk series, issued in January 2005,[Footnote 1] we continued to designate both these programs as high risk. While the Medicare program is financed and administered by the federal government, the Medicaid program is jointly financed by the federal government and the states and is administered directly by the states.[Footnote 2] To carry out its responsibilities, CMS depends on hundreds of information technology (IT) systems to maintain information on Medicare beneficiaries, providers, and medical services provided as well as to carry out its oversight of the states' Medicaid programs for low-income Americans. For example, IT systems support the Medicare program, which enrolls about 41 million elderly and disabled beneficiaries and, in fiscal year 2004, had estimated outlays of $297 billion in health care benefits. The agency also provides funding assistance (through grants) to the states to develop and operate automated systems, known as Medicaid Management Information Systems (MMIS), to support their Medicaid programs.[Footnote 3] While the responsibility for managing CMS's internal[Footnote 4]IT investments falls to its Information Technology Investment Review Board, the responsibility for approving requests for federal funding of state MMIS activities and for monitoring these activities[Footnote 5] falls to CMS's Center for Medicaid and State Operations and the 10 regional offices. For fiscal year 2005, CMS's total IT appropriations was about $2.55 billion, of which about $1.79 billion, or 70 percent, was to be used to support Medicaid state IT investments. This report is one of two we prepared in response to your request that we review HHS's and CMS's IT management processes.[Footnote 6] It focuses on CMS's processes for making IT investment management decisions and evaluates how well these processes compare with the accepted practices presented in our IT Investment Management framework.[Footnote 7] This framework provides a method for evaluating and assessing how well an agency is selecting and managing its IT resources. As we agreed with your office, our objectives were to (1) evaluate CMS's capabilities for managing its internal IT investments, (2) determine any plans the agency might have for improving these capabilities, and (3) examine CMS's processes for approving and monitoring the state MMISs it funds. To address these objectives, we analyzed documents and interviewed agency officials to (1) validate and update CMS's self-assessment of key practices in the framework, (2) evaluate the agency's plans for improving its capabilities, and (3) examine CMS's processes for approving and monitoring the state MMISs. We performed our work from January 2005 through September 2005 in accordance with generally accepted government auditing standards. Appendix I contains further details on our objectives, scope, and methodology. Results in Brief: Judged against our framework for information technology investment management, which measures the maturity of an organization's investment management process, CMS's capabilities for effectively managing its internal investments are limited. Specifically, CMS has established a little over half of the foundational practices needed to manage its internal investments individually and 2 of the 27 key practices required to manage its investments as a portfolio--that is, an integrated, agencywide collection of investments that are assessed and managed collectively on the basis of common criteria. For example, CMS has established most of the practices for capturing investment information and many of the practices associated with instituting an investment board. However, weaknesses remain in several areas. Specifically: * the agency's investment management guide does not reflect current processes; * procedures for selecting and reselecting investments are not fully documented; * procedures for involving the board in efforts to systematically review the progress of IT projects and systems in meeting cost, schedule, risk, and benefit expectations have not been defined; and: * critical processes for defining portfolio criteria, creating the portfolio, evaluating the portfolio, and conducting the postimplementation reviews--necessary for portfolio management--have not been implemented. According to CMS officials, the agency's investment management capabilities are limited because investment management has only recently become an area of management focus. Until CMS implements all of the key practices it needs to build the investment foundation and manage its investments as a portfolio, executives cannot be assured that they are selecting and managing the mix of investments that best meets the agency's needs and priorities, or that its investment decisions will result in the most effective support and minimized risk for the multibillion-dollar Medicare and Medicaid programs. CMS has initiated steps to improve its investment management process; however, these steps do not fully address the weaknesses we identify in this report, nor are they coordinated with other needed improvement efforts into a plan that (1) is based on an assessment of strengths and weaknesses; (2) specifies measurable goals, objectives, and milestones; (3) specifies needed resources; (4) assigns clear responsibility and accountability for accomplishing tasks; and (5) is approved by senior- level management. Without such a plan and procedures for implementing it, CMS will be challenged in sustaining the commitment it needs to fully establish its investment management process. In approving funding for MMISs that CMS jointly funds with the states, regional office staff use standard procedures, rely on established guidance, and are required to report on their approval activities to CMS's Center for Medicaid and State Operations. In contrast, in monitoring MMIS activities, regional office staff lack standard procedures, guidance, and reporting requirements. Without these elements for monitoring MMIS activities, CMS may not be able to easily determine whether the state MMISs, in which CMS invests close to $1.7 billion annually, are facilitating the delivery of Medicaid benefits in the most effective and beneficial manner. To strengthen CMS's capability to manage its internal IT investments, we are recommending that the Secretary for Health and Human Services direct CMS's Administrator to develop and implement a plan aimed at addressing the weaknesses identified in this report. We also are making recommendations to improve CMS's process for monitoring the state MMISs that it funds. In commenting on a draft of this report, CMS provided information on actions it is taking or plans to take to address our recommendations. The agency, however, contended that many of the improvements to its IT investment management process were not fully reflected in the report. This is not accurate. The report sections in which we discuss the implementation of specific key practices associated with critical processes from our IT investment management framework each describe CMS's efforts and accomplishments to improve its IT investment management processes. In its written comments, CMS also took exception with our recommendation for up-to-date, documented processes to ensure consistency, and noted that the emphasis should be on strengthening these processes first, and updating the documentation later. As we note in the report, documenting processes does not preclude future revisions or improvements to them, and provides a basis for consistent implementation across the agency. Background: CMS has become the largest purchaser of health care in the United States, serving nearly 83 million Medicare and Medicaid beneficiaries.[Footnote 8] The agency administers the Medicare program, enacted in 1965, which provides health insurance to people who are aged 65 years and over and to some people with disabilities who are under aged 65 years. The agency also works with the states to administer the Medicaid program, enacted in 1965 as a jointly funded program in which the federal government matches state spending according to a formula to provide medical and health-related services to low-income Americans. In fiscal year 2005, CMS will reportedly spend about $519 billion: 63 percent for Medicare, 35 percent for Medicaid and Medicaid administration, and the remaining 2 percent for the State Children's Health Insurance Program and other administrative costs. CMS estimates that its total budget in fiscal year 2006 will be $622 billion. The agency carries out its responsibilities from its national headquarters located in Baltimore, Maryland, and its 10 regional offices located throughout the nation. It is organized around three centers (to support its key functions): the Center for Medicare Management, the Center for Beneficiary Choices, and the Center for Medicaid and State Operations.[Footnote 9] Numerous other offices throughout the agency support these centers. CMS's Use of Information Technology: IT systems play a vital role in helping CMS to fulfill its responsibilities in carrying out the Medicare and Medicaid programs. These systems help to maintain Medicare information on the millions of beneficiaries, providers, and medical services provided. For example, CMS's Medicare Fee-for-Service claims processing systems process more than 1 billion claims annually and make benefit payments for the 41 million elderly and disabled beneficiaries. In fiscal year 2004, the Medicare program had estimated outlays of $297 billion in health care benefits. Similarly, IT systems are relied on to manage the Medicaid program. In fiscal year 2003, this program provided benefits totaling about $261 billion to nearly 54 million people. Of this amount, the federal share was about $153 billion. To assist the states in developing and operating MMISs used to process Medicaid claims and administer the program, CMS provides funding assistance through grants. In fiscal year 2005, about $1.79 billion, or 70 percent, of CMS's nearly $2.55 billion total appropriations for IT went to support Medicaid state investments. The remaining approximately $0.76 billion, or 30 percent, was used for CMS's internal investments. Figure 1 shows the breakdown of this funding between CMS's internal IT investments and Medicaid state IT investments. Figure 1: Distribution of CMS's Information Technology Budget, Fiscal Year 2005: [See PDF for image] [End of figure] Weaknesses Previously Identified in CMS's IT Investment Management Processes: In September 2001,[Footnote 10] we reported that CMS's processes for managing its IT investments omitted key review, approval, and evaluation steps. We recognized that the agency was making efforts to strengthen its IT planning and had developed guidance for an improved management process, but stated that it would need to make considerable progress in implementing these changes to ensure that its ongoing modernization efforts stayed on track. To improve its investment management processes, we made several recommendations to the CMS Administrator, including establishing sufficient and written criteria to ensure a consistent process for funding IT projects agencywide, and establishing a systematic process for evaluating completed IT projects that included cost, milestone, and performance data. CMS's Approach to Investment Management: Several groups and individuals play a role in CMS's process to manage its internal IT investments, including an investment board for establishing the IT investment governance principles. However, a different process is used to oversee the Medicaid IT systems that the agency jointly funds with the states. This process is carried out by CMS's Center for Medicaid and State Operations and 10 regional offices. Both of these processes, along with the roles and responsibilities of the groups and individuals involved, are described below. Process for Managing Internal Investments: The groups and individuals who play a role in CMS's internal IT investment management process include the Information Technology Investment Review Board, Executive Steering Committees, Enterprise Architecture Group, and Component Leads. * Information Technology Investment Review Board (ITIRB). This board was established in January of 2004 to provide a corporate perspective in evaluating IT investments against CMS's business priorities. Its members consist of senior leadership from CMS centers, offices, and regional offices, and it is chaired by the agency's Chief Information Officer (CIO). Initially, the primary ITIRB responsibility was overseeing investments associated with the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) and with CMS's revitalization initiative.[Footnote 11] These investments made up about one-third of CMS's fiscal year 2005 Operating Plan for internal systems. In the spring of 2005, the role of the board was expanded to include all internal IT investments. To assist the ITIRB in its activities, CMS staff from the Office of Information Services and the Office of Financial Management provide administrative support. According to its charter, the board is responsible for: * establishing the criteria for the selection, control, and evaluation of CMS's portfolio of IT projects; * developing the agency's IT operation plan and responding to the President's budget request; * reviewing the performance of IT investments using the criteria and checkpoints in meeting cost, schedule, risk, and benefit expectations and taking corrective actions when expectations are not being met; * ensuring that IT investments in operation are periodically evaluated to determine whether they should be retained, modified, replaced, or terminated; and: * comparing the results of implemented investments with the expectations that were set for them and developing a set of lessons learned for future process improvement. * Executive Steering Committees (ESC). The ESCs were established to support the ITIRB in carrying out its responsibilities. Each ESC is responsible for managing IT projects (or investments) that are grouped together into a portfolio for each of CMS's business components. This responsibility includes maintaining the appropriate mix of IT investments in its portfolio, managing the investments in its portfolio, and providing funding recommendations to the ITIRB for these investments. The membership of each ESC depends on the IT investments contained in the portfolio, but, at a minimum, every CMS component that sponsors a project is to have a representative on the ESC. * Enterprise Architecture Group. This group, formally known as the IT Architecture Planning Staff, supports the IT investment management process, by, among other things, reviewing business case analyses for new investments and major enhancements to ensure that they are consistent with the enterprise architecture, by making recommendations based upon that review that are aimed at the optimal leveraging of assets. * Component Leads. These individuals provide support in the IT investment management process by serving as liaisons between the Office of Information Services and individual project managers. Component Leads are to assist project managers in understanding CMS's investment management process and other operational policies and processes. They can also provide project managers with key contacts for various IT services that project owners may require during implementation of a project. In the spring of 2005, CMS implemented a new budget formulation process and used it to select its IT investments. This process begins with an information request from the CIO asking that each component submit information on all of its investments, both new and ongoing. This information is to include (1) a score sheet for each investment that shows how it compared with prescribed criteria, such as alignment with business drivers and IT strategic goals, and (2) a prioritized list of all investments for the component. For new investments, the components also are to submit an IT Fact Sheet (an investment proposal) that the ITIRB support staff; the Enterprise Architecture Group; and, ultimately, the board review to determine if the need for the new investment is justified. If the need is found to be justified, project managers receive funding to develop a Business Case Analysis (smaller projects may not require such a document), which goes through the same review process as the IT Fact Sheet. The ITIRB support staff review all information submitted in response to the information request and prepare it for the ESCs' review. The ESCs reevaluate the investments against the criteria, making adjustments to the scoring if necessary, and make funding recommendations to the board. The ITIRB makes strategic and funding recommendations regarding CMS's IT capital investment portfolio to CMS's Chief Operating Officer who, in turn, provides recommendations to the CMS's Office of Financial Management for integration into the agency's overall budget. Figure 2 illustrates CMS's process for selecting its internal IT investments. Figure 2: CMS Selection Process for Internal IT Investments: [See PDF for image] [End of figure] To date, the ITIRB's role in controlling (overseeing) IT investments has been primarily limited to those associated with the MMA and revitalization initiatives. According to CMS officials, efforts to define procedures for the board to control all internal investments, in accordance with the responsibilities described in its charter, are currently under way. Process for Approving and Monitoring State Medicaid IT Investments: The ITIRB plays no role in approving and monitoring state Medicaid IT investments. Instead, the process for approving states' requests for matching funds for MMIS activities--including the design, development, and installation of new MMISs, and the operations, maintenance, and enhancement of existing MMISs--is the shared responsibility of CMS's Center for Medicaid and State Operations (hereafter referred to as the central office) and its 10 regional offices. According to regulations,[Footnote 12] the State Medicaid Manual,[Footnote 13] and officials we interviewed at CMS's central office and 5 regional offices, CMS's process for approving states' requests generally consists of the activities discussed below: * To request federal funds for state MMIS activities, states must prepare an advance planning document (APD), which identifies, among other things, the purpose, scope, benefits, and preliminary cost estimates for the activities they want to undertake. States submit this document to the regional office, which reviews the APD for completeness and technical content. Regional office staff generally ensure that requests support the Medicaid program, are in compliance with federal requirements, and represent cost-effective solutions. Also, the regional office may have suggestions for the states to improve their APDs. Some of the officials we interviewed told us that they work with the states to complete the APDs to expedite the review and approval process. * Once regional office staff determine that an APD adequately justifies the request for funding and the request is approved by that regional office's Associate Regional Administrator for Medicaid, the CMS central office and HHS are notified of the approval through a process referred to as the Office of the Secretary Notice process.[Footnote 14] Once the central office concurs, the regional office can send an approval letter to the state. * The states typically hire contractors to perform the MMIS activities. With the approval of an APD, a state is given the clearance to develop the request-for-proposals for soliciting contractor proposals. While the APD is a high-level justification for funding, the request-for- proposals is to contain the more detailed requirements of the MMIS activities. Before it is issued, the request-for-proposals must be approved by the CMS regional office through a process similar to that used for the APD. * The states review the proposals received and evaluate them in order to make the final selection. While regional office staff do not formally approve a state's evaluation process, they do review the process to ensure that it allows for open and free competition, to the maximum extent practicable. * The states draft a contract for the MMIS activities. Prior to its award, the contract is reviewed by regional office staff and approved by the Associate Regional Administrator for Medicaid. The state then makes an award to the contractor whose bid or offer is responsive to the solicitation and most advantageous to the state--considering price, quality, and other factors.[Footnote 15] * When the contracted MMIS activities start, regional office staff begin monitoring the status of these activities through a variety of mechanisms, including reviews of status reports; on-site visits; and meetings with external groups, such as industry associations, provider groups, and vendors. * Once MMISs are built and become operational, CMS establishes a team consisting of headquarters and regional office staff with expertise in relevant areas to do on-site reviews, referred to as certification reviews. During these reviews, which are to be conducted about 6 months after a system has been in operation, the team makes sure that the system satisfies the terms of the state's APD, meets minimal federal requirements, and complies with current regulations and policy. CMS has written guidance for conducting these reviews, which it is in the process of revising.[Footnote 16] * Regional office staff are to continue monitoring MMIS activities through the previously mentioned mechanisms. Information Technology Investment Management Maturity Framework: The Information Technology Investment Management (ITIM) framework is a maturity model comprising five progressive stages of maturity that an agency can achieve in its investment management capabilities.[Footnote 17] The ITIM framework was developed on the basis of our research into the IT investment management practices of leading private-and public- sector organizations. It identifies critical processes for making successful IT investments, organized into the five increasingly mature stages. These maturity stages are cumulative; that is, in order to attain a higher stage of maturity, the agency must have institutionalized all of the requirements for all of the lower stages in addition to the higher stage. The ITIM framework can be used to assess the maturity of an agency's investment management processes and as a tool for organizational improvement. The overriding purpose of the framework is to encourage investment processes that increase business value and mission performance, reduce risk, and increase accountability and transparency in the decision process. We have used the framework in several of our evaluations,[Footnote 18] and a number of agencies have adopted it. These agencies have used ITIM for purposes ranging from self-assessment to the redesign of their IT investment management processes. The ITIM framework's five maturity stages represent steps toward achieving stable and mature processes for managing IT investments. Each stage builds on the lower stages; the successful attainment of each stage leads to improvement in the organization's ability to manage its investments. With the exception of the first stage, each maturity stage is composed of "critical processes" that must be implemented and institutionalized in order for the organization to achieve that stage. These critical processes are further broken down into key practices that describe the types of activities that an organization should be performing to successfully implement each critical process. An organization may be performing key practices from more than one maturity stage at the same time. This is not unusual, but efforts to improve investment management capabilities should focus on becoming compliant with lower-stage practices before addressing higher-stage practices. Stage 2 of the ITIM framework encompasses building a sound investment management process by establishing basic capabilities for selecting new IT projects. It also involves developing the capability to control projects so that they finish predictably within established cost and schedule expectations and the capability to identify potential exposures to risk and put in place strategies to mitigate that risk. The basic selection processes established in Stage 2 lays the foundation for more mature selection capabilities in Stage 3. Stage 3 requires that an organization continually assess both proposed and ongoing projects as parts of a complete investment portfolio--an integrated and competing set of investment options. It focuses on establishing a consistent, well-defined perspective on the IT investment portfolio and maintaining mature, integrated selection (and reselection), control, and evaluation processes that can be evaluated during postimplementation reviews. This portfolio perspective allows decision makers to consider the interaction among investments and the contributions to organizational mission goals and strategies that could be made by alternative portfolio selections, rather than focusing exclusively on the balance between the costs and benefits of individual investments. Organizations implementing Stages 2 and 3 have in place the selection, control, and evaluation processes that are required by the Clinger-Cohen Act of 1996.[Footnote 19] Stages 4 and 5 require the use of evaluation techniques to continuously improve both the investment portfolio and the investment processes in order to better achieve strategic outcomes. At Stage 4 maturity, an organization has the capacity to conduct IT succession activities and, therefore, can plan and implement the deselection of obsolete, high- risk, or low-value IT investments. An organization with Stage 5 maturity conducts proactive monitoring for breakthrough information technologies that will enable it to change and improve its business performance. Stages 4 and 5 define key attributes that are associated with the most capable organizations. Figure 3 shows the five ITIM stages of maturity and the critical processes associated with each stage. Figure 3: The Five ITIM Stages of Maturity with Critical Processes: [See PDF for image] [End of figure] As defined by the model, each critical process consists of "key practices" that must be executed to implement the critical process. CMS's Capabilities to Manage Its Internal Investments Are Limited: In order to have the capabilities to effectively manage IT investments, an agency, at a minimum, should (1) build an investment foundation by putting basic, project-level control and selection practices in place (Stage 2 capabilities) and (2) manage its projects as a portfolio of investments, treating them as an integrated package of competing investment options and pursuing those that best meet the strategic goals, objectives, and mission of the agency (Stage 3 capabilities). CMS has executed 20 of the 38 key practices that are required to build a foundation for IT investment management. In addition, because CMS has focused primarily on establishing the Stage 2 practices, it has executed only 2 of the 27 Stage 3 key practices. Until CMS implements all of the key practices associated with building the investment foundation and managing its investments as a portfolio, the agency will not have much assurance that it has selected the mix of investments that best supports its strategic goals, or that it will be able to manage the investments to successful completion. CMS Has Established about Half of the Foundational Practices for Investment Management: At the ITIM Stage 2 level of maturity, an organization has attained repeatable, successful IT project-level investment control processes and basic selection processes. Through these processes, the organization can identify expectation gaps early and take the appropriate steps to address them. According to the ITIM framework, critical processes at Stage 2 include (1) defining IT investment board[Footnote 20] operations, (2) identifying the business needs for each IT investment, (3) developing a basic process for selecting new IT proposals and reselecting ongoing investments, (4) developing project- level investment control processes, and (5) collecting information about existing investments to inform investment management decisions. Table 1 describes the purpose of each of these Stage 2 critical processes. Table 1: Stage 2 Critical Processes--Building the Investment Foundation: Critical process: Instituting the investment board; Purpose: To define and establish an appropriate information