This is the accessible text file for GAO report number GAO-11-194 entitled 'Department of Education: Improved Oversight and Controls Could Help Education Better Respond to Evolving Priorities' which was released on February 10, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to the Ranking Member, Committee on Education and the Workforce, House of Representatives: February 2011: Department of Education: Improved Oversight and Controls Could Help Education Better Respond to Evolving Priorities: GAO-11-194: GAO Highlights: Highlights of GAO-11-194, a report to the Ranking Member, Committee on Education and the Workforce, House of Representatives. Why GAO Did This Study: The U.S. Department of Education (Education) manages one of the largest discretionary appropriations of any federal agency, and plays a key role in supporting efforts to meet the nation’s education goals. While Education managed a discretionary appropriation of over $160 billion in fiscal year 2009 and was responsible for administering about 200 grant programs, it has the smallest workforce of any cabinet agency. As requested, this report examines (1) the key high-level management challenges facing Education, (2) Education’s strategic management of its workforce, (3) Education’s design of internal controls to help ensure accountability over contracts and student aid grants, and (4) Education’s information technology (IT) management controls. To do this, GAO reviewed relevant Education documents and interviewed Education program and management officials about strategic workforce management, IT, contracts, and Pell Grants. What GAO Found: Education faces challenges in managing expanded responsibilities and evolving program priorities. In recent years Education has faced a large increase in the amount of grant funding and programs that it is responsible for managing. Education’s annual budget increased by nearly 36 percent in real terms between fiscal years 2000 and 2008, and Congress authorized additional funds under the American Recovery and Reinvestment Act of 2009 (Recovery Act). Education will be further challenged to administer additional competitive programs under the Recovery Act, and current legislative proposals may shift additional programs to competitive award processes. This new emphasis on competitive programs may change job requirements for grants managers and increase demands on staff to monitor these programs. Education has improved its strategic workforce planning and performance management systems, but lacks workload data and sufficient oversight of performance standards and appraisals. Education has addressed many key elements of effective strategic workforce planning identified by GAO. However, a lack of reliable data on workload has limited the ability of the agency to accurately estimate resource needs and inform workforce planning efforts. Education has recently made improvements to its performance management system, but the system lacks sufficient oversight to ensure that performance standards and appraisals are consistent across the department. Education has developed overall guidance directed at maintaining financial accountability over two of its challenging resource management areas—contract monitoring and Pell Grants. However, Education has not yet developed and implemented detailed procedures for all control activities essential to ensuring that its contract monitoring policy directives are effectively carried out, including conducting supervisory reviews and documenting contract monitoring activity. Such deficiencies impair Education’s ability to maintain effective financial accountability over its significant contract resource investment. GAO’s review of internal controls over its Pell Grants program did not identify any flaws in their overall design. Education has developed key IT management controls, but still faces challenges with planning and investment management. Education has developed an information resources management strategic plan as required, but did so prior to the development of an updated department strategic plan, and without incorporating the IT goals from other key planning documents. In addition, Education has established controls to evaluate its IT investments, but has not conducted postimplementation reviews as required. Education has taken steps to improve IT security and privacy, but is still working to address a 2009 recommendation by the Education Office of the Inspector General about implementing appropriate security controls. What GAO Recommends: GAO recommends that Education take steps to better estimate workloads; strengthen safeguards over its performance management system; properly implement established contract monitoring guidelines; and improve its management controls over IT resources. Education generally agreed with our recommendations. View [hyperlink, http://www.gao.gov/products/GAO-11-194] or key components. For more information, contact George A. Scott at (202) 512- 7215 or scottg@gao.gov. [End of section] Contents: Letter: Background: Education Faces Challenges in Managing Added Responsibilities and Shifting Program Priorities: Education Has Implemented Workforce Management Initiatives but Lacks Workload Data and Sufficient Performance Management Oversight: Education Has Policies over Contract Monitoring and Pell Grants, but FSA's Contract Monitoring Procedures Are Insufficient: Education Has Established Important Information Technology Management Controls, but Planning And Investment Management Challenges Remain: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Summary of Changes to Education's Performance Management System, Implemented in 2010: Appendix III: Education IT Governance Structure: Appendix IV: Comments from the Department of Education: Appendix V: GAO Contact and Staff Acknowledgments: Tables: Table 1: Key Principles for Effective Strategic Workforce Planning and Key Education Efforts, Fiscal Years 2001 through 2010: Table 2: Key Pell Grant Program Financial Accountability Controls: Figures: Figure 1: Organizational Structure of Education Offices Included in GAO Review: Figure 2: Education Grants Awarded and Staffing Levels, Fiscal Years 2000 through 2010: Figure 3: Education Department Offices Included in Our Review of Strategic Workforce Planning and Employee Performance Management: Figure 4: Education Department Offices Related to Our Review of Information Technology Controls and Management, Fiscal Year 2010: Figure 5: Education IT Governance Process: Abbreviations: EDPAS: Education Department Performance Appraisal System: Education: Department of Education: FISMA: Federal Information Security Management Act: FSA: Federal Student Aid: IRM: Information Resources Management: IT: information technology: OCIO: Office of the Chief Information Officer: OIG: Office of Inspector General: OPM: Office of Personnel Management: OMB: Office of Management and Budget: PAAT: Performance Assessment and Accountability Tool: REACH: Results Achieved: Recovery Act: American Recovery and Reinvestment Act of 2009: [End of section] United States Government Accountability Office: Washington, DC 20548: February 10, 2011: The Honorable George Miller: Ranking Member: Committee on Education and the Workforce: House of Representatives: Dear Mr. Miller: The U.S. Department of Education (Education) is responsible for managing one of the largest discretionary appropriations of any federal agency and plays a key role in kindergarten through grade 12 (K-12) and postsecondary education by supporting and funding efforts to improve student achievement and ensure equal access.[Footnote 1] During fiscal year 2009, Education managed a discretionary appropriation in excess of $160 billion--an increase of approximately 170 percent over the previous fiscal year, primarily due to $98.2 billion in additional funding provided by the American Recovery and Reinvestment Act of 2009 (Recovery Act).[Footnote 2] Education administers about 200 programs that award grants for K-12 and higher education to grantees that include states, school districts, and institutions of higher education. Education is also responsible for administering student financial aid for more than 14 million postsecondary students through loans, grants, and other assistance, including Pell Grants, which are grants to low-income students to promote access to higher education. Despite a large discretionary budget relative to most federal agencies, Education has the smallest workforce of any cabinet-level agency. In fiscal year 2010, Education had approximately 4,200 employees in headquarters and field offices, and the number has decreased over the past decade. The department has over 20 offices, including those responsible for programs and research (program offices) and for management and business operations (management offices) to support program activities. Given the increasing amount of federal funding it is responsible for administering and its decreasing staff resources, Education must rely on effective management of resources, including human capital, grants and contracts, and information technology (IT), to accomplish its diverse goals. In prior reports, GAO and Education's Office of Inspector General (OIG) have identified issues with Education's management of these resources. In response to your request, we addressed the following questions: (1) What key, high-level management challenges does Education face? (2) To what extent does Education have human capital strategic planning and management strategies to meet its workforce needs? (3) To what extent has Education designed internal controls to help ensure accountability over contracts and student aid grants? (4) To what extent has Education established management controls needed to oversee, manage, and modernize its IT to support its mission? To identify key, high-level management challenges faced by Education, we reviewed Education's historical budget and staffing information, the department's budget request and program proposals, and previous relevant OIG and GAO reports. We interviewed officials at Education, the federal Office of Personnel Management (OPM) and Office of Management and Budget (OMB), and former high-ranking Education managers. We also reviewed grant award and student loan data. We assessed the reliability of Education data by interviewing agency officials knowledgeable about the data and determined that the data were sufficiently reliable for the purposes of this report. For human capital strategic planning and performance management, we reviewed Education documents that included the Human Capital Management plan, performance management policies, and sample performance expectations. We interviewed Education officials responsible for overall management of the department, officials from five selected Education program offices,[Footnote 3] former Education officials, and a senior official from Education's labor union. To determine whether the design of Education's internal controls was adequate to help ensure accountability over contracts and student aid grants, we focused our review on key internal control activities at Education's Office of Federal Student Aid (FSA) because it administers student aid grants and incurred approximately 58 percent of Education's contract obligations in fiscal year 2009.[Footnote 4] For contracts, we focused our review on the design of controls over contract monitoring because it has been a long-standing management challenge for the department. To examine the design of controls over contract monitoring processes, we assessed related policies and procedures using governmentwide internal controls standards, interviewed officials in FSA, and reviewed a nongeneralizable sample of 28 contracts[Footnote 5] and two interagency acquisitions[Footnote 6] from fiscal year 2009. To review the design of controls for student aid grants, we focused on Pell Grants because this program accounted for over 91 percent of all student aid grant disbursements in fiscal year 2009 and because this program was not covered in a recent GAO study that examined internal controls for other Education grants.[Footnote 7] To obtain an understanding of the design of controls over Pell Grants, we analyzed FSA's policies and procedures using GAO's Standards for Internal Controls in the Federal Government.[Footnote 8] We also reviewed Education's and FSA's assessment of their internal controls under the requirements of OMB Circular No. A-123. To assess IT management, we reviewed Education's IT strategic plans, investment controls, and information security and privacy plans, and interviewed officials responsible for IT functions in seven management and program offices.[Footnote 9] We also selected and assessed 12 investments, representing about 73 percent of the department's total IT budget, to determine the extent to which Education has established management controls needed to oversee, manage, and modernize its IT to support its mission.[Footnote 10] We interviewed officials in Education's Office of the Chief Information Officer (OCIO), Education's OIG, and Office of Management responsible for IT security and privacy programs. We also reviewed relevant federal laws and regulations. Appendix I provides a detailed description of our scope and methodology. We conducted this performance audit from October 2009 to February 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: The Department of Education was established in 1980 and designated by the President as a cabinet-level agency to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring access to equal educational opportunity. [Footnote 11] In 2009, the department reported that its elementary and secondary programs provided funding to more than 14,000 school districts serving approximately 56 million students attending some 97,000 public schools and 28,000 private schools. As part of this effort, Education provides funds to support the education of low- income students, students with disabilities, and others, and oversees certain education-related civil rights issues. Department programs also provide assistance to postsecondary students, and financial and other supports to postsecondary institutions. Education's program offices--such as the Office of Elementary and Secondary Education and the Office of Postsecondary Education-- administer grants to entities that provide education or education- related services to students. Management offices--such as the Chief Financial Officer--provide technical assistance and guidance to the program offices, and have overall responsibility for managing key support functions at Education. For example, the Office of Management has primary responsibility for human capital management at Education. The organizational structure of Education offices included in our review is shown in figure 1. Figure 1: Organizational Structure of Education Offices Included in GAO Review: [Refer to PDF for image: illustration] Management offices: * Budget Service: * Chief Financial Officer: * Communications and Outreach: * Inspector General: * Office of Management: Management Offices: Provides technical assistance, guidance, and oversight to Program offices. Program Offices: * Civil Rights: * Elementary and Secondary Education: * Federal Student Aid: * Institute of Education Sciences: * Postsecondary Education: * Special Education and Rehabilitative Services: * White House Initiatives: Program Offices: Reports staffing, resource,and policy information to Management Offices. Program Offices: Administer Education programs. Source: GAO analysis of Education documents. [End of figure] Different offices have responsibility for human capital management, financial management, and information technology. A description of how each of these support functions is managed at Education is below. Human Capital Management: The Office of Management has primary responsibility for Education's human capital management and is composed of six organizations, such as Human Capital and Client Services, and Security Services. The Office of Management's human capital responsibilities include strategic workforce planning, which is the systematic assessment of current and future workforce needs and implementation of strategies to fill gaps in staff and skills, and performance management for Education staff. The Office of Management coordinates with other management and program offices that also play important roles in human capital management. For example, the Office of Management provides advice and guidance to program offices on regulatory and policy requirements regarding the performance management system. Financial Management: Education's Chief Financial Officer is charged with overall responsibility for developing and implementing sound financial management policies, procedures, systems, and program controls throughout Education. Education's Chief Financial Officer's responsibilities include leading Education's implementation of key governmentwide financial management reform legislation, including the Chief Financial Officers Act of 1990[Footnote 12] and the Federal Managers' Financial Integrity Act of 1982[Footnote 13] (along with OMB's implementing guidance in Circular No. A-123). Specifically, in accordance with this and other legislation, Education's Chief Financial Officer is responsible for preparing and submitting Education's overall financial statements for annual audit and for directing the establishment of systems and controls necessary to provide financial accountability over Education's programs and resources. Since fiscal year 2002, Education has consistently received unqualified audit opinions on its financial statements. However, in its 2009 report on the department's management challenges, Education's OIG also noted that Education faced challenges in effectively managing key resources, such as in the areas of student aid grants and contract monitoring.[Footnote 14] Led by its Chief Operating Officer, FSA manages and administers student financial aid programs authorized under Title IV of the Higher Education Act of 1965, as amended.[Footnote 15] FSA contracts with a range of service providers for operational needs, such as managing FSA systems for processing student aid applications, disbursing student aid, and servicing student loans. In fiscal year 2009, FSA reported obligating over $870 million under contracts, or approximately 58 percent of Education's total contract obligations.[Footnote 16] FSA is required to follow requirements set forth in applicable procurement laws, in the Federal Acquisition Regulation,[Footnote 17] and in Education's directives and policies and procedures, but also has the authority to create its own policies and procedures. FSA's contract management staff includes contracting officers, contract specialists, and contracting officers' representatives. According to Education's Departmental Directive--OCFO 02-108, Contract Monitoring for Program Officials--the contracting officer is responsible for the overall monitoring and administration of contracts, including ensuring both parties perform under applicable contract terms and conditions. [Footnote 18] To assist in monitoring activities, such as assessing a contractor's compliance with contract requirements, a contracting officer may appoint, in writing, a contracting officer's representative. Contracting officers' representatives report to applicable program offices and assist with technical oversight and administration of a specific contract. For example, according to the Departmental Directive, contracting officers' representatives should monitor individual contracts to ensure technical performance of a contractor and should review and make timely recommendations to the contracting officer on actions related to payment requests (invoices), deliverables (goods or services provided by contractor), and status reports. FSA's responsibilities include program administration and monitoring of Pell Grants. For the 2009-2010 award year, FSA reported disbursing $29 billion in Pell Grants to approximately 8 million students, with an average award of $3,591.