
FCA's Risk Project

Published by the Farm Credit Administration, Office of Inspector General on 2016-03-31.


OFFICE OF INSPECTOR GENERAL
Audit Report
The Farm Credit Administration’s Risk Project
A-16-01



                           Auditor‐in‐Charge
                             Tori Kaufman

                        Issued March 31, 2016




                        FARM CREDIT ADMINISTRATION
Farm Credit Administration
Office of Inspector General
1501 Farm Credit Drive
McLean, Virginia 22102-5090




March 31, 2016

The Honorable Kenneth A. Spearman, Board Chairman
The Honorable Dallas P. Tonsager, Board Member
The Honorable Jeffery S. Hall, Board Member
Farm Credit Administration
1501 Farm Credit Drive
McLean, Virginia 22102-5090

Dear Board Chairman Spearman and FCA Board Members Tonsager and Hall:

The Office of Inspector General (OIG) completed an audit of the Farm Credit Administration’s (FCA or
Agency) Risk Project. The objective of the audit was to determine whether the Risk Project was planned
and is being managed efficiently and effectively.

The Risk Project was developed to evaluate and acquire tools to conduct risk and statistical analysis of
the Farm Credit System and to enable users to create reports and dashboards for data-driven decision-
making. FCA formed a workgroup for the project due to its Agency-wide impact. The Risk Project
workgroup conducted a multi-phase evaluation to select business intelligence software for the Agency;
however, challenges arose after tools were purchased.

We identified opportunities to improve the Risk Project and future information technology (IT)
investments. In response to our audit, the Office of Information Technology agreed to the following
actions:

        1. Add or modify current procedures for large IT investments to:

                 ·   Designate a project manager and project management responsibilities;
                 ·   Assess resources and determine whether consultants are needed for project
                     planning and implementation; and
                 ·   Establish guidelines for incremental investment.

        2. Establish a control to ensure project management guidance is implemented for large IT
           investments.

        3. Create an incremental project plan for the remainder of the Risk Project in coordination
           with the Risk Project workgroup. Include an assessment of required resources and tasks
            requiring consultants and evaluate other tools that may be incorporated to accomplish Risk
            Project goals and objectives.

        4. Modify standard operating procedures to define levels of approval for large IT acquisitions
           and establish a control to ensure appropriate reviews and approvals are obtained.

        5. Evaluate Risk Project software licenses before the next renewal period.

We appreciate the courtesies and professionalism extended by FCA personnel to the OIG staff. If you
have any questions about this audit, I would be pleased to meet with you at your convenience.

Respectfully,




Elizabeth M. Dean
Inspector General

Enclosure
RESULTS

The goals of the Risk Project are to evaluate and acquire tools that enable the Farm Credit
Administration (FCA or Agency) to 1) conduct risk and statistical analysis of the Farm Credit System;
and 2) enable users to create reports and dashboards for FCA’s key datasets. To limit risks associated
with large, information technology (IT) projects, the Agency established project management and
acquisition requirements. The Risk Project faced unexpected outcomes that affected project
implementation.

Although all contingencies cannot be anticipated, we identified improvements to ensure the Risk Project
and future IT investments stay on track and meet the needs of the Agency. Areas for improvement
include:

    ·   Project planning and tracking implementation,
    ·   Assessing resource needs,
    ·   Utilizing an incremental investment approach,
    ·   Acquisition documentation, and
    ·   Software licenses.

The objective of this audit was to determine whether the Risk Project was planned and is being managed
efficiently and effectively.

The Agency agreed to implement 5 agreed-upon actions to improve the Risk Project and future large IT
projects at the Agency:

    1. Add or modify current procedures for large IT investments to:

            ·   Designate a project manager and project management responsibilities;
            ·   Assess resources and determine whether consultants are needed for project planning
                and implementation; and
            ·   Establish guidelines for incremental investment.

    2. Establish a control to ensure project management guidance is implemented for large IT
       investments.

    3. Create an incremental project plan for the remainder of the Risk Project in coordination with the
       Risk Project workgroup. Include an assessment of required resources and tasks requiring
       consultants and evaluate other tools that may be incorporated to accomplish Risk Project goals
       and objectives.

    4. Modify standard operating procedures to define levels of approval for large IT acquisitions and
       establish a control to ensure appropriate reviews and approvals are obtained.

    5. Evaluate Risk Project software licenses before the next renewal period.

The Office of Information Technology agreed with the report and provided specific tasks to be
completed. These tasks included updating a directive and standard operating procedures, establishing
controls to ensure large IT project requirements are implemented, developing a project plan for the
remainder of the Risk Project, and documenting an evaluation of necessary software licenses.

Table of Contents

BACKGROUND
    Prior Reviews
AUDIT RESULTS
    Project Management
    Agreed-Upon Actions 1-3
    Acquisition
    Agreed-Upon Action 4
    Agreed-Upon Action 5
OBJECTIVE, SCOPE, AND METHODOLOGY
ACRONYMS

BACKGROUND

    The Farm Credit Administration (FCA or Agency) is an independent federal agency responsible for
    regulating, examining, and supervising the Farm Credit System (FCS or System) and the Federal
    Agricultural Mortgage Corporation. The core mission of the Agency is to ensure a safe, sound, and
    dependable source of credit and related services for agriculture and rural America. Technology products
    and services are integral to achieving this mission. Information technology (IT) supports each office’s
    diverse needs and business objectives. To ensure the success of IT investments, the Agency must keep
    pace with the rapid rate of innovation and evaluate new ways to improve business processes.

    FCA uses an Information Resources Management (IRM) planning process to prioritize and manage IT
    investments. The Information Resources Management Operations Committee (IRMOC) plays a key role
    in this process by providing an Agency-wide perspective on information resources. The IRMOC consists
    of the Chief Information Officer (CIO), eight members from different FCA offices, and one member from
    the Farm Credit System Insurance Corporation who are knowledgeable about the Agency’s operational
    needs. Projects are evaluated to focus resources in areas that yield the highest value for strategic
    outcomes. A five-year IRM Plan is developed annually to address the Agency’s IT requirements.

    This audit focuses on the Risk Project, an IRM project that was developed in 2009 and continues through
    the present. The goals of the Risk Project are to evaluate and acquire tools that enable FCA to 1) conduct
    risk and statistical analysis of the FCS; and 2) enable users to create reports and dashboards for FCA’s
    key datasets. The project was identified as high priority for FY 2013.

    Analysis and data modeling play a critical role in FCA’s safety, soundness, and regulatory functions. The
    Risk Project was developed to enhance these capabilities. FCA’s strategic plan covers areas where
    enhanced analytical capabilities were targeted:

        ·   Enhancing the use of institution and system-wide loan data in examination and policymaking.
        ·   Promoting system-wide risk supervision that uses stress testing, research, and analysis to
            identify emerging systemic risks and provides proactive examination direction and policy
            guidance for internal and external use.
        ·   Supporting policy and regulatory positions with sound regulatory, economic, legal, and financial
            analysis.
        ·   Ensuring prompt, comprehensive information is provided to the FCA Board so it will be better
            able to make fully informed, arm’s length decisions.

    FCA evaluates and analyzes the System through two primary datasets from each financial institution, the
    Consolidated Reporting System (CRS) and FCSLoans, which is the loan database. CRS Call Reports include
    institutional financial information and key financial ratios on a quarterly basis. FCSLoans contains
    detailed information on accounts and exposures held by each institution. In addition to evaluating
    System and institutional risk, FCA management uses other databases to evaluate and monitor budget
    information, employee time, and examination oversight as follows:




    ·   Consolidated Reporting System
            •   Balance sheet, income statement, key financial ratios
            •   Collected quarterly
    ·   FCSLoans
            •   Detailed information on accounts and exposures
            •   Collected quarterly
    ·   Budget
            •   FCA budget allocations and expenses incurred
    ·   Time Recording System
            •   Data on employee time by project and office
    ·   Enterprise Documentation and Guidance
            •   Examination category, topic, and procedures
            •   Plan information, work summaries, and findings

The Risk Project was a continuation of prior initiatives to improve risk analysis and data collection. In
late 2006, the Office of Examination (OE) initiated a project to standardize loan data from System
institutions and load it into a single database. The resulting loan database, FCSLoans, started operating
in January 2010. The second phase of FCSLoans aimed at improving the format, efficiency, and accuracy
of data collection. The Agency worked with the FCS Funding Corporation to develop an agreed-upon
framework for expanding and improving data collection. The long-term plan to further enhance analysis
of loan data includes application of business intelligence tools.

A primary component of the Risk Project is to evaluate and acquire a business intelligence tool for the
Agency. Business intelligence refers to analytical software applications for querying and reporting with
raw data. These tools provide timely, graphical information for data-driven decision-making. FCA formed
a workgroup in 2012 in response to agency-wide interest in and impact of business intelligence tools.
The workgroup consisted of representatives from OE, the Office of Regulatory Policy, the Office of
Secondary Market Oversight, the Farm Credit System Insurance Corporation, and the Office of
Management Services (OMS). The Applications Team in OMS was the project lead. At the beginning of
FY 2016, the Applications Team was transitioned from OMS to the newly created Office of Information
Technology (OIT).

Business intelligence is a new endeavor for the Agency. The Risk Project workgroup conducted research
to familiarize itself with capabilities of these new tools. The workgroup identified desired software
features and developed rating criteria for product demonstrations. Nine product demonstrations were
viewed and evaluated. Hands-on evaluations were conducted for the four top-rated products and cost
quotes were provided. A final vote was taken for the top two products, and the workgroup’s selection
was based on the tool with stronger analytic capabilities. The selection process was completed in
September 2013 and the purchase was made the same month.

Unexpected challenges arose during implementation of the Agency’s new business intelligence tool
during 2014 and 2015. Developing reports and configuring data to work with the new tools was difficult
and time consuming. In addition, the tools did not work as expected with the Agency’s data. To address
data issues and improve query and reporting speeds, the Agency decided to create a data mart. This
endeavor further complicated project implementation. Without the resources or expertise, the Agency
hired contractors to assist with the data mart and report development, but challenges continued.

In August 2015, the Risk Project workgroup developed a strategy to advance the progress of the project.
A plan was prepared to select two additional contractors for:

    ·   A scoping and discovery contract for assistance translating user requirements into specifications
        for a data architecture to achieve desired analytic capabilities. This included designing a detailed
        plan for a data solution for CRS and the loan database. This contract was awarded in September
        2015.
    ·   A data mart contract for the development and implementation of the solution recommended in
        the scoping and discovery contract and knowledge transfer to maintain it.

Prior Reviews

OIG has conducted several reviews of FCA’s IT projects:

    ·   IT Equipment Acquisition (I-12-01, August 2012) - The objective of the inspection was to
        determine whether the acquisition process for IT equipment was being appropriately planned
        and administered. Improvements were identified to increase transparency, accountability, and
        efficiency.

    ·   IT Infrastructure Project Management (A-07-02, June 2008) - The objective of the audit was to
        determine whether the Agency was using sound project management practices to minimize
        risks associated with making significant changes to IT infrastructure. As a result of the audit,
        OMS agreed to develop a quality assurance process for IRM Plans that included verification of
        estimated project costs.

    ·   Project Management (I-04-02, September 2004) - The objective of the inspection was to
        compare FCA’s project management for the implementation of two financial systems to best
        practices. The inspection found many elements of sound project management were missing and
        the projects needed to be reevaluated and monitored more closely.

    ·   Loan Account Reporting System (LARS) (A-03-01, August 2003) - The objective of the audit was
        to determine whether LARS (a former loan database that is no longer used) was effectively
        utilized. The audit found LARS was not providing sufficient and efficient loan data and, as a
        result, was underutilized. Nine agreed-upon actions were included in the report to improve the
        quality of data in the system and ensure the system redesign was effective.

The importance of IT project management has been emphasized by the Government Accountability
Office (GAO). GAO included “Improving the Management of IT Acquisitions and Operations” in its high
risk list for 2015 (GAO-15-260, February 2015). GAO’s report stated “…federal IT investments too
frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related
outcomes.” GAO’s report further stated, “Failed IT projects often suffered from a lack of disciplined and
effective management, such as project planning, requirements definition, and program oversight and
governance. In many instances, agencies have not consistently applied best practices that are critical to
successfully acquiring IT investments.”


AUDIT RESULTS

     Large-scale information technology (IT) projects with multiple steps and stakeholders present unique
     challenges. The Risk Project was designed to acquire tools to analyze key datasets. The project was
     jointly sponsored by the Office of Information Technology (OIT) [1], Office of Examination, Office of
     Regulatory Policy, Office of Secondary Market Oversight, and the Farm Credit System Insurance
     Corporation due to its importance to the Agency’s mission. Various stakeholders provided important
     perspective on project decisions, and the Risk Project workgroup completed a multi-phase evaluation
     before selecting a business intelligence tool for the Agency. However, we identified improvements to
     ensure the Risk Project and future IT investments stay on track and meet the needs of the Agency.

     Project Management

     Planning

     FCA has detailed project management procedures set forth in Office of Management Services (OMS)
     Directive 3, Guidance for Project Management of Large Information Technology Projects (Total Cost
     More than $500,000). This guidance states major factors that influence the risk to success of IT
     initiatives include:

           ·    Clear goals and expected outcomes;
           ·    Effective strategy of goals, milestones, and timeframes;
           ·    Tracking progress and adjusting expectations;
           ·    Complexity of technology and tools to be incorporated in the project;
           ·    Length of the project; and
           ·    Cost of the project.

     OMS Directive 3 describes a disciplined, mandatory project management approach for high risk
     investments. A project plan must be approved by the CIO prior to beginning work on any project
     expected to cost over $500,000 or last over two years. OMS Directive 3 includes specific elements that
     must be addressed in each large IT investment project plan and tracked during implementation as
     follows:




    ·   Describe the project or initiative
            •   include specific goals and objectives the project is expected to accomplish
    ·   Describe project stakeholders
            •   state what groups of employees are expected to be impacted and how they will be
                impacted
            •   describe how Agency processes or products and services will be affected.
    ·   List the major project milestones and expected delivery dates
            •   establish a schedule to follow the progress of the project and determine whether it
                is on track for completion
    ·   Estimate the FCA manpower required to complete the project
            •   include hours per quarter, total hours, and total Full-Time Equivalent (FTE)
                positions
    ·   List any major purchases (over $5,000) that will be required to complete the project
            •   determine IT hardware and software, new FTEs, training, etc.
    ·   Describe the communications plan
            •   describe how stakeholders will be kept informed of project progress and any
                required action, include frequency and form (i.e. email, meetings, etc.) of
                communication
    ·   Describe the contingency plan
            •   describe how the plan will be modified in the event that major changes occur to the
                project parameters (i.e. decrease in funding, decrease in manpower, unavailability
                of needed resources, changed political climate)
    ·   Describe the security plan
            •   describe what steps will be taken to protect physical property, sensitive data, and
                other Agency resources
    ·   Determine whether the system must be certified and accredited
            •   include in project milestones (if applicable)

[1] In the beginning of FY 2016, FCA reorganized to establish an Office of Information Technology (OIT).
A Chief Information Officer (CIO) was hired with exclusive responsibility for running this new office.
Prior to this change, FCA’s CIO served concurrently as the director of OMS and Chief Financial Officer.
OIT is responsible for managing the Agency’s IT, planning and control of IT investments, leading change
to improve the efficiency and effectiveness of operations, and leveraging technology by collaborating
and re-engineering business processes.


Although OMS Directive 3 provides an apt framework, the Risk Project did not have a comprehensive
project plan. Components of the required project plan were incorporated as part of the annual IRM
planning process, and each year, OIT prepared a budget to estimate staff resources and project costs. In
addition, an intermediate project plan with estimated completion dates and responsible parties was
used for consulting services from August 2015 through December 2016. Other key elements of OMS
Directive 3 that would have provided for better communication, contingency, and security planning
were not planned or documented.

The Risk Project has been a top priority for the Agency for several years. Because the selection of
business intelligence software was made so close to the end of the fiscal year (FY), the purchase was
accelerated to utilize FY 2013 funding and advance the project. Creating a well-defined project plan and
tracking implementation requires time and continuous coordination. OIT was the project lead, but IT
staff had numerous competing priorities. Varying stakeholder expectations also made it difficult to
streamline project priorities. Due to the critical importance of risk assessment and data analytics to the
Agency’s mission, multiple offices and staff have a vested interest in the Risk Project’s outcome. These
factors made detailed, upfront planning more difficult but also more important.

Effective planning also requires technology-specific knowledge. FCA did not have experience with
business intelligence tools. Without this expertise, it is difficult to anticipate outcomes and plan
accordingly. For example, the decision to create a data mart was initiated after business intelligence
software was purchased to address data structure issues and improve query speeds and reporting.
Without a complete understanding of data requirements at the onset of the project, the Agency did not
plan for this costly project element. Understanding and accounting for the costs and benefits of a data
mart may have impacted software selection and the overall course of the project. The Agency needed to
acknowledge and account for business intelligence resource gaps and engage consultants with subject-
matter expertise before purchasing approximately $277,300 in business intelligence software. These
decisions are critical for project planning and preventing costly unexpected outcomes.

During interviews, Agency officials acknowledged opportunities for improvement. A primary focus for
the newly created OIT is improving project management procedures and reporting. OIT officials stated
they did not give enough weight to data requirements when business intelligence tools were being
evaluated. In addition, the level of difficulty using newly acquired tools impacted the project. These
lessons learned can provide useful insight for the remainder of the Risk Project and future IT
investments.

Systematic project management limits risks of unexpected outcomes, delays, and cost escalations. The
Agency’s original estimated timeframe for selecting and purchasing a business intelligence tool was
December 2012. The software evaluation process began in 2013, and after the software was purchased,
the project scope was adjusted to include a data mart. The estimated project completion date has been
revised to January 2017. Timeframes are especially important for technology projects. As time passes,
new products and services can impact project implementation. Over the course of the Risk Project,
budgeted costs included in IRM planning increased about 4.5 times and budgeted IT staff hours
increased about 3.7 times:

    Fiscal Years    Five-Year IRM Budgeted        Five-Year IRM Budgeted
                    Total Project Costs [2]       Total OIT Hours
    2010-2014       $566,500                      1,500
    2011-2015       $544,500                      1,500
    2012-2016       $548,500                      1,500
    2013-2017       $723,500                      1,500
    2014-2018       $735,204                      1,200
    2015-2019       $1,303,740                    2,272
    2016-2020       $2,562,620                    5,480




[2] These are projected five-year costs. Costs are budgeted each year for the following five fiscal
years. These costs do not represent what was incurred, but rather what was budgeted for the Risk Project
for a five-year period.

Although it is impossible to anticipate every project outcome, documenting a detailed plan before a
project starts facilitates agreement and understanding. This process also establishes an important
baseline for tracking progress, challenges, and necessary adjustments. When a project deviates from its
implementation plan or unplanned circumstances arise, strategic decision-making can be used to
determine the best path forward. As it progresses, the Risk Project needs a set of agreed-upon
timeframes, costs, and deliverables to ensure Agency goals are achieved effectively.

Incremental Approach

Due to the complexity and propensity for unexpected outcomes with IT projects, federal guidance
emphasizes an incremental approach to IT investments. An incremental approach refers to dividing
large-scale, long-lasting projects into smaller, defined, short-duration projects to reduce risk. This
approach can deliver capabilities more quickly and allow easier adoption of new technologies. This
process can also limit project costs that are not advancing project goals and desired outcomes.

The Risk Project and future large IT investments will benefit from an incremental approach. Risk Project
objectives correspond to a widespread Agency initiative: to turn data into information and make
information quickly available to managers and staff for appropriate action. This initiative encompassed
multiple phases, including:

    ·   Defining specific project requirements,
    ·   Determining resource needs and capabilities for business intelligence options,
    ·   Identifying priority reports to create with business intelligence tools,
    ·   Evaluating software and selecting what best meets Agency needs,
    ·   Training staff,
    ·   Assessing key datasets,
    ·   Designing a data mart, and
    ·   Building a data mart.

The Risk Project started with a strategy to purchase software in FY 2013 and train staff at the beginning
of FY 2014. After the software package was purchased for about $277,300, the Agency was unable to
utilize and connect business intelligence tools with FCA data in its current structure. To address this
challenge and use purchased software tools, the Agency decided to create a data mart. Contractors
were selected to help create reports with Agency data using business intelligence software and
implement the data mart. Working with the contractors resulted in an awareness of other data
formatting challenges that needed to be addressed in the data mart. In June 2015, the Risk Project
workgroup identified a need to better evaluate requirements and develop a data strategy and solution.
The Risk Project workgroup decided to procure two contracts to assist in defining project needs and
creating a data mart for the Agency’s two most critical datasets.

From the start, the Risk Project plan design should have been to deliver capabilities incrementally.
Agency officials stated, in hindsight, a scoping and discovery contractor should have been engaged when
the project began to translate user requirements into a data architecture plan. Having scoping and
discovery by a consultant initially could have impacted and possibly reduced or eliminated other
consulting fees for report development and data warehousing, which totaled about $70,300. Defined
phases ensure projects are on track before additional investments are made. This approach is especially
important for high-cost, high-impact projects with multiple stakeholders.



Going forward, the CIO stated that the business intelligence tool purchased may be part of a set of tools
to accomplish the goals and objectives of the Risk Project. No-cost tools may also be considered. These
tools are less advanced but easier to use. Although the Risk Project workgroup determined that these
tools did not accomplish the sophisticated analytics desired by the Agency long-term, no-cost tools
could have been used before purchasing business intelligence software. These tools would have helped
the Agency understand how business intelligence tools work in FCA’s environment. Use of no-cost tools
would have assisted in defining the capabilities that needed to be purchased and pinpointing attributes
to incorporate in the software selection criteria.

By using an incremental investment approach, the Agency could have waited to purchase business
intelligence tools. Once software was purchased, however, project decisions had to focus on getting the
purchased tools to work as needed. Therefore, the Agency did not fully utilize business intelligence
software while data structuring and implementation issues were being addressed. By waiting to
purchase analytics software, the Agency could have avoided about $143,200 in software license renewal
fees for FYs 2015 and 2016. In addition, as noted above, technology can change significantly in a short
period of time. By waiting to purchase software, the Agency could have evaluated the most current
product options, which may have impacted the choice of the tools ultimately selected.

Agreed-Upon Actions 1-3

To improve project management and decrease risks associated with IT investments, OIT, in coordination
with the Risk Project workgroup, agreed to:

    1. Add or modify current procedures for large IT investments to:

            ·   Designate a project manager and project management responsibilities;
            ·   Assess resources and determine whether consultants are needed for project planning
                and implementation; and
            ·   Establish guidelines for incremental investment.

    2. Establish a control to ensure project management guidance is implemented for large IT
       investments.

    3. Create an incremental project plan for the remainder of the Risk Project in coordination with the
       Risk Project workgroup. Include an assessment of required resources and tasks requiring
       consultants and evaluate other tools that may be incorporated to accomplish Risk Project goals
       and objectives.

OIT stated it would update the directive for large IT project management guidance and establish a
control to ensure requirements are implemented. A project plan will also be created for the remainder
of the Risk Project, including: 1) building the data mart, 2) adding other loan data into the data mart, 3)
reviewing business intelligence tools to determine what is best for the Agency, and 4) building reports
and dashboards to identify risk in the FCS.




Acquisition

Documentation and Approval

The Risk Project was developed to evaluate and acquire tools for risk and statistical analysis. A main
component of this project was selecting business intelligence software to generate reports and
dashboards using key FCA datasets. Due to the widespread impact of this project, a team of Agency
representatives was established to evaluate the best solution. The Risk Project workgroup conducted a
multi-phase evaluation to select analytics software for the Agency. The process included:

    ·    researching available tools,
    ·    developing criteria to evaluate available tools,
    ·    viewing product demonstrations,
    ·    rating each product using team-developed criteria,
    ·    conducting hands-on evaluations of top-rated products using FCA data and equipment, and
    ·    voting for the final selection.

FCA’s standard operating procedures describe steps for identifying, recommending, and approving large
IT acquisitions with a high cost or significant Agency impact. The first step is for all personnel involved in
the recommendation to sign a conflict of interest statement indicating they do not have a personal
interest in products being evaluated. Two of the ten Risk Project software evaluators did not complete a
conflict of interest statement. Those who did complete a conflict of interest statement did so in the
middle of the initial product rating process. No conflicts were noted that affected product evaluations.

FCA’s procedures also require preparation of a written recommendation approved by the CIO, IRMOC,
Chief Financial Officer, and Chief Operating Officer. This type of recommendation was not prepared and
approval signatures were not obtained. OIT did create a detailed document describing the Risk Project
workgroup’s product rating and selection process. In addition, approval of selected software was
discussed and documented in IRMOC meeting minutes. Due to the high cost and far-reaching impact of
this purchase, it is important that conflict of interest statements, reviews, and approvals are documented.
This process ensures a coordinated, agreed-upon approach before acquisition.

Agreed-Upon Action 4

To ensure appropriate reviews and approvals, OIT agreed to:

    4. Modify standard operating procedures to define levels of approval for large IT acquisitions and
       establish a control to ensure appropriate reviews and approvals are obtained.

OIT stated it would review the approval process for large IT acquisitions and add corresponding
requirements to standard operating procedures.




Software Licenses

FCA’s business intelligence software purchase included different licenses for different users and
products. The Agency purchased:

    ·   23 software licenses for power users to create dashboards and reports
    ·   5 software licenses for predictive analytics software
    ·   285 licenses for Agency personnel to access reports and dashboards
    ·   2 administrator licenses to manage the software package

The number of licenses was determined when the software was first purchased in September 2013. In
the two years since, the Agency realized that the technical skills needed to create reports and
dashboards are more challenging and specialized than anticipated. This technical skillset is also difficult to
maintain when it is used sporadically and not as a core competency. Agency officials stated that, based
on these factors, the number of licenses for power users and predictive analytics would likely decrease.

Each year, after the initial software purchase, the Agency paid fees to renew all licenses. The renewal
fee per license was $449 for power users, $2,550 for predictive analytics, $170 for Agency users, and
$2,591 for administrators. Renewal fees totaled about $76,700 for FY 2016. To decrease costs, the
Agency should evaluate the number of licenses needed for each type of user before the next renewal
period. The number of power users is also important for training decisions. The Agency spent about
$75,300 to conduct training for power users when business intelligence software was first purchased in
November 2013 and January 2014. Before additional training occurs, the Agency should identify the
correct number of power users.

Agreed-Upon Action 5

To manage costs, OIT agreed to:

    5. Evaluate Risk Project software licenses before the next renewal period.

OIT stated it would determine how many licenses are likely to be needed for FY 2017 and 2018 with
consideration of future costs. A decision memo will be signed by the CIO based on this evaluation.




OBJECTIVE, SCOPE, AND METHODOLOGY

     The objective of this audit was to determine whether the Risk Project was planned and is being
     managed efficiently and effectively. We conducted fieldwork at FCA’s headquarters in McLean, VA from
     November 2015 through March 2016. We limited our scope to the planning, implementation, and
     management phases of the Risk Project.

     We completed the following steps to accomplish the objective:

         ·   Reviewed laws, regulations, policies, procedures, and guidance related to the Risk Project.

         ·   Reviewed prior audits, inspections, evaluations and reviews related to the audit objective.

         ·   Obtained background information on Risk Project initiatives and business intelligence.

         ·   Interviewed the CIO and selected members of the Risk Project workgroup on implementation of
             the project and its current status.

         ·   Evaluated the project planning and project management process for the Risk Project.

         ·   Assessed project timeframes, budget, unexpected outcomes, delays, and adjustments.

         ·   Reviewed the Agency’s evaluation of business intelligence tools, selection criteria, ratings, and
             associated documentation and approvals.

         ·   Determined what contractors were utilized for the Risk Project.

     This audit was performed in accordance with Generally Accepted Government Auditing Standards.
     Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence
     to provide a reasonable basis for our findings and conclusions based on our audit objective. We
     assessed internal controls and compliance with laws and regulations to the extent necessary to satisfy
     the objective. Our review would not necessarily have disclosed all internal control deficiencies that may
     have existed at the time of our audit. We assessed the computer-processed data relevant to our audit
     objective and determined the data was sufficiently reliable. We assessed the risk of fraud related to our
     audit objective in the course of evaluating audit evidence. Overall, we believe the evidence obtained
     provides a reasonable basis for our conclusions based on our audit objective.




ACRONYMS


           CIO     Chief Information Officer

           CRS     Consolidated Reporting System

           FCA     Farm Credit Administration

           FCS     Farm Credit System

           FY      Fiscal Year

           IRM     Information Resources Management

           IRMOC   Information Resources Management Operations Committee

           IT      Information Technology

           OE      Office of Examination

           OIG     Office of Inspector General

           OIT     Office of Information Technology

           OMS     Office of Management Services




    REPORT

Fraud | Waste | Abuse | Mismanagement




      FARM CREDIT ADMINISTRATION
      OFFICE OF INSPECTOR GENERAL

   Phone: Toll Free (800) 437-7322; (703) 883-4316

                Fax: (703) 883-4059

           E-mail: fca-ig-hotline@rcn.com

          Mail: Farm Credit Administration
            Office of Inspector General
               1501 Farm Credit Drive
              McLean, VA 22102-5090