technology (IT) investment management structure and the processes for selecting, controlling, and evaluating IT investments. Critical process: Meeting business needs; Purpose: To ensure that IT projects and systems support the organization's business needs and meet users' needs. Critical process: Selecting an investment; Purpose: To ensure that a well-defined and disciplined process is used to select new IT proposals and reselect ongoing investments. Critical process: Providing investment oversight; Purpose: To review the progress of IT projects and systems, using predefined criteria and checkpoints, in meeting cost, schedule, risk, and benefit expectations and to take corrective action when these expectations are not being met. Critical process: Capturing investment information; Purpose: To make available to decision makers information to evaluate the impacts and opportunities created by proposed (or continuing) IT investments. Source: GAO. [End of table] Because IT investment management has only recently become an area of management attention, CMS has put in place 20 of the 38 Stage 2 key practices required for basic project-level selection and control. The agency has satisfied the majority of the key practices associated with establishing an IT investment review board, capturing investment information, and meeting business needs. CMS also has recently established a process for selecting investments, but it has not yet established a process for the IT investment review board to provide investment oversight. Figure 4 summarizes the status of CMS's critical processes for Stage 2, showing how many key practices CMS has executed in managing its internal IT investments. Figure 4: Summary of Results for Stage 2 Critical Processes and Key Practices for Internal IT Investments: [See PDF for image] [End of figure] CMS Has an Investment Review Board, but its Investment Management Process Guide Is Not Current: The creation of decision-making bodies or boards is central to the IT investment management process. At the Stage 2 level of maturity, organizations define one or more boards, provide resources to support their operations, and appoint members who have expertise in both operational and technical aspects of the proposed investments. The boards operate according to a written IT investment process guide that is tailored to the organization's unique characteristics, thus ensuring that consistent and effective management practices are implemented across the organization. Once board members are selected, the organization ensures that they are knowledgeable about policies and procedures for managing investments. Organizations at the Stage 2 level of maturity also take steps to ensure that executives and line managers support and carry out the decisions of the investment board. According to the ITIM framework, an IT investment management process guide should (1) be a key authoritative document that the organization uses to initiate and manage IT investment processes and (2) provide a comprehensive foundation for policies and procedures developed for all other related processes. (The complete list of key practices is provided in table 2.) CMS has executed 5 of the 8 key practices for this critical process. For example, in January 2004, the agency established the ITIRB to manage internal investments and provide business-driven leadership to its operations and development. While the ITIRB was initially only responsible for overseeing MMA and revitalization initiatives, its responsibilities were expanded this past spring to include management and oversight responsibilities for all internal investments. ITIRB members are senior-level officials from both business and IT areas who understand board policies and procedures. The ITIRB is adequately resourced to maintain its operations. For example, the Program Management and Support Group within the Office of Information Services assists the board in such ways as coordinating and integrating the investment management process. This group serves as the principal contact and entry point for all new and proposed IT projects. In addition, nine Executive Steering Committees were recently established to support the work of the ITIRB by managing a subset of investments grouped together according to business function. Their responsibilities include, among other things, scoring and ranking IT investments, and recommending investments to the ITIRB for funding. Notwithstanding these strengths, CMS does not have an IT investment process guide that reflects the agency's current investment management practices. For example, the agency uses ESCs to work with the board on specific areas of IT investments, but its process guide does not identify this critical group. Moreover, the process guide does not mention the agency's move to classify its IT investments in line with the department's classification scheme. (The new classification scheme consists of three levels in which projects are rated as major, supporting, or tactical.) Instead, the process guide outlines a four- level classification scheme that identifies investments as A, B, C, or D, depending on the nature and sensitivity of the project. According to CMS officials, the guide has not yet been updated because the agency has made a priority of fully defining its processes before documenting them. Documenting the process, however, does not preclude it from future revisions or improvements, but does provide a basis for consistent implementation across the agency. Until CMS's documented IT investment process guidance is updated, executives are at risk of inconsistently performing key investment decision-making activities and inaccurately communicating management practices. Such updated guidance would also provide a process that could lead to greater accountability about future IT investment outcomes, which would be helpful to new members joining the board. Another key weakness is that CMS's ITIRB has not operated in accordance with its assigned roles and responsibilities. For example, the ITIRB has not yet been involved in systematically controlling investments nor has it actively maintained the documented investment management process. Until the ITIRB fully carries out its assigned roles and responsibilities, executives will not have assurance that the whole IT investment management process is functioning smoothly and effectively as intended. Table 2 shows the rating for each key practice required to implement the critical process for instituting the investment board at the Stage 2 level of maturity. Each of the "executed" ratings shown below represents instances where, on the basis of the evidence provided by CMS officials, we concluded that the specific key practices were executed by the agency. Table 2: Instituting the Investment Board: Type of practice: Organizational commitments; Key practice: 1. An enterprisewide IT investment board composed of senior executives from IT and business units is responsible for defining and implementing the organization's IT investment governance process; Rating: Executed; Summary of evidence: CMS has an enterprisewide IT investment board that is responsible for defining and implementing the organization's IT investment management process. The board consists of the agency's senior leadership from CMS centers, offices, and regional offices and is chaired by the Chief Information Officer. Key practice: Type of practice: Organizational commitments; 2. The organization has a documented IT investment process directing each investment board's operations; Rating: Not executed; Summary of evidence: Although CMS has a documented IT investment management process guide, this guide has not been updated to reflect current investment management processes. For example, CMS has established several working groups supporting the investment management process--for example, the Executive Steering Committees--which are not identified in the IT investment management process guide. According to officials, CMS plans to update its process guide in the near future. Type of practice: Prerequisites; Key practice: 1. Adequate resources, including people, funding, and tools, are provided for supporting the operations of each IT investment board; Rating: Executed; Summary of evidence: According to CMS officials, adequate resources are provided to support board operations. For example, to support the work of the ITIRB, the agency has established Executive Steering Committees. In addition, the Planning, Management, and Support Group serves as the principal contact and entry point for all new and proposed IT projects. CMS also has an ITIRB support group to support the operations of the ITIRB. Type of practice: Prerequisites; Key practice: 2. The board members understand the organization's IT investment management policies and procedures and the tools and techniques used in the board's decision-making process; Rating: Executed; Summary of evidence: ITIRB members are senior-level managers who understand CMS's investment management policies and procedures as they currently stand. Board members have also undertaken activities that would contribute to their understanding of board policies and procedures, including attending a 2-day retreat and monthly meetings. Type of practice: Prerequisites; Key practice: 3. Each board's span of authority and responsibility is defined to minimize overlaps or gaps among the boards; Rating: Executed; Summary of evidence: CMS's enterprisewide investment board is responsible for defining and implementing the investment management process. Type of practice: Activities; Key practice: 1. The enterprisewide investment board has oversight responsibilities for the development and maintenance of the organization's documented IT investment process; Rating: Not executed; Summary of evidence: Although the ITIRB has responsibility for developing and maintaining the documented investment management process, it has not been actively maintaining this process. Type of practice: Activities; Key practice: 2. Each investment board operates in accordance with its assigned authority and responsibility; Rating: Not executed; Summary of evidence: CMS's enterprisewide investment board is not yet fully carrying out the scope of its responsibilities. To date, board members have selected investments for inclusion in the fiscal year 2007 budget, but the board has not yet been involved in systematically controlling investments. In addition, the board has not been actively maintaining the organization's documented IT investment management process. Type of practice: Activities; Key practice: 3. The organization has established management controls for ensuring that investment boards' decisions are carried out; Rating: Executed; Summary of evidence: The ITIRB develops the agency's operating plan, and, according to officials, only investments listed in the operating plan are funded. Source: GAO. [End of table] CMS Has a Process for Ensuring That Projects Align with Business Needs and Meet Users' Needs: Defining business needs for each IT project helps to ensure that projects and systems support the organization's business needs and meet users' needs. This critical process ensures that a link exists between the organization's business objectives and its IT management strategy. According to the ITIM, effectively meeting business needs requires, among other things, (1) documenting business needs with stated goals and objectives, (2) identifying specific users and other beneficiaries of IT projects and systems, (3) providing adequate resources to ensure that projects and systems support the organization's business needs and meet users' needs, and (4) periodically evaluating the alignment of IT projects and systems with the organization's strategic goals and objectives. (The complete list of key practices is provided in table 3.) CMS has in place 5 of the 7 key practices for meeting business needs. The agency's IT Investment Management Process Guide and Business Case Analysis Development Guide require business needs for both proposed and ongoing IT projects and systems to be identified in an IT fact sheet and, in some instances, a business case analysis document. The agency also has detailed procedures for developing these documents that call for identifying users. We verified that the four projects we reviewed identified specific users and also documented how the projects linked back to CMS business needs.[Footnote 21] Resources for ensuring that IT projects and systems support the organization's business needs and meet users' needs include Component Leads, the Enterprise Architecture Group, and detailed procedures and associated templates for developing the IT fact sheet and business case analysis document. Although CMS has performed most of the key practices associated with meeting business needs, a few weaknesses remain. Specifically, officials told us they rely on the HHS strategic plan to guide their efforts because CMS's strategic plan documenting the agency's business mission, goals, and objectives is outdated.[Footnote 22] However, the primary tool used to justify funding for investments does not tie into the HHS plan but provides high-level business drivers[Footnote 23] for aligning these investments with business needs. While, according to agency officials, these business drivers reflect a common understanding of the agency's goals and objectives, they are not descriptive enough to drive IT investments. Until CMS develops a current strategic plan or other detailed statement of business mission with supporting goals and objectives, the agency is at risk of not being able to thoroughly communicate critical information on its goals and objectives or to provide clear and transparent direction for its IT investment management process. Finally, CMS's budget formulation process serves as a mechanism to reevaluate the alignment of projects and systems with the organization's goals and objectives. However, the ITIRB selected investments for the first time this past spring and, therefore, has not yet had to reevaluate projects' and systems' alignment with organizational goals and objectives. When CMS executes all key practices associated with this critical process, it will have greater assurance that its projects effectively meet the agency's business needs. Table 3 shows the rating for each key practice required to implement the critical process for meeting business needs at the Stage 2 level of maturity and summarizes the evidence that supports these ratings. Table 3: Meeting Business Needs: Type of practice: Organizational commitments; Key practice: 1. The organization has documented policies and procedures for identifying IT projects or systems that support the organization's ongoing and future business needs; Rating: Executed; Summary of evidence: The IT Investment Management Process Guide and the Business Case Analysis Development Guide both document procedures for ensuring that IT projects and systems support the organization's business needs. Type of practice: Prerequisites; Key practice: 1. The organization has a documented business mission with stated goals and objectives; Rating: Not executed; Summary of evidence: CMS does not have an updated strategic plan or other detailed statement of business mission with supporting goals and objectives. Instead, the agency uses a list of business drivers to align IT projects and systems with business needs. Although these business drivers may reflect a common understanding of the agency's business drivers, they are not descriptive enough to drive IT investments. Type of practice: Prerequisites; Key practice: 2. Adequate resources, including people, funding, and tools, are provided for ensuring that IT projects and systems support the organization's business needs and meet users' needs; Rating: Executed; Summary of evidence: According to CMS officials, adequate resources have been provided for ensuring that IT investment systems meet business and users' needs. These resources include the Component Leads, the Enterprise Architecture Group, and detailed procedures and associated templates for developing the IT fact sheet and business case analysis. Type of practice: Activities; Key practice: 1. The organization defines and documents business needs for both proposed and ongoing IT projects and systems; Rating: Executed; Summary of evidence: CMS requires that all projects have an IT fact sheet and, in some instances, a business case analysis. These two documents identify the business needs for both proposed and ongoing IT projects and systems. We verified that business needs were documented for the four projects we reviewed. Type of practice: Activities; Key practice: 2. The organization identifies specific users and other beneficiaries of IT projects and systems; Rating: Executed; Summary of evidence: CMS requires that users be identified in the business case analysis and an IT fact sheet. We verified that specific users were documented for the four projects we reviewed. Type of practice: Activities; Key practice: 3. Users participate in project management throughout an IT project's or system's life cycle; Rating: Executed; Summary of evidence: CMS has procedures specifying the involvement of users in project management throughout a project's life cycle. We verified that for the four projects we reviewed, users participated in project management throughout the projects' life cycles. Type of practice: Activities; Key practice: 4. The investment board periodically evaluates the alignment of its IT projects and systems with the organization's strategic goals and objectives and takes corrective actions when misalignment occurs; Rating: Not executed; Summary of evidence: CMS's budget formulation process serves as a mechanism to reevaluate the alignment of projects and systems with the organization's goals and objectives. The ITIRB, however, selected investments for the first time this past spring and, therefore, has not yet had to reevaluate projects' and systems' alignment with organizational goals and objectives. Source: GAO. [End of table] CMS Has Processes to Select Investments, but Selection Criteria Do Not Consider Critical Factors: Selecting new IT proposals and reselecting ongoing investments require a well-defined and disciplined process to provide the agency's investment board, business units, and developers with a common understanding of the process and the cost, benefit, schedule, and risk criteria that will be used both to select new projects and to reselect ongoing projects for continued funding. According to the ITIM, this critical process requires, among other things, (1) making funding decisions for new proposals according to an established process; (2) providing adequate resources for investment selection activities; (3) using a defined selection process to select new investments and reselect ongoing investments; (4) establishing criteria for analyzing, prioritizing, and selecting new IT investments and for reselecting ongoing investments; and (5) creating a process for ensuring that the criteria change as organizational objectives change. (The complete list of key practices is provided in table 4.) CMS has executed 4 of the 10 key practices associated with selecting an investment. Specifically, CMS used a process it defined in February 2005--its budget formulation process--to select new investments and reselect existing investments using a set of limited criteria. We confirmed that the four projects we reviewed were reselected using this new process. In addition, by using the budget formulation process to select investments, executives had assurance that funding decisions were aligned with selection decisions. Officials indicated that adequate resources were provided for identifying and selecting investments. However, weaknesses remain in the selection area. Although CMS has a number of documents that address investment selection and reselection, these documents are not linked to provide a clear understanding of the selection and reselection process. In addition, they do not define (1) the roles and responsibilities for each participating unit involved in the project selection process and (2) the decision-making procedures. CMS officials told us they chose to first implement the selection process and then go back to document it. Another key weakness in the selection area is that, although selection and reselection criteria have been defined, they do not include cost, benefit, schedule, and risk factors. Officials indicated that because the Executive Steering Committees and the ITIRB had a short amount of time to perform selection activities this year, they defined a limited set of criteria to evaluate projects. Further, CMS does not have a mechanism to ensure that its selection criteria continue to reflect organizational objectives. Until CMS implements all of the key practices associated with selecting investments, executives will not be adequately assured that they are consistently and objectively selecting projects that meet the needs and priorities of the agency in a cost-effective and risk-insured manner. Table 4 shows the rating for each key practice required to implement the critical process for selecting an investment at the Stage 2 level of maturity and summarizes the evidence that supports these ratings. Table 4: Selecting an Investment: Type of practice: Organizational commitments; Key practice: 1. The organization has documented policies and procedures for selecting new IT proposals; Rating: Not executed; Summary of evidence: Although CMS has a number of documents that address investment selection, they are not linked to provide a clear understanding of the selection process. In addition, these documents do not define the roles and responsibilities for each participating unit involved in the project selection process, nor do they define the decision-making procedures. Type of practice: Organizational commitments; Key practice: 2. The organization has documented policies and procedures for reselecting ongoing IT investments; Rating: Type of practice: Not executed; Summary of evidence: Type of practice: Although CMS has a number of documents that address investment reselection, they are not linked to provide a clear understanding of the reselection process. In addition, they do not define the roles and responsibilities for each participating unit involved in the project reselection process, nor do they define the decision-making procedures. Type of practice: Organizational commitments; Key practice: 3. The organization has documented policies and procedures for integrating funding with the process of selecting an investment; Rating: Not executed; Summary of evidence: Although the process used to formulate the budget for the fiscal year 2006/2007 budget cycle integrated funding with selection, there are no policies and procedures documenting this integration. Type of practice: Prerequisites; Key practice: 1. Adequate resources, including people, funding, and tools, are provided for identifying and selecting IT projects and systems; Rating: Executed; Summary of evidence: According to the CMS Director of Investment Tracking and Assessment, there were adequate resources to support selection activities this year. For example, the Office of Financial Management provided some staff resources, as did the Office of Information Services. Type of practice: Prerequisites; Key practice: 2. Criteria for analyzing, prioritizing, and selecting new IT investment opportunities have been established; Rating: Type of practice: Not executed; Summary of evidence: Type of practice: For the fiscal year 2006/2007 budget cycle, CMS's ITIRB developed and used criteria, including alignment with IT strategic goals and primary business drivers, for the selection process. However, these criteria did not include cost, benefit, schedule, and risk factors. Type of practice: Prerequisites; Key practice: 3. Criteria for analyzing, prioritizing, and reselecting[A] IT investment opportunities have been established; Rating: Type of practice: Not executed; Summary of evidence: Type of practice: For the fiscal year 2006/2007 budget cycle, CMS's ITIRB developed and used criteria, including alignment with IT strategic goals and primary business drivers for the reselection process. However, these criteria did not include cost, benefit, schedule, and risk factors. Type of practice: Prerequisites; Key practice: 4. A mechanism exists to ensure that the criteria continue to reflect organizational objectives; Rating: Not executed; Summary of evidence: CMS reported in its self- assessment that there are no mechanisms to ensure that the selection criteria continue to reflect organizational objectives. Type of practice: Activities; Key practice: 1. The organization uses its defined selection process, including predefined selection criteria, to select new IT investments; Rating: Executed; Summary of evidence: This past spring, CMS used its defined selection process, including a limited set of predefined selection criteria, to select new IT investments. Type of practice: Activities; Key practice: 2. The organization uses its defined selection process, including predefined selection criteria, to reselect[A] ongoing IT investments; Rating: Type of practice: Executed; Summary of evidence: Type of practice: For the fiscal year 2006/2007 budget cycle, CMS began using a new budget formulation process, including a limited set of predefined criteria, to reselect ongoing IT investments. We verified that the four projects we reviewed were reselected using this process. Type of practice: Activities; Key practice: 3. Executives' funding decisions are aligned with selection decisions; Rating: Executed; Summary of evidence: Because CMS uses its budget formulation process to select investments, executives' funding decisions are aligned with selection decisions. Source: GAO. [A] According to the GAO Information Technology Investment Management framework, "reselecting" is the periodic reconsideration of an investment's continuing value to the organization and the decision to continue funding. It is a recurring process that continues for as long as a project is receiving funding. [End of table] CMS Has Not Defined Procedures for Management Oversight of IT Projects and Systems: An organization should provide effective oversight for its IT projects throughout all phases of their life cycles. Its investment board should maintain adequate oversight and observe each project's performance and progress toward predefined cost and schedule expectations as well as each project's anticipated benefits and risk exposure. The investment board should also employ early warning systems that enable it to take corrective action at the first sign of cost, schedule, or performance slippages. This board has ultimate responsibility for the activities within this critical process. According to the ITIM framework, effective project oversight requires, among other things, (1) having written policies and procedures for management oversight; (2) developing and maintaining an approved management plan for each IT project; (3) making up-to-date cost and schedule data for each project available to the oversight boards; (4) having regular reviews by each investment board of each project's performance against stated expectations; and (5) ensuring that corrective actions for each underperforming project are documented, agreed to, implemented, and tracked until the desired outcome is achieved. (The complete list of key practices is provided in table 5.) CMS has only executed 1 of the 7 key practices associated with effective project oversight. While CMS's IT Investment Management Process Guide addresses management oversight of IT projects and systems, it does not include specific procedures for the ITIRB's oversight of IT projects and systems. In addition, while the board is receiving performance data for some investments, including revitalization investments, it is not yet performing oversight of projects on a systematic basis. CMS officials indicated that the ITIRB's involvement in overseeing investments to date has been limited because the board was first focusing on selecting investments. However, CMS recognizes the importance of the ITIRB's involvement in oversight of IT investments, and, according to officials, the agency is currently developing an approach to address this issue. While CMS is in the process of developing a structured process for the ITIRB to oversee investments, other entities are involved in the oversight of projects. For example, performance information for one of the projects we reviewed was not provided to CMS's