Skip to main content

Information Technology: SSA Has Taken Key Steps for Managing Its Investments, but Needs to Strengthen Oversight and Fully Define Policies and Procedures

GAO-08-1020 Published: Sep 12, 2008. Publicly Released: Oct 14, 2008.
Jump To:
Skip to Highlights

Highlights

The Social Security Administration (SSA) spends about $1 billion annually to support its information technology (IT) needs. Given the size and significance of the agency's ongoing and future investments in IT, it is crucial that the agency manages these investments wisely. Accordingly, GAO was requested to determine whether SSA's investment management approach is consistent with leading investment management best practices. To accomplish this, GAO used its IT investment management framework and associated methodology, with a focus on the framework's Stages 2 and 3, which are based on the investment management provisions of the Clinger-Cohen Act of 1996.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Social Security Administration To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish comprehensive policies and procedures for defining the investment governance process that specify (1) investment board operating procedures, (2) delegations of authority, and (3) criteria for prioritizing new and ongoing investments.
Closed – Implemented
SSA provided evidence of comprehensive policies and procedures defining the investment governance process that responded to each aspect of GAO's recommendation. Specifically, the agency provided evidence of investment board operating procedures, including procedures for the Strategic Information Technology Assessment and Review (SITAR) Board's composition on its involvement in SSA's May 2012 Capital Planning and Investment Control (CPIC) process. The Board's responsibilities and procedures outlined in the CPIC guide include ensuring all IT investment decisions are consistent with policies and guidelines, reviewing and approving changes to the current SSA IT plan, reallocation or adjustment of resources out of the investment cycle, consideration and approval/denial of emergency proposals, reviewing projects' health, and ensuring execution of its decisions. SSA's CPIC guidance, along with other documentation provided, outlines delegations of authority for the SITAR Board; Portfolio Executive Boards; and offices, such as the Office of Acquisitions and Grants. For example, SSA's SITAR Board charter explains that the SITAR Board acts as the executive body for SSA's initiatives and projects. Further, the delegations of authority outlined in the Board's charter and CPIC guidance provide the SITAR Board with centralized investment and portfolio management responsibilities which allow for more effective oversight of the CPIC process. SSA's CPIC guidance also includes information on the agency's criteria for prioritizing new and ongoing investments. According to the guidance, investments' cost, benefit, schedule, alignment with agency goals and risk information are assessed, validated, and used as core selection criteria in the select phase and then ranked against other investments. The prioritized list is then used by senior executives to make decisions on which investments will be submitted in portfolios to the SITAR for review and funding approval based on mission needs and agency priorities.
Social Security Administration To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to strengthen and expand the board's oversight responsibilities for underperforming projects and evaluations of projects.
Closed – Implemented
SSA's Capital Planning and Investment Control (CPIC) guide outlines the board's oversight responsibilities for addressing underperforming projects. SSA's CPIC guidance outlines procedures for referring project performance problems to the Strategic Information Technology Assessment and Review (SITAR) board. Further, the guide outlines the board's participation in Techstat reviews. SSA TechStat reviews are not limited to major investments and any project that is not performing as expected can be selected for review of its program performance data and opportunities for corrective action. SSA explained that quarterly SITAR meetings include summary-level reviews of each of the agency's Major IT Initiatives, and the outcomes of the sessions are formalized and followed up through completion, with the goal of terminating or turning around underperforming IT investments. SITAR Board members are also responsible for reviewing verified data on IT investments' actual performance, including cost, schedule, benefit and risk performance. Also, the SITAR Board's role in Project Health Assessments is outlined in the CPIC guide. According to the guide, Project Health Assessments are conducted on a quarterly basis; include reviewing project issues related to design, scope, schedule, risk, functionality, and acceptance; and can be used to identify under-performing projects in need of corrective action.
Social Security Administration To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish a mechanism for tracking corrective actions for underperforming investments.
Closed – Implemented
In response to our recommendation, the agency began using its Action Control Tracking System to track the status of corrective actions for underperforming IT projects. Specifically, corrective actions are entered and tracked in the system. In this regard, the system (1) allows for the automatic generation of emails requiring status updates that include a summary of the action items, (2) maintains a table showing staff assigned to make corrections, and (3) tracks the status of the corrective actions to completion.
Social Security Administration To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish policies and procedures for defining the portfolio criteria.
Closed – Implemented
In response to this recommendation, SSA's updated CPIC guide outlines methods used to define portfolio criteria. Strategic Objective Portfolios are established and managed through SSA's CPIC process to ensure alignment with agency strategic planning, performance plan goals, and strategic IRM planning. Sections 2.2 of the CPIC Guide discuss SSA's IT Portfolio Management and explains that SSA utilizes a portfolio-based approach to investment management and review that supports agency strategic goals while minimizing redundancy between investments. Further, SSA's IT Portfolio management processes group IT investments into portfolios based on mission areas, strategic goals, objectives, and infrastructure requirements. SSA portfolios have established vision statements that include objectives that align with and help meet agency goals. Portfolio criteria are established in step one of the SSA IT Planning Process and SSA's IRM Strategic Plan outlines four strategic goals and their subordinate objectives. The plan also includes a chart outlining the performance management framework and how specific projects within portfolios support the prioritization of resources, performance measures, and strategic goals. SSA also provided a chart outlining its IT planning process which explains that the SITAR Board provides guidance on the agency's priorities, as well as makes recommendations to the Deputy Commissioner for Systems/CIO, who does a final review of the agency IT Plan, containing all proposed portfolios, prior to approval.
Social Security Administration To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish portfolio-level performance evaluation policies and procedures and criteria for assessing portfolio performance.
Closed – Implemented
SSA has established portfolio-level performance evaluation policies and procedures and criteria for assessing portfolio performance. SSA released an updated version of its Capital Planning and Investment Control (CPIC) Guidance in May 2012. This guidance included a comprehensive portfolio management process. The guide outlines both policies and procedures used for portfolio-level performance evaluations, as well as criteria for assessing portfolio performance. Comprehensive performance data development, collection, and review processes are outlined in the guidance for continuous review as part of the agency's CPIC process. These metrics and related procedures are applied to investments and carried up to support portfolio health assessments, and include cost benefit analyses, returns on investments, and benefit value scores; risk identification and assessment techniques; and criticality and urgency assessments. On a quarterly basis, the collection, review, and reporting on a project's health occurs with consideration given to performance indicators such as design, scope, schedule, risk, functionality, and acceptance. Portfolio executives meet with DCS Associate Commissioners supporting the portfolio to review and address any health issues. The results of the health collection process are stored on health dashboards. In addition, program managers document quarterly project accomplishments and any issues or risks. The SITAR Board's charter states that a main purpose of the board is to achieve the goals of the Agency Strategic Plan and meet the business needs of the agency; the Board is to meet quarterly. The Board also reviews verified data on IT investments' actual performance against stated expectations.
Social Security Administration To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to evaluate quantitative measures during postimplementation reviews, and lessons learned for improving select, control, and evaluate processes.
Closed – Not Implemented
In May 2012, SSA issued its Capital Planning and Investment Control (CPIC) guide that describes planned procedures for Post-Implementation Reviews (PIRs). SSA has also identified the planned quantitative measures for improving the select, control, and evaluate processes and the process for documenting lessons learned. The quantitative measures and criteria for the PIR process include performance expectations and actual outcomes, actual versus estimated or initial budget costs, benefits, improved technical capability, return on investment, assessment of how the IT investment aligns with the agency's mission, and actual versus estimated schedule and planned benefits. The guide also explains the planned composition of the PIR team and states that the PIR is to be conducted 6 to 18 months after the IT investment becomes operational and, that the results are to be reviewed by the CIO. The PIR process in the guide includes a requirement for the collection and tracking of best practices for use in other investment decisions and for improving the CPIC process. The PIR also includes contingencies for an investment's termination, including a lessons learned collection. Also, the SITAR Board's charter states that it will review the CIO's recommendations on the results of PIRs to further strengthen the process through the board's involvement. Notwithstanding the current guidance, according to SSA officials, the PIR process is still in the early planning phase and post-implementation reviews have yet to be implemented. Thus, the agency is not yet positioned to evaluate quantitative measures or assess lessons learned from such reviews.
Social Security Administration To strengthen SSA's investment management capability and address weaknesses and to ensure senior management involvement and full accountability for the agency's investments, the Commissioner of Social Security should direct the Chief Information Officer to develop and implement policies and procedures to manage IT acquisitions as investments and manage them using the investment management framework.
Closed – Not Implemented
SSA's May 2012 Capital Planning and Investment Control (CPIC) guide addresses IT acquisitions, including hardware, software, and services--referred to as special expense items. In addition, the Deputy Commissioner for Systems/CIO, who chairs SSA's Strategic Information Technology Assessment and Review (SITAR) Board, is responsible for approving these items. However, these items are not approved through the SITAR pre-select, select, control, and evaluate processes. Further, IT acquisitions are not mentioned in the SITAR Board charter. As we reported in 2008, until the agency manages acquisitions within its IT Investment Management framework, it will be unable to consider its investments comprehensively, and ensure that the investments optimally address the organization's mission, strategic goals, and objectives.

Full Report

GAO Contacts

Topics

Agency missionsBest practicesCost analysisCost controlCost effectiveness analysisEvaluation criteriaFederal procurementFederal social security programsFinancial managementFunds managementFuture budget projectionsInformation technologyInternal controlsInvestment planningInvestmentsIT acquisitionsIT investment managementMission critical systemsMonitoringProgram evaluationRisk managementStrategic planningPolicies and procedures