District of Columbia: The District Has Not Adequately Planned for and Managed Its New Personnel and Payroll System

Published by the Government Accountability Office on 1999-12-17.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                 United States General Accounting Office

GAO              Report to the Chairman of the
                 Subcommittee on the District of
                 Columbia, Committee on Appropriations,
                 House of Representatives

December 1999
                 DISTRICT OF

                 The District Has Not
                 Adequately Planned
                 for and Managed Its
                 New Personnel and
                 Payroll System

United States General Accounting Office                                                 Accounting and Information
Washington, D.C. 20548                                                                       Management Division

                                    B-283549                                                                                Leter

                                    December 17, 1999

                                    The Honorable Ernest J. Istook, Jr.
                                    Chairman, Subcommittee on the District of Columbia
                                    Committee on Appropriations
                                    House of Representatives

                                    Dear Mr. Chairman:

                                    This report responds to your request that we review the District of
                                    Columbia’s management of the development of the Comprehensive
                                    Automated Personnel and Payroll System (CAPPS). The District is
                                    acquiring and developing CAPPS (which is based on a commercial,
                                    off-the-shelf software [COTS] product) in order to improve the quality of its
                                    personnel and payroll information, modernize its personnel and payroll
                                    business processes, and replace an aging legacy system. As noted in our
                                    earlier testimony,1 information on the District’s 40,000 employees has long
                                    been error-prone and inconsistent. CAPPS has been estimated to cost
                                    about $13 million to develop and was expected to be deployed by
                                    December 1999. As discussed with your office, we assessed whether the
                                    District has effectively planned and managed CAPPS.

Results in Brief                    The District did not effectively plan for CAPPS. Since beginning the CAPPS
                                    initiative in 1991, the District did not develop a project management plan
                                    and a risk management plan; it did not redesign personnel and payroll
                                    business processes; it did not obtain agreement from the acquisition team,
                                    system users, and the contractor on detailed requirements for CAPPS; and
                                    it did not establish a configuration control process to control the changes
                                    that were made to data tables connected to the software package that the
                                    District acquired for CAPPS. By not implementing these critical
                                    management processes, the District lacked the means to establish realistic
                                    time frames for CAPPS, track development along those time frames, and
                                    ensure that changes being made to CAPPS were consistent and in line with
                                    business requirements. In fact, the District has had to continually revise its

                                     District of Columbia: Weaknesses in Personnel Records and Public Schools’ Management
                                    Information and Controls (GAO/T-AIMD-95-170, June 14, 1995).

                                    Page 1                    GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

             CAPPS implementation deadline and, in view of these delays, has had to
             perform Year 2000 renovations on its legacy personnel and payroll system
             as a contingency measure. Furthermore, the District has not been able to
             prevent individual District agencies from requesting that the contractor
             modify the system without knowledge of the CAPPS program office, in
             order to meet their own unique requirements.

             The District also does not have the tools essential for maintaining,
             operating, and protecting CAPPS after its implementation. In particular, the
             District has not estimated the cost of maintaining CAPPS or even decided
             how the system will be maintained. It also does not have a centralized file
             for contract-related documents or a documented history of CAPPS-related
             decisions—both of which are needed to maintain and modify the system as
             well as to provide information for reviews and investigations. Furthermore,
             the District has not developed a security plan for CAPPS even though the
             system will contain sensitive privacy data.

             We are making recommendations to the District that are focused on the
             need to implement effective management controls and processes for
             maintaining, operating, and protecting CAPPS. In commenting on a draft of
             this report, the District agreed with our observations and identified actions
             being taken to address our recommendations.

Background   Information on employees in the District’s personnel, payroll, and budget
             systems has long been error-prone and inconsistent. Specifically, as we
             testified in June 1995,2 personnel records lacked up-to-date position
             descriptions and current data on pay and grade, contained service
             computation date errors, and did not agree with payroll and budget
             records. Payroll records included numerous errors in social security
             numbers, addresses, and other data. For example, at the time of our
             1995 review, the payroll system data indicated that District employees
             resided in 25 different states, including Texas and Florida. Further
             checking of a sample of these errors showed that the employees actually
             lived in the Washington metropolitan area. These and other data problems
             have hampered the District’s effort to manage programs and to make
             difficult decisions to address its fiscal crisis.

             GAO/T-AIMD-95-170, June 14, 1995.

             Page 2                    GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

CAPPS is being implemented to correct long-standing data problems with
personnel and payroll records as well as to modernize personnel and
payroll business processes and introduce a technology information
infrastructure to agencies that are not presently computerized. CAPPS will
replace the current personnel and payroll system, known as the Unified
Personnel and Payroll System (UPPS), which has been in operation since
1969. UPPS is a mainframe-based system with hardwired terminals located
in some, but not all District agencies. UPPS is outdated and limited in

As the basis of CAPPS, the District purchased a COTS3 product that was a
commercially successful, mainframe-based, computerized personnel
system. To implement CAPPS, the District contracted with a firm
experienced in human resources and personnel systems. This contractor
was given responsibility for incorporating District agency’s personnel and
payroll rules in the construction of systems tables as well as entry of
personnel records.4

Although most of the processing in the CAPPS system will be performed on
a mainframe computer, users will be able to access relevant data via
personal computers located in all of the District’s agency offices. CAPPS
will perform a wider range of personnel and payroll functions than UPPS,
including time and attendance reporting, tracking of personnel costs, and
position description and classification management. CAPPS will also
process pay for a broader range of District activities than did UPPS,
including the District of Columbia public school system. Unlike UPPS,
CAPPS will provide the District with on-line funding data at the agency
level, budgetary and spending controls at the position level, and accurate
accounting of costs of expenses, such as overtime.

The District’s Office of the Chief Financial Officer, which has responsibility
for acquiring and developing CAPPS, expected to spend approximately
$13 million to acquire and develop the system. The District’s contract data
made available to us show that as of July 9, 1999, $7.9 million had been
spent. As discussed later in this report, however, the District has not yet
estimated what it will cost to maintain CAPPS over its life cycle. Table 1
highlights some of the major milestones/events during the CAPPS effort.

The provider of COTS is called the “vendor” in this report.
The provider of the services is called the “contractor” in this report.

Page 3                       GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

                         Table 1: CAPPS Timeline
                         Date           Event
                         1991           In response to Congressional concerns about the lack of accurate
                                        personnel records, the District creates an action plan to acquire an
                                        automated human resources management information system.
                         1994           The District procures a standard human resources mainframe software
                         1997           The District solicits proposals to implement the COTS package. Following
                                        an initial request for proposals that did not generate a response, the
                                        District modifies the contract targeting six potential contractors, two of
                                        which were developing the District’s new Financial Management System.
                                        The two contractors decide to “team” on a response and are awarded the
                         Spring 1998    The District’s Office of the Chief Financial Officer commissions a study of
                                        CAPPS development and on the basis of the results of the study assigns
                                        a full-time program manager.
                         Fall 1998      The District conducts a risk assessment for CAPPS that identified 15
                                        specific areas of risk, including the lack of plans for support and
                                        maintenance of CAPPS and the lack of historical documentation on
                         January 1999   The District decides to implement the entire system agency-by-agency
                                        rather than follow its previous plan to implement the system module-by-
                                        module across all agencies. As a result, system implementation may be

Objectives, Scope, and   Our objective was to determine whether the District has effectively
                         planned and managed the acquisition of CAPPS. To do so, we reviewed and
Methodology              analyzed CAPPS program management and contractor documentation and
                         the 1998 CAPPS risk assessment. We discussed the CAPPS effort with
                         officials representing the prime contractor; the Office of the Chief
                         Financial Officer, including CAPPS program management staff;5 and the
                         District of Columbia Inspector General’s Office. We compared the District’s
                         efforts to plan and manage CAPPS with

                         • legislative requirements governing information technology for federal
                           agencies, including the Clinger-Cohen Act of 1996 and the Privacy Act of

                         CAPPS has had three different program managers since our audit began.

                         Page 4                     GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

                     • federal policy governing acquisition efforts, including Office of
                       Management and Budget guidance6 and the National Institute of
                       Standards and Technology Federal Information Processing Standards;7
                       and those standards applying to computer security and paperwork
                       reduction;8 and
                     • best practice literature, including guidance we and the Software
                       Engineering Institute9 issued on evaluating information technology

                     We also relied on a review11 that we conducted in 1998 to determine
                     whether the District of Columbia had implemented disciplined software
                     acquisition processes for its new financial management system, which is
                     also being managed by the Chief Financial Officer.

                     We conducted our review from March 1999 through November 1999 in
                     accordance with generally accepted government auditing standards. We
                     requested comments on a draft of this report from the District’s Chief
                     Financial Officer. These comments and our response are discussed in the
                     “Comments and Our Evaluation” section and are reprinted in appendix I.

Planning for CAPPS   Before undertaking its CAPPS effort, the District did not develop and
                     implement basic management processes that are designed to help ensure
Was Inadequate       that the system can be implemented within realistic time frames and will
                     meet the District’s personnel needs. As a result, the District has
                     encountered major delays and has been unable to ensure that the

                     Management of Federal Information Resources, OMB Circular A-130, December 12, 1985.
                     Guidelines for Security of Computer Applications, FIPS PUB 73, June 30, 1980.
                     Computer Security Guidelines for Implementing the Privacy Act of 1974, FIPS PUB 41,
                     May 30, 1975.
                     Capability Maturity Model for Software, Carnegie Mellon University, Software
                     Engineering Institute, version 1.1, February 1993.
                      Assessing Risks and Returns: A Guide for Evaluating Federal Agencies’ IT Investment
                     Decision-making (GAO/AIMD-10.1.13, February 1997) and Executive Guide: Creating
                     Value Through World-class Financial Management (GAO/AIMD-99-45, Exposure Draft,
                     August 1999).
                      District of Columbia: Software Acquisition Processes for a New Financial Management
                     System (GAO/AIMD-98-88, April 30, 1998).

                     Page 5                     GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

implementation of the COTS package it acquired for CAPPS is consistent
and in line with its personnel business needs. In particular, the District did
not do the following.

• Develop and implement a project management plan. Documented
  project plans help organizations to define realistic time frames for
  system acquisition and development and identify responsibilities for key
  tasks, deliverables, resources, performance measures, etc. Without
  them, organizations lack a yardstick by which to measure the progress
  of the acquisition and development effort.
• Develop and implement a risk management plan. In developing risk
  management plans, organizations identify, assess, and document the
  risks associated with the cost, resource, schedule, and technical aspects
  of the project and determine the procedures that will be used to manage
  those risks. Without such a plan, organizations do not have a disciplined
  means to predict and mitigate risks, such as the risk that the system will
  not (1) meet performance and business requirements, (2) work with
  other systems belonging to the organization, and/or (3) be delivered on
  schedule and within budget.
• Redesign personnel and payroll business processes. To maximize the
  success of a new system acquisition, organizations should redesign
  long-standing and ineffective business processes. As we recently noted
  in our executive guide on financial management,12 leading finance
  organizations have found that productivity gains typically result from
  more efficient processes, not from simply automating old processes.
• Develop an approved requirements baseline for CAPPS. To help ensure
  the success of a system acquisition and development effort,
  organizations should establish and maintain a common and
  unambiguous definition of requirements (e.g., function, performance,
  help desk operations, data characteristics, security) among the
  acquisition team, the system users, and the contractor. These
  requirements should be consistent with one another, verifiable, and
  traceable to higher level business or functional requirements. Poorly
  defined, vague, or conflicting requirements can result in a system that
  does not meet business needs or that cannot be delivered on schedule
  and within budget.
• Establish a configuration control process for the modification of
  CAPPS. Software configuration management involves establishing

 Executive Guide: Creating Value Through World-class Financial Management
(GAO/AIMD-99-45, Exposure Draft, August 1999).

Page 6                    GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

   product baselines and systematically controlling changes made to those
   baselines. As noted in our executive guide on financial management, it
   also ensures that product changes are clearly documented and tested
   before being placed into production. Having this process enables
   organizations to establish and maintain the integrity of the system
   throughout its lifecycle. Without a mature effective configuration
   management process, organizations can lose control of the software
   product baseline, potentially producing and using inconsistent product
   versions, and creating operational problems.

These planning weaknesses mirror those we identified in 1998 during our
review of the District’s software acquisition processes for its new Financial
Management System (FMS). Among other things, this review found that the
District did not have a written policy for software acquisition planning, did
not have a policy for establishing and managing software-related
requirements, did not have a risk management plan to track project risk,
and did not have a documented policy for contract tracking and oversight
activities. In light of these and other weaknesses, we made
35 recommendations to the Chief Financial Officer designed to strengthen
acquisition processes as they related to the FMS project and other
acquisitions, such as CAPPS.

Some project and risk management measures were undertaken after the
CAPPS acquisition and development effort began; however, these still fell
short of what was necessary to ensure that CAPPS could be delivered on
time and that the system would meet the District’s personnel needs. For
example, instead of a project plan, the District developed a series of
implementation schedules for CAPPS and is currently working with a
spreadsheet generated from project planning software to manage CAPPS.
These documents, however, were not sufficiently detailed to allow effective
control and visibility over basic critical aspects of the development effort.
For example, they did not detail tasks to be performed, assign
responsibilities, and, set realistic deadlines for CAPPS implementation. As
a result, the District has consistently underestimated the amount of effort
needed to fully implement CAPPS and, as shown in figure 1, deadlines have
been greatly extended.

Page 7                  GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

Figure 1: Estimated CAPPS Implementation Dates

     June 1997 Estimate

                                      May 1998 Estimate

                                                           Jan 1999 Estimate

                                                                      Sept 1999 Estimate

  June              Jan                  June             Jan            June        Jan
  1997              1998                 1998             1999           1999        2000

Source: CAPPS program office.

Also, while it did not develop a risk management plan, the District
performed a risk assessment in the fall of 1998 to identify major risks
associated with CAPPS. The assessment identified 15 problem areas and
recommended mitigation strategies for each. Included were areas we
identified in 1998 and in this review, such as the lack of a requirements
baseline, the lack of support and maintenance plans, and the lack of
historical records. However, the risk assessment was incomplete because it
did not address information security−a critical area of risk for a personnel
management information system. In addition, the District did not follow up
on the assessment by establishing a risk management committee or a
formal risk management process. Instead, the District conducted another
independent assessment of CAPPS in the spring of 1999, which merely
confirmed the previously identified problems, such as the lack of a
requirements baseline and the lack of support and maintenance plans.

Further, instead of developing a requirements baseline, the District relied
on the vendor to develop a list of 449 detailed requirements that CAPPS
needed to address. Examples of requirements included “Calculate position
turnover by job classification (and maintain historical turnover data),”
“Flag positions being filled by a temporary, detailed (acting or on loan)
employee,” and “Calculate position grade/step salary averages and
midpoints.” During implementation of CAPPS, the District asked the
contractor to prioritize the requirements and reduce them to “mandatory”
capabilities. However, the District did not take steps to ensure that the
system users agreed to these requirements or to link the requirements to

Page 8                          GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

                        the five core modules of the system (i.e., payroll, position control,
                        employee processing, benefits and compensation, and time and
                        attendance). Moreover, because the District has not established a
                        configuration control process, the CAPPS program office has been unable
                        to stop District agencies from individually requesting the contractor to
                        modify the system to accommodate their own unique requirements. As a
                        result, it does not have assurance that changes being made to the system
                        are (1) consistent with one another, (2) in line with higher level business
                        requirements, and (3) documented and communicated to other users.

The District Does Not   Even though the District currently expects to implement CAPPS by
                        December 1999, it has not taken steps necessary to ensure that CAPPS is
Have Tools for          effectively maintained and operated and that sensitive data within CAPPS
Maintaining and         will be protected. This has created the risk that, once implemented, CAPPS
                        will not be effectively managed and protected from unauthorized users.
Protecting CAPPS        Specifically, the District has not done the following.

                        • Estimated the cost of maintaining CAPPS. After the CAPPS system is
                          implemented, the District will need to periodically make changes to the
                          system to correct coding errors, design errors, and/or to accommodate
                          new requirements. According to information technology experts,13
                          maintenance costs are typically the greatest costs in the lifecycle of the
                          system and can end up being as much as twice to four times the
                          development costs. As such, they need to be estimated and planned for
                          as soon in the development stage as possible.
                        • Decided how the system will be maintained. It is just as necessary to
                          have a configuration control process in place for maintaining a system
                          as it is for developing one. Yet the District has not yet established such a
                          process. In addition, it has not decided who will operate and maintain
                          the system. While the District has a maintenance agreement with the
                          vendor, this agreement only covers the COTS product itself and not the
                          modifications that were made to the system in implementation.
                        • Organized files essential to maintaining CAPPS. To effectively maintain
                          and modify systems and to be able to provide information for reviews
                          and investigations, organizations need to maintain contract
                          documentation as well as a history of decisions leading up to
                          implementation of the system. The District does not have a complete,

                             Such as those at the Defense Systems Management College.

                        Page 9                        GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

                    centralized contracting file or a documented history of CAPPS-related
                    decisions. Instead, contract documentation is scattered and takes a long
                    time to assemble. For example, there is no central file for the task
                    orders that instruct the contractor to make specific changes to CAPPS,
                    and, as a result, there is no systematic way of knowing if anyone in the
                    program office approved specific tasks or if the tasks requested
                    repeated something that had already been requested and completed.
                  • Developed a security plan. Because personnel systems contain sensitive
                    privacy data, they need to be protected from internal and external
                    unauthorized users. Thus, it is good business practice to establish
                    appropriate administrative, technical, and physical safeguards to ensure
                    the security and confidentiality of records. Normally, security
                    requirements are defined and built into a system during the
                    development process along with other functional requirements. The
                    District, however, has not yet formally considered its security needs for

Conclusions       Because the District did not develop and implement effective management
                  processes for CAPPS, it was unable to prevent or mitigate major
                  development delays or ensure that the system would fully meet its
                  personnel needs. To mitigate future problems, it will be important for the
                  District to implement effective controls and processes for managing,
                  maintaining, and protecting the system.

Recommendations   So that the District implements effective processes and controls for
                  maintaining, operating, and protecting CAPPS, we recommend that the
                  Chief Financial Officer direct the CAPPS program office to do the

                  • Develop and maintain a risk management plan.
                  • Develop a requirements baseline and obtain agreement between the
                    program office and the system users.
                  • Implement a configuration control process to control and document
                    further modifications being made to CAPPS. The process should
                    (1) clearly define and assess the effects of modifications on future
                    product upgrades before the modification is approved, (2) clearly
                    document the software products that are placed under configuration
                    management, and (3) maintain the integrity and traceability of the
                    configuration throughout the system life cycle.

                  Page 10                GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

                   • Develop and implement a life cycle support plan, assign responsibility
                     for life cycle maintenance, and develop an estimate of maintenance and
                     operation costs for CAPPS.
                   • Develop and implement a security plan based on a realistic risk
                     assessment of CAPPS security vulnerabilities.
                   • Develop a centralized file for contract task orders and other contract
                     documentation related to CAPPS.

Comments and Our   The District of Columbia provided written comments on a draft of this
                   report. The Chief Financial Officer (CFO) agreed in principle with the
Evaluation         observations about needed improvements in project management for
                   CAPPS. She pointed out that the District has begun to implement changes
                   to project management, including the appointment of a new project
                   manager. In addition, the CFO stated that the District plans to improve
                   schedule compliance and budget control over the project, to create better
                   documentation of user needs and system configuration, and to implement
                   necessary security measures. The program manager is to develop a project
                   plan which will include provision for implementing CAPPS in the remaining
                   DC agencies, and which will provide for resources to maintain CAPPS once
                   it is fully implemented.

                   While the District’s actions are encouraging, implementing needed CAPPS
                   changes will be challenging, given the poor track record of the District in
                   making improvements to its management of information systems. As noted
                   in our report, many of the same problems we found with CAPPS were
                   identified more than a year ago in our April 1998 review of the District’s
                   new financial management system. For example, the District did not have a
                   risk management plan, a policy for establishing and managing software-
                   related requirements, or a policy for contract tracking and oversight
                   activities. At the time of our review, the Office of the Chief Financial Officer
                   assured us that corrective actions were underway to address our
                   35 recommendations. Nevertheless, such fundamental management
                   controls are still lacking with CAPPS.

                   The Chief Financial Officer also responded to our original concerns about
                   the lack of progress in determining CAPPS Year 2000 compliance. In a draft
                   we sent to the District for comment, we reported that the District did not
                   yet have adequate assurance that CAPPS was Year 2000 compliant and that
                   it had not yet completed a written business continuity plan for personnel
                   and payroll operations that went beyond immediate contingency actions
                   and anticipated possible failures in business partner systems or public

                   Page 11                  GAO/AIMD-00-19 District of Columbia’s Development of CAPPS

infrastructure systems, such as power and telecommunications. In her
comments, the Chief Financial Officer described the District’s recent
progress in assuring Year 2000 compliance for CAPPS and in preparing
continuity plans. After reviewing additional documentation provided by the
District on its Year 2000 progress, we determined that the District has taken
steps needed to ensure the continuity of payroll and personnel operations
into 2000 and have modified our final report accordingly.

We are sending this report to the Honorable Anthony A. Williams, Mayor of
the District of Columbia; Valerie Holt, the Chief Financial Officer of the
District of Columbia; Henry Debman, Program Manager of the
Comprehensive Automated Personnel and Payroll System; Suzanne Peck,
Chief Technology Officer of the District of Columbia; and Mary Ellen
Hanley, Year 2000 Program Director of the District of Columbia. Copies will
also be made available to others upon request.

If you have questions regarding this report, please contact me or Carl M.
Urie, Assistant Director at (202) 512- 6240. Other key contributors to this
report are listed in appendix II.

Sincerely yours,

Jack L. Brock, Jr.
Director, Government and Defense Information Systems

Page 12                 GAO/AIMD-00-19 District of Columbia’s Development of CAPPS
Page 13   GAO/AIMD-00-19 District of Columbia’s Development of CAPPS
Appendix I

Comments From the District of Columbia                                           AA

              Page 14   GAO/AIMD-00-19 District of Columbia’s Development of CAPPS
Appendix I
Comments From the District of Columbia

Page 15                   GAO/AIMD-00-19 District of Columbia’s Development of CAPPS
Appendix II

GAO Contacts and Staff Acknowledgements                                                               Appendx

GAO Contacts          Jack Brock, (202) 512-6240
                      Carl Urie, (202) 512-6231

Acknowledgements      In addition to the above contacts, Cristina Chaplain, Robert Crocker, Greg
                      Donnellon, and Brian Spencer, made key contributions to this report.

(511667)      Leter   Page 16                GAO/AIMD-00-19 District of Columbia’s Development of CAPPS
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:


or visit GAO’s World Wide Web Home Page at:

United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested