Review of the Department's Information Technology Shadow Investments.

Published by the Department of Education, Office of Inspector General on 2004-10-27.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                        OFFICE OF THE INSPECTOR GENERAL



To:               William J. Leidinger
                  Assistant Secretary for Management and
                  Chief Information Officer

From:             John P. Higgins, Jr.
                  Inspector General

Subject:          Review of the Department’s Information Technology Shadow
                  Investments (ED/OIG I13E0023)

In June, the OIG Inspection and Evaluation group began a study of the
Department’s “shadow IT investments” process, i.e., IT projects that were not
currently part of the Department’s capital planning process.1 The study was
intended to identify the scope (number and dollar amount) of these investments,
the kinds of activities supported by these investments; and to determine the
Department’s processes and procedures for review and approval. As the
inspection staff moved forward with their study, it became apparent that OCIO’s
IT Investment Management staff and OCFO were also gathering information on
these projects.

The results of the OCFO and ITIM inquiry were discussed at the September 29,
2004 IRB meeting. At that meeting, the ITIM staff stated they had identified 249
potential shadow investments that totaled $33.9M. ITIM staff stated they had
reviewed 201 of the identified projects and now had included 42 of the projects
totaling $15.32M in the Department’s Line of Business Enterprise Architecture.
Additionally, they stated that they had drafted and were circulating a consistent
definition of “IT” for the purpose of tracking and appropriately managing the
Department’s IT portfolio. Because of the work undertaken by these two offices,
we refocused our inquiries solely on the issue of Department processes and
procedures for approving IT shadow investments

OCIO provided the list of projects presented to the IRB to the OIG’s Evaluation
and Inspection group for review. As part of this review, my staff spoke to

 OCIO describes shadow IT investments as IT systems that are not part of the Department’s
capital planning process, Enterprise Architecture, or Information Assurance.

OCIO further identified these investments by stating that they are funded by program dollars (not
identified with IT) and they may be housed and maintained at a contractor’s site.
                             400 MARYLAND AVE., SW., WASHINGTON, DC 20202-1510

      Our mission is to ensure equal access to education and to promote educational excellence throughout the Nation.
                                                                   ED/OIG I13E0023

Executive Officers and program managers throughout the Department who
provided input into what appeared on the list. They found that the executive
offices that did not have members on the Planning and Investment Review
Working Group (PIRWG) did not have a basic understanding of the Department’s
ITIM process. Given this lack of understanding, and the scope and size of the IT
investments identified, we suggest that to complete this process, OCIO address
the following three issues:

   1. While the ITIM staff has drafted a directive defining what is an IT
      investment, they may want to take another look at their definitions before
      proceeding farther. The Department may be unnecessarily expanding the
      scope and complexity of what it is requiring to be reviewed. The Clinger-
      Cohen Act defines IT to include computers, ancillary equipment software,
      firmware and similar procedures, services (including support services),
      and related resources. According to Clinger-Cohen, IT does not include
      any equipment that is acquired by a federal contractor incidental to a
      federal contract. However, according to OCIO, the Department’s revised
      definition will include IT investments residing at a contractor site. This
      seems to be adding unnecessary complexity to the process.
   2. OCIO needs to clearly identify, in a written policy, the roles and
      responsibilities of all parties in this process, including the executive
      officers and component level project managers. Once the policy is issued,
      OCIO needs to engage in outreach to ensure that everyone who has a
      role to play in this process understands his or her responsibilities.
   3. Additional training and support materials need to be made available for all
      participants. Up until this point, training has focused almost exclusively on
      the project managers for the major IT investments. If the definition of who
      needs to complete a business case is expanded, the training must be
      expanded to include them. ITIM should also enhance the support
      materials available to those involved in the investment review process.
      The E & I staff looked for best practices in government that the ITIM team
      could emulate. HUD’s ITIM process guide provides an IT investment
      selection process that includes providing IT managers, principal staff, and
      other key stakeholders with training in IT initiative documentation and
      sound project management practices. The training includes project
      documentation requirements and standards that provide specific IT
      investment information for OCIO to screen projects.

I commend the initiative of the OCIO and OCFO staff in pursuing this issue. If
you agree with our suggestions for completing this process, please advise us of
the specific additional actions that you will be undertaking.