OFFICE OF INSPECTOR GENERAL Report of Inspection Information Technology Equipment Acquisition I-12-01 Auditor in Charge Veronica McCain Issued August 17, 2012 FARM CREDIT ADMINISTRATION Farm Credit Administration Office of Inspector General 1501 Farm Credit Drive McLean, Virginia 22102-5090 August 17, 2012 The Honorable Leland A. Strom, Chairman and Chief Executive Officer The Honorable Kenneth A. Spearman, Board Member The Honorable Jill Long Thompson, Board Member Farm Credit Administration 1501 Farm Credit Drive McLean, Virginia 22102-5090 Dear Chairman Strom and FCA Board Members Spearman and Long Thompson: The Office of the Inspector General completed an inspection of the Information Technology (IT) Equipment Acquisition process at the FCA. The objective of this inspection was to determine whether the Agency’s acquisition process for IT equipment is being appropriately planned and administered. We determined that the IT equipment acquisition process was effective in determining the best and most cost-effective IT equipment needed for the Agency’s operations. Nevertheless, we identified areas where improvements can be made to increase transparency, accountability, and efficiency. Since management concurred with all four of our recommendations, we converted them to agreed-upon actions. We appreciate the courtesies and professionalism extended to OIG staff by Office of Management Services personnel. If you have any questions about this inspection, I would be pleased to meet with you at your convenience. Respectfully, Carl A. Clinefelter Inspector General Enclosure Office of Inspector General Information Technology Equipment Acquisition Issued August 17, 2012 Inspection Report 12-01 Table of Contents IT Equipment Acquisition Inspection Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Inspection Objective & Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Overall Conclusions & Areas Needing Improvement . . . . . . . . . . . . . . . . . . . . . . . 3 IT Acquisition Directives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Information Resources Management Plan Process . . . . . . . . . . . . . . . . . . . . . . . . 5 Laptop Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Conclusion on the Laptop Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Agreed-Upon Actions/Laptop Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . 8 Laptop Vendor Selection Process & Agreed-Upon Action . . . . . . . . . . . . . . . . . . . 9 Network Copier/Printer Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Network Copier/Printer Vendor Selection Process . . . . . . . . . . . . . . . . . . . . . . . . . 12 Mobile Device Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Mobile Device Vendor . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Consistency in IT Equipment Acquisition Processes . . . . . . . . . . . . . . . . . . . . . . . 16 Agreed-Upon Action/Consistency in IT Equipment Acquisition Processes . . . . . . . 17 Vendor Payment Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Recent Improvements to Vendor Payment Controls . . . . . . . . . . . . . . . . . . . . . . . . 19 Report I-12-01 Information Technology Equipment Acquisition Background In November 2011, the OIG issued an audit report on FCA’s Contracting Activities. The objective of the audit was to determine whether FCA’s contracting environment was efficient and effective in acquiring products and services of the best value to FCA. Toward the end of the audit on Contracting Activities, a cursory review of the Agency’s acquisition of information technology (IT) equipment was completed. The review was limited to reviewing the 2007 laptop and 2010 Blackberry contracts. As a follow-on to that cursory review of IT equipment acquisition, the OIG decided to more fully review the most recent purchases of laptops, network copiers/printers, and mobile devices. Report I-12-01 Information Technology Equipment Acquisition 1 Inspection Objective & Scope The objective was to determine whether the Agency’s acquisition process for IT equipment is being appropriately planned and administered. The scope of the inspection was focused on reviewing the most recent purchases of laptops, network printers/copiers, and mobile devices. IT equipment reviewed included the following: IT Contract Award Quantity Equipment Number Date Purchased Amount Laptops 11-FCA-601-027 11/29/10 400 $827,682 Network Copiers/Printers 11-FCA-601-055 9/30/11 10 $130,910 Mobile Devices (iPhones) 11-FCA-601-031 9/27/11 203 $40,597 The inspection was conducted from May 2012 - July 2012. The inspection was conducted in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency. Report I-12-01 Information Technology Equipment Acquisition 2 Overall Conclusions & Areas Needing Improvement The IT equipment acquisition process was effective in determining the best and most cost-effective IT equipment needed for the Agency’s operations. The CIO and OMS Technologists were diligent in conducting research and evaluating IT equipment options. IT equipment contracts were adequately competed. Vendor payment controls were sufficient. Overall IT equipment purchase processes are similar; however, specific procedures used during the process can vary for each IT equipment purchase. Our review of these procedures showed the following improvements were needed: 1. The laptop rating numbers need to be clearly defined. 2. Laptop evaluation committee members need to be involved in the entire evaluation and laptop recommendation process. 3. All staff involved in the model and vendor selection process need to sign a statement indicating there is no personal conflict of interest. 4. IT acquisition procedures need to be reviewed to identify methods that can be consistently applied to all IT equipment purchases. Report I-12-01 Information Technology Equipment Acquisition 3 IT Acquisition Directives The Agency’s policies and procedures for IT equipment acquisitions are outlined in the following directives: Office of Management Services (OMS) Directive 4, Duties of the Information Resources Management Operations Committee, sets forth the committee’s organization and the committee members’ duties. OMS Directive 5, Technology Project and Purchase Request, establishes procedures to have a project or purchase considered by the Information Resources Management Operations Committee. FCA Standardized IT Equipment List - FY 2011 Price List is a standardized list of IT equipment that has been tested and found compliant for use at FCA, and incudes IT equipment lifecycles. OMS Administrative Directive 4, Contract Desk Manual, provides implementing direction regarding the Agency’s policies and procedures for contracts. Report I-12-01 Information Technology Equipment Acquisition 4 Information Resources Management Plan Process The Information Resources Management Operations Committee (IRMOC), chaired by the Chief Information Officer (CIO), oversees the Agency’s IT equipment acquisitions. The IRMOC annually develops a five-year Information Resources Management (IRM) plan that addresses and implements the Agency’s IT needs. The IRM planning process is as follows: 1. In April of each year, the IRMOC conducts the IRM data call asking offices to submit their IT projects and equipment request. 2. Offices submit new IT projects, any updates to ongoing IT projects, and IT equipment needs for the next five years. 3. IRMOC reviews IRM data call information and prioritizes the projects for the next year. For new IT purchases, cost data is inputted into the IRM budget for up to five years. 4. After the IT data is reviewed, the IRM plan is updated and approved by IRMOC. 5. Once approved by IRMOC, the IRM Plan is submitted to the Chief Operating Officer for review and approval. Report I-12-01 Information Technology Equipment Acquisition 5 Laptop Acquisition Process The Agency has established a three-year life cycle for laptops, based on laptops reaching the end of their serviceability and due to advances in technology. Approximately a year prior to the lifecycle ending, the Agency begins the process for purchasing new laptops. The laptop acquisition process is as follows: 1. An evaluation committee is formed with a representative(s) from each office. 2. Committee members canvas their offices for input on laptop preferences. 3. Based on Agency staff preferences and technology requirements, the OCIO Technology Team conducts market research to identify potential laptop models. 4. Potential laptops are brought in-house for a hands-on evaluation by committee members. 5. Laptops are rated in various areas by committee members. 6. The committee’s evaluation results are computed to overall average ratings. 7. The top rated laptop models are further evaluated by the OMS Technology Team. 8. The OMS Technology Team analyzes additional information on the top rated laptops and details the results in a report to the CIO and the IRMOC. The report includes the recommended laptop to be purchased. 9. IRMOC reviews and considers for approval the recommended laptop. 10. After approval by IRMOC, the Board is briefed on the laptop replacement process and decision. Report I-12-01 Information Technology Equipment Acquisition 6 Conclusion on the Laptop Acquisition Process The most significant part of the laptop acquisition process is the laptop evaluation process. This process determines the specific laptop model the Agency will purchase. The laptop evaluation process could be improved in the following areas: ■ For the hands-on laptop testing, evaluation committee members use a standard form to rate laptops in various areas. The form states each area should be rated on a scale of 1 to 5 with 5 being the best. To ensure committee members’ interpretations of the ratings are consistent, all the rating numbers should be clearly defined. For example, what precisely does a“1” rating mean and so on. ■ After this initial rating by evaluation committee members, the OMS Technology Team completes a further analysis of top rated laptops and makes the laptop model recommendation to IRMOC. The laptop evaluation process could be strengthened by including the evaluation committee members in the entire process. This is favorable because it: allows committee members to discuss the bases for their ratings; provides opportunities for committee members to share insight and knowledge on factors other members may not be aware of; and ensures a more objective Agency-wide consensus on the final recommendation to IRMOC. Report I-12-01 Information Technology Equipment Acquisition 7 Agreed-Upon Actions/Laptop Evaluation Process Agreed-Upon Action 1: The Chief Information Officer will clearly define all rating numbers on the laptop evaluation form. Agreed-Upon Action 2: The Chief Information Officer will include evaluation committee members in the entire evaluation and laptop recommendation process, including making