[Footnote 19] Pell Grant amounts to students vary based on student and family expected contribution, cost of attendance, and enrollment status (full-time or part-time). Pell Grants are awarded to students through nearly 5,400 participating schools. Information Technology Management: Education has established three primary IT goals: * ensuring that IT investments support the department's mission objectives; * sharing technology services, in addition to providing basic infrastructure services; and: * ensuring the effectiveness of IT governance, information processing, and technology utilization. The OCIO has primary responsibility for ensuring that Education's IT is acquired and managed consistent with requirements and priorities, providing management advice and assistance on investments and operations, and providing services to effectively manage information. The office focuses on the deployment, operation, and maintenance of the department's technical infrastructure. Education's fiscal year 2010 budget for IT was approximately $814 million, with $53 million for development and modernization and $762 million for maintenance. This included 210 investments, with 26 of those classified as major investments.[Footnote 20] From fiscal years 2006 through 2009, Education reported spending over $2.2 billion on IT investments, comprised of approximately $231 million for development and modernization and approximately $2 billion for maintenance. Education Faces Challenges in Managing Added Responsibilities and Shifting Program Priorities: In recent years, Education has faced expanded responsibilities that have challenged the department to strategically allocate resources to balance new duties with ongoing ones. The nearly $100 billion in additional funding appropriated under the Recovery Act added significantly to Education's responsibilities temporarily,[Footnote 21] but increases in program funds it administers and program activities have occurred for a decade, reflecting a longer-term trend of increasing responsibilities. Prior to the Recovery Act, from fiscal years 2000 through 2008, Education's annual budget increased by nearly 36 percent in real terms, from approximately $44 billion to $60 billion in 2008 dollars.[Footnote 22] Further, the number of grants it awarded increased from about 14,000 in 2000 to about 21,000 just 2 years later and has since remained around 18,000,[Footnote 23] even as the number of full-time equivalent staff decreased by 13 percent from fiscal years 2000 to 2009. In addition, FSA became the sole lender for all new federal student loans as of July 2010. This new responsibility is projected by Education to increase the Direct Loan portfolio that Education originates and services by approximately 127 percent between the end of FY 2009 and FY 2011.[Footnote 24] The changes in Education's responsibilities and staffing are shown in figure 2. Figure 2: Education Grants Awarded and Staffing Levels, Fiscal Years 2000 through 2010: [Refer to PDF for image: two vertical bar graphs; data combined below] Fiscal year: 2000; Number of grants awarded[A]: 14,100; Staffing: 4,600. Fiscal year: 2001; Number of grants awarded[A]: 16,600; Staffing: 4,600. Fiscal year: 2002; Number of grants awarded[A]: 20,800; Staffing: 4,500. Fiscal year: 2003; Number of grants awarded[A]: 20,200; Staffing: 4,500. Fiscal year: 2004; Number of grants awarded[A]: 18,900; Staffing: 4,400. Fiscal year: 2005; Number of grants awarded[A]: 18,800; Staffing: 4,300. Fiscal year: 2006; Number of grants awarded[A]: 17,100; Staffing: 4,200. Fiscal year: 2007; Number of grants awarded[A]: 16,900; Staffing: 4,100. Fiscal year: 2008; Number of grants awarded[A]: 17,900; Staffing: 4,100. Fiscal year: 2009; Number of grants awarded[A]: 19,100; Staffing: 4,000. Fiscal year: 2010; Number of grants awarded[A]: 18,200; Staffing: 4,200. Source: Education data from the Grant Administration and Payment System and the Federal Personnel Payroll System. [A] The number of grants awarded excludes Pell Grants. [End of figure] Legislative changes have further affected workloads in some Education offices. For example, primarily due to the large but temporary increase in Education funding under the Recovery Act, the Office of Elementary and Secondary Education was responsible for managing approximately $45 billion in additional grant funding and over 700 more grants in fiscal year 2009 compared to 2008. In addition, according to Education officials, the reauthorization of the Higher Education Act of 1965 in August 2008[Footnote 25] and enactment of the Consolidated Appropriations Act, 2010 in December 2009[Footnote 26] added four new programs in the Office of Postsecondary Education for fiscal year 2009, resulting in nearly 103 new grant applications for review and 66 new grant awards to monitor. New programs and changes to existing programs often increased Education's workload, requiring staff to develop new guidance and provide technical assistance to program participants. To meet these new legislative requirements, Education officials told us they reassigned staff but expressed concerns that ongoing responsibilities and longer-term department goals may suffer as a result. Previously, we reported that Education officials said some efforts related to the Recovery Act, such as issuing written guidance, had strained staff capacity,[Footnote 27] and officials in the Offices of Elementary and Secondary Education and Postsecondary Education described reassigning staff from longer-term efforts to meet immediate needs associated with new programs. For example, a Postsecondary Education manager told us that staff were reassigned from strategic planning to grant management. These increased responsibilities also increase risk in managing grants and contracts, identified as long-standing weaknesses in our previous work[Footnote 28] and by Education's OIG.[Footnote 29] For example, we previously reported that Education was unable to perform necessary grant follow-up and monitoring and recommended that Education improve its oversight of risk management, increase financial expertise among its grant monitoring staff, and develop an accessible mechanism to share information. In addition, Education increasingly relies on contractors, many of them for IT services, to fulfill its responsibilities.[Footnote 30] In fiscal year 2010, Education had nearly $1.8 billion in contract obligations, which is about a 22 percent increase over the fiscal year 2009 level. Education is taking steps to improve grant and contract monitoring, but has cited limited resources and staff expertise as impediments to addressing recommendations from GAO and OIG reports. Shifting program priorities also would demand different skills of employees. In the Recovery Act, Congress authorized two new competitive grant programs for K-12 schools, including the $4.35 billion Race to the Top Fund, through which grants are awarded to individual states based on selection criteria such as how well proposals address education reform. Education has proposed further transitions from formula grant programs--which calculate grant amounts based on factors identified by law, such as high concentrations of students from families living in poverty--to competitive grant programs in which states or other entities compete against each other for limited funds awarded on the merits of their proposals.[Footnote 31] Competitive grants may change job requirements for grants managers and increase demands on staff for reviewing applications and monitoring grantees. According to Education and OMB officials, administering competitive grants requires analytical skills and greater program expertise of staff, who must evaluate applications and select a limited number of recipients as opposed to granting awards on a formula set by law. For example, the Race to the Top Fund required staff to develop guidance on selection criteria and provide technical assistance on reporting requirements. Education managers told us that competitive grant programs will require the department to hire staff with appropriate skills and train existing staff. Education Has Implemented Workforce Management Initiatives but Lacks Workload Data and Sufficient Performance Management Oversight: Education has implemented many new workforce management initiatives, but it lacks critical data on employee workloads to guide its strategic planning and does not provide sufficient oversight of its process for managing individual employee performance to ensure consistency across the department. Strategic workforce planning and employee performance management are important because Education's staff has decreased even as department responsibilities have grown. We evaluated Education's strategic workforce planning and performance management practices and procedures, as well as their implementation in five program offices: the Office for Civil Rights, the Office of Elementary and Secondary Education, the Office of Postsecondary Education, the Office of Special Education and Rehabilitative Services, and the White House Initiative on Educational Excellence for Hispanic Americans. The organizational structure of the offices included in our review is shown in figure 3. Figure 3: Education Department Offices Included in Our Review of Strategic Workforce Planning and Employee Performance Management: [Refer to PDF for image: illustration] Management Offices: * Office of Management; * Budget Service. Management Offices: Provides technical assistance, guidance, and oversight to Program Offices. Program Offices: * Elementary and Secondary Education; * Postsecondary Education; * Special Education and Rehabilitative Services; * Civil Rights; * White House Initiative on Educational Excellence for Hispanic Americans. Program Offices: Reports staffing, resource,and policy information to Management Offices. Program Offices: Administer Education programs. Source: GAO analysis of Education documents. [End of figure] Education Has Implemented Strategic Workforce Planning but Lacks Reliable Workload Data to Better Meet Shifting Priorities: Education has developed and implemented initiatives that address many of our key principles for effective strategic workforce planning, [Footnote 32] including identifying workforce needs and developing ways to attract and train staff to meet those needs across the department. Education has worked to involve staff and top management in planning, and its Office of Management has taken a lead role. In fiscal year 2009, Education began quarterly workforce meetings led by senior managers[Footnote 33] to increase communication with program offices on human capital challenges and workforce needs, as well as to increase program office accountability for strategic workforce planning. Managers told us the reviews have spurred planning efforts within some program offices, and focused attention on hiring, succession planning, and organizational restructuring to help meet workforce needs. Education also established a human capital policy group in 2010 to advise senior leadership on strategies and to foster collaboration across the department. Education management has identified core competencies for its mission- critical occupations and begun to develop strategies to address gaps in employee skills, a key principle of effective strategic workforce planning.[Footnote 34] Since fiscal year 2003, Education identified competencies for its 14 mission-critical occupations, such as vocational rehabilitation specialist, management/program analyst, and financial management specialist/accountant/auditor, and assessed the skills of over 1,400 employees in these occupations. Education also used the results of a skills-gap analysis to develop targeted training. For example, in 2009, within three mission-critical occupations, Education identified large gaps in written and oral communications and in project and time management, and used this information to determine that these skill gaps should be closed through hiring and training. Education offered training courses in grants monitoring, technical writing, and presentation skills to help close gaps identified in 2009 and reported that it met its goal of closing at least 50 percent of the gaps in these competencies by September 30, 2010. Education is also engaged in succession planning and recruitment efforts intended to develop a pipeline of high-quality and diverse candidates. Education anticipates 35 percent of its permanent workforce will be eligible to retire by fiscal year 2012. In fiscal year 2008, Education created a departmentwide leadership succession plan and created additional incentives for prospective employees. In 2010, it launched a 9 month training and development program for new managers. We have previously reported that successful organizations use strategic workforce planning to identify current needs and anticipate human capital issues, such as changes in mission-critical skills that could jeopardize organization goals.[Footnote 35] More information about Education's strategic workforce planning efforts is shown in table 1. Table 1: Key Principles for Effective Strategic Workforce Planning and Key Education Efforts, Fiscal Years 2001 through 2010: Key principle: Involve top management, employees, and other stakeholders in developing, communicating, and implementing strategic workforce plan; Key Department of Education efforts: Quarterly Workforce Review-- Education's top-level management across the agency hold quarterly meetings in order to increase coordination and communication across program offices, increase offices' accountability for strategic workforce planning, and align human capital needs with the budget; Fiscal year implemented: 2009. Key principle: Involve top management, employees, and other stakeholders in developing, communicating, and implementing strategic workforce plan; Key Department of Education efforts: Human Capital Policy Group--This high-level management advisory group was created to assist senior leadership in setting human capital strategies for Education's employees, foster collaboration across organizational boundaries, and facilitate a coordinated corporate approach; Fiscal year implemented: 2010. Key principle: Determine critical skills and competencies needed to achieve current and future programmatic results; Key Department of Education efforts: Updated Mission-Critical Occupations--Identified 11 mission-critical occupations for the department and 3 governmentwide; identified general and technical competencies (e.g., reading a financial statement) for each occupation using focus groups; updated these occupations in 2009 to include grants management specialist; Fiscal year implemented: 2009. Key principle: Determine critical skills and competencies needed to achieve current and future programmatic results; Key Department of Education efforts: Mission-Critical Occupation Competency Model--Established descriptions of skill levels for each competency in mission-critical occupations and guidance for supervisors on proficiency targets for each; Fiscal year implemented: 2003. Key principle: Develop strategies tailored to address gaps in number, deployment, and alignment of workforce to enable and sustain critical skills and competencies; Key Department of Education efforts: Leadership Succession Plan-- Prepared for planned and unplanned attrition, loss of institutional knowledge, and leadership transitions; Fiscal year implemented: 2006-2007; updated in 2008-2009, revision expected in March 2011; * Leadership Succession Review Pilot Program--Designed to build a talent pool for leadership continuity, develop potential successors, identify best candidates for positions and promotion, and to strategically direct resources for talent development to yield greater return on investment in each program office; Fiscal year implemented: 2010; * Pathways to Leadership Program--Designed to develop leadership pipeline for mid-level employees who aspire to supervising, managing, and leading others; Fiscal year implemented: 2009; * Transition to Supervisor Training--Created new 9 month program that develops new supervisors, team leaders, and managers; Fiscal year implemented: 2010. Key principle: Develop strategies tailored to address gaps in number, deployment, and alignment of workforce to enable and sustain critical skills and competencies; Key Department of Education efforts: Talent Enhancement Program-- Created new career development and mentoring programs and leadership succession strategy so employees can gain experience in other offices and programs; Fiscal year implemented: In development. Key principle: Build capacity needed to address administrative, educational, and other requirements to support workforce planning strategies; Key Department of Education efforts: Hiring Plan & Corporate Recruitment Strategy--Human resource specialists consulted with hiring officials on recruitment options and incentives available to attract best-qualified candidates, including hiring incentives, retention allowance, student loan repayment, tuition reimbursement, and others; Fiscal year implemented: 2009. Key principle: Monitor and evaluate progress toward human capital goals and contribution of those results to achieving programmatic results; Key Department of Education efforts: Human Capital Management Plan-- Requires an annual tactical roadmap that provides a framework to monitor and evaluate results of Human Capital Management Plan which are reported in the Human Capital Management Report; Fiscal year implemented: 2008. Key principle: Monitor and evaluate progress toward human capital goals and contribution of those results to achieving programmatic results; Key Department of Education efforts: Mission Critical Occupations Gap Analysis & Leadership Competency Gap Analysis Report--Summarized results of 2009 Mission Critical Occupations Competency Assessment and Leadership Competency Assessment to identify the strengths and developmental needs of workforce; Fiscal year implemented: 2010. Source: GAO analysis of Education Documents. [End of table] Education has begun taking steps to use data about workloads for individuals and offices to allocate staff and estimate budget requests, but these efforts are in the early stages. Our work on strategic workforce planning states that staffing decisions should be based on valid and reliable data, and in prior reports, we found that workload data help decision makers determine how to allocate resources effectively, justify staffing requests, and streamline administrative processes to improve efficiency.[Footnote 36] Valid and reliable data are critical in helping agencies develop credible cost estimates so managers can evaluate affordability and performance relative to project plans and to support budget estimates. Managers in Education's Budget Service Office said they initiated a project in 2009 to analyze workload data and identify indicators that affect workload for grant programs across Education offices. The managers said this information will help them estimate workforce needs and improve budget projections, and may allow comparisons of workloads of employees with similar job titles and responsibilities in different Education offices so offices can better justify staffing requests. In addition, two program offices--the Office of Special Education and Rehabilitative Services and the Office of Elementary and Secondary Education--hired a contractor in September 2010 for an additional study of workload specific to their offices' unique needs to determine an optimal number and mix of full-time employees based on data about workload and current skills. Education managers told us that they plan to use the results of the workload study to inform the Budget Service analysis. The Budget Service Office has not established a timeline for completion or implementation of its analysis, and results of the workload study conducted by the two program offices are expected in late 2011. While the Budget Service Office plans to analyze workload data when new types of programs are initiated to determine staffing needs, Budget Service officials told us that using this data has been a challenge because Education's programs vary in terms of complexity. Education officials indicated that Education does not provide guidance to program offices about how to use this information to estimate workloads and incorporate workload data into workforce planning. Program offices typically estimate workforce needs using data such as retirement eligibility, the number of grants administered, and grant size, but program managers told us they lack a reliable method for estimating workforce needs based on key indicators that drive workload. For example, program offices do not systematically analyze the level of skill needed and the amount of work involved for key steps in the grant-making process such as providing technical assistance to grantees. As a result, program offices estimate workloads inconsistently and based on historical precedents and professional judgment. This has created challenges for the department, according to senior managers. For example, when staff members were shifted to the Office of Elementary and Secondary Education to administer newly added Recovery Act programs, there was no reliable way to estimate workload. Education managers said they relied on professional judgment to estimate how many staff members were needed and how it would affect other program offices. In addition, these managers told us a shift from formula to competitive grants will have a major impact on workload, but they do not currently have data necessary to estimate the impact on Education's workload in order to plan for such a shift. For example, managers told us that competitive grants require more staff time for making decisions about which applicants receive grants, but could not estimate how much more staff time. Education Has Taken Steps to Improve Management of Employee Performance but Lacks Sufficient Oversight to Ensure Consistency in Standards and Appraisals: In fall 2010, Education implemented a modified performance management system, Results Achieved (REACH), in order to improve employee satisfaction with the process and encourage feedback to employees on their performance throughout the year. Prior to the implementation of the new system, the 2008 Federal Human Capital Survey[Footnote 37] found 57 percent of Education employees said their appraisals were fair reflections of their performance, and approximately 53 percent reported understanding what they were expected to do to receive certain ratings. Education's results for these two questions were lower than the average for all federal agencies, which were 63.2 percent and 64.3 percent, respectively. Education's former performance management system--Education Department Performance Appraisal System (EDPAS)--did not require managers to provide ongoing feedback and coaching to employees except at the annual midpoint and year-end appraisal period. REACH emphasizes the need to provide feedback throughout the year. We previously reported that effective performance management systems provide candid and constructive feedback throughout the performance management process to help individuals maximize their contribution to and understanding of an agency's goals and objectives. [Footnote 38] Education's modified performance management system is also designed to improve the clarity of individual performance standards and better align them with organizational goals. Although Education had developed extensive requirements on the EDPAS system, REACH introduces a requirement for measurable, aligned, specific, realistic, and time- based performance standards that clearly define the performance necessary to accomplish ratings at the satisfactory level.[Footnote 39] Management officials told us supervisors struggled under the previous system with writing clear and measurable standards to distinguish achievements of individuals, making it difficult to justify ratings. We previously found that agencies should set standards that allow for distinctions in performance. In addition, REACH emphasizes alignment between individual standards and organizational goals. We previously reported that an explicit alignment of daily activities with broader results helps individuals see a connection between their work and organizational goals.[Footnote 40] For a summary of changes to Education's performance management system, see appendix II. In modifying its performance management system, Education sought input from employees and stakeholders through internal focus groups, and created a stakeholder input team to receive contributions from employees, program offices, and managers. Education made several changes based on employee feedback, such as shifting from a paper to electronic system. Education managers told us that the paper-based system was cumbersome. Senior managers also sought union input, and a union official told us senior managers solicited feedback on how the new system could be better implemented. While the REACH performance management system made many positive changes, Education retained its procedures for upper management review of performance standards and employee appraisals for employees at the satisfactory level or higher. The system requires a supervisor's review before employees' performance standards and appraisals are final. After the supervisor develops performance standards and appraisals, the approving official--the second-level supervisor--must sign off. Management also periodically reviews the distribution of appraisal scores within program offices. For example, managers told us they compare average appraisal scores in an office to an analysis of whether the office met its annual objectives. If, for example, the office met its objectives but staff received low appraisals relative to other offices, officials said this is an issue for senior managers to explain. In addition, Education periodically reviews its appraisal system, including a random sample of performance standards, using OPM's Performance Assessment and Accountability Tool (PAAT).[Footnote 41] An OPM official told us that Education's current performance management system meets regulatory requirements.[Footnote 42] Even with these efforts, Education does not have adequate safeguards to ensure consistency in performance standards and appraisals across the department. Education does not have a formal review process to determine whether standards and ratings for employees in one office are consistent with those of employees in other program or regional offices with similar job titles and responsibilities. Although Education requires review by a second-level supervisor, ratings of satisfactory or higher are not subject to higher-level review by someone with a departmentwide perspective. As a result, Education is unable to ensure that employees with the same job title and responsibilities are rated consistently. For example, one regional manager said that although they make an effort to ensure consistency in performance standards and appraisals within their office, there is no effort to ensure consistency with other regional offices and headquarters. Education managers said that several years ago, in an attempt to promote consistency, Office of Management officials reviewed and scored a sample of performance standards in each program office and found inconsistency among supervisors. However, these managers said that the Office of Management ended these reviews due to resistance from supervisors who had concerns that reviewers did not have adequate understanding of employees' work. We have previously reported that agencies should have safeguards to achieve consistency in a performance management system.[Footnote 43] At other agencies, we found this type of review applied as a part of performance management decisions in order to better ensure consistency. For example, several federal financial regulatory agencies provide agencywide reviews by offices outside an employee's work unit, such as the human capital office, for individual performance appraisals.[Footnote 44] Education Has Policies over Contract Monitoring and Pell Grants, but FSA's Contract Monitoring Procedures Are Insufficient: Education has policies that are designed to help ensure accountability over contract monitoring and Pell Grants, but FSA did not have sufficient procedures and guidance to implement Education's Departmental Directive on contract monitoring, which resulted in contract files that were missing key documentation and inconsistencies in how contract monitoring activities were documented. While contracting and grant programs are spread across Education offices, we focused our work on FSA because it obligated over $870 million under contracts or approximately 58 percent of Education's total contract obligations in fiscal year 2009 and is responsible for administering Pell Grants.[Footnote 45] FSA Procedures and Guidance are Insufficient to Implement Education's Contract Monitoring Directive: FSA has not fully developed detailed guidance or procedures to implement Education's Departmental Directive and other policies for contract monitoring, resulting in inconsistencies in how certain control activities were performed. Education has issued its Departmental Directive to manage its contract monitoring responsibilities. In addition, Education has also issued certain operating procedures for documenting past performance reports and for writing contract monitoring plans.[Footnote 46] However, as detailed below, our analysis of FSA's policies and procedures and our review of 28 FSA contract files[Footnote 47] and two FSA interagency acquisition files showed that FSA did not have (1) adequate guidance on how to document and file evidence of inspection of contracted goods and services; (2) clear guidance on how, when, and where monitoring activities and results should be documented and retained; and (3) quality control procedures to help ensure that contract file documentation and contractor's past performance reports were completed and documented in a timely manner. A 2007 report by Education's OIG also cited similar deficiencies related to two of our findings on improper communication of acceptance and rejection of deliverables and on instances of missing contracting officers' representatives appointment memoranda.[Footnote 48] GAO's Standards for Internal Control in the Federal Government provides that management should establish control mechanisms and activities, and monitor and evaluate these controls. Therefore, clear guidance and quality controls such as qualified and continuous supervision should be provided to ensure that internal control objectives are achieved. In addition, without clear guidance and quality control procedures, FSA may not be able to effectively and efficiently maintain financial accountability over its significant contract obligations. FSA could improve its guidance on how to document and file evidence of deliverables inspection. The Federal Acquisition Regulation requires that agencies prescribe procedures and instructions for the use, preparation, and distribution of material inspection and for receiving reports to evidence government inspection. According to FSA's procedures, inspections of contract deliverables are acknowledged in Education's Financial Management Support System by entering receipt information into the system. However, these procedures do not provide for obtaining and retaining documentation of activities related to inspection of deliverables performed by the contracting officer or the delegated contracting officers' representatives. In addition, these procedures do not provide for retaining a record when deliverables are recommended for rejection by the contracting officer's representative. [Footnote 49] Also, according to FSA Acquisition officials, the Financial Management Support System lacks adequate controls to ensure that only designated contracting officers' representatives knowledgeable about the specific contract enter the receipt in the system certifying the inspection and recommendation of acceptance of deliverables. Without adequate policies and procedures for documenting inspection of deliverables, FSA management may not be able to determine if the contracting officers confirmed whether deliverables were received or inspected for conformance with contract terms and conditions by the designated staff prior to accepting goods and services. Also, the lack of controls to ensure only designated representatives enter receipts in the Financial Management Support System increases the risk of improper payments of vendor's invoices. In addition, the lack of clear guidance on the information and documentation that should be maintained increases the risk that FSA may not be maintaining key documentation which could impede FSA's ability to hold contractors accountable as well as its ability to readily identify contractor performance issues. While we found that contracting officers and contracting officers' representatives were performing monitoring activities, FSA did not have clear guidance on how, when, and where contract monitoring activities and results should be documented in the contracting officer's representative's file and the official contract file. As a result, monitoring activities and results were inconsistently documented and it was difficult to readily obtain consistent insight into the status of contract monitoring activities. FSA's file management policy establishes a formal system for the maintenance and filing of official contract records, including documentation checklists that are organized by specific categories.[Footnote 50] For example, the policy states that section III of the contract file should be used for contract administration documentation, which includes monitoring activities such as periodic technical reports, inspection, acceptance and shipping reports, invoices, progress payments, and contract payment information. However, we found that this policy does not address where to file certain monitoring documentation such as contract monitoring plans, evaluations of technical reports, and documentation of site visits. Except for reviews of invoices, we could not find evidence of contract monitoring results in the 28 contract files we reviewed. Through interviews with contracting officers' representatives, we found that monitoring results documentation was maintained on their computers or in hard copies in their offices. According to the Departmental Directive, if the contracting officer's representative deems certain monitoring documentation significant, such documentation is to be placed in the program office contract file and a copy of the documentation is to be sent to the contracting officer for entry into the official contract file.[Footnote 51] However, the lack of clear procedural guidance on what contract monitoring documentation should be kept in the official contract file made it difficult to have a central point of reference from which to readily obtain up-to-date monitoring results such as received deliverables or performance issues, without continued assistance from the contracting officer's representative. FSA contracting officials informed us they did not have a formal system in place to document ongoing contractor performance issues and that sharing of contract monitoring activities and results was done through communications between the contracting officer and the contracting officer's representative. According to the Departmental Directive, the purpose of detailed record-keeping is to build a complete history of each project so that information is not lost or forgotten, and so that others (e.g., a supervisor or a newly designated contracting officer's representative) could get a clear picture of what has occurred during the life of the contract. Without clear guidance and procedures for documenting and retaining contract monitoring activities and results, Education's management may not have sufficient support in a government action against a contractor for failing to meet contract objectives and diminishes its ability to share contract monitoring information in the case of staff attrition. We also found that while FSA had quality control policies and procedures in place, they were insufficient to help ensure contract files were complete. FSA Acquisition management stated that they perform contract review procedures as part of staff performance evaluations, Contract Review Boards, and contract management reviews. However, these reviews do not require a review of the contract files in their entirety. In addition, these review procedures do not specify what key contract monitoring documentation should be considered as a part of their review. As a result, we found instances in which the 28 contract files we reviewed did not always contain evidence of key contract monitoring activities such as contractor's performance evaluations, contract monitoring plans, and memoranda documenting the appointment of a contracting officer's representative,[Footnote 52] as described below. * Five contracts, for which a performance evaluation was required, did not have them.[Footnote 53] Education's procedures provide that for contracts in excess of $100,000 contracting officers and contracting officers' representatives are to evaluate and document whether the contractor performed in accordance with contract terms annually. However, without fully completed contractor's evaluations, FSA is at risk of not having pertinent performance information to address problems or concerns with a contractor, to make proper decisions on whether to extend a contract with a current contractor, or to share information about contractor's performance. * Twenty-six contracts did not have a stand-alone written contract monitoring plan which was required, even though we found that contracts were being monitored through various methods. These contracts ranged from approximately $10,000 to over $41 million in obligated funds for a total of approximately $130 million for all 26 contracts. The Departmental Directive and other related guidance provide that all contracts[Footnote 54] must have a contract monitoring plan that includes information such as reporting and compliance requirements, and the methods of tracking, inspecting, and accepting deliverables.[Footnote 55] Without written monitoring plans, FSA lacks an effective tool to determine the types of monitoring activities planned and whether monitoring activities had occurred in accordance with established policies and procedures. * Nine contracts reviewed were missing contracting officer's representative appointment memoranda. For five of these nine contracts, an employee who was not designated by an appointment memorandum was acting as a representative, routinely entering receipts for contracted goods and services and recommending the acceptance of deliverables. For the other four contracts, an employee was acting as the backup for the appointed contracting officer's representative during the absence of the designated representative without an appointment memorandum.