oversight

Information Technology Equipment Acquisition

Published by the Farm Credit Administration, Office of Inspector General on 2012-08-17.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

OFFICE OF
INSPECTOR GENERAL   Report of Inspection
                    Information Technology
                     Equipment Acquisition

                            I-12-01

                        Auditor in Charge
                        Veronica McCain

                     Issued August 17, 2012




                    FARM CREDIT ADMINISTRATION
Farm Credit Administration	                    Office of Inspector General
                                               1501 Farm Credit Drive
                                               McLean, Virginia 22102-5090




August 17, 2012


The Honorable Leland A. Strom, Chairman and Chief Executive Officer
The Honorable Kenneth A. Spearman, Board Member
The Honorable Jill Long Thompson, Board Member
Farm Credit Administration
1501 Farm Credit Drive
McLean, Virginia 22102-5090

Dear Chairman Strom and FCA Board Members Spearman and Long Thompson:

The Office of the Inspector General completed an inspection of the Information
Technology (IT) Equipment Acquisition process at the FCA. The objective of this
inspection was to determine whether the Agency’s acquisition process for IT
equipment is being appropriately planned and administered.

We determined that the IT equipment acquisition process was effective in
determining the best and most cost-effective IT equipment needed for the Agency’s
operations. Nevertheless, we identified areas where improvements can be made to
increase transparency, accountability, and efficiency. Since management
concurred with all four of our recommendations, we converted them to agreed-upon
actions.

We appreciate the courtesies and professionalism extended to OIG staff by Office
of Management Services personnel. If you have any questions about this
inspection, I would be pleased to meet with you at your convenience.

Respectfully,



Carl A. Clinefelter
Inspector General

Enclosure
    Office of Inspector General 





Information Technology Equipment Acquisition

              Issued August 17, 2012


                                       Inspection Report 12-01

                      Table of Contents

              IT Equipment Acquisition Inspection


Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .    1

Inspection Objective & Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .              2

Overall Conclusions & Areas Needing Improvement . . . . . . . . . . . . . . . . . . . . . . .                              3

IT Acquisition Directives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .        4

Information Resources Management Plan Process . . . . . . . . . . . . . . . . . . . . . . . .                              5

Laptop Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .           6

Conclusion on the Laptop Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . . . .                       7

Agreed-Upon Actions/Laptop Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . .                           8

Laptop Vendor Selection Process & Agreed-Upon Action . . . . . . . . . . . . . . . . . . .                                 9

Network Copier/Printer Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                    10

Network Copier/Printer Vendor Selection Process . . . . . . . . . . . . . . . . . . . . . . . . .                         12

Mobile Device Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .               13

Mobile Device Vendor . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .         15

Consistency in IT Equipment Acquisition Processes . . . . . . . . . . . . . . . . . . . . . . .                           16

Agreed-Upon Action/Consistency in IT Equipment Acquisition Processes . . . . . . .                                        17

Vendor Payment Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .           18

Recent Improvements to Vendor Payment Controls . . . . . . . . . . . . . . . . . . . . . . . .                            19



                                 Report I-12-01 Information Technology Equipment Acquisition
                                      Background


   In November 2011, the OIG issued an audit report on FCA’s Contracting
    Activities. The objective of the audit was to determine whether FCA’s
    contracting environment was efficient and effective in acquiring products and
    services of the best value to FCA.
   Toward the end of the audit on Contracting Activities, a cursory review of the
    Agency’s acquisition of information technology (IT) equipment was completed.
    The review was limited to reviewing the 2007 laptop and 2010 Blackberry
    contracts.
   As a follow-on to that cursory review of IT equipment acquisition, the OIG
    decided to more fully review the most recent purchases of laptops, network
    copiers/printers, and mobile devices.




                         Report I-12-01 Information Technology Equipment Acquisition   1
                       Inspection Objective & Scope


   The objective was to determine whether the Agency’s acquisition process for IT equipment
    is being appropriately planned and administered.
   The scope of the inspection was focused on reviewing the most recent purchases of
    laptops, network printers/copiers, and mobile devices. IT equipment reviewed included the
    following:

              IT                        Contract                   Award            Quantity
           Equipment                    Number                      Date           Purchased   Amount
    Laptops                    11-FCA-601-027                     11/29/10               400   $827,682

    Network Copiers/Printers   11-FCA-601-055                      9/30/11               10    $130,910

    Mobile Devices (iPhones)   11-FCA-601-031                      9/27/11               203   $40,597


   The inspection was conducted from May 2012 - July 2012.

   The inspection was conducted in accordance with the Quality Standards for Inspection and
    Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency.



                           Report I-12-01 Information Technology Equipment Acquisition                    2
     Overall Conclusions & Areas Needing Improvement



   The IT equipment acquisition process was effective in determining the best and most
    cost-effective IT equipment needed for the Agency’s operations.
   The CIO and OMS Technologists were diligent in conducting research and evaluating IT
    equipment options.
   IT equipment contracts were adequately competed.
   Vendor payment controls were sufficient.
   Overall IT equipment purchase processes are similar; however, specific procedures used
    during the process can vary for each IT equipment purchase.
         Our review of these procedures showed the following improvements were needed:
            1.	 The laptop rating numbers need to be clearly defined.
            2.	 Laptop evaluation committee members need to be involved in the entire
                evaluation and laptop recommendation process.
            3.	 All staff involved in the model and vendor selection process need to sign a
                statement indicating there is no personal conflict of interest.
            4.	 IT acquisition procedures need to be reviewed to identify methods that can be
                consistently applied to all IT equipment purchases.

                       Report I-12-01 Information Technology Equipment Acquisition              3
                        IT Acquisition Directives 



The Agency’s policies and procedures for IT equipment acquisitions are outlined in the following
directives:

   Office of Management Services (OMS) Directive 4, Duties of the Information Resources
    Management Operations Committee, sets forth the committee’s organization and the
    committee members’ duties.

   OMS Directive 5, Technology Project and Purchase Request, establishes procedures to
    have a project or purchase considered by the Information Resources Management
    Operations Committee.

   FCA Standardized IT Equipment List - FY 2011 Price List is a standardized list of IT
    equipment that has been tested and found compliant for use at FCA, and incudes IT
    equipment lifecycles.

   OMS Administrative Directive 4, Contract Desk Manual, provides implementing direction
    regarding the Agency’s policies and procedures for contracts.




                          Report I-12-01 Information Technology Equipment Acquisition              4
    Information Resources Management Plan Process

   The Information Resources Management Operations Committee (IRMOC), chaired by the Chief
    Information Officer (CIO), oversees the Agency’s IT equipment acquisitions. The IRMOC annually
    develops a five-year Information Resources Management (IRM) plan that addresses and
    implements the Agency’s IT needs.
   The IRM planning process is as follows:
     1.	   In April of each year, the IRMOC conducts the IRM data call asking offices to submit their IT
           projects and equipment request.
     2.	   Offices submit new IT projects, any updates to ongoing IT projects, and IT equipment needs
           for the next five years.
     3.	   IRMOC reviews IRM data call information and prioritizes the projects for the next year. For
           new IT purchases, cost data is inputted into the IRM budget for up to five years.
     4.	   After the IT data is reviewed, the IRM plan is updated and approved by IRMOC.
     5.	   Once approved by IRMOC, the IRM Plan is submitted to the Chief Operating Officer for review
           and approval.




                               Report I-12-01 Information Technology Equipment Acquisition               5
                     Laptop Acquisition Process


 The Agency has established a three-year life cycle for laptops, based on laptops reaching the
  end of their serviceability and due to advances in technology.
 Approximately a year prior to the lifecycle ending, the Agency begins the process for
  purchasing new laptops.
 The laptop acquisition process is as follows:
    1.	 An evaluation committee is formed with a representative(s) from each office.
    2.	 Committee members canvas their offices for input on laptop preferences.
    3.	 Based on Agency staff preferences and technology requirements, the OCIO Technology
        Team conducts market research to identify potential laptop models.
    4.	 Potential laptops are brought in-house for a hands-on evaluation by committee members.
    5.	 Laptops are rated in various areas by committee members.
    6.	 The committee’s evaluation results are computed to overall average ratings.
    7.	 The top rated laptop models are further evaluated by the OMS Technology Team.
    8.	 The OMS Technology Team analyzes additional information on the top rated laptops and
        details the results in a report to the CIO and the IRMOC. The report includes the
        recommended laptop to be purchased.
    9.	 IRMOC reviews and considers for approval the recommended laptop.
   10.	 After approval by IRMOC, the Board is briefed on the laptop replacement process and
        decision.

                         Report I-12-01 Information Technology Equipment Acquisition          6
    Conclusion on the Laptop Acquisition Process 


   The most significant part of the laptop acquisition process is the laptop evaluation process. This
    process determines the specific laptop model the Agency will purchase. The laptop evaluation
    process could be improved in the following areas:

    ■	 For the hands-on laptop testing, evaluation committee members use a standard form to rate
       laptops in various areas. The form states each area should be rated on a scale of 1 to 5 with
       5 being the best. To ensure committee members’ interpretations of the ratings are
       consistent, all the rating numbers should be clearly defined. For example, what precisely
       does a“1” rating mean and so on.

    ■	 After this initial rating by evaluation committee members, the OMS Technology Team
       completes a further analysis of top rated laptops and makes the laptop model
       recommendation to IRMOC. The laptop evaluation process could be strengthened by
       including the evaluation committee members in the entire process. This is favorable because
       it:

        allows committee members to discuss the bases for their ratings;

        provides opportunities for committee members to share insight and knowledge on factors
          other members may not be aware of; and

        ensures a more objective Agency-wide consensus on the final recommendation to IRMOC.

                              Report I-12-01 Information Technology Equipment Acquisition           7
 Agreed-Upon Actions/Laptop Evaluation Process 


Agreed-Upon Action 1:
The Chief Information Officer will clearly define all rating numbers on the laptop
evaluation form.


Agreed-Upon Action 2:
The Chief Information Officer will include evaluation committee members in the
entire evaluation and laptop recommendation process, including making the final
laptop model recommendation to IRMOC.




                       Report I-12-01 Information Technology Equipment Acquisition   8
Laptop Vendor Selection Process & Agreed-Upon Action 


   Once the decision is made on the recommended laptop model, the contracting office selects the
    vendor from whom to purchases the laptops.
   The process is as follows:
      ■	 Request for bids are posted on an on-line procurement site. For the FY 2011 laptop
          acquisition, five vendors provided bids. The contracting office reviewed the bids. The
          vendor selected was based on the following:
             lowest bid,
             performance history with the Agency,
             ability to meet the Agency’s configuration requirements, and
             recommendation from the CIO and OMS Technologists.
   Because staff are involved in the laptop selection process, there is a risk they could disclose
    sensitive procurement information and/or have a personal interest in vendors providing bids.

Agreed-Upon Action 3:

The Director of the Office of Management Services will require all Agency staff who are 

involved in the model and vendor selection process sign a statement indicating they

have no potential conflict-of-interest in the process. 



                            Report I-12-01 Information Technology Equipment Acquisition               9
    Network Copier/Printer Acquisition Process



   The Agency has established a four-year life cycle for network copiers/printers, based on
    network copiers/printers reaching the end of the serviceability and due to technology
    advances.

   Approximately six months prior to the lifecycle timeframe ending, the Agency begins the
    acquisition process for the next purchase of copiers/printers.

   Agency users expressed the need for color copying. In response, for the FY 2011 network
    copier/printer purchase, the OMS Technologists completed an analysis outlining the
    pros/cons of converting to a color copier/printer for each office.

     ■	   Prior to this FY 2011 network copier/printer purchase, each office had a black/white
          network copier/printer. Large volume color print jobs were accomplished using a
          centralized color printer located within OMS.

     ■	   The analysis of transitioning to network color copier/printers included a summary of the
          efficiencies and cost differences of converting to a color copier/printer format versus
          black/white for each office.

   Based on the analysis, the OMS Director decided the Agency would purchase color
    copiers/printers for each office.

                            Report I-12-01 Information Technology Equipment Acquisition          10
Network Copier/Printer Acquisition Process (con’t) 


     Following this decision to transition to color network copiers/printers, the acquisition process
      for color copiers/printers was as follows:

        1.	   The offices’ administrative personnel and other identified high volume users were
              surveyed to determine copier/printer preferences. Based on staff preferences and
              technology requirements, market research was conducted to identify potential
              copier/printer models.
        2.	   An evaluation committee visited local copier/printer showrooms and evaluated potential
              models. The evaluation committee consisted of OMS staff whose duties include
              overseeing the Agency’s copier/printer and duplicating services.
        3.	   For models evaluated, a more in-depth technical analysis was completed on
              copiers/printers capabilities and technical support.
        4.	   The CIO then sent a decision memo to the OMS Director outlining the pro/cons of
              copiers/printers reviewed and recommending the type of copier/printer the Agency
              should purchase.
        5.	   The OMS Director approved the recommendation on the copier/printer model most
              suitable for FCA.
     Conclusion/Agreed-Upon Action - Refer to slides16 and 17 which discuss bringing more
      consistency to all IT equipment acquisition processes.

                                Report I-12-01 Information Technology Equipment Acquisition          11
Network Copier/Printer Vendor Selection Process


   Once the decision was made on the network color copier/printer model, the contracting office
    selects the vendor from whom to purchase the network copiers/printers.

    The process to select the vendor was as follows:

     1.	   Request for bids was posted on an on-line procurement site.

     2.	   For the FY 2011 network color copier/printer requisition, the Agency received one bid.
           This vendor was selected.

     3.	   The vendor’s price was considered fair and reasonable based on the company being
           listed on the GSA Schedule.




                         Report I-12-01 Information Technology Equipment Acquisition            12
              Mobile Device Acquisition Process



   The Agency has established a 2-year lifecycle for mobile devices, based on equipment
    obsolescence and due to advances in technology.

   Toward the end of the mobile devices lifecycle, the Agency begins the acquisition process
    for the next mobile device purchase.

   For mobile devices, the acquisition process was conducted by the IRMOC.

   IRMOC’s acquisition strategy is focused on determining the mobile device that best fits the
    Agency’s needs, increases productivity/efficiencies, and that could be leveraged with future
    technology acquisitions.

   As part of the mobile device acquisition strategy, the CIO conducted a hands-on test of the
    iPhones approximately a year prior to the mobile device acquisition process. The iPhone
    was tested by the OMS Director, CIO, the Applications Team Supervisor, and an additional
    OMS staff person. The testing and review was completed to assess the iPhone’s security
    features and to evaluate whether the iPhone’s applications could improve the Agency’s
    operations.




                           Report I-12-01 Information Technology Equipment Acquisition          13
            Mobile Device Acquisition Process (con’t)


   The mobile device (iPhone) acquisition process was as follows:

      1.	   Through market research, the IRMOC identified the three major types of mobile devices in
            the marketplace that would best meet the Agency’s needs.

      2.	   An evaluation was completed on these three mobile device models. Information used for
            the evaluation included: technology publications, Gartner on-line research, visiting vendors’
            websites, and IRMOC’s knowledge of mobile devices.

      3.	   A decision memorandum from IRMOC was forwarded to the OMS Director outlining the
            pro/cons of mobile device models. The decision memo included IRMOC’s
            recommendation on the type of mobile device the Agency should purchase. Each IRMOC
            member signed the decision memo signifying they were in agreement with the final
            decision.

      4.	   The OMS Director approved the mobile device recommendation.

      5.	   The Chief Executive Officer (CEO) was briefed on the mobile device decision. The CEO
            also approved the decision.

   Conclusion/Agreed-Upon Action - Refer to slides16 and 17 which discuss bringing more
    consistency to all IT equipment acquisition processes.
                                 Report I-12-01 Information Technology Equipment Acquisition         14
                          Mobile Device Vendor 



   Once the decision was made on the particular mobile device to be acquired, the contracting
    office purchased the mobile device (iPhone).

   For the FY 2011 mobile device (iPhone) purchase, the contracting office contacted the
    Agency’s telecommunication service provider and requested an upgrade from Blackberries to
    iPhones.

   The Agency’s telecommunication service provider is listed on the GSA Federal Supply
    Schedule.




                          Report I-12-01 Information Technology Equipment Acquisition       15
Consistency in IT Equipment Acquisition Processes 


   Although the overall process for the IT equipment acquisitions reviewed is generally the same,
    our inspection showed the methods used to complete the process varied. For example:

      ■	   The laptop evaluation committee’s review included each committee member performing
           individual ratings on behalf of their offices using a standard form and rating scale to
           evaluate laptops.

      ■	   However, the network copiers/printers evaluation committee members do not perform
           individual ratings and there is no standard form or rating scale used to evaluate each
           network copiers/printer model.

      ■	   For the mobile device’s (iPhones) acquisition, the decision memo is signed by each IRMOC
           member stating they are in agreement with the mobile device decision.

      ■	   However, for the laptop and network copiers/printers acquisition the evaluation committee
           members do not sign the report/decision memo stating they were in agreement with the
           recommendation. In addition, there is no signed documentation by IRMOC showing they
           approved the final decision.




                               Report I-12-01 Information Technology Equipment Acquisition           16
Agreed-Upon Action/Consistency in IT Equipment Acquisition Processes





 Agreed-Upon Action 4:
 The Chief Information Officer will evaluate all IT equipment acquisition processes
 and identify methods that can be universally applied for all IT equipment
 purchases as appropriate.




                      Report I-12-01 Information Technology Equipment Acquisition   17
                          Vendor Payment Controls


   For all IT equipment reviewed, the overall vendor payment process was similar.

   Requisitions were submitted by the OMS Technologists for equipment purchases. The
    requisitions contained all pertinent information and were appropriately approved.

   Vendors doing business with the Agency were registered on the Central Contractor Registration
    (CCR) list. The CCR is maintained by the General Service Administration and serves as the
    primary vendor database for the U.S. Federal Government. The CCR collects, validates, stores
    and disseminates data in support of agency acquisitions. The Bureau of Public Debt ensures
    vendors are registered in the CCR before making payments.

   A contracting officer’s representative (COR) was assigned to each contract. The CORs were all
    OMS Technology Team staff. The COR’s responsibilities included reviewing invoice costs,
    verifying that goods have been received, and approving invoices for payment.




                             Report I-12-01 Information Technology Equipment Acquisition       18
Recent Improvements to Vendor Payment Controls 


   As of May 2012, the OMS Director modified the controls in the procurement function as follows:

      ■	 The Application Team has set up a SharePoint site to hold all requisitions that are
         processed in OMS. Prior to requisitions being forwarded to the contracting office, they
         must go through the OMS Director’s office for SharePoint input. Monthly, the finance
         team reconciles obligations against the SharePoint library for purchase orders and
         contracts.

      ■	 OMS staff who have purchasing authority are not authorized to approve requisitions
         where they have control over the procurement action.

      ■	 Only Finance Team members will be allowed to add vendors to the Agency’s procurement
         system.

      ■	 The contract manual will be revised to establish specific circumstances under which the
         contracting office will approve the use of credit card purchases over the micro purchase
         threshold of $3,000.

   Conclusion - Overall the vendor payment controls were adequate to ensure vendors payments
    were appropriately processed.


                               Report I-12-01 Information Technology Equipment Acquisition          19