the final laptop model recommendation to IRMOC. Report I-12-01 Information Technology Equipment Acquisition 8 Laptop Vendor Selection Process & Agreed-Upon Action Once the decision is made on the recommended laptop model, the contracting office selects the vendor from whom to purchases the laptops. The process is as follows: ■ Request for bids are posted on an on-line procurement site. For the FY 2011 laptop acquisition, five vendors provided bids. The contracting office reviewed the bids. The vendor selected was based on the following: lowest bid, performance history with the Agency, ability to meet the Agency’s configuration requirements, and recommendation from the CIO and OMS Technologists. Because staff are involved in the laptop selection process, there is a risk they could disclose sensitive procurement information and/or have a personal interest in vendors providing bids. Agreed-Upon Action 3: The Director of the Office of Management Services will require all Agency staff who are involved in the model and vendor selection process sign a statement indicating they have no potential conflict-of-interest in the process. Report I-12-01 Information Technology Equipment Acquisition 9 Network Copier/Printer Acquisition Process The Agency has established a four-year life cycle for network copiers/printers, based on network copiers/printers reaching the end of the serviceability and due to technology advances. Approximately six months prior to the lifecycle timeframe ending, the Agency begins the acquisition process for the next purchase of copiers/printers. Agency users expressed the need for color copying. In response, for the FY 2011 network copier/printer purchase, the OMS Technologists completed an analysis outlining the pros/cons of converting to a color copier/printer for each office. ■ Prior to this FY 2011 network copier/printer purchase, each office had a black/white network copier/printer. Large volume color print jobs were accomplished using a centralized color printer located within OMS. ■ The analysis of transitioning to network color copier/printers included a summary of the efficiencies and cost differences of converting to a color copier/printer format versus black/white for each office. Based on the analysis, the OMS Director decided the Agency would purchase color copiers/printers for each office. Report I-12-01 Information Technology Equipment Acquisition 10 Network Copier/Printer Acquisition Process (con’t) Following this decision to transition to color network copiers/printers, the acquisition process for color copiers/printers was as follows: 1. The offices’ administrative personnel and other identified high volume users were surveyed to determine copier/printer preferences. Based on staff preferences and technology requirements, market research was conducted to identify potential copier/printer models. 2. An evaluation committee visited local copier/printer showrooms and evaluated potential models. The evaluation committee consisted of OMS staff whose duties include overseeing the Agency’s copier/printer and duplicating services. 3. For models evaluated, a more in-depth technical analysis was completed on copiers/printers capabilities and technical support. 4. The CIO then sent a decision memo to the OMS Director outlining the pro/cons of copiers/printers reviewed and recommending the type of copier/printer the Agency should purchase. 5. The OMS Director approved the recommendation on the copier/printer model most suitable for FCA. Conclusion/Agreed-Upon Action - Refer to slides16 and 17 which discuss bringing more consistency to all IT equipment acquisition processes. Report I-12-01 Information Technology Equipment Acquisition 11 Network Copier/Printer Vendor Selection Process Once the decision was made on the network color copier/printer model, the contracting office selects the vendor from whom to purchase the network copiers/printers. The process to select the vendor was as follows: 1. Request for bids was posted on an on-line procurement site. 2. For the FY 2011 network color copier/printer requisition, the Agency received one bid. This vendor was selected. 3. The vendor’s price was considered fair and reasonable based on the company being listed on the GSA Schedule. Report I-12-01 Information Technology Equipment Acquisition 12 Mobile Device Acquisition Process The Agency has established a 2-year lifecycle for mobile devices, based on equipment obsolescence and due to advances in technology. Toward the end of the mobile devices lifecycle, the Agency begins the acquisition process for the next mobile device purchase. For mobile devices, the acquisition process was conducted by the IRMOC. IRMOC’s acquisition strategy is focused on determining the mobile device that best fits the Agency’s needs, increases productivity/efficiencies, and that could be leveraged with future technology acquisitions. As part of the mobile device acquisition strategy, the CIO conducted a hands-on test of the iPhones approximately a year prior to the mobile device acquisition process. The iPhone was tested by the OMS Director, CIO, the Applications Team Supervisor, and an additional OMS staff person. The testing and review was completed to assess the iPhone’s security features and to evaluate whether the iPhone’s applications could improve the Agency’s operations. Report I-12-01 Information Technology Equipment Acquisition 13 Mobile Device Acquisition Process (con’t) The mobile device (iPhone) acquisition process was as follows: 1. Through market research, the IRMOC identified the three major types of mobile devices in the marketplace that would best meet the Agency’s needs. 2. An evaluation was completed on these three mobile device models. Information used for the evaluation included: technology publications, Gartner on-line research, visiting vendors’ websites, and IRMOC’s knowledge of mobile devices. 3. A decision memorandum from IRMOC was forwarded to the OMS Director outlining the pro/cons of mobile device models. The decision memo included IRMOC’s recommendation on the type of mobile device the Agency should purchase. Each IRMOC member signed the decision memo signifying they were in agreement with the final decision. 4. The OMS Director approved the mobile device recommendation. 5. The Chief Executive Officer (CEO) was briefed on the mobile device decision. The CEO also approved the decision. Conclusion/Agreed-Upon Action - Refer to slides16 and 17 which discuss bringing more consistency to all IT equipment acquisition processes. Report I-12-01 Information Technology Equipment Acquisition 14 Mobile Device Vendor Once the decision was made on the particular mobile device to be acquired, the contracting office purchased the mobile device (iPhone). For the FY 2011 mobile device (iPhone) purchase, the contracting office contacted the Agency’s telecommunication service provider and requested an upgrade from Blackberries to iPhones. The Agency’s telecommunication service provider is listed on the GSA Federal Supply Schedule. Report I-12-01 Information Technology Equipment Acquisition 15 Consistency in IT Equipment Acquisition Processes Although the overall process for the IT equipment acquisitions reviewed is generally the same, our inspection showed the methods used to complete the process varied. For example: ■ The laptop evaluation committee’s review included each committee member performing individual ratings on behalf of their offices using a standard form and rating scale to evaluate laptops. ■ However, the network copiers/printers evaluation committee members do not perform individual ratings and there is no standard form or rating scale used to evaluate each network copiers/printer model. ■ For the mobile device’s (iPhones) acquisition, the decision memo is signed by each IRMOC member stating they are in agreement with the mobile device decision. ■ However, for the laptop and network copiers/printers acquisition the evaluation committee members do not sign the report/decision memo stating they were in agreement with the recommendation. In addition, there is no signed documentation by IRMOC showing they approved the final decision. Report I-12-01 Information Technology Equipment Acquisition 16 Agreed-Upon Action/Consistency in IT Equipment Acquisition Processes Agreed-Upon Action 4: The Chief Information Officer will evaluate all IT equipment acquisition processes and identify methods that can be universally applied for all IT equipment purchases as appropriate. Report I-12-01 Information Technology Equipment Acquisition 17 Vendor Payment Controls For all IT equipment reviewed, the overall vendor payment process was similar. Requisitions were submitted by the OMS Technologists for equipment purchases. The requisitions contained all pertinent information and were appropriately approved. Vendors doing business with the Agency were registered on the Central Contractor Registration (CCR) list. The CCR is maintained by the General Service Administration and serves as the primary vendor database for the U.S. Federal Government. The CCR collects, validates, stores and disseminates data in support of agency acquisitions. The Bureau of Public Debt ensures vendors are registered in the CCR before making payments. A contracting officer’s representative (COR) was assigned to each contract. The CORs were all OMS Technology Team staff. The COR’s responsibilities included reviewing invoice costs, verifying that goods have been received, and approving invoices for payment. Report I-12-01 Information Technology Equipment Acquisition 18 Recent Improvements to Vendor Payment Controls As of May 2012, the OMS Director modified the controls in the procurement function as follows: ■ The Application Team has set up a SharePoint site to hold all requisitions that are processed in OMS. Prior to requisitions being forwarded to the contracting office, they must go through the OMS Director’s office for SharePoint input. Monthly, the finance team reconciles obligations against the SharePoint library for purchase orders and contracts. ■ OMS staff who have purchasing authority are not authorized to approve requisitions where they have control over the procurement action. ■ Only Finance Team members will be allowed to add vendors to the Agency’s procurement system. ■ The contract manual will be revised to establish specific circumstances under which the contracting office will approve the use of credit card purchases over the micro purchase threshold of $3,000. Conclusion - Overall the vendor payment controls were adequate to ensure vendors payments were appropriately processed. Report I-12-01 Information Technology Equipment Acquisition 19
Information Technology Equipment Acquisition
Published by the Farm Credit Administration, Office of Inspector General on 2012-08-17.
Below is a raw (and likely hideous) rendition of the original report. (PDF)