Skip to main content

Information Technology: SSA Needs to Address Limitations in Management Controls and Human Capital Planning to Support Modernization Efforts

GAO-14-308 Published: May 08, 2014. Publicly Released: May 08, 2014.
Jump To:
Skip to Highlights

Highlights

What GAO Found

The Social Security Administration’s (SSA) selected information technology (IT) projects did not fully adhere to management controls called for by its IT project management guidance, which are essential to effectively oversee and monitor IT investments. Such controls include, among others, a cost-benefit analysis, risk mitigation plan, and project schedule. For the five projects selected, SSA developed the majority of the documents required to demonstrate adherence to management controls; however, most had limitations. One project that was required to complete 11 control documents had developed 5 without limitations, but the remaining 6 had limitations. For example, while certain risks to the project were identified, the documentation did not include risk mitigation plans, which are essential for avoiding, reducing, and controlling the probability of the occurrence of identified risks. Across the five projects, the most common limitations included a lack of traceability (which is needed to track project history and demonstrate that requirements are met) and inaccurate or incomplete information, such as project schedules that had inaccuracies in key milestone dates. The limitations could be attributed to, among other things, IT oversight systems that did not include all needed data or fully support traceability, and a quality assurance process that was not effectively implemented. The agency recently took steps that should help improve its quality assurance process.

Further, while SSA stated that its projects have resulted in improved services, it was not able to demonstrate this. In particular, while three of the five projects identified performance measures, these measures generally were not specific enough to determine projects’ contributions to improved services, and baselines against which to measure improvement were not established. Ensuring that management controls are consistently and effectively implemented would help ensure the efficient use of agency resources.

SSA’s IT human capital program has identified skills and competencies to support certain workforce needs, but lacks adequate planning for the future. The agency has developed IT human capital planning documents, such as its recent Information Resources Management plan and skills inventory gap reports, which identified near-term needs, such as skill sets for the following 2 years. Nevertheless, SSA has not adequately planned for longer-term needs because its human capital planning and analysis are not aligned with long-term goals and objectives and the agency does not have a current succession plan for its IT efforts. The agency has recognized challenges with regard to employee retirements and a recent hiring freeze, which have put constraints on resources for certain investments. While SSA officials stated that an updated human capital operating plan will be completed in June 2014, they could not specify how it would address future IT human capital needs. Until these needs are identified, SSA may lack critical plans for addressing IT resources and skills to support agency-wide IT investment goals.

Why GAO Did This Study

SSA relies on IT for delivering Social Security services to virtually every American. The agency reportedly spent about $1.5 billion for IT in fiscal year 2013, and it plans to continue modernizing its aging systems. Management controls and human capital are critical in helping ensure effective and efficient IT project implementation.

GAO was asked to examine SSA's IT modernization efforts. The study (1) assessed selected IT investments to determine the extent to which they adhere to SSA's investment management controls and are improving services and (2) determined how SSA's IT human capital program, including the identification and implementation of critical skills and competencies, is supporting its current and future modernization efforts. To do so, GAO reviewed key management controls for one project from each of five SSA-defined project types, including one project with the highest resources for its type and four randomly selected projects; compared human capital planning documents with relevant guidance; and interviewed relevant SSA officials.

Recommendations

GAO is recommending that SSA (1) perform effective oversight to ensure control documents are developed, complete, and accurate and that oversight systems include needed data and support traceability; (2) ensure project control documents identify specific performance measures and baselines; and (3) identify long-term IT needs in its updated human capital operating plan. SSA agreed with GAO's recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Social Security Administration To address SSA's project management and human capital deficiencies for its IT modernization efforts, the Commissioner of Social Security should direct the Deputy Commissioner for Systems/Chief Information Officer to perform effective oversight to ensure that key management control documents for ongoing and future projects are developed, complete, accurate, and readily accessible in oversight systems to better support management, traceability, and project analysis of IT investments.
Closed – Implemented
In September 2016, we confirmed that SSA had taken steps that addressed the intent of our recommendation. For example, SSA established a requirement that all systems development projects approved by the investment review board (the Strategic Information Technology Assessment and Review board) undergo a quality assurance review. The purpose of this review is to determine if control documents are developed, readily available, and meet SSA processes and procedures. Further, in August 2016, SSA provided us three examples of quality assurance review results. One review was for the mandatory multifactor authentication system. The review evaluated control documents such as the business process description and the project schedule; it also documented system risks. At the conclusion of the review, non-compliance issues and opportunities for improvement were documented. If issues were identified, the project team was required to document a corrective action plan and expected implementation date within five business days. As a result of the agency's action, SSA is better positioned to effectively manage and execute projects based on defined and documented project details such as objectives, scope of work, schedules, costs, and requirements.
Social Security Administration To address SSA's project management and human capital deficiencies for its IT modernization efforts, the Commissioner of Social Security should direct the Deputy Commissioner for Systems/Chief Information Officer to assess control documents supporting the selection of investments, such as IT proposals, to ensure that they fully identify specific performance measures and baselines to gauge project success.
Closed – Implemented
In August 2016, we confirmed that the Social Security Administration's (SSA) capital planning and investment control process requires post-implementation reviews to assess whether IT investments meet performance measures and project baselines to gauge project success. The purpose of these reviews is to help determine whether an IT investment has achieved expected benefits, costs, schedules, performance and mission objectives, and a favorable level of stakeholder and user satisfaction. During the reviews, actual costs, benefits, schedules, and risks are compared to the original project estimates to assess the investment's performance and identify areas for improvement. For example, in June 2016, SSA conducted a post-implementation review of the mySSA 1099 system. The results included an analysis of how each identified business assumption was either satisfied or not satisfied with the implementation of the system, as well as a comparison of planned and actual costs and benefits and reasons for the variance, among other things.
Social Security Administration To address SSA's project management and human capital deficiencies for its IT modernization efforts, the Commissioner of Social Security should direct the Deputy Commissioner for Systems/Chief Information Officer to identify future IT needs, including skills needed to support long-term goals and priorities, in the agency's updated human capital operating plan and associated analysis.
Closed – Implemented
SSA conducted a skills gap analysis in fiscal year 2014 that identified several information technology (IT) skills and abilities that would be needed for fiscal years 2015 and 2016. The agency then discussed these future needs in its fiscal year 2016 IT addendum to the Human Capital Operating Plan. For example, SSA included analysis and design for agile development as a future need with one of the largest gaps. As a result of these actions, SSA is better positioned to make staffing decisions that will enable it to execute its long-range goals and objectives. SSA identified future IT needs in its fiscal year 2016 IT addendum to the Human Capital Operating Plan. For example, SSA conducted a skills gap analysis in fiscal year 2014 that identified several skills and abilities that would be needed for fiscal years 2015 and 2016. Specifically, SSA included analysis and design for agile development as a future need with one of the largest gaps. As a result, SSA is better positioned to make staffing decisions that will enable it to execute its long-range goals and objectives.

Full Report

GAO Contacts

Valerie C. Melvin
Managing Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Cost analysisHuman capital planningInformation technologyIT human capitalInternal controlsIT investment managementRisk managementTechnology modernization programsIT investmentsProject management