OFFICE OF INSPECTOR GENERAL Audit Report The Farm Credit Administra on’s Risk Project A‐16‐01 Auditor‐in‐Charge Tori Kaufman Issued March 31, 2016 FARM CREDIT ADMINISTRATION Farm Credit Administration Office of Inspector General 1501 Farm Credit Drive McLean, Virginia 22102-5090 March 31, 2016 The Honorable Kenneth A. Spearman, Board Chairman The Honorable Dallas P. Tonsager, Board Member The Honorable Jeffery S. Hall, Board Member Farm Credit Administration 1501 Farm Credit Drive McLean, Virginia 22102-5090 Dear Board Chairman Spearman and FCA Board Members Tonsager and Hall: The Office of Inspector General (OIG) completed an audit of the Farm Credit Administration’s (FCA or Agency) Risk Project. The objective of the audit was to determine whether the Risk Project was planned and is being managed efficiently and effectively. The Risk Project was developed to evaluate and acquire tools to conduct risk and statistical analysis of the Farm Credit System and to enable users to create reports and dashboards for data-driven decision- making. FCA formed a workgroup for the project due to its Agency-wide impact. The Risk Project workgroup conducted a multi-phase evaluation to select business intelligence software for the Agency; however, challenges arose after tools were purchased. We identified opportunities to improve the Risk Project and future information technology (IT) investments. In response to our audit, the Office of Information Technology agreed to the following actions: 1. Add or modify current procedures for large IT investments to: · Designate a project manager and project management responsibilities; · Assess resources and determine whether consultants are needed for project planning and implementation; and · Establish guidelines for incremental investment. 2. Establish a control to ensure project management guidance is implemented for large IT investments. 3. Create an incremental project plan for the remainder of the Risk Project in coordination with the Risk Project workgroup. Include an assessment of required resources and tasks requiring consultants and evaluate other tools that may be incorporated to accomplish Risk Project goals and objectives. 4. Modify standard operating procedures to define levels of approval for large IT acquisitions and establish a control to ensure appropriate reviews and approvals are obtained. 5. Evaluate Risk Project software licenses before the next renewal period. We appreciate the courtesies and professionalism extended by FCA personnel to the OIG staff. If you have any questions about this audit, I would be pleased to meet with you at your convenience. Respectfully, Elizabeth M. Dean Inspector General Enclosure RESULTS The goals of the Risk Project are to evaluate and acquire The objective of this audit was to determine whether the Risk Project was planned tools that enable the Farm Credit Administration (FCA and is being managed efficiently and effectively. or Agency) to 1) conduct risk The Agency agreed to implement 5 agreed-upon actions to improve the Risk and statistical analysis of the Farm Credit System; and 2) Project and future large IT projects at the Agency: enable users to create reports and dashboards for 1. Add or modify current procedures for large IT investments to: FCA’s key datasets. To limit risks associated with large, · Designate a project manager and project management information technology (IT) responsibilities; projects, the Agency · Assess resources and determine whether consultants are needed established project for project planning and implementation; and management and · Establish guidelines for incremental investment. acquisition requirements. The Risk Project faced 2. Establish a control to ensure project management guidance is implemented unexpected outcomes that for large IT investments. affected project implementation. 3. Create an incremental project plan for the remainder of the Risk Project in coordination with the Risk Project workgroup. Include an assessment of Although all contingencies required resources and tasks requiring consultants and evaluate other tools cannot be anticipated, we that may be incorporated to accomplish Risk Project goals and objectives. identified improvements to ensure the Risk Project and 4. Modify standard operating procedures to define levels of approval for large future IT investments stay IT acquisitions and establish a control to ensure appropriate reviews and on track and meet the needs approvals are obtained. of the Agency. Areas for improvement include: 5. Evaluate Risk Project software licenses before the next renewal period. · Project planning and The Office of Information Technology agreed with the report and provided specific tracking tasks to be completed. These tasks included updating a directive and standard implementation, operating procedures, establishing controls to ensure large IT project requirements · Assessing resource are implemented, developing a project plan for the remainder of the Risk Project, needs, and documenting an evaluation of necessary software licenses. · Utilizing an incremental investment approach, · Acquisition documentation, and · Software licenses. Table of Contents BACKGROUND ______________________________________________________________________ 1 Prior Reviews______________________________________________________________________ 3 AUDIT RESULTS ______________________________________________________________________ 4 Project Management _______________________________________________________________ 4 Agreed-Upon Actions 1-3 ____________________________________________________________ 8 Acquisition________________________________________________________________________ 9 Agreed-Upon Action 4_______________________________________________________________ 9 Agreed-Upon Action 5______________________________________________________________ 10 OBJECTIVE, SCOPE, AND METHODOLOGY ________________________________________________ 11 ACRONYMS ________________________________________________________________________ 12 BACKGROUND The Farm Credit Administration (FCA or Agency) is an independent federal agency responsible for regulating, examining, and supervising the Farm Credit System (FCS or System) and the Federal Agricultural Mortgage Corporation. The core mission of the Agency is to ensure a safe, sound, and dependable source of credit and related services for agriculture and rural America. Technology products and services are integral to achieving this mission. Information technology (IT) supports each office’s diverse needs and business objectives. To ensure the success of IT investments, the Agency must keep pace with the rapid rate of innovation and evaluate new ways to improve business processes. FCA uses an Information Resources Management (IRM) planning process to prioritize and manage IT investments. The Information Resources Management Operations Committee (IRMOC) plays a key role in this process by providing an Agency-wide perspective on information resources. The IRMOC consists of the Chief Information Officer (CIO), eight members from different FCA offices, and one member from the Farm Credit System Insurance Corporation who are knowledgeable about the Agency’s operational needs. Projects are evaluated to focus resources in areas that yield the highest-value for strategic outcomes. A five-year IRM Plan is developed annually to address the Agency’s IT requirements. This audit focuses on the Risk Project, an IRM project that was developed in 2009 and continues through the present. The goals of the Risk Project are to evaluate and acquire tools that enable FCA to 1) conduct risk and statistical analysis of the FCS; and 2) enable users to create reports and dashboards for FCA’s key datasets. The project was identified as high priority for FY 2013. Analysis and data modeling play a critical role in FCA’s safety, soundness, and regulatory functions. The Risk Project was developed to enhance these capabilities. FCA’s strategic plan covers areas where enhanced analytical capabilities were targeted: · Enhancing the use of institution and system-wide loan data in examination and policymaking. · Promoting system-wide risk supervision that uses stress testing, research, and analysis to identify emerging systemic risks and provides proactive examination direction and policy guidance for internal and external use. · Supporting policy and regulatory positions with sound regulatory, economic, legal, and financial analysis. · Ensuring prompt, comprehensive information is provided to the FCA Board so it will be better able to make fully informed, arm’s length decisions. FCA evaluates and analyzes the System through two primary datasets from each financial institution, the Consolidated Reporting System (CRS) and FCSLoans, which is the loan database. CRS Call Reports include institutional financial information and key financial ratios on a quarterly basis. FCSLoans contains detailed information on accounts and exposures held by each institution. In addition to evaluating System and institutional risk, FCA management uses other databases to evaluate and monitor budget information, employee time, and examination oversight as follows: 1 •Balance sheet, income statement, key financial ratios Consolidated Reporting •Collected quarterly System •Detailed information on accounts and exposures FCSLoans •Collected quarterly •FCA budget allocations and expenses incurred Budget •Data on employee time by project and office Time Recording System •Examination category, topic, and procedures Enterprise Documentation •Plan information, work summaries, and findings and Guidance The Risk Project was a continuation of prior initiatives to improve risk analysis and data collection. In late 2006, the Office of Examination (OE) initiated a project to standardize loan data from System institutions and load it into a single database. The resulting loan database, FCSLoans, started operating in January 2010. The second phase of FCSLoans aimed at improving the format, efficiency, and accuracy of data collection. The Agency worked with the FCS Funding Corporation to develop an agreed-upon framework for expanding and improving data collection. The long term plan to further enhance analysis of loan data includes application of business intelligence tools. A primary component of the Risk Project is to evaluate and acquire a business intelligence tool for the Agency. Business intelligence refers to analytical software applications for querying and reporting with raw data. These tools provide timely, graphical information for data-driven decision-making. FCA formed a workgroup in 2012 in response to agency-wide interest in and impact of business intelligence tools. The workgroup consisted of representatives from OE, the Office of Regulatory Policy, the Office of Secondary Market Oversight, the Farm Credit System Insurance Corporation, and the Office of Management Services (OMS). The Applications Team in OMS was the project lead. At the beginning of FY 2016, the Applications Team was transitioned from OMS to the newly created Office of Information Technology (OIT). Business intelligence is a new endeavor for the Agency. The Risk Project workgroup conducted research to familiarize itself with capabilities of these new tools. The workgroup identified desired software features and developed rating criteria for product demonstrations. Nine product demonstrations were viewed and evaluated. Hands-on evaluations were conducted for the four top-rated products and cost quotes were provided. A final vote was taken for the top two products, and the workgroup’s selection was based on the tool with stronger analytic capabilities. The selection process was completed in September 2013 and the purchase was made the same month. Unexpected challenges arose during implementation of the Agency’s new business intelligence tool during 2014 and 2015. Developing reports and configuring data to work with the new tools was difficult and time consuming. In addition, the tools did not work as expected with the Agency’s data. To address 2 data issues and improve query and reporting speeds, the Agency decided to create a data mart. This endeavor further complicated project implementation. Without the resources or expertise, the Agency hired contractors to assist with the data mart and report development, but challenges continued. In August 2015, the Risk Project workgroup developed a strategy to advance the progress of the project. A plan was prepared to select two additional contractors for: · A scoping and discovery contract for assistance translating user requirements into specifications for a data architecture to achieve desired analytic capabilities. This included designing a detailed plan for a data solution for CRS and the loan database. This contract was awarded in September 2015. · A data mart contract for the development and implementation of the solution recommended in the scoping and discovery contract and knowledge transfer to maintain it. Prior Reviews OIG has conducted several reviews of FCA’s IT projects: · IT Equipment Acquisition (I-12-01, August 2012) - The objective of the inspection was to determine whether the acquisition process for IT equipment was being appropriately planned and administered. Improvements were identified to increase transparency, accountability, and efficiency. · IT Infrastructure Project Management (A-07-02, June 2008) - The objective of the audit was to determine whether the Agency was using sound project management practices to minimize risks associated with making significant changes to IT infrastructure. As a result of the audit, OMS agreed to develop a quality assurance process for IRM Plans that included verification of estimated project costs. · Project Management (I-04-02, September 2004) - The objective of the inspection was to compare FCA’s project management for the implementation of two financial systems to best practices. The inspection found many elements of sound project management were missing and the projects needed to be reevaluated and monitored more closely. · Loan Account Reporting System (LARS) (A-03-01, August 2003) - The objective of the audit was to determine whether LARS (a former loan database that is no longer used) was effectively utilized. The audit found LARS was not providing sufficient and efficient loan data and, as a result, was underutilized. Nine agreed-upon actions were included in the report to improve the quality of data in the system and ensure the system redesign was effective. The importance of IT project management has been emphasized by the Government Accountability Office (GAO). GAO included “Improving the Management of IT Acquisitions and Operations” in its high risk list for 2015 (GAO-15-260, February 2015). GAO’s report stated “…federal IT investments too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes.” GAO’s report further stated, “Failed IT projects often suffered from a lack of disciplined and effective management, such as project planning, requirements definition, and program oversight and 3 governance. In many instances, agencies have not consistently applied best practices that are critical to successfully acquiring IT investments.” AUDIT RESULTS Large-scale information technology (IT) projects with multiple steps and stakeholders present unique challenges. The Risk Project was designed to acquire tools to analyze key datasets. The project was jointly sponsored by the Office of Information Technology (OIT) 1, Office of Examination, Office of Regulatory Policy, Office of Secondary Market Oversight, and the Farm Credit System Insurance Corporation due to its importance to the Agency’s mission. Various stakeholders provided important perspective on project decisions, and the Risk Project workgroup completed a multi-phase evaluation before selecting a business intelligence tool for the Agency. However, we identified improvements to ensure the Risk Project and future IT investments stay on track and meet the needs of the Agency. Project Management Planning FCA has detailed project management procedures set forth in Office of Management Services (OMS) Directive 3, Guidance for Project Management of Large Information Technology Projects (Total Cost More than $500,000). This guidance states major factors that influence the risk to success of IT initiatives include: · Clear goals and expected outcomes; · Effective strategy of goals, milestones, and timeframes; · Tracking progress and adjusting expectations; · Complexity of technology and tools to be incorporated in the project; · Length of the project; and · Cost of the project. OMS Directive 3 describes a disciplined, mandatory project management approach for high risk investments. A project plan must be approved by the CIO prior to beginning work on any project expected to cost over $500,000 or last over two years. OMS Directive 3 includes specific elements that must be addressed in each large IT investment project plan and tracked during implementation as follows: 1 In the beginning of FY 2016, FCA reorganized to establish an Office of Information Technology (OIT). A Chief Information Officer (CIO) was hired with exclusive responsibility for running this new office. Prior to this change, FCA’s CIO served concurrently as the director of OMS and Chief Financial Officer. OIT is responsible for managing the Agency’s IT, planning and control of IT investments, leading change to improve the efficiency and effectiveness of operations, and leveraging technology by collaborating and re-engineering business processes. 4 Describe the project or •include specific goals and objectives the project is expected to accomplish initiative •state what groups of employees are expected to be impacted and how they Describe project stakeholders will be impacted •describe how Agency processes or products and services will be affected. List the major project •establish a schedule to follow the progress of the project and determine milestones and expected whether it is on track for completion delivery dates Estimate the FCA manpower •include hours per quarter, total hours, and total Full-Time Equivalent (FTE) required to complete the positions project List any major purchases (over $5,000) that will be required to •determine IT hardware and software, new FTEs, training, etc. complete the project Describe the communications •describe how stakeholders will be kept informed of project progress and any required action, include frequency and form (i.e. email, meetings, etc.) of plan communication •describe how the plan will be modified in the event that major changes Describe the contingency plan occur to the project parameters (i.e. decrease in funding, decrease in manpower, unavailability of needed resources, changed political climate) •describe what steps will be taken to protect physical property, sensitive Describe the security plan data, and other Agency resources Determine whether the system must be certified and •include in project milestones (if applicable) accredited Although OMS Directive 3 provides an apt framework, the Risk Project did not have a comprehensive project plan. Components of the required project plan were incorporated as part of the annual IRM planning process, and each year, OIT prepared a budget to estimate staff resources and project costs. In addition, an intermediate project plan with estimated completion dates and responsible parties was used for consulting services from August 2015 through December 2016. Other key elements of OMS Directive 3 that would have provided for better communication, contingency, and security planning were not planned or documented. The Risk Project has been a top priority for the Agency for several years. Because the selection of business intelligence software was made so close to the end of the fiscal year (FY), the purchase was accelerated to utilize FY 2013 funding and advance the project. Creating a well-defined project plan and tracking implementation requires time and continuous coordination. OIT was the project lead, but IT 5 staff had numerous competing priorities. Varying stakeholder expectations also made it difficult to streamline project priorities. Due to the critical importance of risk assessment and data analytics to the Agency’s mission, multiple offices and staff have a vested interest in the Risk Project’s outcome. These factors made detailed, upfront planning more difficult but also more important. Effective planning also requires technology-specific knowledge. FCA did not have experience with business intelligence tools. Without this expertise, it is difficult to anticipate outcomes and plan accordingly. For example, the decision to create a data mart was initiated after business intelligence software was purchased to address data structure issues and improve query speeds and reporting. Without a complete understanding of data requirements at the onset of the project, the Agency did not plan for this costly project element. Understanding and accounting for the costs and benefits of a data mart may have impacted software selection and the overall course of the project. The Agency needed to acknowledge and account for business intelligence resource gaps and engage consultants with subject- matter expertise before purchasing approximately $277,300 in business intelligence software. These decisions are critical for project planning and preventing costly unexpected outcomes. During interviews, Agency officials acknowledged opportunities for improvement. A primary focus for the newly created OIT is improving project management procedures and reporting. OIT Officials stated they did not give enough weight to data requirements when business intelligence tools were being evaluated. In addition, the level of difficulty using newly acquired tools impacted the project. These lessons learned can provide useful insight for the remainder of the Risk Project and future IT investments. Systematic project management limits risks of unexpected outcomes, delays, and cost escalations. The Agency’s original estimated timeframe for selecting and purchasing a business intelligence tool was December 2012. The software evaluation process began in 2013, and after the software was purchased, the project scope was adjusted to include a data mart. The estimated project completion date has been revised to January 2017. Timeframes are especially important for technology projects. As time passes, new products and services can impact project implementation. Over the course of the Risk Project, budgeted costs included in IRM planning increased about 4.5 times and budgeted IT staff hours increased about 3.7 times: Five-Year IRM Five-Year IRM Fiscal Budgeted Total Budgeted Total OIT Years Project Costs 2 Hours 2010-2014 $566,500 1,500 2011-2015 $544,500 1,500 2012-2016 $548,500 1,500 2013-2017 $723,500 1,500 2014-2018 $735,204 1,200 2015-2019 $1,303,740 2,272 2016-2020 $2,562,620 5,480 2 These are projected five-year costs. Costs are budgeted each year for the following five fiscal years. These costs do not represent what was incurred, but rather what was budgeted for the Risk Project for a five-year period. 6 Although it is impossible to anticipate every project outcome, documenting a detailed plan before a project starts, facilitates agreement and understanding. This process also establishes an important baseline for tracking progress, challenges, and necessary adjustments. When a project deviates from its implementation plan or unplanned circumstances arise, strategic decision-making can be used to determine the best path forward. As it progresses, the Risk Project needs a set of agreed-upon timeframes, costs, and deliverables to ensure Agency goals are achieved effectively. Incremental Approach Due to the complexity and propensity for unexpected outcomes with IT projects, federal guidance emphasizes an incremental approach to IT investments. An incremental approach refers to dividing large-scale, long-lasting projects into smaller, defined, short-duration projects to reduce risk. This approach can deliver capabilities more quickly and allow easier adoption of new technologies. This process can also limit project costs that are not advancing project goals and desired outcomes. The Risk Project and future large IT investments will benefit from an incremental approach. Risk Project objectives correspond to a widespread Agency initiative: to turn data into information and make information quickly available to managers and staff for appropriate action. This initiative encompassed multiple phases, including: · Defining specific project requirements, · Determining resource needs and capabilities for business intelligence options, · Identifying priority reports to create with business intelligence tools, · Evaluating software and selecting what best meets Agency needs, · Training staff, · Assessing key datasets, · Designing a data mart, and · Building a data mart. The Risk Project started with a strategy to purchase software in FY 2013 and train staff at the beginning of FY 2014. After the software package was purchased for about $277,300, the Agency was unable to utilize and connect business intelligence tools with FCA data in its current structure. To address this challenge and use purchased software tools, the Agency decided to create a data mart. Contractors were selected to help create reports with Agency data using business intelligence software and implement the data mart. Working with the contractors resulted in an awareness of other data formatting challenges that needed to be addressed in the data mart. In June 2015, the Risk Project workgroup identified a need to better evaluate requirements and develop a data strategy and solution. The Risk Project workgroup decided to procure two contracts to assist in defining project needs and creating a data mart for the Agency’s two most critical datasets. From the start, the Risk Project plan design should have been to deliver capabilities incrementally. Agency officials stated, in hindsight, a scoping and discovery contractor should have been engaged when the project began to translate user requirements into a data architecture plan. Having scoping and discovery by a consultant initially could have impacted and possibly reduced or eliminated other consulting fees for report development and data warehousing, which totaled about $70,300. Defined phases ensure projects are on track before additional investments are made. This approach is especially important for high-cost, high-impact projects with multiple stakeholders. 7 Going forward, the CIO stated that the business intelligence tool purchased may be part of a set of tools to accomplish the goals and objectives of the Risk Project. No-cost tools may also be considered. These tools are less advanced but easier to use. Although the Risk Project workgroup determined that these tools did not accomplish the sophisticated analytics desired by the Agency long-term, no-cost tools could have been used before purchasing business intelligence software. These tools would have helped the Agency understand how business intelligence tools work in FCA’s environment. Use of no-cost tools would have assisted in defining the capabilities that needed to be purchased and pinpointing attributes to incorporate in the software selection criteria. By using an incremental investment approach the Agency could have waited to purchase business intelligence tools. Once software was purchased, however, project decisions had to focus on getting the purchased tools to work as needed. Therefore, the Agency did not fully utilize business intelligence software while data structuring and implementation issues were being addressed. By waiting to purchase analytics software, the Agency could have avoided about $143,200 in software license renewal fees for FYs 2015 and 2016. In addition, as noted above, technology can change significantly in a short period of time. By waiting to purchase software, the Agency could have evaluated the most current product options, which may have impacted the choice of the tools ultimately selected. Agreed-Upon Actions 1-3 To improve project management and decrease risks associated with IT investments, OIT, in coordination with the Risk Project workgroup, agreed to: 1. Add or modify current procedures for large IT investments to: · Designate a project manager and project management responsibilities; · Assess resources and determine whether consultants are needed for project planning and implementation; and · Establish guidelines for incremental investment. 2. Establish a control to ensure project management guidance is implemented for large IT investments. 3. Create an incremental project plan for the remainder of the Risk Project in coordination with the Risk Project workgroup. Include an assessment of required resources and tasks requiring consultants and evaluate other tools that may be incorporated to accomplish Risk Project goals and objectives. OIT stated it would update the directive for large IT project management guidance and establish a control to ensure requirements are implemented. A project plan will also be created for the remainder of the Risk Project, including: 1) building the data mart, 2) adding other loan data into the data mart, 3) reviewing business intelligence tools to determine what is best for the Agency, and 4) building reports and dashboards to identify risk in the FCS. 8 Acquisition Documentation and Approval The Risk Project was developed to evaluate and acquire tools for risk and statistical analysis. A main component of this project was selecting business intelligence software to generate reports and dashboards using key FCA datasets. Due to the widespread impact of this project, a team of Agency representatives was established to evaluate the best solution. The Risk Project workgroup conducted a multi-phase evaluation to select analytics software for the Agency. The process included: · researching available tools, · developing criteria to evaluate available tools, · viewing product demonstrations, · rating each product using team-developed criteria, · conducting hands-on evaluations of top-rated products using FCA data and equipment, and · voting for the final selection. FCA’s standard operating procedures describe steps for identifying, recommending, and approving large IT acquisitions with a high cost or significant Agency impact. The first step is for all personnel involved in the recommendation to sign a conflict of interest statement indicating they do not have a personal interest in products being evaluated. Two of the ten Risk Project software evaluators did not complete a conflict of interest statement. Those who did complete a conflict of interest statement did so in the middle of the initial product rating process. No conflicts were noted that affected product evaluations. FCA’s procedures also require preparation of a written recommendation approved by the CIO, IRMOC, Chief Financial Officer, and Chief Operating Officer. This type of recommendation was not prepared and approval signatures were not obtained. OIT did create a detailed document describing the Risk Project workgroup’s product rating and selection process. In addition, approval of selected software was discussed and documented in IRMOC meeting minutes. Due to the high cost and far-reaching impact of this purchase, it is important conflict of interest statements, reviews, and approvals are documented. This process ensures a coordinated, agreed-upon approach before acquisition. Agreed-Upon Action 4 To ensure appropriate reviews and approvals, OIT agreed to: 4. Modify standard operating procedures to define levels of approval for large IT acquisitions and establish a control to ensure appropriate reviews and approvals are obtained. OIT stated it would review the approval process for large IT acquisitions and add corresponding requirements to standard operating procedures. 9 Software Licenses FCA’s business intelligence software purchase included different licenses for different users and products. The Agency purchased: · 23 software licenses for power users to create dashboards and reports · 5 software licenses for predictive analytics software · 285 licenses for Agency personnel to access reports and dashboards · 2 administrator licenses to manage the software package The number of licenses was determined when the software was first purchased in September 2013. In the two years since, the Agency realized the degree of technical skills needed to create reports and dashboards is more challenging and specialized than anticipated. This technical skillset is also difficult to maintain when it is used sporadically and not as a core competency. Agency officials stated that based on these factors the number of licenses for power users and predictive analytics would likely decrease. Each year, after the initial software purchase, the Agency paid fees to renew all licenses. The renewal fee per license was $449 for power users, $2,550 for predictive analytics, $170 for Agency users, and $2,591 for administrators. Renewal fees totaled about $76,700 for FY 2016. To decrease costs, the Agency should evaluate the number of licenses needed for each type of user before the next renewal period. The number of power users is also important for training decisions. The Agency spent about $75,300 to conduct training for power users when business intelligence software was first purchased in November 2013 and January 2014. Before additional training occurs, the Agency should identify the correct number of power users. Agreed-Upon Action 5 To manage costs, OIT agreed to: 5. Evaluate Risk Project software licenses before the next renewal period. OIT stated it would determine how many licenses are likely to be needed for FY 2017 and 2018 with consideration of future costs. A decision memo will be signed by the CIO based on this evaluation. 10 OBJECTIVE, SCOPE, AND METHODOLOGY The objective of this audit was to determine whether the Risk Project was planned and is being managed efficiently and effectively. We conducted fieldwork at FCA’s headquarters in McLean, VA from November 2015 through March 2016. We limited our scope to the planning, implementation, and management phases of the Risk Project. We completed the following steps to accomplish the objective: · Reviewed laws, regulations, policies, procedures, and guidance related to the Risk Project. · Reviewed prior audits, inspections, evaluations and reviews related to the audit objective. · Obtained background information on Risk Project initiatives and business intelligence. · Interviewed the CIO and selected members of the Risk Project workgroup on implementation of the project and its current status. · Evaluated the project planning and project management process for the Risk Project. · Assessed project timeframes, budget, unexpected outcomes, delays, and adjustments. · Reviewed the Agency’s evaluation of business intelligence tools, selection criteria, ratings, and associated documentation and approvals. · Determined what contractors were utilized for the Risk Project. This audit was performed in accordance with Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We assessed internal controls and compliance with laws and regulations to the extent necessary to satisfy the objective. Our review would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We assessed the computer-processed data relevant to our audit objective and determined the data was sufficiently reliable. We assessed the risk of fraud related to our audit objective in the course of evaluating audit evidence. Overall, we believe the evidence obtained provides a reasonable basis for our conclusions based on our audit objective. 11 ACRONYMS CIO Chief Information Officer CRS Consolidated Reporting System FCA Farm Credit Administration FCS Farm Credit System FY Fiscal Year IRM Information Resources Management IRMOC Information Resources Management Operations Committee IT Information Technology OE Office of Examination OIG Office of Inspector General OIT Office of Information Technology OMS Office of Management Services 12 R E P O R T Fraud | Waste | Abuse | Mismanagement FARM CREDIT ADMINISTRATION OFFICE OF INSPECTOR GENERAL Phone: Toll Free (800) 437-7322; (703) 883-4316 Fax: (703) 883-4059 E-mail: firstname.lastname@example.org Mail: Farm Credit Administration Office of Inspector General 1501 Farm Credit Drive McLean, VA 22102-5090
FCA's Risk Project
Published by the Farm Credit Administration, Office of Inspector General on 2016-03-31.
Below is a raw (and likely hideous) rendition of the original report. (PDF)