ITIRB, but instead was provided to senior-level management, such as the Chief Technology Officer and directors from some CMS components. Until the ITIRB systematically oversees CMS's investments, the oversight process will not benefit from the corporate perspective that is gained by having an enterprisewide board. As a result, executives may not be able to easily determine the impact individual project decisions may have on other projects and on the attainment of organizational goals and objectives. Table 5 shows the rating for each key practice that is required to implement the critical process for project oversight at the Stage 2 level of maturity and summarizes the evidence that supports these ratings. Table 5: Providing Investment Oversight: Type of practice: Organizational commitment; Key practice: 1. The organization has documented policies and procedures for management oversight of IT projects and systems; Rating: Not executed; Summary of evidence: CMS's IT Investment Management Process Guide addresses management oversight of IT projects and systems, but it does not include specific procedures for the ITIRB's oversight of IT projects and systems. According to CMS officials, these procedures are currently being defined. Type of practice: Prerequisites; Key practice: 1. Adequate resources, including people, funding, and tools, are provided for IT project oversight; Rating: Not executed; Summary of evidence: According to CMS officials, CMS does not have the resources it needs to oversee IT projects and systems. For example, they reported that additional skilled staff are needed to perform oversight activities. Type of practice: Prerequisites; Key practice: 2. IT projects and systems, including those in steady state (operations and maintenance), maintain approved project management plans that include expected cost and schedule milestones and measurable benefit and risk expectations; Rating: Executed; Summary of evidence: CMS IT projects and systems, including those in operations and maintenance, maintain approved project management plans that include cost, schedule, benefit, and risk expectations. We verified that the case-study projects we reviewed maintained project management plans that include these expectations. Type of practice: Activities; Key practice: 1. Data on actual performance, including cost, schedule, benefit, and risk performance, are provided to the appropriate IT investment board; Rating: Not executed; Summary of evidence: Although data on actual performance are being provided to the ITIRB for some projects, there are no standard procedures for involving the ITIRB in investment oversight. According to CMS officials, these procedures are currently being determined. Type of practice: Activities; Key practice: 2. Using verified data, each investment board regularly reviews the performance of IT projects and systems against stated expectations; Rating: Not executed; Summary of evidence: The ITIRB has begun to review the performance of some IT projects and systems against stated expectations. For example, the ITIRB has recently begun to review the performance of the National Plan and Provider Enumeration System. According to CMS officials, procedures for the ITIRB to do this on a more systematic basis are currently being determined. Type of practice: Activities; Key practice: 3. For each underperforming IT project or system, appropriate actions are taken to correct or terminate the project or system in accordance with defined criteria and the documented policies and procedures for management oversight; Rating: Type of practice: Not executed; Summary of evidence: Type of practice: According to CMS officials, procedures for involving the ITIRB in investment oversight, including procedures for taking corrective actions, are currently being determined. Type of practice: Activities; Key practice: 4. The investment board regularly tracks the implementation of corrective actions for each underperforming project until the actions are completed; Rating: Not executed; Summary of evidence: According to CMS officials, procedures for involving the ITIRB in investment oversight, including procedures for tracking the implementation of corrective actions for underperforming projects, are currently being determined. Source: GAO. [End of table] CMS Has a Collection of Information to Support Investment Management Decisions: To make good IT investment decisions, an organization must be able to acquire pertinent information about each investment and store that information in a retrievable format. During this critical process, an organization identifies its IT assets and creates a comprehensive repository of investment information. This repository provides information to investment decision makers to help them evaluate the impacts and opportunities that would be created by proposed or continuing investments. It can provide insights and trends about major IT cost and management drivers. The repository can take many forms and does not have to be centrally located, but the collection method should identify each IT investment and its associated components. This critical process may be satisfied by the information contained in the organization's current enterprise architecture, augmented by additional information--such as financial information and information on risk and benefits--that the investment board may require to ensure that informed decisions are being made. According to the ITIM framework, effectively managing this repository requires, among other things, (1) developing written policies and procedures for identifying and collecting the information, (2) assigning responsibility for ensuring that the information being collected meets the needs of the investment management process, (3) identifying IT projects and systems and collecting relevant information to support decisions about them, and (4) making the information easily accessible to decision makers and others. (The complete list of key practices is provided in table 6.) CMS has in place 5 of the 6 key practices associated with capturing investment information. For example, CMS's IT Investment Management Process Guide identifies specific information that is needed in the investment management process, such as how each IT project relates to the business needs of CMS. According to officials, adequate resources are provided to support the collection of investment information, such as the agency's IT Investment Tracking Database, and an individual assigned responsibility for ensuring that the necessary information is collected to meet the needs of the investment management process. CMS is collecting specific information about IT investments to support decisions about these investments, including projects' scores against selection criteria and earned value management[Footnote 24] information. We verified that this information was collected for the four projects we reviewed. However, although the ITIRB has used investment information to support selection decisions, it has not yet used it to systematically oversee projects. According to CMS officials, specific procedures for the ITIRB's oversight of IT projects and systems are currently being defined. Table 6 shows the rating for each key practice required to implement the critical process for capturing investment information at the Stage 2 level of maturity and summarizes the evidence that supports these ratings. Table 6: Capturing Investment Information: Type of practice: Organizational commitments; Key practice: 1. The organization has documented policies and procedures for identifying and collecting information about IT projects and systems to support the investment management process; Rating: Executed; Summary of evidence: CMS's IT Investment Management Process Guide defines procedures for identifying and collecting information in a database to support the investment management process. Type of practice: Organizational commitments; Key practice: 2. An official is assigned responsibility for ensuring that the information collected during project and systems identification meets the needs of the investment management process; Rating: Executed; Summary of evidence: The director of CMS's Division of Investment Analysis and Budget in the Planning, Management, and Support Group of the CIO's office is responsible for ensuring that the information collected about IT projects and systems meets the needs of the investment management process. Type of practice: Prerequisite; Key practice: 1. Adequate resources, including people, funding, and tools, are provided for identifying IT projects and systems and collecting relevant investment information about them; Rating: Executed; Summary of evidence: According to CMS officials, there are adequate resources in this area, including staff in the Planning, Management, and Support Group of CMS's Office of Information Services and an IT Investment Tracking Database. Type of practice: Activities; Key practice: 1. The organization's IT projects and systems are identified, and specific information is collected to support decisions about them; Rating: Executed; Summary of evidence: IT projects and systems are identified and specific information is collected about them in an IT Investment Tracking Database and Excel spreadsheets. We verified that information about our four case-study projects was collected to support the selection and control processes. Type of practice: Activities; Key practice: 2. The information that has been collected is easily accessible and understandable to decision makers and others; Rating: Type of practice: Executed; Summary of evidence: Type of practice: CMS collects information about IT projects and systems and makes it available to decision makers and other stakeholders in various forms, such as in spreadsheets and graphs. The director of CMS's Division of Investment Analysis and Budget in the Planning, Management, and Support Group of the CIO's office ensures that the ITIRB has all the relevant information for IT investment decision making, and that it is in a format that the ITIRB is able to easily use. Type of practice: Activities; Key practice: 3. The information repository is used by investment decision makers and others to support investment management; Rating: Not executed; Summary of evidence: Although the board is using investment information to support selection decisions, procedures have not yet been defined for the board to use this information to support control decisions. Source: GAO. [End of table] CMS Lacks the Key Capabilities Needed to Manage Its Investments as a Portfolio: During Stage 3, the investment board enhances the investment management process by developing a complete investment portfolio. An investment portfolio is an integrated, agencywide collection of investments that are assessed and managed collectively on the basis of common criteria. Managing investments within the context of such a portfolio is a conscious, continuous, and proactive approach to expending limited resources on an organization's competing initiatives in light of the relative benefits expected from these investments. Taking an agencywide perspective enables an organization to consider its investments comprehensively, so that, collectively, the investments optimally address the organization's missions, strategic goals, and objectives. Managing investments with a portfolio approach also allows an organization to determine priorities and make decisions about which projects to fund, and continue to fund, on the basis of analyses of the relative organizational value and risks of all projects, including projects that are proposed, under development, and in operation. For an organization to reap the full benefits of the portfolio process, it should collect all of its investments into an enterprise-level portfolio that is overseen by its senior investment board. Although investments may initially be selected into subordinate portfolios--on the basis of, for example, the lines of business or life-cycle stages- --and managed by subordinate investment boards, they should ultimately be aggregated into this enterprise-level portfolio. According to our ITIM framework, critical processes performed by Stage 3 organizations include (1) defining the portfolio criteria, (2) creating the portfolio, (3) evaluating the portfolio, and (4) conducting postimplementation reviews.