[Footnote 56] Because contracting officers' representatives are the designated representatives in charge of monitoring contract performance, it is important that their designations are clear, and that related duties and responsibilities are adequately defined. In addition, because contracting officers rely on the representatives' recommendations to accept deliverables and approve invoices, it is important that only designated officials with contract knowledge perform inspections and recommendations. Without review procedures to ensure that all contracting officers' representatives have proper designations of duties and responsibilities, FSA is at risk of not knowing whether contracting officers' representatives acted within the scope of their duties, and whether inspections of the deliverables were performed by the designated and knowledgeable staff. FSA management informed us that it performed contract review procedures as part of staff performance evaluations, Contract Review Boards, and contract management reviews. However, these reviews, while they serve other purposes, do not provide ongoing assessments for FSA to take necessary corrective actions to best ensure timely implementation of contract monitoring controls. Pell Grant Controls Designed to Provide Financial Accountability: Our review of internal controls over FSA's Pell Grant program did not identify any flaws in overall design. Consequently, if fully and effectively implemented, the controls should provide reasonable assurance that Education can adequately maintain financial accountability over the billions of dollars it disburses annually to participating schools on behalf of eligible postsecondary students. Specifically, our review of FSA's policies, procedures, and additional related supporting documentation showed that FSA has a range of internal control activities designed to provide financial accountability over Pell Grant resources, including key financial controls summarized in table 2. Table 2: Key Pell Grant Program Financial Accountability Controls: Process: Student eligibility[A]; Internal control activity: To verify student eligibility, FSA's Central Processing System is used to compute the amount of Pell Grants for which a student is eligible and perform matches with other federal agency records. For example, the Central Processing System data is matched with Social Security Administration data to ensure that applicants and their parents have a valid social security number and to verify the applicant's citizenship status. (2009-2010 Federal Student Aid Handbook, Volume 1, Chapter 1, The Application Process: FAFSA to ISIR and Chapter 2, Citizenship). Process: School eligibility; Internal control activity: FSA developed controls to help ensure that only schools meeting program requirements participate in the Pell Grant program. One of the key controls calls for FSA staff to review school applications, and supporting documentation, including accreditations, state licenses, and audited financial statements to assess the initial and continuing eligibility of schools participating in the program. (2009-2010 Federal Student Aid Handbook, Volume 2, School Eligibility and Operations, 2009-2010). Process: Disbursements and reconciliations; Internal control activity: FSA's Common Origination and Disbursement System includes various edit checks on disbursement records to help ensure that records are complete, accurate, and from eligible schools. FSA staff also perform monthly and year-end reconciliations of Pell Grants received by schools to amounts disbursed to students. (2009- 2010 COD Technical Reference, Volume 2, Common Record Technical Reference, Section 4, Edits, April 2010 and Grant Reconciliation Procedures, September 9, 2010). Source: GAO analysis of Department of Education's policies and procedures. [A] In addition to FSA controls, schools have a role in determining and verifying student eligibility and application data, and making accurate award computations and disbursements. [End of table] In addition, FSA, based on its OMB Circular No. A-123 assessment, provided reasonable assurance that its internal controls over Pell Grant financial reporting as of June 30, 2010, were operating effectively and no material weaknesses or reportable conditions were found in the design of financial reporting internal controls. FSA's assessment included all of the key controls processes discussed in table 2, including controls over student eligibility, school eligibility, disbursements, and reconciliations. FSA has designed controls over the Pell Grant process to help protect the government's interest in providing financial aid, but the program is heavily dependent on schools establishing their own companion controls to help assure Pell Grants are proper and in correct amounts. Specifically, risks still exist in the Pell Grant process due to the role of schools in determining and verifying student eligibility and application data, and making accurate award computations and disbursements. For example, fiscal year 2009 audits of two schools by Education's OIG found that these schools did not have adequate procedures, which resulted in improper disbursements of federal student aid to students who attended ineligible locations of an eligible school and in failure to return funds that were disbursed to students who withdrew from school.[Footnote 57] Education's OIG found that these schools had breakdowns in controls that did not prevent or detect improper disbursements. Also, in Education's fiscal year 2010 Agency Financial Report,[Footnote 58] Education reported an estimate of over $1 billion of improper payments caused in part by applicants who incorrectly report their income on student aid applications. [Footnote 59] To help address this problem, Education's fiscal year 2010 Agency Financial Report noted that FSA implemented a process for applicants to transfer certain tax return data from an Internal Revenue Service Web site to their online student aid applications. This process was piloted on January 28, 2010, and went live in September 2010. Additionally, FSA reported that it continues to explore ways to facilitate the detection of errors and simplify the application process. While the focus of our work was on whether FSA's financial controls over Pell Grants were designed to provide reasonable assurance that it can maintain effective accountability over its significant grant resources, we did identify a deficiency in the reconciliation process, which resulted in a relatively minor (approximately $12,000) unreconciled disbursement transaction that existing controls detected but did not correct. FSA subsequently developed a corrective action plan with an estimated completion date of March 18, 2011, to correct the unreconciled amount and to establish an additional control to timely and properly research and resolve any such unreconciled differences in the future. Further, FSA's 2010 assessment conducted in accordance with OMB Circular No. A-123 also identified some relatively minor deficiencies in the implementation of its Pell Grant controls for which it has already developed and implemented corrective actions. [Footnote 60] Education Has Established Important Information Technology Management Controls, but Planning And Investment Management Challenges Remain: Education has established IT strategic planning and management controls, but challenges remain in some areas of its management, including the effective use of an information resources management (IRM) strategic plan to guide its efforts. Specifically, the department is relying on an IRM strategic plan that was prepared without the benefit of being informed by a current departmentwide strategic plan and that did not reflect how IT activities will support critical goals from other departmental planning documents. In addition, Education has inconsistently implemented OMB's and its own guidelines for investment management. Without effective IT strategic planning and investment management controls, Education jeopardizes its ability to effectively support its mission and efficiently use its $3 billion IT investment. To review Education's IT management, we focused on seven program and management offices and 12 selected investments representing about 73 percent of the department's total IT budget. The organizational structure of the offices and the IT investments included in our review are shown in figure 4. Figure 4: Education Department Offices Related to Our Review of Information Technology Controls and Management, Fiscal Year 2010: [Refer to PDF for image: illustration] Management Offices: * Chief Information Officer [3, 4, 5, 6]; * Planning, Evaluation, and Policy {5, 8]; * Communications and Outreach; * Office of Management[A]; * Inspector General. Program Offices: * Federal Student Aid [9, 10, 11, 12]; * Elementary and Secondary Education: - Migrant Education [1]; * Institute of Education Sciences: - National Center for Education Statistics: Assessment Division [2]. Management Offices: Provides technical assistance, guidance, and oversight to Program Offices. Program Offices: Reports staffing, resource,and policy information to Management Offices. Program Offices: Administer Education programs. Source: GAO analysis of Education documents. Note: The 12 investments are the (1) Migrant Student Information Exchange; (2) National Assessment of Educational Progress; (3) Contracts and Purchasing Support System; (4) Education Department Utility for Communications, Applications, and Technical Environment; (5) Budget Formulation and Execution Line of Business; (6) G-5 Grants Management; (7) Integrated Support Services; (8) EDFacts; (9) National Student Loan Data System; (10) Enterprise Web Portal; (11) Common Services for Borrowers; and (12) Common Origination and Disbursement. [A] The Office of Management was included because of the office's privacy-related responsibilities. [End of figure] Education Developed an IRM Strategic Plan to Guide Its IT Investments, but Did So without the Benefit of a Current Departmentwide Strategic Plan: Strategic planning is essential to define what an organization seeks to accomplish, identify strategies to achieve desired results, and measure progress to subsequently determine how well it is succeeding in reaching results-oriented goals and objectives.[Footnote 61] [Footnote 62] The Government Performance and Results Act of 1993 requires federal agencies to prepare and submit a strategic plan to the Director of OMB and to Congress, and to update or revise the plan at least every 3 years.[Footnote 63] Further, OMB Circular A-130, Management of Federal Information Resources, requires agencies to develop an IRM strategic plan to support the agency's strategic plan, provide a description of how information resources management activities are expected to help accomplish the agency's mission, and ensure that IRM decisions are integrated with organizational planning and program decisions. In September 2010, Education released its IRM strategic plan for fiscal years 2010 through 2014. The plan describes how IT activities will be used to support the department's mission and operations and includes three primary technology goals: (1) aligning IT investments with Education business objectives; (2) establishing the OCIO as provider of common and infrastructure services; and (3) ensuring the effectiveness of IT governance, data and information processing, and use of technology across the department. However, while Education met OMB's requirement to update its IRM strategic plan and identified how IT activities will be used to support its mission, the plan was developed prior to, and thus, was not informed by a current departmental strategic plan. The most recent update of the IRM plan, as well as the previous 2006 revision, were both completed prior to the department releasing its respective strategic plans. Specifically, while the previous IRM plan was completed in 2006, the departmental strategic plan was not issued until 2007, and the department subsequently did not update its IRM plan to reflect any relevant changes in the department's strategic direction. More recently, Education issued its updated IRM strategic plan in September 2010, but as of January 2011, the departmental strategic plan had not yet been published. An official in the Office of the Deputy Secretary indicated that this departmental strategic plan was in draft form and commented that the goals of this plan were still evolving. An OCIO official stated that the sequence in updating the department and IRM strategic plans has hindered that office's ability to identify performance measures and goals that are essential to ensuring that IT effectively supports the department's mission. Moreover, insight into the department's current strategic direction is critical because the Deputy Secretary of Education has set a goal of increasing the department's budget for new investments by fiscal year 2012.[Footnote 64] According to the Director, Information Technology Program Services, the department has, in part, mitigated risks of these IT investments not being aligned with the department current strategic priorities by organizing similar IT investments into IT categories or "segments,"[Footnote 65] such as grants management, developing modernization plans[Footnote 66] and collaborating with business segment owners. The official stated that when deciding whether to allocate funds to IT investments, the department uses segment modernization plans to rank the investments to determine the degree to which they support the department's strategic priorities. While it is good practice to take these actions to mitigate risks, without an overall IRM strategic plan that is informed by the department's current strategic plan, there remains a risk that IT investments may not be aligned to the department's most current priorities. An OCIO official recognized this potential risk and as such, stated that the department intends to update the IRM strategic plan when a department strategic plan is released in the first half of 2011. Further, Education's 2010 IRM strategic plan did not incorporate critical goals from three other planning documents--the Open Government plan, the Strategic Sustainability Performance plan, and the Data Center Consolidation plan--that reflect the department's planned use of IT to support its mission.[Footnote 67] [Footnote 68] While the updated IRM strategic plan includes the goals of Education's open government plan--which aims to, among other things, make Education activities more transparent--the IRM plan does not specifically address how IT activities will support that effort. For example, the open government plan identifies a goal for making more data and information available to the public. However, the IRM strategic plan does not include plans, resources, or time frames to show how IT activities will support these goals. An OCIO official indicated that, while the department prepared an open government plan in accordance with OMB guidance, in order to meet the IRM strategic planning time frame, the department decided to address how IT will be used to accomplish these goals at a later time. Addressing these goals in the IRM strategic plan is critical to ensure that competing IT resources are effectively prioritized to meet the open government goals. Further, with regard to the Strategic Sustainability Performance Plan, an official in Education's OCIO noted that although this plan was published in June 2010, the office had not been aware of the plan when updating the IRM strategic plan in September 2010. As such, the goals from the Strategic Sustainability Performance Plan were not addressed in the IRM plan. Additionally, while an OCIO official noted that a major investment involving a data center that aims to provide information technology services for the department was addressed in the IRM plan, Education did not address other IT-related goals included in the department's Data Center Consolidation plan. The official stated that both the Strategic Sustainability Performance Plan and the Data Center Consolidation Plan are intended to be addressed when the IRM plan is next updated. By not including these goals in the IRM strategic plan, Education lacks an essential means of ensuring that it can comprehensively and effectively support the department's goals to, for example, reduce technology energy consumption in the data centers and streamline operations. Because the department updated the IRM strategic plan before it finalized its current strategic direction, it may not effectively prioritize IT investments in support of the department's mission. Education Has Established Processes for Managing IT Investments but Has Not Always Implemented OMB and Department Guidelines: Education has developed an IT investment management process and guidelines to address selection, control, and evaluation of its investments.[Footnote 69] For example, Education has a documented policy, implemented in 2006, which states all IT initiatives must support and be aligned with the department's business objectives and strategic plan to minimize duplication.[Footnote 70] Further, in 2009 the department revised its guidance to prioritize investments based on decisions from its Planning and Investment Review Working Group; it also made the Chief Information Officer responsible for the department's IT investment management process.[Footnote 71] Additionally, Education has established key oversight bodies to monitor and control IT investments. The Investment Review Board, whose membership represents the department's offices and critical areas, including acquisition, budget, IT management, and planning, is the executive decision-making body for investments, with responsibility for reviewing proposals and recommendations of the Chief Information Officer. According to Education, the Planning and Investment Review Working Group, whose membership includes senior managers with specialized knowledge and skills in the various disciplines that comprise the work of the department, assesses the effectiveness of Education's investment management process and provides recommendations for improving the process. These elements of Education's governance structure are consistent with IT investment management best practices. [Footnote 72] See appendix III for a description of Education's governance structure. While Education has developed guidelines to support IT investment management best practices, the department has not consistently conducted postimplementation reviews. An Education directive stipulates that postimplementation reviews are to be conducted during the evaluation phase of IT investments.[Footnote 73] Postimplementation reviews are used to evaluate whether the estimated return on investment was actually achieved and to identify lessons learned.[Footnote 74] Specifically, a postimplementation review should evaluate stakeholder and user satisfaction with the end product, mission impact, and technical capability, as well as provide decision makers with lessons learned so they can improve investment decision- making processes. Of the 10 completed IT investments that we reviewed--representing 6 department and 4 FSA investments--only 3 had undergone post implementation reviews. These three reviews were performed by FSA on its IT investments. The Education Chief Information Officer had not conducted postimplementation reviews for any of the six department investments that required such reviews.[Footnote 75] Moreover, the department had not finalized or approved the guidance for performing them. The department's 2005 IT investment management process guide reports that in 2004, Education outlined a process for conducting such reviews. According to the department, it postponed implementing this review process in February 2005 because other IT capital planning activities took priority. Further, an Education official stated that the department conducts operational analyses that satisfy the requirement to conduct postimplementation reviews. However, according to Education's own documentation, these reviews serve different purposes.[Footnote 76] Specifically, an operational analysis allows an agency to understand only how a particular investment is performing, whereas a postimplementation review is intended to improve the investment management process by identifying differences between estimated and actual investment costs and benefits and lessons learned for continuous improvements.[Footnote 77] By not performing postimplementation reviews of department-level investments, Education limits its ability to apply lessons learned from IT investments to improve the effectiveness of the department's overall IT investment management process. Education Has Taken Steps to Establish Its IT Information Security and Privacy Programs but Has an Unresolved Issue with Protecting Access to Data: Education has established an information security program that addresses key components of the Federal Information Security Management Act of 2002 (FISMA).[Footnote 78] FISMA was enacted into law on December 17, 2002, as Title III of the E-Government Act of 2002.[Footnote 79] FISMA requires federal agencies to develop and implement an agencywide security program for the information and information systems that support the operations and assets of the agency. FISMA's eight key components include periodic risk assessment, risk-based policies and procedures, a security plan, security awareness training, periodic security testing, a remedial action process, security incident procedures, and continuity of operations plans. An Education OCIO official stated that the department has taken a number of steps to establish this program. We reviewed the department's security guidance, policies, and procedures and verified that Education has responded to key FISMA requirements that include, among other things, * developing, maintaining, and updating an inventory of major information systems operated by the department or under its control; * developing policies and procedures aimed at reducing information security risks; * providing security awareness training for agency personnel and contractors; * performing periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices; and: * implementing a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies identified in its policies, procedures, and practices. Further, Education is responsible for protecting and controlling the personal information it collects to perform its missions.[Footnote 80] These laws and guidance define specific privacy responsibilities that include, for example, reviewing and evaluating the privacy implications of agency policies, regulations, and initiatives; producing reports on the status of privacy protections; and ensuring that employees and contractors receive appropriate training. The Education Senior Agency Official for Privacy stated that the department conducts assessments to ensure that personally identifiable information is adequately protected from inappropriate disclosure. [Footnote 81] In addition, this official stated that Education has developed a program that discusses privacy implications of agency policies, instructs employees to respond to possible privacy incidents, and describes training that employees and contractors are to receive. According to the officials, and our review of related department documentation and FISMA reporting, Education has taken the following specific actions: * Using a system to track notices to the public required under law about IT systems that maintain personal information.[Footnote 82] * Inventorying data assets, program offices to which they belong, and whether the assets store or contain personally identifiable information. * Developing guidance on privacy by creating several privacy directives and establishing a Social Security number best practices guide to address OMB guidelines.[Footnote 83] Education is taking steps to follow OMB's mandate to reduce and remove duplicative personally identifiable information and the use of Social Security numbers in its databases. For example, some Education organizations have retired systems or merged duplicate systems to reduce the use of Social Security numbers. According to Education officials and our review of related security guidelines, the department has taken steps to fulfill OMB organizational and reporting elements on privacy guidelines and statutory privacy requirements. In addition, as we have previously reported, a chief privacy officer is critical to serving as a focal point for a department's overall privacy responsibilities.[Footnote 84] According to Education's Open Government Plan, it plans to establish a chief privacy officer to ensure that, as required by law, individual privacy is protected.[Footnote 85] A senior agency official for privacy said the department expects to have the position filled by January 2011. Nonetheless, although Education has taken important steps to improve security protections, it has not resolved a long-standing critical access control issue. In a memorandum dated June 23, 2006, OMB directed agencies to ensure that there are adequate controls over critical systems, such as Education's student loan and grants systems. [Footnote 86] A critical control measure that OMB recommended was two- factor authentication, which improves the control over system access by using something the employee knows--a password or PIN--and something in the employee's possession--an authenticator or token--to identify users. In 2007 and again in 2009 Education's OIG found that, to protect privacy from an escalating threat and to manage risk to Education operations, the department and FSA should consider moving more quickly toward implementing two-factor authentication for all users (students, lenders, employees, contractors, and other third parties) because an uncertain number of accounts are vulnerable to threats. The 2009 OIG report recommended that the Chief Information Officer accelerate two-factor authentication for protecting the confidentiality, integrity, and availability of personally identifiable data residing on public Web sites. However, the department has not implemented this security measure. Implementation of this security measure is essential due to the increasing number of Pell grants and direct loans being administered by FSA. Education officials stated that they are currently taking steps to incorporate two-factor authentication into department system architectures and fund the implementation of two-factor authentication. A senior advisor at FSA provided us with the major milestones for implementing a two- factor authentication for department employees by midsummer 2011. Conclusions: The U.S. Department of Education is tasked with responsibility over a broad array of complex federal education programs. In recent years, the federal role in education has expanded significantly, and with it, so have its responsibilities as staff resources have decreased. In order for Education to carry out its responsibilities, it must establish and carry out an effective set of management practices. Our work for this report in the key management areas we reviewed demonstrates that Education has, in general, addressed many of these challenges and worked to put in place a number of good management practices, but that there are several areas in which Education could build on its these efforts. With respect to strategic workforce planning, Education will be challenged to figure out how best to allocate its workforce to address its top priorities. To the extent that it can improve the quality of the workload data it uses to make decisions on how to allocate its staff, it will be in a better position to move quickly and decisively to address its changing priorities. Currently, Education's program offices use professional judgment to estimate workload, making it difficult to compare estimates across program offices. Until Education establishes a more consistent agencywide approach to developing workload estimates, the department may not be able to respond effectively to rapidly changing legislative demands or efficiently meet its strategic goals. In addition, Education recently implemented a new performance management system with many key improvements over its previous system. While it is critical that any performance management system ensure the consistency of ratings, Education's new system still lacks safeguards in this regard. Until Education systematically reviews decisions made by supervisors about performance standards or appraisals before they are finalized, Education cannot be certain that its performance management system treats employees consistently across the department. Education has designed internal controls to help ensure accountability over contract monitoring and Pell Grants, but does not have adequate assurance that FSA is following departmental contract monitoring policies. FSA is responsible for administering a number of large, complex contracts that play a key role in its ability to oversee and administer its financial student aid programs. Accordingly, it is critical for FSA to exercise full and proper oversight of these contracts. Until FSA develops guidance on how to file and retain deliverable inspection evidence, guidance on how to document contract monitoring activities and results, and quality control procedures such as formal supervisory reviews, assurances of documentation of contract monitoring do not exist, hindering effective oversight of FSA contracts. For Pell Grants, we did not identify any significant flaws in the overall design of controls. IT systems are critical to Education's ability to carry out its increasing workload. Although it has established important IT management controls, several challenges remain to ensure that the department is overseeing, managing, and modernizing IT to support its mission. Unless Education has an IRM strategic plan that is aligned with, and informed by, the current departmentwide strategic plan, and the IRM strategic plan describes how IT activities will fulfill key goals and department initiatives, Education may not comprehensively and effectively support its mission. Education also has not finalized guidance for, nor consistently performed, postimplementation reviews, which are critical to assessing IT investments. If the department does not conduct postimplementation reviews for IT investments, it cannot effectively incorporate experiences and lessons learned from system development efforts that may save the agency time and money. Recommendations for Executive Action: To build on Education's current efforts to improve human capital management, we recommend the Secretary of Education take the following two actions: 1. Provide guidance to program offices on developing data-based estimates of workload, and incorporating these data into department workforce planning. This effort could include conducting an assessment of workload, developing an evidence-based estimate of staff needed to meet agency responsibilities using valid and reliable data, and using this estimate to inform agency budget requests and expenditures for human resources. 2. Develop a formal process for reviewing performance standards and performance appraisal decisions to help ensure Education's performance management system is consistent across the department. For example, such a review could include an analysis of standards and appraisals for all Education employees over a 3 to 5 year cycle to assess whether performance standards and appraisal decisions are being applied consistently. To help improve contract monitoring controls, we recommend that the Secretary of Education direct the Chief Operating Officer of FSA to take the following three actions: 1. Develop procedures that detail how to file and retain evidence demonstrating receipt and acceptance of contracted goods and services. 2. Develop procedures that outline how contract monitoring activities and results should be documented, retained, and shared. 3. Develop comprehensive quality control procedures that include guidance for review of contract files and contractor past performance reports to ensure that files are complete and contain documentation to evidence compliance with departmental contracting policies, including the following documents: * contractor performance evaluations, * contract monitoring plans, and: * contracting officers' representative appointment memoranda. We recommend the Secretary of Education build on Education's IT management efforts by directing the Chief Information Officer to take the following three actions: 1. Ensure that during the strategic planning process, the IRM strategic plan is aligned with and informed by the department's strategic plan to eliminate any potential risk of major IT investments not supporting the department's most current priorities. 2. Update the IRM strategic plan to reflect goals from the Open Government, Strategic Sustainability Performance, and Data Center Consolidation plans. 3. Finalize and approve department guidance for implementing postimplementation reviews and conduct these reviews, where appropriate, to assess lessons learned and identify potential improvements to the IT management process. Agency Comments and Our Evaluation: We provided a draft of this report to Education for review and comment and received a written response, which is reprinted in appendix IV. Education agreed with our recommendations and highlighted several steps it has taken, or intends to take, to address issues raised in our report. For example, to improve human capital management, Education responded that it has already identified data that primarily impacts workload of formula and discretionary grant programs and that it plans to take several steps to improve the quality of its workload data and how it is used to inform decision making. In addition, Education plans to convene a working group this year to determine how best to conduct a review of all employees performance standards and appraisals. In response to our recommendation to improve contracting monitoring controls, Education generally agreed with our recommendations and noted that FSA will develop guidance to improve how it documents and retains contracting activities and to require contracting officers to inspect and document findings and corrective actions related to contracting officers' representatives' records. In addition, FSA said it will develop and document methods to address quality controls for contract files. In response to our recommendation to build on Education's IT management efforts, Education noted that it has already taken steps to align the IRM strategic plan with the department's strategic plan and other critical plans. Education plans to take further steps by updating the IRM Strategic plan with the latest department strategic plan once it is finalized and by providing greater detail in the IRM strategic plan on the goals of other critical plans. Finally, Education noted that, as a part of an effort to increase the portion of its IT portfolio dedicated to modernization, the department will release a post implementation review guide and begin conducting these reviews by the second half of fiscal year 2011, assuming projects are ready for that stage of review. We are encouraged that the department is implementing a process for conducting postimplementation reviews on future investments. However, it is important that such reviews also be performed on already-deployed systems, as five out of the six projects we reviewed were deployed over the last 4 years did not have postimplementation reviews performed. These reviews could help Education determine whether the estimated return on the department's investments was realized and identify any lessons learned. Education also provided technical comments that we incorporated as appropriate. We are sending copies of this report to the appropriate congressional committee and the Secretary of Education. In addition, the report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-7215 or scottg@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix V. Sincerely yours, Signed by: George A. Scott: Director, Education, Workforce and Income Security Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: To describe the Department of Education's (Education) high-level management challenges, we reviewed documents detailing the shifting landscape faced by Education and how that may challenge the agency. These documents included Education's historical budget and staffing information, its fiscal year 2011 budget request, the Recovery Act, and the fiscal year 2009 through fiscal year 2012 workforce plan. We also reviewed grant award and student loan data. We assessed the reliability of Education data by interviewing agency officials knowledgeable about the data and determined that the data were sufficiently reliable for the purposes of this report. In addition, we examined the administration's proposal to reauthorize the Elementary and Secondary Education Act of 1965, which could include major changes to Education's role and responsibilities. We reviewed past GAO work and Office of Inspector General (OIG) work, including the fiscal year 2011 Management Challenges. We conducted interviews with high-level Education officials with responsibility for overall management of the agency. We also interviewed officials at the Office of Management and Budget (OMB) and the Office of Personnel Management (OPM), and former high-ranking Education officials, to obtain their perspectives on key management challenges facing Education. To assess the extent to which Education has human capital strategic planning and management strategies to meet its needs, we focused our work on two key aspects of human capital management--strategic workforce planning and performance management. Both were identified as key areas of focus after our initial interviews with Education, former Education, OIG, and OMB officials, and after our review of the 2008 Federal Human Capital Survey. We reviewed documents related to Education's strategic workforce planning and performance management efforts. The strategic workforce planning documents included Education's quarterly workforce review, Leadership Succession Management plan, corporate recruitment strategy, and Human Capital Management plan. The documents related to performance management included Education's current and former performance management policies, sample employee performance standards that were submitted to OPM using the Performance Assessment and Accountability Tool (PAAT), employee performance management system training modules, the 2008 Federal Human Capital Survey results, and OPM's PAAT handbook. We also conducted interviews with officials responsible for the overall planning and management of Education's human capital efforts, and in five program offices--Office of Elementary and Secondary Education, Office of Postsecondary Education, Office for Civil Rights, Office of Special Education and Rehabilitative Services, and the White House Initiative on Educational Excellence for Hispanic Americans. These offices were selected based on the number of staff, the work functions of the employees in the office, and the results of the 2008 OPM Federal Human Capital Survey. In addition to four program offices with large staffs, we included a smaller office, the White House Initiative on Educational Excellence for Hispanic Americans, to capture the experience of officials from a smaller program office. We also interviewed a senior official from Education's labor union. We used criteria developed by GAO to assess Education's efforts to identify risks and implement improvements in human capital processes. For strategic workforce planning, we used a GAO report identifying key principles of strategic workforce planning--Human Capital: Key Principles for Effective Strategic Workforce Planning (GAO-04-39)--and the GAO Cost Estimating and Assessment Guide (GAO-09-3SP) that addresses the importance of workload data for estimating agency budgets. For performance management criteria, we used Results-Oriented Cultures: Creating a Clear Linkage between Individual Performance and Organizational Success (GAO-03-488). In the area of financial management, our objective was to determine whether the design of Education's internal controls was adequate to help provide accountability over (1) contracts and (2) student aid grants. Our review focused on key internal control activities at Education's Office of Federal Student Aid (FSA) because it administers student aid grants and incurred approximately 58 percent of Education's contract obligations in fiscal year 2009. Fiscal year 2009 was the most recent year for which transactions for an entire fiscal year were available for our review. For contracts, we focused our review on the design of controls over contract monitoring because it has been a long-standing management challenge for the department. To obtain an understanding of the design of controls over FSA's contract monitoring process, we assessed applicable Education policies and procedures using governmentwide internal controls standards and interviewed FSA officials. To further understand the effect of identified design controls weaknesses, we selected a nongeneralizable sample of 15 active and 13 closed contracts and 2 closed interagency acquisitions from Education's Contracts Purchasing Support System. [Footnote 87] These 28 contracts and 2 interagency acquisitions had in total $171.5 million of contract obligations as of September 30, 2009. Contracts and interagency acquisitions selected were either closed in 2009 or active in 2009, but could have been obligated since October 1, 2006. The Departmental Directive defines contracts to include awards and notices of awards; job orders or task letters issued under basic ordering agreements; letter contracts; and orders, such as purchase orders, under which a contract becomes effective by written acceptance or performance. Therefore, our sample of 28 contracts may include job orders performed under the same vendor but treated as separate "contracts" under the Departmental Directive for contract monitoring purposes. To ensure that we reviewed monitoring controls over contracts and interagency acquisitions, hereafter referred to as acquisitions, with various award amounts, we sorted both the active and the closed acquisitions populations into five strata by obligated amount of the acquisitions. To maximize the total dollar value of the acquisitions included in our selection, we selected more acquisitions from strata with larger award amounts. In addition, we selected the acquisitions with the largest award amounts from each stratum. We focused on Pell Grants because it accounted for over 91 percent of all student aid grant disbursements in fiscal year 2009 and because a recent GAO study examined internal controls for other Education grants.[Footnote 88] To obtain an understanding of the design of controls over Pell Grants, we reviewed relevant Pell Grant policies and procedures using GAO's Standards for Internal Controls in the Federal Government[Footnote 89] and interviewed FSA officials. We also reviewed documentation such as process cycle memos and flowcharts related to the assessment of internal control activities over Pell Grant financial reporting, which was performed by FSA in accordance with OMB Circular No. A-123, Appendix A, Management's Responsibility for Internal Control Over Financial Reporting. To obtain an understanding of the scope and methodology of FSA's procedures related to the OMB Circular No. A-123 review process, we reviewed FSA's OMB Circular No. A-123 test plans and sampling methodology. Using a nongeneralizable sample selection,[Footnote 90] FSA's OMB Circular No. A-123 assessment covered financial reporting internal control activities from July 1, 2009, through June 30, 2010, including areas such as student eligibility, disbursements, and reconciliations. To validate the accuracy of the results issued by the FSA's OMB Circular No. A-123 assessment, we reperformed a selected number of FSA's sampled transactions for each one of its testing procedures. Our assessment did not include an evaluation of internal controls at schools that have a role in determining, and if necessary, verifying student eligibility and application data, and making accurate award computations and disbursements. To assess the extent to which Education has established management controls needed to oversee, manage, and modernize its information technology to support its mission, we reviewed strategic planning, investment controls, and information security and privacy plans for information technology (IT). We conducted interviews with officials responsible for IT functions in seven Education management and program offices: FSA; the Institute of Education Sciences; Office of Elementary and Secondary Education; Office of the Chief Information Officer; Office of Management; Office of Communications and Outreach; and Office of Planning, Evaluation, and Policy Development. We selected these six offices because they had at least one major IT investment. Additionally, we selected 12 investments representing approximately 73 percent of the department's total IT budget.[Footnote 91] These investments are: * Migrant Student Information Exchange; * National Assessment of Educational Progress; * Contracts and Purchasing Support System; * Education Department Utility for Communications, Applications, and Technical Environment; * Budget Formulation and Execution Line of Business; * G-5 Grants Management; * Integrated Support Services; * EDFacts; * National Student Loan Data System (now Aid Data); * Enterprise Web Portals (now Enterprise IT Services); * Common Services for Borrowers (now Aid Servicing); and: * Common Origination and Disbursement (now Aid Delivery): We selected at least one major investment from each of the offices that had major IT investments to determine how department guidance is implemented at the system level. In making the selections, we considered whether the investments spanned multiple offices across Education; had potential IT security issues; called for major spending from Education's IT systems budget and were under development or operational. We also reviewed Education's Information Resource Management (IRM) strategic plan to determine the extent to which Education had included the critical elements, such as addressing all agency IRM requirements in its strategic plan as described in OMB Circulars A-11 and A-130. Further, to determine how effectively Education is identifying weaknesses and opportunities for improvement in investments throughout the systems development lifecycle, we reviewed relevant Education policies, procedures, guidance, and documentation. Specifically, we looked at its postimplementation review guide, investment board charters, budget documents, and project reviews and presentations. To assess the quality of Education's IT security program, we used requirements in the Federal Information Security Management Act of 2002 (FISMA) and relevant department and inspectors general reporting. We assessed Education's level of compliance with FISMA requirements by reviewing relevant Office of Inspector General (OIG) reports (including access controls and service continuity), and met with personnel from OIG, the Office of the Chief Information Officer, and other Education IT security personnel. We did not conduct our own assessment of the IT security program. However, to validate the information provided by the agency officials, we reviewed Education's (1) FISMA reporting and security risk levels of systems; (2) policies and procedures related to reducing security risks, including Education's certification and accreditation program; (3) incident reporting and handling processes to identify how the department was responding to security violations; and (4) security training materials and guidance to ascertain that the department had a program in place to respond to FISMA training requirements. To assess Education's privacy program, we interviewed officials responsible for privacy and reviewed Education's directives and guidelines on privacy to determine to what extent the department's privacy program implemented applicable laws and guidance. We conducted this performance audit from October 2009 to February 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Summary of Changes to Education's Performance Management System, Implemented in 2010: Education's goal: Establish more transparency throughout process; EDPAS (Former system): During appraisal year, feedback emphasized between employee and supervisor at annual midpoint and rating period; REACH (Revised system): Feedback and communication emphasized between employee and supervisor over course of year. Education's goal: Establish more transparency throughout process; EDPAS (Former system): At midpoint review, a discussion between supervisor and employee occurred, and each signed performance plan to document the discussion; REACH (Revised system): Employee and supervisor provided a space in new software to write midpoint narratives so employee better understands midpoint status. Education's goal: Simplify process for employee and supervisor; EDPAS (Former system): Parts of the performance management process were paper-based; for example, performance plans had to be printed and signed; REACH (Revised system): New software makes the entire performance management process electronic. Education's goal: Improve performance standards; EDPAS (Former system): Did not require performance standards to be clear, specific, measurable goals aligned to organizational goals; REACH (Revised system): Each performance standard should be aligned, measurable, specific, realistic, time-based, and clearly define expected performance. Education's goal: Differentiate between levels of employee performance; EDPAS (Former system): Five-tier rating system for performance included unacceptable, minimally successful, successful, highly successful, and outstanding; REACH (Revised system): Four-tier rating system for performance includes unsatisfactory results, achieves results, achieves high results, and achieves exceptional results. Education's goal: Differentiate between levels of employee performance; EDPAS (Former system): Employees were eligible for performance awards at the highly successful and outstanding levels; REACH (Revised system): Employees are eligible for performance awards at the achieves results, achieves high results, and achieves exceptional results levels. Education's goal: Improve managers' understanding of responsibilities, and encourage employees to take active role in own professional development; EDPAS (Former system): New employees were provided orientation on EDPAS, and all employees encouraged to take performance management trainings when offered; REACH (Revised system): Required joint training for supervisors and employees on REACH, and a performance management toolkit is available as a reference for employees and supervisors. Source: GAO analysis of Education policies and procedures and interviews with Education officials. [End of table] [End of section] Appendix III: Education IT Governance Structure: The Office of the Chief Information Officer provides advice and assistance to the Secretary and other senior officials to ensure that IT is acquired and information resources are managed in a manner that is consistent with laws and executive orders. The capital planning and investment control is a decision-making process for ensuring IT investments integrate strategic planning, budgeting, procurement, and the management of IT in support of agency missions and business needs. Capital planning and investment control at Education consists of three phases: select, control, and evaluate.[Footnote 92] To carry out these responsibilities, Education has set up an IT governance process as shown in figure 5. Figure 5: Education IT Governance Process: [Refer to PDF for image: illustration] Top level: Secretary of Education. Second level, reporting to Secretary of Education: Chief Information Officer (CIO). * Investment Review Board (IRB); * Planning and Investment Review Working Group (PIRWG); * Enterprise Architecture Advisory Committee (EAAC); * Enterprise Architecture Review Board (EARB). Providing support to CIO: * Investment Acquisition Management Team (IAMT). Providing support to EAAC and EARB: * Enterprise Architecture Program Office (EAPO). Source: Department of Education. [End of figure] The IT governance process is managed through a review board and subordinate working groups. The Investment Review Board is the highest level decision-making body for the department's IT investment management process. Membership of the board includes the Deputy Secretary, Chief Information Officer, Assistant Secretary for Management, Chief Financial Officer, Director of Budget, Senior Counselor to the Secretary of Federal Student Aid, and additional principal officers of the department representing business units. It meets quarterly, or more frequently if required, to support the IT investment management process. The Investment Review Board sets the priorities and objectives used to assess IT initiatives and oversees the entire IT portfolio. During the select phase, the Investment Review Board receives funding recommendations from the Planning and Investment Review Working Group. Upon Investment Review Board approval, the IT portfolio is submitted to OMB as part of Education's budget request. The Planning and Investment Review Working Group is comprised of senior managers with specialized knowledge and skills in the various disciplines that comprise the work of the department. It meets monthly, or more frequently if required, to support the IT investment management process, the Chief Information Officer, and the Investment Review Board. Members represent the department's principal offices and critical areas including acquisition, budget, information technology management, and planning. During the select phase, the Planning and Investment Review Working Group reviews candidate investments and makes funding recommendations to the Investment Review Board. The working group reviews the IT portfolio from a departmentwide perspective and makes recommendations to the Chief Information Officer to inform decisions on selecting, controlling, and evaluating investments. The Enterprise Architecture Advisory Committee meets quarterly to develop and maintain segment architectures, propose business modernization and shared service investments to the Planning and Investment Review Working Group, assess opportunities for IT reuse and collaboration, and review the department's IT portfolio for enterprise architecture compliance. The Enterprise Architecture Advisory Committee is comprised of senior managers from the principal office responsible for supporting a segment of the department's enterprise architecture. The Enterprise Architecture Review Board maintains the department's technical standards and conducts reviews in accordance with the department's lifecycle management framework. The Investment and Acquisition Team is responsible for developing and implementing strategies and programs designed to enhance the department's OMB Exhibit 300 business case preparation and capital investment management and planning and for day-to-day oversight of its capital planning and investment control processes. The Investment and Acquisition Team reports to Information Technology Program Services, which in turn reports to the Chief Information Officer.[Footnote 93] The Enterprise Architecture Program Office is responsible for maintaining the departmental enterprise architecture, which includes reviewing all IT investments and making recommendations to the Planning and Investment Review Working Group. FSA Has Additional Responsibilities for IT Governance: FSA is responsible for administration of the information and financial systems that support student financial assistance programs. As a performance-based organization, FSA has been given independent control of its budget allocations and expenditures, personnel decisions and processes, procurements, and other administrative and management functions. FSA has also established a separate investment review board to provide oversight of its investment management and ensure effective utilization of investment dollars and human capital. [End of section] Appendix IV: Comments from the Department of Education: United States Department Of Education: The Deputy Secretary: 400 Maryland Ave. S.W. Washington, DC 20202: [hyperlink, http://www.cd.gov] January 24, 2011: Mr. George Scott: Director, Education, Workforce, and Income Security Issues: Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Scott: I am writing in response to your request for comments on the U.S. Government Accountability Office's (GAO's) draft report (GAO-11-194) dated January 2011, entitled "Department of Education: Improved Oversight and Controls Could Help Education Better Respond to Evolving Priorities." I appreciate the opportunity to comment on the draft report on behalf of the U.S. Department of Education (the Department). The Department takes very serious') its stewardship role in administering all of its programs. including those newly created by significant legislation such as the American Recovery and Reinvestment Act of 2009 (ARRA). Over the last two years. our workforce effectively administered grantmaking at an unprecedented scale and level of complexity. In addition. during this time. the Department also successfully completed the transition to direct student loans. We wholeheartedly agree that continuous improvement is key to meeting the evolving needs of the Department and to further enhancing the impact. We must also ensure our infrastructure is able to meet the demands of this increased responsibility, and acknowledge GAO's recognition of this effort and recommendations for improvement. The Department's responses to the report's recommendations follow. Recommendation Area 1: To build on Education's current efforts to improve human capital management, we recommend the Secretary of Education: 1. Provide guidance to program offices on developing data-based estimates of workload, and incorporating these data into department workforce planning. This effort could include conducting an assessment of workload, developing an evidence-based estimate of staff needed to meet agency responsibilities using valid and reliable data, and using this estimate to infOrm agency budget requests and expenditures for human resources. Generally, the Department agrees with GAO's recommendation. It is important to note that developing a set of workforce planning tools and algorithms to accurately forecast new and/or shifting resource needs, changing skill requirements, and potential process "bottlenecks" is complex and resource intensive. It also requires specific expertise that is not widely available within the Department. Many complex variables govern the work of the Department. These variables include items that are quantitative and predictable (e.g., number of new grants) on the one hand, and subjective, nuanced, or outside of the Department's control on the other (e.g., timing of final appropriation, need for and complexity of supporting regulations). We have discovered that these complexities present many challenges in creating useful Department workload models. In addition to these challenges, we also have limited resources — dollars and staffing — to take the Department's current workload analysis efforts to the next level of rigor. Despite these and other challenges, and compared to other federal agencies, the Department has demonstrated exemplary performance over the past several years in the effective use and distribution of taxpayer dollars. We are entrusted with more program dollars per FTE (Full Time Equivalent) than any other government agency with the third largest discretionary appropriation and a direct loan program. As noted by GAO, we were able to shift our workforce to meet the demands of ARRA. These achievements have been the result, in part, of unprecedented work in the Department over the past several years, which included the development of an FTE model to assess workload impact. Initial Department efforts to improve workload analysis primarily focused on identifying "key drivers" of work for the Department's formula and discretionary grant programs. Based on interviews with the Department's grantmaking experts, an initial set of workload drivers were identified. These drivers are basic data elements, including program dollar size, the number of new and continuing awards distributed each year, the frequency of grant competitions, the complexity of the grant competitions, and the number of site visits performed. Subjective drivers were also identified, including the level of innovation and/or flexibility that exists in the grant program. With an acknowledgment that the Department has limited resources to develop and implement a workload analysis system that fully integrates Department-wide human capital, operations, and cost data, we are determined to make continued progress. Our next steps include: * Building on the Department's Budget Service's fiscal year (FY) 2010 workload project, categorizing, and analyzing grant work by common program characteristics (that is, grouping common workload drivers among the Department's program offices); * Analyzing the results of in-process workload data studies commissioned by program offices (i.e., Office of Special and Education and Rehabilitative Services and Office of Elementary and Secondary Education) for Department-wide application; and; * Developing grantmaking workload activity "standards." The Office of Management, Human Capital and Client Services will continue collaborating with the Department's Budget Service, program offices, and other Department support offices to develop workload guidance to be used across the Department. Additional specific actions will include appropriately reclassifying positions from the current 343-Management and Program Analyst series to the 1109-Grants Management series established by the Office of Personnel Management in November 2010. Updating grants management position descriptions and gathering more reliable data around full-time equivalents in this series will lead to more effective workload modeling and workforce planning in the critical grants management area. 2. Develop a formal process for reviewing performance standards and performance appraisal decisions to help ensure Education's performance management system is consistent across the department. For example, such a review could include an analysis of standards and appraisals for all Education employees over a 3 to 5 year cycle to assess whether performance standards and appraisal decisions are being applied consistently. Performance management in government has been historically challenging. This is especially true in four primary areas: aligning performance expectations with strategic goals and operational priorities, developing standards that are quantifiable and measurable, calibrating across these standards to consistently identify varying levels of performance, and reliably assessing performance against these standards. The Department's approach over the past several years has been to improve strategic alignment and development of standards for both organizational and individual commitments. We have established organizational metrics that set expectations for each business unit and serve as the basis for organizational performance ratings. This Organizational Assessment ("OA") tool provides for a quantitative and qualitative review, and provides a link to strategic and operational priorities. We have begun to change the performance culture for all employees with a greater focus on measurable results aligned to organizational and strategic priorities. This coincides with the launch of a redesigned performance appraisal system called REsults ACHieved ("REACH") for the FY 2011 performance cycle. As part of this launch, the Department provided manager training on setting expectations and creating an effective performance management culture. We are also providing performance plan coaching for supervisors and employees on writing effective performance plans with standards that are specific, measurable, aligned, realistic, and time-based. In the FY 2010 performance cycle, the Department became a leader in government by explicitly basing a percentage of the senior executives' individual bonuses on their organizations' performance rating. In FY 2011, we will explore extending this practice that aligns individual and organizational performance to all employees. The Department agrees with GAO's recommendation that we should also incorporate a review process. We have recently developed written policy and reached agreement with the union to conduct ongoing assessments of REACH. We will convene a joint working group this year to determine how best to conduct this review. At a minimum, we expect that it will include a review of 100 percent of our employees over a 5- year period. as suggested by GAO. We will continue our efforts to enhance and improve performance management across the Department. Recommendation Area 2: To help improve contract monitoring controls, we recommend that the Secretary of Education direct the Chief Operating Officer of FSA to: 1. Develop procedures that detail how to file and retain evidence demonstrating receipt and acceptance of contracted goods and services. The Department agrees with GAO's recommendation as it pertains to activities preceding receipt and acceptance. FSA successfully adjusted its contracting activities to meet the requirements of both the Ensuring Continued Access to Student Loans Act and the Student Aid and Fiscal Responsibility Act, §2212 of the Health Care and Education Reconciliation Act. Our work has included significant effort to renegotiate existing contracts and also put in place new contracts such as Title IV Additional Servicer vehicles. Altogether, over the past two years FSA has seen nearly a 50 percent increase in contract spending for which it is accountable without a corresponding growth in staff and absent additional investment in contract management information technology systems. Given the significant role of contracting in delivering FSA's mission, we appreciate GAO's acknowledgment that we appropriately utilize the Financial Management Support System (FMSS) to capture evidence of receipt and acceptance of our contracted goods and services. We also engage in a variety of activities preceding entry of receipt and acceptance. We agree with GAO's finding that its reviewers were not able to efficiently validate information about these activities without direct intervention by the Contracting Officer (CO) or Contracting Officer's Representative (COR). We do not currently have guidance on how to document and retain artifacts of activities preceding receipt and acceptance. Consequently, the Department will develop guidance that details how to file and retain receipt and acceptance supporting documents in the contract and COR files to supplement what we capture in FMSS. The procedures will be prepared for distribution to each COR and CO, and COs will be directed to include a copy of the procedures as an attachment to each COR appointment letter. A copy of this guidance will also be distributed as part of the on-boarding process for each incoming Contract Specialist or CO. Furthermore, the Department will investigate whether the commercial application of FMSS includes features that would enable either the linking to, or storage of, additional recordation or documentation. Funding for alternative procurement management packages that may provide these important features or functions is not currently included in the budget. 2. Develop procedures that outline how contract monitoring activities and results should be documented, retained, and shared. The Department agrees with GAO's recommendation. GAO noted considerable evidence of FSA's contract monitoring activities, including many of the practices identified in the Office of Federal Procurement Policy's Guide to Acquisition Best Practices. These practices include the use of Service-Level Agreements, incentive and disincentive contract terms, and Quality Surveillance Assurance Plans. Nevertheless, we share GAO's vision for continuous improvement in this area. GAO's recommendation is especially timely considering the increased mobility of the acquisition workforce. Without clear guidance on how monitoring activities must be documented, the potential exists for knowledge of important contract events to be lost when personnel leave the organization. Information pertaining to contract monitoring activities will be included in the guidance identified in Recommendation 1. In addition, Federal Student Aid will issue guidance requiring COs to inspect COR records, document their review findings and require corrective actions, if appropriate, at least annually. 3. Develop comprehensive quality control procedures that include guidance for review of contract files and contractor past performance reports to ensure that files are complete and contain documentation to evidence compliance with departmental contracting policies. including the following documents: * Contractor performance evaluations, * Contract monitoring plans, and, * Contracting officer's representative appointment memoranda. The Department agrees with GAO's recommendation. We understand the importance of full accountability in ensuring that taxpayer dollars are appropriately leveraged through contracts to achieve the Department's mission. Federal Student Aid's increased spending on contracts over the past few years has been substantially due to the passage of significant legislation such as the Ensuring Continued Access to Student Loans Act, the Student Aid and Fiscal Responsibility Act, and §2212 of the Health Care and Education Reconciliation Act. Because of these additional requirements, we are assessing the need for additional tools and guidance, and greater management oversight, to ensure contract files include all required documentation. Federal Student Aid will continue to use historically effective quality control procedures such as Contract Review Boards, Contract Management Reviews, and soon-to-be implemented peer reviews. Likewise, FSA will work to make better use of data contained in acquisition systems to effect improvements in this area. GAO's review documented limited incidences of missing performance evaluations and COR appointment memoranda. Even so, we share in GAO's goal of consistent documentation of all contract monitoring activities. To achieve this goal, we shall implement greater internal controls to improve assurances that all required documentation is included in contract files. Past performance records will be monitored to ensure evaluations are prepared on a timely basis. The Department's Administrative Communications System Directive on contract monitoring will be revisited with acquisition personnel, as will the issue of COR appointment memoranda. FSA will also develop and document methods to address quality control at all obligation levels. Recommendation Area 3: We recommend the Secretary of Education build on Education's IT management efforts by directing the Chief Information Officer to: 1. Align the IRM strategic plan with the department's strategic plan to eliminate any potential risk of major IT investments not supporting the department's most current priorities. The Department concurs with GAO's recommendation and has addressed this issue. Alignment between the Department's published Strategic Plan and the IRM Strategic Plan is demonstrated in section 3.1 of the current (September 2010) release of the IRM Strategic Plan. The agency will update the IRM Strategic Plan to reflect the latest Department Strategic Plan. During the interim, risks related to the misalignment of dates between the IRM and Department strategic plans were discussed in the Planning and Investment Review Working Group (PIRWG) and the Investment Review Board (IRB). Agency officials determined that the modernization plans adequately conveyed current goals and priorities and mitigated the risk of selecting investments that did not align with the Department's current priorities. Further, the Department supports the use of modernization plans based on IT category or "segments," such as grants management and 1T security. These plans ensure a better alignment of investments and allow more precise allocation of IT resources to key milestones that accomplish the Department's mission. 2. Update the IRM strategic plan to reflect goals from the Open Government, Strategic Sustainability Performance, and Data Center Consolidation plans. The Department concurs with the recommendation and will address in greater detail the contents of each of these plans. Each of these plans received significant internal review by the appropriate subject matter experts, and each plan received positive feedback from external reviewers in the public and private sectors. The Department recognizes that timing of updates to each of these documents presents a significant challenge to continuous alignment with the IRM Strategic Plan; however, the benefit of ensuring that IT resources are most effectively and efficiently applied to the highest priorities of the Department is our goal. Specifically, the Office of the Chief Information Officer (OCIO) will collaborate more broadly among the subject matter experts, leveraging internal working groups to address the contents of the Open Government, Strategic Sustainability Performance, and Data Center Consolidation plans in the FY 2011 update to the IRM Strategic Plan. 3. Finalize and approve department guidance for implementing post implementation reviews and conduct these reviews, where appropriate, to assess lessons learned and identify potential improvements to the IT management process. The Department concurs with the recommendation. GAO's review documented that the Department has not conducted post-implementation reviews. Over the last several years, the Department's IT portfolio has been dominated by maintenance of current systems. Many of these systems have been operating successfully for more than a decade. In FY 2009, the Deputy Secretary and Investment Review Board Chair established the goal of increasing the portion of the IT portfolio dedicated to enhancements and modernization. As a result of this effort, the agency will have new capabilities deployed in FY 2011. Concurrent with the deployment of these new capabilities, the OCIO will deploy procedures to conduct post-implementation reviews. The Department is on schedule to release the post-implementation review guide and template in January 2011. The OCIO plans to begin conducting these reviews by the second half of FY 2011, assuming projects are available in that stage of the lifecycle. We appreciate the opportunity to review the draft report and comment on the recommendations. If you have any questions or concerns regarding our response, please have your staff members contact Beverly Ortega Babers at (202) 205-0167. Sincerely, Signed by: Anthony W. Miller: [End of section] Appendix V: GAO Contact and Staff Acknowledgments: GAO Contact: George A. Scott, (202) 512-7215 or scottg@gao.gov: Staff Acknowledgments: Bryon Gordon, Assistant Director; Scott Spicer, analyst-in-charge; and Sheranda Campbell managed this assignment. Alise Nacson and Leigh Ann Sennette also made significant contributions to the human capital component of the project. Kay Daly, Elizabeth Martinez, Rathi Bose, Chau Dinh, and Rebecca Riklin managed the Pell Grants and contracts component of this assignment. Judy Lee, Pierre Kamga, and Joshua Edelman also made contributions to the Pell Grants and contracts work. Valerie Melvin, Christie Motley, and Charles Youman managed the information technology component of this assignment, and Rebecca Alvarez, Cortland Bradford, Neil Doherty, Scott Pettis, and Bradley Roach also made contributions to the information technology work. Additionally, Susan Aschoff, Rebecca Eyler, Janice Latimer, Steven Lozano, Jean McSween, James Rebbe, Karen Richey, and William Woods aided in this assignment. [End of section] Footnotes: [1] Discretionary appropriations refers to budgetary resources that are provided in appropriation acts, other than those that fund mandatory programs. Mandatory spending refers to budget authority that is provided in laws other than appropriations acts and the outlays that result from such budget authority. Discretionary appropriations constituted most of Education's budget in fiscal year 2009. [2] Pub. L. No. 111-5, 123 Stat. 115 (2009). [3] These offices were selected based on the number of staff, the work functions of the employees in the office, and the results of the 2008 OPM Federal Human Capital Survey. [4] Fiscal year 2009 was the most recent year for which transactions for an entire fiscal year were available for our review. [5] We selected 15 active and 13 closed contracts and two closed interagency acquisitions based on award amounts to ensure we reviewed monitoring controls over contracts and interagency acquisitions with various award amounts while still maximizing the total dollar value of contracts and interagency acquisitions included in our selection. The active contracts population consisted of 309 contracts and interagency acquisitions obligated since October 1, 2006, and active as of September 30, 2009. The closed contracts population consisted of 233 contracts and interagency acquisitions obligated since October 1, 2006, and closed in fiscal year 2009 (from October 1, 2008 to September 30, 2009). [6] According to the Federal Acquisition Regulation, interagency acquisitions are procedures by which an agency needing supplies or services obtains them from another agency by an assisted or direct acquisition. [7] GAO, Grant Monitoring: Department of Education Could Improve Its Processes with Greater Focus on Assessing Risks, Acquiring Financial Skills, and Sharing Information, [hyperlink, http://www.gao.gov/products/GAO-10-57] (Washington, D.C.: Nov. 19, 2009). [8] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [9] We selected six offices because they had at least one major IT investment. The Office of Management was included because of the office's privacy-related responsibilities. [10] We selected at least one major IT investment (obligating more than $500,000 annually) from each of the offices that had major IT investments to determine how department guidance is implemented at the system level. In selecting these investments we considered whether the investments span multiple offices across Education, had potential IT security issues, called for major spending from Education's IT systems budget, and were under development or operational. [11] Department of Education Organization Act, Pub. L. No. 96-88, 93 Stat. 668 (1979). [12] Pub. L. No. 101-576, 104 Stat. 2838 (1990). [13] 31 U.S.C. § 3512(c), (d). [14] Department of Education, FY 2009 Agency Financial Report (Nov. 16, 2009). [15] 20 U.S.C. § 1070 et seq. These postsecondary programs include the William D. Ford Federal Direct Loan Program, the Federal Family Education Loan Program, Pell Grants, and certain campus-based programs. [16] An obligation is a definite commitment that creates a legal liability of the government for the payment of goods or services ordered or received, such as a contract, and federal agencies must record and report obligations as part of their system for tracking federal funds. For more details on methods of tracking federal funds, see appendix III of GAO, A Glossary of Terms Used in the Federal Budget Process, [hyperlink, http://www.gao.gov/products/GAO-05-734SP] (Washington, D.C.: September 2005). [17] 48 C.F.R. ch. 1. [18] FSA's contracting officers are part of FSA's Acquisition Group. [19] The Federal Pell Grant Program provides need-based grants to low- income undergraduate and certain postbaccalaureate students to promote access to postsecondary education. Students may use their grants at any one of nearly 5,400 participating schools. The Pell Grant award year begins on July 1 and ends on June 30 of the following year, which differs from the October 1 to September 30 federal fiscal year. [20] A major investment is defined in OMB Circular A-11 as a financial management investment obligating more than $500,000 annually. Additionally, such an investment may be a system or acquisition requiring special management attention because of its importance to the mission or function of the agency, a component of the agency, or another organization. OMB, Preparation, Submission, and Execution of the Budget, Circular A-11 (Washington, D.C., July 21, 2010). [21] For the three largest programs under the Recovery Act, recipients must obligate all funds by September 30, 2011. Education is responsible for monitoring the use of these funds. [22] According to an Education financial report, nearly all of Education's nonadministrative appropriations support grants or loans for K-12 and higher education. In fiscal year 2009, administrative expenditures were less than 1 percent of the department's appropriations. [23] The number of grants awarded excludes Pell Grants because these grants are funded with both discretionary and mandatory funds. However, FSA reported a nearly 60 percent increase in the amount of aid disbursed to students in fiscal year 2010 compared to 2009. [24] In March 2010, the Health Care and Education Reconciliation Act of 2010 (Pub. L. No. 111-152, 124 Stat. 1029 (2010)) terminated authority as of June 30, 2010, for the Federal Family Education Loan Program, under which nonfederal lenders made student loans guaranteed by the federal government. Instead, borrowers who would have been eligible to receive these loans can receive loans made directly by Education. However, those outstanding loans made by nonfederal lenders and guaranteed repayment by the federal government after that date will continue under the same structure with FSA oversight for possibly 30 years, depending on the repayment plan. [25] Higher Education Opportunity Act, Pub. L. No. 110-315, 122 Stat. 3078 (2008). [26] Consolidated Appropriations Act, 2010, Pub. L. No. 111-117, 123 Stat. 3034 (2009). [27] GAO, Recovery Act: Opportunities to Improve Management and Strengthen Accountability over States' and Localities' Uses of Funds, [hyperlink, http://www.gao.gov/products/GAO-10-999] (Washington, D.C.: Sept. 20, 2010). [28] GAO, Low-Income and Minority Serving Institutions: Sustained Attention Needed to Improve Education's Oversight of Grant Programs, [hyperlink, http://www.gao.gov/products/GAO-10-659] (Washington, D.C.: May 27, 2010), and Grant Monitoring: Department of Education Could Improve Its Processes with Greater Focus on Assessing Risks, Acquiring Financial Skills, and Sharing Information, [hyperlink, http://www.gao.gov/products/GAO-10-57] (Washington, D.C.: Nov. 19, 2009). [29] Department of Education, Office of Inspector General, FY 2011 Management Challenges (October 2010). [30] In fiscal year 2010, 93 percent of contracts obligations were IT related. [31] Department of Education, A Blueprint for Reform: The Reauthorization of the Elementary and Secondary Education Act (March 2010). [32] GAO, Human Capital: Key Principles for Effective Strategic Workforce Planning, [hyperlink, http://www.gao.gov/products/GAO-04-39] (Washington, D.C.: Dec. 11, 2003). These principles include: (1) involving top management, employees, and other stakeholders in the strategic workforce plan; (2) determining skills and competencies needed in the future workforce to meet the organization's goals and identifying gaps in skills and competencies; (3) developing strategies tailored to address these gaps; (4) building the capability to address these gaps; and (5) monitoring and evaluating the agency's progress toward its human capital goals and the contribution that human capital results have made toward achieving programmatic results. [33] Senior-level officials include the Assistant Deputy Secretary, the Chief Human Capital Officer, and the Chief Financial and Budget Officer. [34] [hyperlink, http://www.gao.gov/products/GAO-04-39]. [35] [hyperlink, http://www.gao.gov/products/GAO-04-39]. [36] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). [37] This survey is a tool that gauges the attitudes and impressions of federal employees in four areas of their work: leadership and knowledge management, results-oriented performance culture, talent management, and job satisfaction. The survey was first implemented in 2002 and is conducted every 2 years. [38] GAO, Results-Oriented Cultures: Creating a Clear Linkage between Individual Performance and Organizational Success, [hyperlink, http://www.gao.gov/products/GAO-03-488] (Washington, D.C.: March 2003). [39] Education refers to the satisfactory appraisal level as "achieves results." [40] [hyperlink, http://www.gao.gov/products/GAO-03-488]. [41] The PAAT is used to evaluate an agency's performance system to determine how well appraisal systems meet OPM's criteria for the design, implementation, and results expected for effectiveness. [42] Under 5 C.F.R. § 430.210, OPM determines whether an appraisal system meets applicable law, regulation, or OPM policy and, if not, directs an agency to implement an appropriate system or to take other corrective action. [43] GAO, Human Capital: DOD Needs to Improve Implementation of and Address Employee Concerns about Its National Security Personnel System, [hyperlink, http://www.gao.gov/products/GAO-08-773] (Washington, D.C.: Sept. 10, 2008). [44] GAO, Financial Regulators: Agencies Have Implemented Key Performance Management Practices, but Opportunities Exist for Improvement, [hyperlink, http://www.gao.gov/products/GAO-07-678] (Washington, D.C.: June 18, 2007). [45] Our work focused on Pell Grants because it accounted for over 91 percent of all student aid grant disbursements in fiscal year 2009 and a recent GAO study examined internal controls for other Education grants. For more information, see GAO, Grant Monitoring: Department of Education Could Improve Its Processes with Greater Focus on Assessing Risks, Acquiring Financial Skills, and Sharing Information, [hyperlink, http://www.gao.gov/products/GAO-10-57] (Washington, D.C.: Nov. 19, 2009). [46] U.S. Department of Education, Financial Management and Accountability, Procedure for Performing Contractor Performance Evaluation (CO-107) (May 4, 2006) and U.S. Department of Education, Financial Management and Accountability, Procedure for Writing and Implementing a Contract Monitoring Plan (CO-111) (Revised on June 4, 2007). [47] Education's Departmental Directive, OCFO 2-108, defines contracts as awards and notices of awards; job orders or task letters issued under basic ordering agreements; letter contracts; orders, such as purchase orders, under which a contract becomes effective by written acceptance or performance; and bilateral contract modifications. Therefore, our selection of contracts may include purchase orders or new task orders for the same original contract. This guidance further provides that each task order should be treated as a separate contract and should be monitored according to the guidance in this directive. [48] U.S. Department of Education, Office of Inspector General, Controls Over Contract Monitoring for Federal Student Aid Contracts, ED-OIG/A19G0006 (Aug. 24, 2007). [49] FSA Acquisition Policy Letter, Invoice Payment Procedure, ACQ-07- 001, provides that the contracting officers' representatives shall identify, through e-mail, to the contracting officers those deliverables that do not conform to the contract requirements. FSA management does not have guidance on retaining these e-mails. [50] FSA Acquisition Policy Letter, Contract Records File Management, ACQ-08-001. [51] Education's Departmental Directive provides that the contracting officer's representative shall use his or her judgment to determine if any of the contractor's actions are significant and worthy of documentation. [52] Contracting officers' representatives report to applicable FSA program offices and perform contract management duties, as assigned, including monitoring individual contracts to ensure technical performance of a contractor and inspecting and making recommendations to the contracting officer on actions related to invoices and deliverables. Contracting officers' representatives are designated but not supervised by contracting officers who are part of FSA's Acquisition Group. [53] According to Education's guidance on performing contractor evaluations, contracting officers and contracting officers' representatives must complete contractor performance evaluations annually and at the completion of a contract in excess of $100,000. Our nongeneralizable sample included 11 contract and interagency acquisition files that were obligated for less than the simplified acquisition threshold of $100,000 and, therefore, did not require annual contractor performance evaluations. [54] Our sample included two interagency acquisitions that were government printing acquisitions under subpart 8.8 of the Federal Acquisition Regulation. According to an agency official, the Departmental Directive is not applicable to interagency acquisitions including government printing acquisitions. For interagency acquisitions, generally, section 17.502-1(b) of the Federal Acquisition Regulation requires agencies to define in advance the roles that the requesting and servicing agencies will take with regard to contract administration and management. [55] A contract monitoring plan is a written document outlining how the department will manage a contract from award to the completion of the contract period. A contract monitoring plan is usually prepared by the contracting officer or contracting specialist in coordination with the contracting officer's representative and lists the key performance objectives to monitor the effectiveness and efficiency of the contract. [56] Education's Departmental Directive provides that contracting officers' representatives responsible for monitoring individual contracts must be appointed in writing by the contracting officer through an appointment memorandum. The Departmental Directive also states that no program official can act on a contracting officer's behalf, or perform any duties normally reserved for the contracting officer's designee, without specific written delegation of authority from the contracting officer for that particular contract. [57] Department of Education, Office of Inspector General, Touro College's Title IV, Higher Education Act Programs, Institutional and Program Eligibility (Oct. 30, 2008). Department of Education, Office of Inspector General, TUI University's Administration of Higher Education Act, Title IV Student Financial Assistance Programs (Aug. 5, 2009). [58] U.S. Department of Education, FY 2010 Agency Financial Report (Nov. 15, 2010). [59] An improper payment is defined as any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. [60] Deficiencies included, for example, the lack of a signature on a form documenting that a participating school should not receive funds and deficiencies in FSA's tracking of annual audit reports required of participating schools. FSA's corrective action plans included, for example, enhancing procedures to require FSA staff to confirm all required steps are taken so that documentation is complete and to perform more frequent quality control reviews of its report on missing audits. [61] GAO, Information Resources Management: Comprehensive Strategic Plan Needed to Address Mounting Challenges, [hyperlink, http://www.gao.gov/products/GAO-02-292] (Washington, D.C.: Feb. 22, 2002). [62] The Paperwork Reduction Act of 1995 and OMB Circular A-130 state that agencies should prepare a strategic IRM plan that describes how Information Resources Management activities will help accomplish agency missions. OMB Circular A-130 states that the IRM plan should support the agency strategic plan. 44 U.S.C. § 3506(b)(2), OMB, Management of Federal Information Resources, Circular A-130 (Washington, D.C., Nov. 28, 2000). [63] 5 U.S.C. § 306 (as of Dec. 31, 2010). [64] The department's modernization efforts represented 6 percent of its IT budget in Fiscal Year 2010--the lowest percentage of the major 25 government agencies. The department plans to increase the percentage of the budget allocated to modernization to 15 percent by 2012. [65] A segment is a part of the overall enterprise architecture that can be pursued as separate initiative. As such, segments serve as a bridge between the departmentwide enterprise architecture and the individual programs with separate system investments. For example segments can be grouped into categories, such as core mission areas (e.g., grants management), business services (e.g., financial management), and enterprise services (e.g., records management). An enterprise architecture is a blueprint for organizational transformation and IT modernization. Generally it consists of snapshots of the enterprise's current operational and technological environment, and its target environment, and contains a capital investment road map for transitioning from the current version to the target environment. [66] The objective of the department's segment modernization plans is to enable segment owners to help identify and prioritize IT investment decisions. This includes identifying business needs, evaluating current capabilities, and ensuring that these business needs are aligned to performance goals. [67] For example, Education's Open Government Plan (June 25, 2010) states that the development of the plan uncovered some internal challenges in data management and technology processes that need to be resolved. Education's Strategic Sustainability Performance Plan (June 8, 2010) includes a goal to reduce technology energy consumption in the department's data centers. The Data Center Consolidation Plan (Aug. 31, 2010) established goals to streamline operations. [68] According to OMB Circular A-130, the IRM strategic plan should address all agency IRM requirements. [69] Selection refers to a process when the organization identifies and analyzes each project's risks and returns before committing significant funds to any project and selects those IT projects that will best support its mission needs. Control refers to the process of ensuring that projects meet mission needs at the expected levels of cost and risk as they are implemented. Evaluation refers to the process that takes place after a project has been fully implemented where the organization compares the actual versus expected results. GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, [hyperlink, http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 2004). [70] Department of Education, Information Technology Investment Management (ITIM) and Software Acquisition Policy, Directive OCIO: 3- 108 (Sept. 15, 2006). [71] Department of Education, IT Investment Management Process Guide, Version 1.1 (December 2009). [72] An agency's IT investment review board is necessary because it is a key component in the investment management process and ensures the organization has effective oversight for its IT projects throughout all phases of their lifecycles. While the board should not micromanage each project, it should maintain adequate oversight and observe each project's performance and progress toward predefined cost and schedule expectations, as well as each project's anticipated benefits and risk exposure. See [hyperlink, http://www.gao.gov/products/GAO-04-394G]. [73] Department of Education, Lifecycle Management Framework Directive, OCIO 1-106, (2005); Department of Education, Information Technology Investment Management and Software Acquisition Policy, Directive, OCIO 3-108 (2006). Agencies must conduct postimplementation reviews of capital programming and acquisition processes and projects to validate estimated benefits and costs and document effective management practices. See OMB, Preparation, Submission, and Execution of the Budget, Circular A-11 (Washington, D.C., July 21, 2010). [74] According to the OMB Capital Planning Guide, post implementation reviews of IT projects serve as a diagnostic tool to evaluate the overall effectiveness of an agency's capital planning and acquisition process. [75] Of these six IT investments only one--the Contracts and Purchasing Support System--has been in operation for more than a decade; the remaining five were deployed within the last 4 years. [76] Department of Education, IT Investment Management Process Guide, Version 1.1. [77] OMB, Capital Programming Guide, Supplement to OMB Circular A-11, Part 7: Planning, Budgeting, and Acquisition of Capital Assets (Washington, D.C., June 2006). [78] The eight key components are (1) periodically assessing the risk from unauthorized access, use, disclosure, disruption, modification, or destruction of information or systems; (2) developing risk-based policies and procedures to reduce information security risks; (3) developing plans for providing adequate information security for systems; (4) providing security awareness training for agency personnel and contractors; (5) performing periodic testing and evaluating the effectiveness of information security policies, procedures, and practices; (6) implementing a process for remedial action to address deficiencies identified in the agency's IT security; (7) developing procedures for detecting, reporting, and responding to security incidents; and (8) developing plans and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency. In addition, an annually updated inventory of major information systems operated by or under the control of the agency is also required. [79] Pub. L. No. 107-347, 116 Stat. 2899, 2946 (2002). [80] Government agencies have an obligation under the Privacy Act of 1974 (5 U.S.C. § 552a) and the E-Government Act (E-Gov Act) of 2002 (Pub. L. No. 107-347, 116 Stat. 2899 (2002)) to protect the privacy of individuals about whom they collect personal information. [81] As used in this report, personally identifiable information is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mothers' maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. [82] See 5 U.S.C. § 552a(e)(4), (e)(11). [83] Office of Management and Budget, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, OMB memorandum M-07-16, (Washington, D.C., May 22, 2007). Specifically, OMB guidelines state that agencies review and reduce the volume of personally identifiable information. Agencies are required to review their current holdings of all personally identifiable information and ensure, to the maximum extent practicable, such holdings are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the proper performance of a documented agency function. OMB also mandates the reduction of the use of Social Security numbers. [84] GAO, Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions, [hyperlink, http://www.gao.gov/products/GAO-08-603] (Washington, D.C.: May 30, 2008). [85] Privacy Act of 1974, 5 U.S.C. § 552a, as amended. [86] OMB, Protection of Sensitive Agency Information, Memorandum M-06- 16 (June 23, 2006). [87] The active contracts population consisted of 309 contracts and interagency acquisitions obligated since October 1, 2006, and active as September 30, 2009. The closed contracts population consisted of 233 contracts and interagency acquisitions obligated since October 1, 2006, and closed in fiscal year 2009 (between October 1, 2008, and September 30, 2009). [88] GAO, Grant Monitoring: Department of Education Could Improve Its Processes with Greater Focus on Assessing Risks, Acquiring Financial Skills, and Sharing Information, [hyperlink, http://www.gao.gov/products/GAO-10-57] (Washington, D.C.: Nov. 19, 2009). [89] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [90] FSA followed the United States Chief Financial Officers Council's Implementation Guide for OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A, Internal Control over Financial Reporting to select samples. [91] A major investment is defined in OMB Circular A-11 as a financial management investment obligating more than $500,000 annually. Additionally, such an investment may be a system or acquisition requiring special management attention because of its importance to the mission or function of the agency, a component of the agency, or another organization. OMB, Preparation, Submission, and Execution of the Budget, Circular A-11 (Washington, D.C., July 21, 2010). [92] Selection refers to a process when the organization identifies and analyzes each project's risks and returns before committing significant funds to any project and selects those IT projects that will best support its mission needs. Control refers to the process of ensuring that projects meet mission needs at the expected levels of cost and risk as they are implemented. Evaluation refers to the process that takes place after a project has been fully implemented where the organization compares the actual versus expected results. GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, [hyperlink, http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 2004). [93] Information Technology Program Services has other responsibilities in addition to the capital planning and investment control processes performed by the Investment and Acquisition Management Team. For example, the Project Management Team provides a single point of access to department principal offices for coordinating the provision of IT services and capabilities and the Development Services Team manages the web-based applications that support and enhance the agency's online business processes. The Director of Information Technology Program Services reports to the Chief Information Officer. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: