United States General Accounting Office GAO Report to the Chairman of the Subcommittee on the District of Columbia, Committee on Appropriations, House of Representatives December 1999 DISTRICT OF COLUMBIA The District Has Not Adequately Planned for and Managed Its New Personnel and Payroll System GAO/AIMD-00-19 United States General Accounting Office Accounting and Information Washington, D.C. 20548 Management Division B-283549 Leter December 17, 1999 The Honorable Ernest J. Istook, Jr. Chairman, Subcommittee on the District of Columbia Committee on Appropriations House of Representatives Dear Mr. Chairman: This report responds to your request that we review the District of Columbia’s management of the development of the Comprehensive Automated Personnel and Payroll System (CAPPS). The District is acquiring and developing CAPPS (which is based on a commercial, off-the-shelf software [COTS] product) in order to improve the quality of its personnel and payroll information, modernize its personnel and payroll business processes, and replace an aging legacy system. As noted in our earlier testimony,1 information on the District’s 40,000 employees has long been error-prone and inconsistent. CAPPS has been estimated to cost about $13 million to develop and was expected to be deployed by December 1999. As discussed with your office, we assessed whether the District has effectively planned and managed CAPPS. Results in Brief The District did not effectively plan for CAPPS. Since beginning the CAPPS initiative in 1991, the District did not develop a project management plan and a risk management plan; it did not redesign personnel and payroll business processes; it did not obtain agreement from the acquisition team, system users, and the contractor on detailed requirements for CAPPS; and it did not establish a configuration control process to control the changes that were made to data tables connected to the software package that the District acquired for CAPPS. By not implementing these critical management processes, the District lacked the means to establish realistic time frames for CAPPS, track development along those time frames, and ensure that changes being made to CAPPS were consistent and in line with business requirements. In fact, the District has had to continually revise its 1 District of Columbia: Weaknesses in Personnel Records and Public Schools’ Management Information and Controls (GAO/T-AIMD-95-170, June 14, 1995). Page 1 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 CAPPS implementation deadline and, in view of these delays, has had to perform Year 2000 renovations on its legacy personnel and payroll system as a contingency measure. Furthermore, the District has not been able to prevent individual District agencies from requesting that the contractor modify the system without knowledge of the CAPPS program office, in order to meet their own unique requirements. The District also does not have the tools essential for maintaining, operating, and protecting CAPPS after its implementation. In particular, the District has not estimated the cost of maintaining CAPPS or even decided how the system will be maintained. It also does not have a centralized file for contract-related documents or a documented history of CAPPS-related decisions—both of which are needed to maintain and modify the system as well as to provide information for reviews and investigations. Furthermore, the District has not developed a security plan for CAPPS even though the system will contain sensitive privacy data. We are making recommendations to the District that are focused on the need to implement effective management controls and processes for maintaining, operating, and protecting CAPPS. In commenting on a draft of this report, the District agreed with our observations and identified actions being taken to address our recommendations. Background Information on employees in the District’s personnel, payroll, and budget systems has long been error-prone and inconsistent. Specifically, as we testified in June 1995,2 personnel records lacked up-to-date position descriptions and current data on pay and grade, contained service computation date errors, and did not agree with payroll and budget records. Payroll records included numerous errors in social security numbers, addresses, and other data. For example, at the time of our 1995 review, the payroll system data indicated that District employees resided in 25 different states, including Texas and Florida. Further checking of a sample of these errors showed that the employees actually lived in the Washington metropolitan area. These and other data problems have hampered the District’s effort to manage programs and to make difficult decisions to address its fiscal crisis. 2 GAO/T-AIMD-95-170, June 14, 1995. Page 2 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 CAPPS is being implemented to correct long-standing data problems with personnel and payroll records as well as to modernize personnel and payroll business processes and introduce a technology information infrastructure to agencies that are not presently computerized. CAPPS will replace the current personnel and payroll system, known as the Unified Personnel and Payroll System (UPPS), which has been in operation since 1969. UPPS is a mainframe-based system with hardwired terminals located in some, but not all District agencies. UPPS is outdated and limited in capability. As the basis of CAPPS, the District purchased a COTS3 product that was a commercially successful, mainframe-based, computerized personnel system. To implement CAPPS, the District contracted with a firm experienced in human resources and personnel systems. This contractor was given responsibility for incorporating District agency’s personnel and payroll rules in the construction of systems tables as well as entry of personnel records.4 Although most of the processing in the CAPPS system will be performed on a mainframe computer, users will be able to access relevant data via personal computers located in all of the District’s agency offices. CAPPS will perform a wider range of personnel and payroll functions than UPPS, including time and attendance reporting, tracking of personnel costs, and position description and classification management. CAPPS will also process pay for a broader range of District activities than did UPPS, including the District of Columbia public school system. Unlike UPPS, CAPPS will provide the District with on-line funding data at the agency level, budgetary and spending controls at the position level, and accurate accounting of costs of expenses, such as overtime. The District’s Office of the Chief Financial Officer, which has responsibility for acquiring and developing CAPPS, expected to spend approximately $13 million to acquire and develop the system. The District’s contract data made available to us show that as of July 9, 1999, $7.9 million had been spent. As discussed later in this report, however, the District has not yet estimated what it will cost to maintain CAPPS over its life cycle. Table 1 highlights some of the major milestones/events during the CAPPS effort. 3 The provider of COTS is called the “vendor” in this report. 4 The provider of the services is called the “contractor” in this report. Page 3 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 Table 1: CAPPS Timeline Date Event 1991 In response to Congressional concerns about the lack of accurate personnel records, the District creates an action plan to acquire an automated human resources management information system. 1994 The District procures a standard human resources mainframe software package. 1997 The District solicits proposals to implement the COTS package. Following an initial request for proposals that did not generate a response, the District modifies the contract targeting six potential contractors, two of which were developing the District’s new Financial Management System. The two contractors decide to “team” on a response and are awarded the contract. Spring 1998 The District’s Office of the Chief Financial Officer commissions a study of CAPPS development and on the basis of the results of the study assigns a full-time program manager. Fall 1998 The District conducts a risk assessment for CAPPS that identified 15 specific areas of risk, including the lack of plans for support and maintenance of CAPPS and the lack of historical documentation on CAPPS. January 1999 The District decides to implement the entire system agency-by-agency rather than follow its previous plan to implement the system module-by- module across all agencies. As a result, system implementation may be delayed. Objectives, Scope, and Our objective was to determine whether the District has effectively planned and managed the acquisition of CAPPS. To do so, we reviewed and Methodology analyzed CAPPS program management and contractor documentation and the 1998 CAPPS risk assessment. We discussed the CAPPS effort with officials representing the prime contractor; the Office of the Chief Financial Officer, including CAPPS program management staff;5 and the District of Columbia Inspector General’s Office. We compared the District’s efforts to plan and manage CAPPS with • legislative requirements governing information technology for federal agencies, including the Clinger-Cohen Act of 1996 and the Privacy Act of 1974; 5 CAPPS has had three different program managers since our audit began. Page 4 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 • federal policy governing acquisition efforts, including Office of Management and Budget guidance6 and the National Institute of Standards and Technology Federal Information Processing Standards;7 and those standards applying to computer security and paperwork reduction;8 and • best practice literature, including guidance we and the Software Engineering Institute9 issued on evaluating information technology investment.10 We also relied on a review11 that we conducted in 1998 to determine whether the District of Columbia had implemented disciplined software acquisition processes for its new financial management system, which is also being managed by the Chief Financial Officer. We conducted our review from March 1999 through November 1999 in accordance with generally accepted government auditing standards. We requested comments on a draft of this report from the District’s Chief Financial Officer. These comments and our response are discussed in the “Comments and Our Evaluation” section and are reprinted in appendix I. Planning for CAPPS Before undertaking its CAPPS effort, the District did not develop and implement basic management processes that are designed to help ensure Was Inadequate that the system can be implemented within realistic time frames and will meet the District’s personnel needs. As a result, the District has encountered major delays and has been unable to ensure that the 6 Management of Federal Information Resources, OMB Circular A-130, December 12, 1985. 7 Guidelines for Security of Computer Applications, FIPS PUB 73, June 30, 1980. 8 Computer Security Guidelines for Implementing the Privacy Act of 1974, FIPS PUB 41, May 30, 1975. 9 Capability Maturity Model for Software, Carnegie Mellon University, Software Engineering Institute, version 1.1, February 1993. 10 Assessing Risks and Returns: A Guide for Evaluating Federal Agencies’ IT Investment Decision-making (GAO/AIMD-10.1.13, February 1997) and Executive Guide: Creating Value Through World-class Financial Management (GAO/AIMD-99-45, Exposure Draft, August 1999). 11 District of Columbia: Software Acquisition Processes for a New Financial Management System (GAO/AIMD-98-88, April 30, 1998). Page 5 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 implementation of the COTS package it acquired for CAPPS is consistent and in line with its personnel business needs. In particular, the District did not do the following. • Develop and implement a project management plan. Documented project plans help organizations to define realistic time frames for system acquisition and development and identify responsibilities for key tasks, deliverables, resources, performance measures, etc. Without them, organizations lack a yardstick by which to measure the progress of the acquisition and development effort. • Develop and implement a risk management plan. In developing risk management plans, organizations identify, assess, and document the risks associated with the cost, resource, schedule, and technical aspects of the project and determine the procedures that will be used to manage those risks. Without such a plan, organizations do not have a disciplined means to predict and mitigate risks, such as the risk that the system will not (1) meet performance and business requirements, (2) work with other systems belonging to the organization, and/or (3) be delivered on schedule and within budget. • Redesign personnel and payroll business processes. To maximize the success of a new system acquisition, organizations should redesign long-standing and ineffective business processes. As we recently noted in our executive guide on financial management,12 leading finance organizations have found that productivity gains typically result from more efficient processes, not from simply automating old processes. • Develop an approved requirements baseline for CAPPS. To help ensure the success of a system acquisition and development effort, organizations should establish and maintain a common and unambiguous definition of requirements (e.g., function, performance, help desk operations, data characteristics, security) among the acquisition team, the system users, and the contractor. These requirements should be consistent with one another, verifiable, and traceable to higher level business or functional requirements. Poorly defined, vague, or conflicting requirements can result in a system that does not meet business needs or that cannot be delivered on schedule and within budget. • Establish a configuration control process for the modification of CAPPS. Software configuration management involves establishing 12 Executive Guide: Creating Value Through World-class Financial Management (GAO/AIMD-99-45, Exposure Draft, August 1999). Page 6 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 product baselines and systematically controlling changes made to those baselines. As noted in our executive guide on financial management, it also ensures that product changes are clearly documented and tested before being placed into production. Having this process enables organizations to establish and maintain the integrity of the system throughout its lifecycle. Without a mature effective configuration management process, organizations can lose control of the software product baseline, potentially producing and using inconsistent product versions, and creating operational problems. These planning weaknesses mirror those we identified in 1998 during our review of the District’s software acquisition processes for its new Financial Management System (FMS). Among other things, this review found that the District did not have a written policy for software acquisition planning, did not have a policy for establishing and managing software-related requirements, did not have a risk management plan to track project risk, and did not have a documented policy for contract tracking and oversight activities. In light of these and other weaknesses, we made 35 recommendations to the Chief Financial Officer designed to strengthen acquisition processes as they related to the FMS project and other acquisitions, such as CAPPS. Some project and risk management measures were undertaken after the CAPPS acquisition and development effort began; however, these still fell short of what was necessary to ensure that CAPPS could be delivered on time and that the system would meet the District’s personnel needs. For example, instead of a project plan, the District developed a series of implementation schedules for CAPPS and is currently working with a spreadsheet generated from project planning software to manage CAPPS. These documents, however, were not sufficiently detailed to allow effective control and visibility over basic critical aspects of the development effort. For example, they did not detail tasks to be performed, assign responsibilities, and, set realistic deadlines for CAPPS implementation. As a result, the District has consistently underestimated the amount of effort needed to fully implement CAPPS and, as shown in figure 1, deadlines have been greatly extended. Page 7 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 Figure 1: Estimated CAPPS Implementation Dates June 1997 Estimate May 1998 Estimate Jan 1999 Estimate Sept 1999 Estimate June Jan June Jan June Jan 1997 1998 1998 1999 1999 2000 Source: CAPPS program office. Also, while it did not develop a risk management plan, the District performed a risk assessment in the fall of 1998 to identify major risks associated with CAPPS. The assessment identified 15 problem areas and recommended mitigation strategies for each. Included were areas we identified in 1998 and in this review, such as the lack of a requirements baseline, the lack of support and maintenance plans, and the lack of historical records. However, the risk assessment was incomplete because it did not address information security−a critical area of risk for a personnel management information system. In addition, the District did not follow up on the assessment by establishing a risk management committee or a formal risk management process. Instead, the District conducted another independent assessment of CAPPS in the spring of 1999, which merely confirmed the previously identified problems, such as the lack of a requirements baseline and the lack of support and maintenance plans. Further, instead of developing a requirements baseline, the District relied on the vendor to develop a list of 449 detailed requirements that CAPPS needed to address. Examples of requirements included “Calculate position turnover by job classification (and maintain historical turnover data),” “Flag positions being filled by a temporary, detailed (acting or on loan) employee,” and “Calculate position grade/step salary averages and midpoints.” During implementation of CAPPS, the District asked the contractor to prioritize the requirements and reduce them to “mandatory” capabilities. However, the District did not take steps to ensure that the system users agreed to these requirements or to link the requirements to Page 8 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 the five core modules of the system (i.e., payroll, position control, employee processing, benefits and compensation, and time and attendance). Moreover, because the District has not established a configuration control process, the CAPPS program office has been unable to stop District agencies from individually requesting the contractor to modify the system to accommodate their own unique requirements. As a result, it does not have assurance that changes being made to the system are (1) consistent with one another, (2) in line with higher level business requirements, and (3) documented and communicated to other users. The District Does Not Even though the District currently expects to implement CAPPS by December 1999, it has not taken steps necessary to ensure that CAPPS is Have Tools for effectively maintained and operated and that sensitive data within CAPPS Maintaining and will be protected. This has created the risk that, once implemented, CAPPS will not be effectively managed and protected from unauthorized users. Protecting CAPPS Specifically, the District has not done the following. • Estimated the cost of maintaining CAPPS. After the CAPPS system is implemented, the District will need to periodically make changes to the system to correct coding errors, design errors, and/or to accommodate new requirements. According to information technology experts,13 maintenance costs are typically the greatest costs in the lifecycle of the system and can end up being as much as twice to four times the development costs. As such, they need to be estimated and planned for as soon in the development stage as possible. • Decided how the system will be maintained. It is just as necessary to have a configuration control process in place for maintaining a system as it is for developing one. Yet the District has not yet established such a process. In addition, it has not decided who will operate and maintain the system. While the District has a maintenance agreement with the vendor, this agreement only covers the COTS product itself and not the modifications that were made to the system in implementation. • Organized files essential to maintaining CAPPS. To effectively maintain and modify systems and to be able to provide information for reviews and investigations, organizations need to maintain contract documentation as well as a history of decisions leading up to implementation of the system. The District does not have a complete, 13 Such as those at the Defense Systems Management College. Page 9 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 centralized contracting file or a documented history of CAPPS-related decisions. Instead, contract documentation is scattered and takes a long time to assemble. For example, there is no central file for the task orders that instruct the contractor to make specific changes to CAPPS, and, as a result, there is no systematic way of knowing if anyone in the program office approved specific tasks or if the tasks requested repeated something that had already been requested and completed. • Developed a security plan. Because personnel systems contain sensitive privacy data, they need to be protected from internal and external unauthorized users. Thus, it is good business practice to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. Normally, security requirements are defined and built into a system during the development process along with other functional requirements. The District, however, has not yet formally considered its security needs for CAPPS. Conclusions Because the District did not develop and implement effective management processes for CAPPS, it was unable to prevent or mitigate major development delays or ensure that the system would fully meet its personnel needs. To mitigate future problems, it will be important for the District to implement effective controls and processes for managing, maintaining, and protecting the system. Recommendations So that the District implements effective processes and controls for maintaining, operating, and protecting CAPPS, we recommend that the Chief Financial Officer direct the CAPPS program office to do the following: • Develop and maintain a risk management plan. • Develop a requirements baseline and obtain agreement between the program office and the system users. • Implement a configuration control process to control and document further modifications being made to CAPPS. The process should (1) clearly define and assess the effects of modifications on future product upgrades before the modification is approved, (2) clearly document the software products that are placed under configuration management, and (3) maintain the integrity and traceability of the configuration throughout the system life cycle. Page 10 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 • Develop and implement a life cycle support plan, assign responsibility for life cycle maintenance, and develop an estimate of maintenance and operation costs for CAPPS. • Develop and implement a security plan based on a realistic risk assessment of CAPPS security vulnerabilities. • Develop a centralized file for contract task orders and other contract documentation related to CAPPS. Comments and Our The District of Columbia provided written comments on a draft of this report. The Chief Financial Officer (CFO) agreed in principle with the Evaluation observations about needed improvements in project management for CAPPS. She pointed out that the District has begun to implement changes to project management, including the appointment of a new project manager. In addition, the CFO stated that the District plans to improve schedule compliance and budget control over the project, to create better documentation of user needs and system configuration, and to implement necessary security measures. The program manager is to develop a project plan which will include provision for implementing CAPPS in the remaining DC agencies, and which will provide for resources to maintain CAPPS once it is fully implemented. While the District’s actions are encouraging, implementing needed CAPPS changes will be challenging, given the poor track record of the District in making improvements to its management of information systems. As noted in our report, many of the same problems we found with CAPPS were identified more than a year ago in our April 1998 review of the District’s new financial management system. For example, the District did not have a risk management plan, a policy for establishing and managing software- related requirements, or a policy for contract tracking and oversight activities. At the time of our review, the Office of the Chief Financial Officer assured us that corrective actions were underway to address our 35 recommendations. Nevertheless, such fundamental management controls are still lacking with CAPPS. The Chief Financial Officer also responded to our original concerns about the lack of progress in determining CAPPS Year 2000 compliance. In a draft we sent to the District for comment, we reported that the District did not yet have adequate assurance that CAPPS was Year 2000 compliant and that it had not yet completed a written business continuity plan for personnel and payroll operations that went beyond immediate contingency actions and anticipated possible failures in business partner systems or public Page 11 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS B-283549 infrastructure systems, such as power and telecommunications. In her comments, the Chief Financial Officer described the District’s recent progress in assuring Year 2000 compliance for CAPPS and in preparing continuity plans. After reviewing additional documentation provided by the District on its Year 2000 progress, we determined that the District has taken steps needed to ensure the continuity of payroll and personnel operations into 2000 and have modified our final report accordingly. We are sending this report to the Honorable Anthony A. Williams, Mayor of the District of Columbia; Valerie Holt, the Chief Financial Officer of the District of Columbia; Henry Debman, Program Manager of the Comprehensive Automated Personnel and Payroll System; Suzanne Peck, Chief Technology Officer of the District of Columbia; and Mary Ellen Hanley, Year 2000 Program Director of the District of Columbia. Copies will also be made available to others upon request. If you have questions regarding this report, please contact me or Carl M. Urie, Assistant Director at (202) 512- 6240. Other key contributors to this report are listed in appendix II. Sincerely yours, Jack L. Brock, Jr. Director, Government and Defense Information Systems Page 12 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS Page 13 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS Appendix I Comments From the District of Columbia AA ppp ep ned nx idx eIis Page 14 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS Appendix I Comments From the District of Columbia Page 15 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS Appendix II GAO Contacts and Staff Acknowledgements Appendx iI GAO Contacts Jack Brock, (202) 512-6240 Carl Urie, (202) 512-6231 Acknowledgements In addition to the above contacts, Cristina Chaplain, Robert Crocker, Greg Donnellon, and Brian Spencer, made key contributions to this report. (511667) Leter Page 16 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
District of Columbia: The District Has Not Adequately Planned for and Managed Its New Personnel and Payroll System
Published by the Government Accountability Office on 1999-12-17.
Below is a raw (and likely hideous) rendition of the original report. (PDF)