[Footnote 25] Table 7 shows the purpose of each critical process in Stage 3. Table 7: Stage 3 Critical Processes--Developing a Complete Investment Portfolio: Critical process: Defining the portfolio criteria; Purpose: To ensure that the organization develops and maintains IT portfolio selection criteria that support its mission, organizational strategies, and business priorities. Critical process: Creating the portfolio; Purpose: To ensure that IT investments are analyzed according to the organization's portfolio selection criteria, and that an optimal IT investment portfolio with manageable risks and returns is selected and funded. Critical process: Evaluating the portfolio; Purpose: To review the performance of the organization's investment portfolio(s) at agreed- upon intervals, and to adjust the allocation of resources among investments as necessary. Critical process: Conducting postimplementation reviews; Purpose: To compare the results of recently implemented investments with the expectations that were set for them, and to develop a set of lessons learned from these reviews. Source: GAO. [End of table] CMS has executed very few key practices--2 of 27--associated with Stage 3 critical processes. Specifically, under the critical process for defining the portfolio criteria, CMS provided evidence that it had designated a working group to be responsible for developing and modifying portfolio selection criteria. Under the critical process for creating the portfolio, CMS provided evidence that it was capturing and maintaining investment information for future reference. In its self- assessment, the agency stated that it was not executing any other Stage 3 key practices. According to officials, CMS has not concentrated on implementing Stage 3 key practices because the agency is first focusing its resources on establishing the practices associated with Stage 2. Until CMS fully implements the critical processes associated with managing its investments as a complete portfolio, it will not have the data or enterprisewide perspective it needs to make informed decisions about its collection of investments. CMS Does Not Have a Comprehensive Plan to Coordinate and Guide Its Improvement Efforts: CMS has initiated efforts to improve its investment management process. While these efforts do not fully address any of the weaknesses we identify in this report, they enhance the agency's ability to perform key activities. Specifically: * CMS has begun to implement a tool for capturing project information. According to officials, the tool will bring together investment information currently residing in various locations, including project description information captured in its IT Investment Tracking Database, information such as project scores collected to support project selection activities, and earned value management data. Although information to support investment decisions does not have to be in one location, doing so will improve accessibility and facilitate its use by decision makers. * CMS recently established Executive Steering Committees to support the ITIRB in carrying out its investment management responsibilities. These groups played a key role in selecting investments for the fiscal year 2007 budget by reviewing investment information and making recommendations for funding to the investment board. They are currently determining procedures for overseeing investments. According to officials, once procedures for the Executive Steering Committee oversight have been determined, CMS plans to focus on defining procedures for determining how and when to involve the investment board in oversight--a key weakness identified in this report. Although CMS has initiated these improvement efforts, it has not coordinated them with the additional efforts needed to address the weaknesses identified in this report in a comprehensive plan that (1) specifies measurable goals, objectives, and milestones; (2) specifies needed resources; (3) assigns clear responsibility and accountability for accomplishing tasks; and (4) is approved by senior- level management. We have previously reported that such a plan is instrumental in helping agencies coordinate and guide improvement efforts. CMS officials recognize the value of having a comprehensive plan and told us they have begun to develop one; however, a time frame for completing the plan has not been established. Until CMS develops this plan, the agency risks not being able to put in place an effective management process that will provide appropriate executive-level oversight for minimizing risks and maximizing returns. Process for Monitoring MMISs Could Benefit from Standard Procedures, Guidance, and Reporting Requirements: As we previously noted, the responsibility for approving and monitoring MMISs that CMS funds jointly with the states falls to CMS's central office and its 10 regional offices, with the bulk of the activities being performed by the regional offices. Although the process for approving states' funding requests for MMIS activities is characterized by (1) standard procedures performed consistently across the regional offices, (2) guidance that staff can rely on in carrying out their duties, and (3) requirements for reporting information to the central office, the process for monitoring MMIS activities is not. Standard Procedures, Guidance, and Reporting Requirements Exist for the Approval Process: The process for approving states' requests for federal funding of MMISs is characterized by a defined set of activities that are performed consistently across the regional offices. These activities include regional office staff review and approval of the standard documentation (i.e., the APDs, request-for-proposals, and contracts) that the states prepare to justify their requests. Specifically, as we previously described: * States prepare an APD to request funding for MMISs. Regional office staff review the document to ensure that states' requests support the Medicaid program, are in compliance with federal requirements, and represent cost-effective solutions. Once regional office staff determine that the APD adequately justifies the request, they issue a formal approval letter to the states (with concurrence from CMS's central office). * The request-for-proposals that the states prepare to solicit contractor bids for MMIS activities, including development and operations, is reviewed and approved by regional office staff through a process similar to that used to approve the APDs. * Regional office staff review the states' process for reviewing contractors' proposed bids. * Regional office staff review and approve the contract, after which the state makes an award to the contractor whose bid or offer is responsive to the solicitation and is most advantageous to the state-- considering price, quality, and other factors. Regional office staff told us that they rely on the State Medicaid Manual and the Code of Federal Regulation for guidance in performing activities for approving states' requests for federal funding. Regional staff are also required to inform the CMS central office of all approval actions through the Office of the Secretary Notice process previously mentioned. Process for Monitoring State MMISs Lacks Standard Procedures, Guidance, and Reporting Requirements: In contrast to the approval process, the process for monitoring MMIS activities lacks (1) standard procedures regional office staff must perform to carry out their responsibilities, (2) guidance for staff to rely on, and (3) requirements for staff to report on the results of their monitoring efforts to the central office. First, regional office staff use a variety of mechanisms to monitor MMIS activities. These mechanisms include reviews of project status reports; site visits; telephone calls; and meetings with external groups, such as industry associations, provider groups, and vendors. In addition, regional office staff determine if and when to use these mechanisms. Table 8 shows the different mechanisms used by the regional office staff we interviewed and the number of regional offices who used them. Table 8: Frequency of Oversight Mechanisms Used by the 5 Regional Offices Interviewed: Mechanism: Reviews of status reports; Number of regional offices claiming use of mechanism: 5. Mechanism: Site visits; Number of regional offices claiming use of mechanism: 3. Mechanism: Meetings with provider community; Number of regional offices claiming use of mechanism: 2. Mechanism: In-process reviews; Number of regional offices claiming use of mechanism: 1. Mechanism: Meeting with vendors; Number of regional offices claiming use of mechanism: 1. Mechanism: Participation in status meetings; Number of regional offices claiming use of mechanism: 1. Mechanism: Contact with state medical society; Number of regional offices claiming use of mechanism: 1. Mechanism: Assistance from National Account Representatives[A]; Number of regional offices claiming use of mechanism: 1. Source: GAO. [A] Philadelphia office regional staff told us their office staff includes these representatives. They are responsible for staying abreast of state Medicaid activities. In performing their work, they communicate with the states' Medicaid director and perform at least two visits a year to each state. [End of table] Second, CMS has no guidance for regional office staff to use in monitoring MMIS activities. While CMS has a Regional Office Manual that includes guidance for monitoring MMIS activities, this manual is not used by regional office staff because, according to officials, it has not been maintained throughout the years, and it no longer reflects current processes. Third, there are no requirements for regional office staff to report to CMS's central office on their monitoring of states' federally funded MMISs activities. Monthly teleconferences are conducted between the central office and regional offices to discuss activities performed by these offices, including activities to monitor state MMISs. According to CMS officials, there is some communication outside of the scheduled teleconferences to discuss any issues that might arise regarding the status of state MMISs. In addition, according to officials, the certification reviews performed about 6 months after the MMISs have become operational provide opportunities to determine firsthand how systems are performing. Despite these mechanisms, the central office has no requirements for regional office staff to regularly report on the results of their efforts to monitor MMIS activities. According to CMS officials, the central office has traditionally placed greater emphasis on the front-end approval of requests for federal funding. The central office, however, now recognizes the need for and value of adopting an approach for maintaining the visibility of MMISs from beginning to end. To address this need, central office staff told us that they plan to ask the regional offices to provide them with quarterly reports on the status of MMIS activities in their states as part of a broader effort that is currently under way to improve the administration of the Medicaid program.[Footnote 26] Central office staff stated this effort would also result in standard procedures and guidance to support regional office staff's monitoring efforts. While these activities would strengthen the monitoring process, during our review central office staff did not yet have specific plans or time frames for implementing them. Until CMS defines standard procedures for monitoring MMIS activities, guidance for staff to rely on, and reporting requirements, CMS's central office may not be able to easily determine whether state MMISs are facilitating the delivery of Medicaid benefits in the most effective and beneficial manner. Conclusions: Because IT investment management has only recently become an area of management focus, CMS capabilities to manage its internal investments are limited. Specifically, the agency has established about half of the practices for building the investment foundation, but few practices to manage its investments as a portfolio. Although the foundational practices have equipped CMS with the capabilities it needs to improve its management of individual investments, the agency is hampered in its ability to manage them as a portfolio because it has not implemented the practices for doing so. Until CMS fully establishes the key practices required to build the investment foundation and manage its investments as a portfolio, it will not have the capabilities it needs to ensure that investments supporting its multibillion-dollar Medicare and Medicaid programs are being managed to minimize risks and maximize returns. Critical to CMS's success in going forward will be the development of an implementation plan that (1) is based on an assessment of strengths and weaknesses; (2) specifies measurable goals, objectives, and milestones; (3) specifies needed resources; (4) assigns clear responsibility and accountability for accomplishing tasks; and (5) is approved by senior-level management. Although the agency has initiated improvement efforts, it has not developed a comprehensive plan to guide these and other efforts needed to improve its investment management process. Without such a plan and procedures for implementing it, CMS will be challenged in sustaining the commitment it needs to fully establish its investment management process. Finally, the process for approving states' funding requests for MMIS activities is characterized by standard procedures that are performed consistently across the regional offices, guidance, and requirements for informing the central office of regional office staff activities. The process for monitoring the development and operations of state MMIS, on the other hand, has no standard procedures for regional office staff, no guidance, and no requirement to report information to the central office. Without these elements for monitoring MMIS activities, CMS's central office may not be able to easily determine whether state MMISs are facilitating the delivery of Medicaid benefits in the most effective and beneficial manner. Recommendations for Executive Action: To strengthen CMS's capability to manage its internal IT investments and address the related weaknesses addressed in this report, we recommend that the Secretary of the Department of Health and Human Services direct the CMS Administrator to develop and implement a plan for improving CMS's IT investment management processes. The plan should address the weaknesses described in this report. The plan should (1) first focus on correcting the weaknesses in Stage 2 critical processes, and next focus on the Stage 3 critical processes, and (2) at a minimum, provide for accomplishing the following 12 actions: In Stage 2: * Update the agency's investment management guide to reflect current investment management processes. * Establish a process for the board to actively maintain the agency's documented investment management process. * Use an updated strategic plan or other detailed statement of business mission with supporting goals and objectives to align investments with business needs. * Ensure that the board periodically evaluates the alignment of IT projects and systems with strategic goals and objectives and take corrective actions when misalignment occurs. * Fully document procedures that address investment selection and reselection and (1) provide a clear understanding of the selection and reselection process, (2) define the roles and responsibilities for each participating unit involved in the project reselection process, and (3) define the decision-making procedures. * Document procedures for integrating funding with investment selection. * Revise the ITIRB's selection and reselection criteria to include cost, benefit, schedule, and risk factors, and establish a mechanism to ensure these criteria continue to reflect organizational objectives. * Define, document, and implement procedures for the ITIRB's oversight of projects and systems. * Implement processes to use investment information to fully support investment management decisions. In Stage 3: * Implement the Stage 3 critical processes for defining portfolio criteria, creating the portfolio, evaluating the portfolio, and conducting postimplementation reviews, which are necessary for portfolio management. We also recommend that the Secretary for Health and Human Services direct the CMS Administrator to ensure that the plan draw together ongoing efforts and additional efforts that are needed to address the weaknesses identified in this report. The plan should also (1) specify measurable goals, objectives, and milestones; (2) specify needed resources; (3) assign clear responsibility and accountability for accomplishing tasks; and (4) be approved by senior-level management. In implementing the plan, the Administrator should ensure that progress is measured and reported periodically to the Secretary of Health and Human Services. To improve CMS's process for monitoring states' progress in developing and maintaining Medicaid management information systems, we are recommending that the Secretary of the Department of Health and Human Services direct the CMS Administrator to take the following two actions: * Define standard procedures and supporting guidance for regional offices to monitor MMIS activities. * Require regional offices to regularly report on their MMIS monitoring activities to CMS's central office. Agency Comments and Our Evaluation: The Administrator of CMS provided written comments on a draft of this report (reprinted in app. II). In these comments, CMS identified actions it is taking or plans to take to address our recommendations and stated that effective management of IT investments is a critical priority at the agency. CMS contended that many of the agency's improvements to its IT investment management process were not fully reflected in the report, and took exception with the need for up-to- date, documented processes to ensure consistency. Concerning our description of progress in implementing investment management processes, CMS commented that the report indicates that the agency has only established 2 out of 27 key practices needed to manage investments as a portfolio. CMS stated that this is misleading since the report also indicates that the agency has accomplished 20 of 38 foundational IT investment management practices. CMS also provided examples of the practices it has implemented, such as establishing an investment review board. In our report, we make a distinction between foundational practices, which are the Stage 2 key practices for establishing basic project-level selection and control capabilities, and portfolio-level practices, which are the Stage 3 key practices for managing investments as an integrated set of competing options. We also note that both of these sets of key practices are needed to implement the processes required by the Clinger-Cohen Act of 1996. On the basis of this, we state that CMS does not have the full suite of capabilities to manage its internal investments because it has only established a little over half of the foundational practices and 2 of 27 portfolio- level key practices, and we reiterate the need to fully establish both sets of practices to increase assurance that executives are selecting and managing the mix of investments that best meets the agency's needs and priorities. In our report, the sections in which we discuss the implementation of specific key practices associated with critical processes from our IT investment management framework each describe CMS's efforts and accomplishments to improve its IT investment management processes. These include all of the examples of accomplishments CMS provided in its comments. In its comments, CMS took issue with our reporting that its IT investment management guide did not reflect the current process, and that its procedures for selecting and reselecting IT investments were not fully documented. Although the agency fully agreed that an up-to- date guide would constitute a piece of an effective process, it commented that the emphasis should be on strengthening the process first and updating documentation later. CMS made three points: (1) it is not practical to publish an updated guide without having the effective and repeatable underlying process in place and noted that it is not provided the latitude to do this; (2) in the section of the report discussing instituting the investment board, the noted successful execution of key practices appears to be negated by the statement that the investment management processes are not documented; and (3) in the same section of the report, we are implying that an updated guide would improve rather than explain the process. We disagree with CMS that the process needs to be repeatable and strengthened before it can be documented. Documented procedures could actually serve to strengthen and improve the process by ensuring it is performed consistently. Finally, we are not negating the successful implementation of key practices to institute the investment board. We are simply emphasizing the importance of having documentation to drive the investment management process. In its comments, CMS also noted actions it is taking to (1) develop a plan to implement key practices in Stages 2 and 3; (2) revise existing documentation to reflect processes in place that are not formally documented; and (3) develop a plan that will be approved by senior management that will incorporate goals, objectives, and milestones required to further close the gaps between existing processes and our ITIM framework. Regarding our recommendation to improve its process for monitoring state MMIS activities and reporting to the central office, CMS stated that it is developing standard procedures and supporting guidance for the regional office(s) for monitoring these systems activities and reporting to the central office. We agree with CMS that these actions would address many of the weaknesses we identify in this report. CMS also provided some technical comments, which we have incorporated into the report as appropriate. As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days from the date of this letter. At that time, we will send copies to other interested congressional committees, the Secretary of Health and Human Services, the CMS Administrator, the CMS Chief Information Officer, and other interested parties. Copies will also be made available at no charge on our Web site at [Hyperlink, http://www.gao.gov]. If you have any questions on matters discussed in this report, please contact David A. Powner at (202) 512- 9286, or at [Hyperlink, pownerd@gao.gov], or Leslie G. Aronovitz at (312) 220-7600, or at [Hyperlink, aronovitzl@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Sincerely yours, Signed by: David A. Powner: Director, Information Technology Management Issues: Signed by: Leslie G. Aronovitz: Director, Health Care: [End of section] Appendixes: Appendix I: Objectives, Scope, and Methodology: The objectives of our review were to (1) evaluate Centers for Medicare & Medicaid Services (CMS) capabilities for managing its internal information technology (IT) investments, (2) determine any plans the agency might have for improving these capabilities, and (3) examine CMS's process for approving and monitoring the state Medicaid management systems it funds. To address our first objective, we reviewed the results of the agency's self-assessment of Stages 2 and 3 practices using our Information Technology Investment Management framework (ITIM) and validated and updated the results of the self-assessment through document reviews and interviews with officials. We reviewed written policies, procedures, and guidance and other documentation providing evidence of executed practices, including CMS's IT Investment Management Process Guide, CMS's Policy for IT Investment Management, and CMS's fiscal year 2006/2007 budget process. We also reviewed the CMS Information Technology Investment Review Board (ITIRB) meeting minutes. We did not assess CMS's progress in establishing the capabilities found in Stages 4 and 5 of the ITIM framework because CMS acknowledged that it had not executed any of the key practices in these higher maturity stages. In addition, we conducted interviews with officials from the Office of Information Services who have responsibility for the development and implementation of CMS's IT investment management process. We compared the evidence collected from our document reviews and interviews with the key practices in our ITIM framework. We rated the key practices as "executed" on the basis of whether the agency demonstrated (by providing evidence of performance) that it had met the criteria of the key practice. A key practice was rated as "not executed" when we found insufficient evidence of a practice being executed or when we determined that there were significant weaknesses in CMS's execution of the key practice. In addition, CMS was provided with the opportunity to produce evidence for key practices rated as "not executed." As part of our analysis, we selected four CMS IT projects as case studies to verify that the critical processes and key practices were being applied. The projects were selected because they (1) supported different functional areas, (2) were in various life-cycle phases, and (3) required different levels of funding. The four projects are described below: * Healthcare Integrated General Ledger Accounting System--The project is intended to standardize the collection, recording, and reporting of Medicare financial information by contractors. It is to replace the cumbersome ad hoc spreadsheets and "cuff" systems being used by Medicare contractors to accumulate and report financial information to CMS. The project's life-cycle cost is estimated at about $567 million. * Medicare Claims Processing Redesign--This project is intended to integrate and modernize the Common Working File system and Redesign and the Medicare Shared Systems enterprise claims processing applications and data systems. The modernization and unification of these systems is to allow CMS to significantly enhance program capabilities, integrity, performance, efficiencies, and maintainability; reduce program change implementation time frames; improve accuracy, timeliness, and quality of Medicare transaction processing; reduce system exposure to security risks; and facilitate use of the Internet. The project's life-cycle cost is estimated at nearly $494 million. * Medicare Managed Care System--This project is intended to cover the redesign of CMS's managed care family of systems, including the legacy Group Health Plan system. It is to provide the platform for implementing requirements under the MMA. The project is intended to replace aging operations and to continue to support the agency's managed care business needs until all functions are migrated to a new system. Its life-cycle cost is estimated at about $111 million. * National Plan and Provider Enumeration System--The project is intended to implement a Health Insurance Portability and Accountability Act requirement to issue a unique identifier to each covered health care provider in the United States. It is expected to result in administrative savings by simplifying a complicated, multifaceted enumeration scheme, whereby a provider is issued different identifiers for electronic transactions by each health plan with which it does business, and sometimes multiple identifiers from a single plan. It will impact several million providers and health plans in the nation. The project's life-cycle cost is estimated at about $38 million. For these projects, we reviewed project management documentation, such as project plans, business cases, status reports, and documentation on how these projects were selected by the ITIRB. We also interviewed the project managers for these projects. To address our second objective, we examined documentation on what management actions had been taken and what initiatives had been planned by the agency. This documentation included a requirements document for a tool CMS is currently implementing that is to help the agency with IT investment management, among other things. We also interviewed officials from the Office of Information Services to determine what efforts CMS had undertaken to improve IT investment management processes. To address our third objective, we reviewed documentation supporting CMS's implementation of processes for (1) approving states' requests for funding their Medicaid Management Information Systems (MMIS) and (2) monitoring these MMISs, including related legislation, policy, and implementing guidance. We also interviewed officials at CMS headquarters and at the 5 CMS regional offices with the highest fiscal year 2004 expenditures for administrative services, which includes MMISs. We conducted our work at CMS headquarters in Washington, D.C., and at 5 CMS regional offices located in New York, New York; Philadelphia, Pennsylvania; Chicago, Illinois; San Francisco, California; and Atlanta, Georgia, from January 2005 through September 2005 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Comments from the Centers for Medicare & Medicaid Services: Department Of Health & Human Services: Centers for Medicare & Medicaid Services: Administrator: Washington, DC 20201: October 14 2005: Date: TO: David A. Powner: Director, Information Technology Management Issues: Government Accountability Office: FROM: Mark B. McClellan, MD., Ph.D.: Administrator: SUBJECT: Government Accountability Office's (GAO) Draft Report: INFORMATION TECHNOLOGY: Centers for Medicare & Medicaid Services Need to Establish Critical Investment Management Capabilities (GAO-06-12): Thank you for the opportunity to review and comment on the above GAO draft report. The GAO evaluated the Centers for Medicare & Medicaid Services' (CMS) capabilities for managing its information technology investments, determined any plans CMS might have for improving capabilities, and examined CMS' process for approving and monitoring the State Medicaid management information systems. Effective management of IT investments is a critical priority at CMS. This includes many improvements to our IT investment process that were not fully reflected in GAO's report. It is also reflected in strong leadership at CMS. This year, Mr. Dean Mesterharm, former CIO of the Social Security Administration, joined our senior management team with the strategic objective of strengthening our IT investment and management control. We have taken many steps to achieve this objective. The report appears to indicate that CMS has just established 2 out of 27 key IT management practices. This is misleading, since according to the report, CMS has already accomplished 20 of the 38 foundational IT investment management practices. In addition, as noted in our response, CMS has many further steps underway to advance IT investment and management control. We appreciate the time and effort that went into this GAO report. Attached are the detailed comments to the GAO's recommendations and concerns. Centers for Medicare & Medicaid Services' (CMS) Comments to the Government Accountability Office's (GAO) Draft Report: INFORMATION TECHNOLOGY.-Centers for Medicare & Medicaid Services Need to Establish Critical In vestment Management Capabilities (GAO-06-12): GAO Concern: The GAO asserts that because the process is not fully mature, CMS does not have the capability to manage its internal investments. For example on the cover page it states, "Until CMS fully establishes foundational and portfolio-level practices, executives will lack the assurance that they are managing the agency's collection of investments in a manner that minimizes risks and maximizes returns." This thought is repeated throughout the report. CMS Response: This is not an accurate description of CMS' IT investment management program. Specifically, the report states that CMS has "executed 2 of the 27 key practices needed to manage investments as a portfolio." This is misleading since, as cited in the GAO report, CMS has established 20 of the 38 foundational IT investment management practices. These include establishing an Information Technology Investment Review Board (ITIRB) comprised of office directors from every business area in CMS. This board is chaired by the CMS Chief Information Officer (CIO), who previously served as the CIO of the Social Security Administration. For Fiscal Years 2006 and 2007 IT investments, the ITIRB ranked and prioritized CMS' IT investments against agency goals, and reviewed and approved funding levels. As a result, CMS executives have increased assurance that their IT investments are better aligned with agency priorities. GAO Concern: GAO criticizes CMS in several places for not having an updated process guide or other documentation and frequent calls for updating the guide to reflect the current process. The lack of an updated guide leads to three separate criticisms. CMS Response: First, on page 6, the first two bullets note that the Agency's investment management guide does not reflect current processes and procedures for selecting and reselecting investments that are not fully documented. Although we fully understand the need for a process guide, we do not feel it is practical to publish one without having the effective and repeatable underlying process in place. It is acknowledged in the section entitled, CMS's Approach to Investment Management that our process is in flux, but we are not provided the latitude to codify the new process before describing it. Based on lessons learned, CMS likely will modify some activities carried out last year in order to improve them. Second, on page 23 the report states, "Notwithstanding these strengths, CMS does not have an IT investment process guide which reflects the agency's current investment management practices." This statement implies that the successful execution of key practices cited earlier in the section are negated because they are not yet documented. Third, GAO implies that an updated guide would improve the process, rather than the guide explaining the process. On pages 23-24 the report states, "According to CMS officials, the guide has not yet been updated because the agency has made a priority of fully defining its processes before documenting them. Until CMS's documented IT investment process guidance is updated, executives are at risk of performing key investment decision-making activities inconsistently and communicating management practices inaccurately. Such updated guidance would also provide a process that could lead to greater accountability about future IT investment outcomes that would be helpful to new members joining the board." We contend that a comprehensive and repeatable process, not a document, ensures that executives are managing projects consistently. We fully agree that an up-to-date guide would constitute a piece of an effective process, but we feel that the emphasis should be on strengthening the process first and updating documentation later. GAO Recommendation: Recommend that the Secretary of the Department of Health and Human Services direct the CMS Administrator to develop and implement a plan for improving CMS's IT investment management processes and to ensure that the plan draw together ongoing efforts and additional efforts that are needed to addresses the weaknesses identified in this report. CMS Response: CMS is already developing a plan to implement additional key practices in Stages 2 and 3. CMS is to revising existing documentation to reflect processes in place that are not formally documented. CMS will develop a plan that will be approved by senior management that will incorporate goals, objectives, and milestones required to further close the gaps between existing processes and GAO's framework. GAO Recommendation: Recommend that the Secretary of the Department of Health and Human Services direct the CMS Administrator to take the following actions: * Define standard procedures and supporting guidance for regional offices to monitor MMIS activities; * Require regional offices to regularly report on their MMIS monitoring activities to CMS's central office. CMS Response: The CMS is developing standard procedures and provide supporting guidance to the regional office for monitoring the Medicaid management information systems (MMIS) activities and reporting to CMS central office. The regional office manual was published in 1992 and has not been updated. New guidelines for monitoring progress of State advance planning document (APD) projects and periodic progress reporting to central office is in process and scheduled for the 4th quarter of fiscal year (FY) 2006. Plans are in place to incorporate new procedures into the MMIS Certification Toolkit, currently under development. The MMIS Certification project was undertaken in FY 2005 with contractor assistance in order to transform the current certification process from a single focal event occurring after the implementation of a new MMIS to one that flows from initial planning, throughout design, development and installation (DDI) of an MMIS. Included in the toolkit will be checklists for communications regarding progress throughout the DDI period. The State agency will provide progress reports to the regional offices from approval of the original APD, the issuance of the request for proposal, and the DDI activities until the systems are ready for certification. In turn, progress reports will be submitted, from the regions, to central office so that an annual aggregate report can be produced summarizing activities across the regions. Periodic state progress reports and regional office monitoring of approved ADP activities and plans will be guided by the size, scope and complexity of the activity and/or project. At a minimum state progress reports and regional office monitoring will provide sufficient information to support quarterly progress reports to central office. [End of section] Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: David A. Powner, (202) 512-9286, [Hyperlink, pownerd@gao.gov] ownerd@gao.gov Leslie G. Aronovitz, (312) 220-7600, [Hyperlink, aronovitzl@gao.gov]: Staff Acknowledgments: In addition to the persons named above, William G. Barrick, Shaunessye Curry, Mary Beth McClanahan, Sabine R. Paul, and Amos Tevelow made key contributions to this report. (310480): FOOTNOTES [1] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005). [2] Medicaid consists of 56 distinct state-level programs, including 1 for each of the 50 states; the District of Columbia; Puerto Rico; and the U.S. territories of American Samoa, Guam, the Northern Mariana Islands, and the Virgin Islands. Hereafter, these 56 entities are referred to as states. Within broad federal guidelines, each program establishes its own eligibility standards; determines the type, amount, duration, and scope of covered services; and sets payment rates. [3] The Medicaid Management Information System is the primary claims processing and information retrieval system, which states are required to have. [4] We are using the term "internal" to refer to all of CMS's IT investments, excluding the state MMISs. Internal investments include Medicare claims processing systems used by contractors. [5] States request funding for the design, development, and installation of a new MMIS or for the operations and maintenance of or enhancement to an existing MMIS. [6] Our second report, Information Technology: HHS Has Several Investment Management Capabilities in Place, but Needs to Address Key Weaknesses, GAO-06-11 (Washington, D.C.: Oct. 28, 2005), addresses HHS's (1) capabilities for managing its IT investments and (2) plans for improving those capabilities. [7] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G (Washington, D.C.: March 2004). [8] Of these nearly 83 million beneficiaries, more than 6 million are children covered by the State Children's Health Insurance Program. [9] The Center for Medicare Management is responsible for the Medicare Fee-for-Service program. The Center for Beneficiary Choices is responsible for Medicare's managed care program and also focuses on beneficiary educational efforts. The Center for Medicaid and State Operations focuses on programs administered by the states, such as Medicaid. [10] GAO, Medicare: Information Systems Modernization Needs Stronger Management and Support, GAO-01-824 (Washington, D.C.: Sept. 20, 2001). [11] The Medicare Prescription Drug, Improvement, and Modernization Act of 2003, Pub. L. No. 108-173, is to provide seniors and individuals with disabilities with prescription drug benefits, more choices, and better benefits under Medicare. CMS's revitalization initiative is the agency's effort to address long-term IT issues. [12] Medicaid regulations are in 42 C.F.R. Ch. IV. Regulations pertaining to the advance planning document process are set forth at 45 C.F.R. Part 95. [13] The State Medicaid Manual provides instructions, regulatory citations, and information for carrying out the Medicaid program. [14] The Office of the Secretary Notices are one-page summaries of the reviews performed by CMS regional office staff of documentation (APDs, request-for-proposals, and contracts) submitted by a state for MMIS funding assistance. The summaries are submitted to CMS's Center for Medicaid and State Operations, which must review and "clear" them before the regional office can release the official approval letter to the state. [15] 45 C.F.R. 95.613(b) and 45 C.F.R. 74.43. [16] CMS's certification guidance is defined in the agency's Medicaid Management Information System Certification Review Protocol. [17] GAO-04-394G. [18] GAO, Information Technology: DLA Needs to Strengthen Its Investment Management Capability, GAO-02-314 (Washington, D.C.: Mar. 15, 2002); United States Postal Service: Opportunities to Strengthen IT Investment Management Capabilities, GAO-03-3 (Washington D.C.: Oct. 15, 2002); Information Technology: Departmental Leadership Crucial to Success of Investment Reforms at Interior, GAO-03-1028 (Washington, D.C.: Sept. 12, 2003); Bureau of Land Management: Plan Needed to Sustain Progress in Establishing IT Investment Management Capabilities, GAO-03-1025 (Washington, D.C.: Sept. 12, 2003); and Information Technology: FAA Has Many Investment Management Capabilities in Place, but More Oversight of Operational Systems Is Needed, GAO-04-822 (Washington, D.C.: Aug. 20, 2004). [19] 40 U.S.C. § 11312(b)(1). [20] An IT investment board is a decision-making body--made up of senior program, financial, and information managers--that is responsible for making decisions about IT projects and systems on the basis of comparisons and trade-offs among competing projects, with an emphasis on meeting mission goals. [21] The four projects we reviewed--Healthcare Integrated General Ledger Accounting System, Medicare Claims Processing Redesign, Medicare Managed Care System, and National Plan and Provider Enumeration System- -are described in appendix I. [22] According to the Director of Investment Tracking and Assessment, the strategic plan has not been updated because of turnover in upper- level management. [23] The tool lists the following four business drivers: (1) beneficiary health and satisfaction, (2) efficiency and integrity of operations, (3) health care delivery, and (4) health care quality. [24] "Earned value management" is a project management tool that integrates the investment scope of work with schedule and cost elements for investment planning and control. This method compares the value of work accomplished during a given period with the value of the work expected in the period. Differences in expectations are measured in both cost and schedule variances. [25] The purpose of a postimplementation review is to evaluate an investment after its development has been completed (i.e., after its transition from the implementation phase to the in-service management phase) in order to validate actual investment results. This review is conducted to (1) examine differences between estimated and actual investment costs and benefits and their possible ramifications for unplanned funding needs in the future and (2) extract "lessons learned" about the investment selection and control processes that can be used as the basis for management improvements. Similarly, postimplementation reviews should be conducted for investment projects that were terminated before completion, to help to readily identify potential management and process improvements. [26] This effort, known as the "Medicaid Information Technology Architecture initiative," involves the development of a framework of enabling technologies and processes intended to improve the administration of the Medicaid program. CMS expects to complete this initiative within the next 2 years. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: