oversight

Department of Homeland Security: Continued Progress Made Improving and Integrating Management Areas, but More Work Remains

Published by the Government Accountability Office on 2012-03-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                            United States Government Accountability Office

GAO                         Testimony
                            Before the Subcommittee on Oversight,
                            Investigations, and Management,
                            Committee on Homeland Security, House
                            of Representatives
                            DEPARTMENT OF
For Release on Delivery
Expected at 9:30 a.m. EST
Thursday, March 1, 2012

                            HOMELAND SECURITY
                            Continued Progress Made
                            Improving and Integrating
                            Management Areas, but
                            More Work Remains
                            Statement of David C. Maurer, Director
                            Homeland Security and Justice Issues




GAO-12-365T
                                               March 1, 2012

                                               DEPARTMENT OF HOMELAND SECURITY
                                               Continued Progress Made Improving and
                                               Integrating Management Areas, but More Work
                                               Remains
Highlights of GAO-12-365T, a testimony
before the Subcommittee on Oversight,
Investigations, and Management, Committee
on Homeland Security, House of
Representatives


Why GAO Did This Study                         What GAO Found
Since 2003, GAO has designated the             The Department of Homeland Security (DHS) has updated and strengthened its
implementation and transformation of           strategy for how it plans to address GAO’s high-risk designation and resolve the
DHS as high risk because, among                department’s management challenges. In January 2011, DHS provided GAO
other things, DHS had to combine 22            with its Integrated Strategy for High Risk Management, which summarized the
agencies, while ensuring no serious            department’s preliminary plans for addressing the high-risk area. GAO found that
consequences for U.S. national and             this strategy, which was later updated in June and December 2011, was
economic security. This high-risk area         generally responsive to the actions and outcomes needed to address GAO’s
includes challenges in DHS’s                   high-risk designation. For example, the January 2011 strategy generally
management functions—financial
                                               identified multiple, specific actions and target completion time frames consistent
management, human capital, IT, and
                                               with the outcomes GAO identified. However, the strategy did not address the root
acquisitions; the effect of those
challenges on implementing DHS’s
                                               causes of problems, among other things. In its June 2011 strategy, DHS, among
missions; and integrating the functions.       other things, identified 10 root causes that cut across the management areas and
In November 2000, GAO published                their integration. GAO identified ways the strategy could be strengthened,
criteria for removing areas from its           including consistently reporting the progress of its initiatives and corrective
high-risk list. In September 2010, GAO         actions. In its most recent update, DHS better positioned itself to address its
identified 31 actions and outcomes             management challenges. For example, for the first time, DHS included ratings of
critical to addressing this high-risk          the department’s progress addressing its high-risk outcomes. However, GAO
area. This testimony addresses DHS’s           believes that DHS could more consistently report on available resources and
progress in (1) developing a strategy          corrective actions, establish measures and report on progress made for all
for addressing its high-risk designation       initiatives, and stabilize its methodology for measuring progress. These changes,
and (2) achieving outcomes critical to         if implemented and sustained, provide a path for DHS to address GAO’s high-risk
addressing this high-risk area. This           designation.
statement is based on GAO products
issued from June 2007 through                  DHS has made progress, but has considerable work ahead to achieve actions
February 2012, including selected              and outcomes critical to addressing this high-risk area. Among other
updates. It also includes preliminary          accomplishments, DHS realigned its acquisition management functions within a
observations from GAO’s ongoing work           new office to assess the health of major acquisitions and investments; conducted
reviewing DHS’s IT governance, for             program and portfolio reviews of hundreds of information technology (IT)
which GAO reviewed documents on IT             investments; and reduced the number of material weaknesses in internal
governance and interviewed officials.          controls. DHS also demonstrated top leadership commitment by identifying roles
                                               and responsibilities for its key management initiatives. However, DHS has more
What GAO Recommends                            work ahead to fully implement its plans and address its management challenges.
This testimony contains no new                 For example, in June 2010 GAO reported that over half of the programs reviewed
recommendations. GAO has made                  awarded contracts to initiate acquisition activities without component or
over 100 recommendations to DHS                department approval of essential planning documents. In addition, DHS faces
since 2003 to strengthen the                   challenges fully defining key system investment and acquisition management
department’s management and                    policies and procedures. Further, as of September 30, 2011, due to material
integration efforts. DHS has                   weaknesses in internal controls over financial reporting, DHS was unable to
implemented many of these                      provide assurance that these internal controls were operating effectively. In
recommendations and is in the process          September 2011 we reported that DHS also continues to face challenges
of implementing others.                        implementing some key human capital initiatives, such as its workforce strategy.
                                               DHS also needs to continue to demonstrate sustainable progress in integrating
                                               its management functions within and across the department and its components,
                                               including making progress with its model for managing investments across
                                               components and management functions. GAO will continue to assess DHS’s
View GAO-12-365T. For more information,        efforts to address its high-risk designation and will report its findings on the
contact David C. Maurer at (202) 512-9627 or   department’s progress in the high-risk update that it expects to issue in early
maurerd@gao.gov.
                                               2013.
                                                                                       United States Government Accountability Office
Chairman McCaul, Ranking Member Keating, and Members of the
Subcommittee:

I am pleased to be here today to discuss the Department of Homeland
Security’s (DHS) ongoing efforts to build a single, unified department.
DHS now has more than 200,000 employees and almost $60 billion in
budget authority, and completing its transformation into a cohesive
department is critical to achieving its homeland security missions. Our
prior work on mergers and organizational transformations, undertaken
before the creation of DHS, found that successful transformations of large
organizations, even those faced with less-strenuous reorganizations than
DHS, can take years to achieve. 1 Since the department’s creation in
2003, GAO has designated the implementation and transformation of
DHS as high risk because DHS had to combine 22 agencies—several
with major management challenges—into one department, and failure to
effectively address DHS’s management and mission risks could have
serious consequences for U.S. national and economic security. 2 This
high-risk area includes challenges in strengthening DHS’s management
functions—financial management, human capital, information technology
(IT), and acquisition management—the effect of those challenges on
DHS’s mission implementation, and challenges in integrating
management functions within and across the department and its
components.




1
 See GAO, Highlights of a GAO Forum: Mergers and Transformations: Lessons Learned
for a Department of Homeland Security and Other Federal Agencies, GAO-03-293SP
(Washington, D.C.: Nov. 14, 2002) and Results-Oriented Cultures: Implementation Steps
to Assist Mergers and Organizational Transformations, GAO-03-669 (Washington, D.C.:
July 2, 2003).
2
 GAO, High-Risk Series: An Update, GAO-03-119 (Washington, D.C.: January 2003). In
addition to this high-risk area, DHS has responsibility for other areas we have designated
as high risk. Specifically, in 2005 we designated information sharing for homeland security
as high risk, involving a number of federal departments to include DHS, and in 2006, we
identified the National Flood Insurance Program as high risk. Further, in 2003 we
expanded the scope of the high-risk area involving federal information security, which was
initially designated as high risk in 1997, to include the protection of the nation’s computer-
reliant critical infrastructure. GAO High-Risk Series: An Update, GAO-09-271
(Washington, D.C.: January 2009); High-Risk Series: An Update,
GAO-07-310(Washington, D.C.: January 2007); and High-Risk Series: An Update,
GAO-05-207(Washington, D.C.: January 2005).




Page 1                                                                           GAO-12-365T
In November 2000, we published our criteria for removing areas from the
high-risk list. 3 Specifically, agencies must have (1) a demonstrated strong
commitment and top leadership support to address the risks; (2) the
capacity (that is, the people and other resources) to resolve the risks; (3)
a corrective action plan that identifies the root causes, identifies effective
solutions, and provides for substantially completing corrective measures
in the near term, including but not limited to steps necessary to implement
solutions we recommended; (4) a program instituted to monitor and
independently validate the effectiveness and sustainability of corrective
measures; and (5) the ability to demonstrate progress in implementing
corrective measures.

On the basis of our prior work, in September 2010 we identified and
provided to DHS 31 actions and outcomes that are critical to addressing
the challenges within the department’s management areas and in
integrating those functions across the department. These key actions and
outcomes include, among others, obtaining and then sustaining
unqualified audit opinions for at least 2 consecutive years on the
departmentwide financial statements; validating required acquisition
documents in accordance with a department-approved, knowledge-based
acquisition process; and demonstrating measurable progress in
implementing its IT human capital plan and accomplishing defined
outcomes. 4 DHS committed to taking actions to address all 31 of these
outcomes. Achieving and sustaining progress in these areas would
demonstrate the department’s ability and commitment to addressing our
five criteria for removing issues from the high-risk list.

My testimony this morning will discuss our observations, based on prior
and ongoing work, on DHS’s progress in (1) developing a strategy for
addressing its high-risk designation for the implementation and
transformation of the department and (2) achieving outcomes critical to
addressing the high-risk designation.




3
 GAO, Determining Performance and Accountability Challenges and High Risks,
GAO-01-159SP (Washington, D.C.: November 2000).
4
 An unqualified opinion states that the financial statements present fairly, in all material
respects, the financial position, results of operations, and cash flows of the entity in
conformity with generally accepted accounting principles.




Page 2                                                                            GAO-12-365T
                       This statement is based on prior reports and testimonies we issued from
                       June 2007 through February 2012, as well as letters we submitted to
                       DHS in March and November 2011 providing feedback on the
                       department’s January and June 2011 versions of its Integrated Strategy
                       for High Risk Management. 5 The statement is also based on selected
                       updates we obtained from May 2011 through February 2012. For the past
                       products, among other things, we interviewed DHS officials; analyzed
                       DHS strategies and other documents related to the department’s
                       implementation and transformation high-risk area; and reviewed our past
                       reports, issued since DHS began its operations in March 2003. All of this
                       work was conducted in accordance with generally accepted government
                       auditing standards, and more-detailed information on the scope and
                       methodology from our prior work can be found within each specific report.
                       For the updates, we obtained information from DHS on its transformation
                       and management integration efforts through, among other things, (1)
                       obtaining the December 2011 version of the Integrated Strategy for High
                       Risk Management, and (2) meeting with DHS officials, including the
                       Under Secretary for Management and Deputy Under Secretary for
                       Management. This statement is also based on preliminary observations
                       from our ongoing work in response to your request to review DHS’s
                       progress in implementing the new IT governance approach. For this work,
                       among other things, we are reviewing DHS documentation on its planned
                       IT governance process and interviewing DHS officials responsible for
                       implementing this process. We are conducting this work in accordance
                       with generally accepted government auditing standards. Those standards
                       require that we plan and perform the audit to obtain sufficient, appropriate
                       evidence to provide a reasonable basis for our findings and conclusions
                       based on our audit objectives. We believe that the evidence obtained
                       provides a reasonable basis for our findings and conclusions based on
                       our audit objectives.


                       Since January 2011, DHS has continued to update and strengthen its
DHS Has Updated Its    strategy for how the department plans to address our high-risk
Strategy for           designation and resolve its management challenges. In January 2011,
                       DHS provided us with its initial Integrated Strategy for High Risk
Addressing Its High-   Management, which summarized the department’s preliminary plans for
Risk Designation       addressing the high-risk area. The January 2011 strategy, which DHS



                       5
                       See the related products list at the end of this statement.




                       Page 3                                                           GAO-12-365T
later updated in June 2011 and December 2011, was generally
responsive to the actions and outcomes we identified for the department
to address this high-risk area. Specifically, in our March 2011 written
response to DHS’s January 2011 update, we stated that

•   the strategy generally identified multiple, specific actions and target
    completion time frames consistent with the outcomes we identified;
•   designated senior officials to be responsible for implementing most
    actions; and
•   included scorecards to depict, at a high level, the department’s views
    of its progress in addressing each high-risk area and a framework for
    monitoring implementation of corrective actions through, among other
    things, quarterly meetings between DHS and us.
However, the January 2011 update generally did not discuss the root
causes of problems. Further, while the strategy identified whether DHS
believed it had the resources available to implement planned actions, it
did not identify what the specific resource needs were or what additional
resources may be needed, making it difficult to assess the extent to which
DHS has the capacity to implement those actions.

In June 2011, DHS updated its Integrated Strategy for High Risk
Management. The update demonstrated the department’s continued
leadership commitment to address the high-risk designation and
represented continued progress. For example:

•   DHS identified 10 root causes that cut across the four management
    functions and management integration. By identifying these root
    causes, the department better positioned itself to determine corrective
    actions for addressing the underlying problems that have affected its
    management implementation efforts, and to assess the extent to
    which progress made in implementing the corrective actions has
    mitigated those underlying problems.
•   DHS organized its corrective actions into 16 key management
    initiatives (e.g., financial management controls, IT program
    governance, and procurement staffing model) to address its
    management challenges and the 31 actions and outcomes we
    identified.
Identifying key management initiatives should help DHS prioritize its
efforts and resources for addressing its root causes and management
challenges, and provide a useful framework for monitoring the
department’s implementation of the initiatives and associated corrective
actions. However, elements of the update could be strengthened or



Page 4                                                           GAO-12-365T
clarified to better address our high-risk criteria and the actions and
outcomes we previously identified, including (1) better defining the root
causes of its management problems; (2) clarifying the resources available
to implement corrective actions; (3) consistently reporting the progress of
its corrective actions; and (4) more clearly and consistently reporting the
progress of its key management initiatives.

DHS provided its most recent update to its strategy in December 2011.
Overall, we believe that the December update positions the department to
address its management challenges and the implementation and
transformation high-risk area. For example:

•   DHS updated its initiatives—removing two initiatives from the
    management integration area and adding four new initiatives,
    including human resources information technology, management
    health assessment, strategic sourcing, and acquisition workforce
    development; 6
•   DHS included, for the first time, ratings of the department’s progress
    addressing the 31 high-risk outcomes; and
•   DHS enhanced its reporting and rating methodology for its key
    management initiatives. Specifically, DHS replaced a color-coded
    (green, yellow or red) rating system used in previous updates with a
    new system for self-reporting progress. DHS now measures and
    reports its progress addressing the five criteria for removal from high
    risk in two ways. One way uses standard indicators for measuring
    progress and a pie graph for reporting such progress across all of its
    key management initiatives against the first four criteria—leadership
    commitment, capacity, corrective action plans, and monitoring. The
    second way uses specific performance measures unique to each
    initiative for measuring progress and a fuel-type gauge for reporting
    on the fifth criterion—demonstrated progress. According to DHS, the
    revised methodology, amongst other things, results in a more
    objective view of each initiative’s progress.
However, the December 2011 update could be strengthened or clarified
to better enable DHS and GAO to assess the department’s progress, in
the following ways:



6
 DHS reported eliminating (1) the policies, procedures, and management directive
initiative because all of the actions had been completed, and (2) the department-wide
performance management initiative because it did not address the high risk outcomes.




Page 5                                                                      GAO-12-365T
•   More clearly and consistently report the resources available to
    implement corrective actions. DHS identified whether it had
    sufficient resources to implement most of the corrective actions.
    However, as we also reported to DHS regarding the January and
    June 2011 strategies, for many corrective actions DHS did not provide
    information on what the specific resource needs are or what additional
    resources may be needed to implement the corrective actions. The
    absence of resource information makes it difficult to fully assess the
    extent to which DHS has the capacity to implement these actions,
    particularly within the time frames identified for the corrective actions
•   Consistently report on corrective actions. DHS provided
    information on the department’s rationale for eliminating and adding
    key management initiatives, but has not consistently provided such
    information for the corrective actions it established for each initiative.
    For example, the December strategy contained three new corrective
    actions for the IT program-governance initiative that were not in the
    June 2011 strategy, but did not include three corrective actions that
    had been in the June 2011 strategy. The December strategy did not
    consistently explain the department’s rationale for eliminating or
    adding corrective actions from the June strategy, such as whether the
    corrective actions were already completed, or if the corrective actions
    were no longer appropriate or feasible. Without consistently providing
    information on the basis for DHS’s decision to add or remove
    corrective actions, it is difficult for DHS and us to track the status and
    progress of the department’s efforts to fully implement its
    management initiatives.
•   Establish measures and report on progress for all initiatives.
    DHS established a total of 58 measures to track its demonstrated
    progress in implementing the 18 initiatives included in the December
    2011 strategy. While these measures provide additional insight into
    DHS’s self-reported progress and represent an important
    improvement from the June 2011 strategy, DHS has not yet
    established measures for one of its initiatives—the new management
    health assessment initiative—and did not report on its progress for
    more than 40 percent (24 of the 58) of the measures in the December
    2011 strategy. Without establishing measures and consistently
    reporting on their progress, neither DHS nor we can fully assess the
    department’s progress in implementing its initiatives.
•   Stabilize its methodology for measuring progress. We believe that
    the enhanced methodology DHS established for assessing its
    progress in implementing its initiatives generally allows for a more-
    objective assessment. However, the evolving nature of DHS’s
    methodology, which the department revised in the June 2011 strategy




Page 6                                                             GAO-12-365T
                         and again in the December strategy, makes it difficult to effectively
                         monitor the department’s progress over time.
                     By strengthening these four aspects, we believe the December 2011
                     strategy, if implemented and sustained, provides a path for DHS to
                     address our high-risk designation. We will continue to closely monitor and
                     assess DHS’s progress in addressing the high-risk designation and the
                     department’s overall transformation efforts as part of our work for the
                     2013 high-risk update, which we plan to issue in January 2013.


                     DHS has made progress addressing management challenges and
DHS Has Made         achieving high-risk outcomes in some key areas. The Secretary and
Progress, but More   Deputy Secretary of Homeland Security, and other senior officials, have
                     demonstrated commitment and top leadership support to address the
Work Remains to      department’s management challenges. As the following examples
Achieve High-Risk    illustrate, DHS is making progress achieving the long-term goal of
Outcomes             enhancing its management capabilities and building a more-integrated
                     department.

                     •   In June 2011, we reported that, per departmental acquisition
                         guidance, DHS’s Science and Technology directorate reviewed and
                         approved test and evaluation documents and plans for programs
                         undergoing testing, and conducted independent assessments for the
                         programs that completed operational testing. 7 In October 2011, to
                         enhance the department’s ability to oversee major acquisition
                         programs, DHS realigned the acquisition management functions
                         previously performed by two divisions within the Office of Chief
                         Procurement Officer to establish the Office of Program Accountability
                         and Risk Management (PARM). PARM, which is responsible for
                         program governance and acquisition policy, serves as the
                         Management Directorate’s executive office for program execution and
                         works with DHS leadership to assess the health of major acquisitions
                         and investments. To help with this effort, PARM is developing a
                         database, known as the Decision Support Tool, intended to improve
                         the flow of information from component program offices to the
                         Management Directorate to support its governance efforts. DHS also
                         included a new management initiative in its December 2011 update
                         (strategic sourcing) to increase savings and improve acquisition


                     7
                      GAO, DHS Science and Technology: Additional Steps Needed to Ensure Test and
                     Evaluation Requirements Are Met, GAO-11-596 (Washington, D.C.: June 15, 2011).




                     Page 7                                                                  GAO-12-365T
    efficiency by consolidating contracts departmentwide for the same
    kinds of products and services, and reported awarding 14 strategically
    sourced contracts in fiscal year 2011. We currently have ongoing work
    related to both of these areas that we will report on later this year. 8
•   In February 2012, we reported that the DHS Chief Information Officer
    (CIO) and Chief Human Capital Officer were coordinating to
    streamline and consolidate the department’s human resources
    investments. 9 Specifically, in 2010 and 2011, the DHS CIO conducted
    program and portfolio reviews of hundreds of IT investments and
    systems. DHS evaluated portfolios of investments within its
    components to avoid investing in systems that are duplicative or
    overlapping, and to identify and leverage investments across the
    department. DHS also consolidated (1) 6 personnel security–related
    systems into its departmentwide Integrated Security Management
    System—with an additional personnel security system planned for
    consolidation in 2012, and (2) two components’ portals into the
    Homeland Security Information Network, with plans to consolidate 12
    additional portals before 2014.
•   DHS has reduced the number of material weaknesses in internal
    controls from 18 since the inception of the department in 2003 to 5 in
    fiscal year 2011. 10 In addition, in fiscal year 2010 DHS committed to
    the goal of receiving a qualified audit opinion on its consolidated
    balance sheet in fiscal year 2011 by, for example, remediating




8
 We are doing this work at the request of the Senate Committee on Homeland Security
and Governmental Affairs. Our strategic sourcing work is also being done for the House
Committee on Oversight and Government Reform.
9
 GAO, Information Technology: Departments of Defense and Energy Need to Address
Potentially Duplicative Investments, GAO-12-241 (Washington, D.C.: Feb. 17, 2012).
10
  A material weakness is a significant deficiency, or a combination of significant
deficiencies, in internal control such that there is a reasonable possibility that a material
misstatement of the entity’s financial statements will not be prevented or detected and
corrected on a timely basis. A significant deficiency is a deficiency, or combination of
deficiencies, in internal control that is less severe than a material weakness, yet important
enough to merit attention by those charged with governance. A deficiency in internal
control exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent, or
detect and correct, misstatements on a timely basis.




Page 8                                                                          GAO-12-365T
       financial management issues at the U.S. Coast Guard (USCG). 11 In
       fiscal year 2011, DHS achieved this goal by moving from a disclaimer
       of opinion to a qualified audit opinion on its balance sheet and
       statement of custodial activity for the first time since the department’s
       creation. 12 In its December 2011 strategy, DHS reported plans to
       expand the audit to all financial statements in fiscal year 2012. DHS
       believes this will identify additional areas for corrective action and help
       it to obtain a clean audit opinion on all financial statements by
       September 2013, although there is no clear plan for how full
       auditability will be achieved.
•      In February 2012, we reported that DHS consolidated five time-and-
       attendance systems into a departmentwide time-and-attendance
       system and plans to incorporate an additional component by June
       2012. 13 This consolidation effort is part of DHS’s broader human
       resources IT initiative. This initiative is intended to, among other
       things (1) support the development and implementation of consistent
       and consolidated human resources IT systems across DHS, and (2)
       strengthen and unify the department’s ability to collect and share
       human resource information. We also reported in February 2012 that
       DHS had initiated a Senior Executive Service Candidate Development
       Program in May 2011 to build its senior leadership pipeline within the
       department—consolidating what had been four individual leadership
       programs into a single DHS-wide program—and lowered its senior
       leadership vacancy rates from a peak of 25 percent in 2006 to 10
       percent at the end of fiscal year 2011. 14
•      In February 2011, we reported that the department put in place
       common policies, procedures, and systems within individual
       management functions, such as human capital, that help to integrate




11
  A qualified opinion states that, except for the effects of the matter(s) to which the
qualification relates, the audited financial statements present fairly, in all material respects,
the financial position, results of operations, and cash flows of the entity in conformity with
generally accepted accounting principles. The matter(s) to which the qualification relates
could be due to a scope limitation, or the audited financial statements containing a
material departure from generally accepted accounting principles, or both.
12
   A disclaimer of opinion states that the auditor does not express an opinion on the
financial statements (e.g., scope limitations).
13
     GAO-12-241
14
 GAO, DHS Human Capital: Senior Leadership Vacancy Rates Generally Declined, but
Components’ Rates Varied, GAO-12-264 (Washington, D.C.: Feb. 10, 2012).




Page 9                                                                             GAO-12-365T
     its component agencies. 15 DHS has also demonstrated top leadership
     commitment by identifying roles and responsibilities at the
     departmental level for the key management initiatives it has included
     in the December 2011 strategy. Additionally, DHS has promoted
     accountability for management integration among department and
     component management chiefs by, among other things, having the
     department chiefs provide written objectives that explicitly reflect
     priorities and milestones for that management function as well as
     aligning the component chiefs’ individual performance plans to the
     department’s goals and objectives.
In its December 2011 strategy, DHS presented detailed plans to address
a number of management challenges. However, in many instances, DHS
has considerable work ahead to fully implement these plans and address
these challenges.

•    Our prior work has identified challenges related to acquisition
     oversight, cost growth, and schedule delays, including departmental
     concerns about the accuracy of cost estimates for some of DHS’s
     major programs. For example, in June 2010 we reported that over half
     of the programs we reviewed awarded contracts to initiate acquisition
     activities without component or department approval of documents
     essential to planning acquisitions, such as mission need statements
     outlining the specific functional capabilities required to accomplish
     DHS’s mission and objectives; operational requirements; and
     acquisition program baselines. 16 Additionally, we reported that only a
     small number of DHS’s major acquisitions had validated cost
     estimates. Further, DHS reported in its December 2011 strategy that
     senior executives are not confident enough in the data to use the
     Decision Support Tool developed by PARM to help make acquisition
     decisions. However, DHS’s plans to improve the quality of the data in
     this database are limited. At this time, PARM only plans to check the
     data quality in preparation for key milestone meetings in the
     acquisition process. This could significantly diminish the Decision



15
  GAO, Department of Homeland Security: Progress Made and Work Remaining in
Implementing Homeland Security Missions 10 Years after 9/11, GAO-11-881 (Washington
D.C.: Sep. 7, 2011); GAO, DHS: A Comprehensive Strategy Is Still Needed to Achieve
Management Integration Departmentwide, GAO-10-318T (Washington, D.C.: Dec. 15,
2009).
16
 GAO, Department of Homeland Security: Assessments of Selected Complex
Acquisitions, GAO-10-588SP (Washington, D.C.: June 30, 2010).




Page 10                                                                GAO-12-365T
      Support Tool’s value because users cannot confidently identify and
      take action to address problems meeting cost or schedule goals prior
      to program review meetings.
•     DHS continues to face challenges in managing its IT acquisitions,
      ensuring proper implementation and departmentwide coordination,
      and implementing information security controls. For example, as we
      reported in 2011, DHS faces challenges fully defining key system
      investment and acquisition management policies and procedures for
      IT. 17 Moreover, the extent to which DHS implemented these
      investment and acquisition management policies and practices in
      major IT programs has been inconsistent. We also reported that major
      IT acquisition programs were not subjected to executive-level
      acquisition and investment management reviews. As a result, major
      programs aimed at delivering important mission capabilities had not
      lived up to their capability, benefit, cost, and schedule expectations.
      DHS is currently pilot testing a new approach for overseeing and
      managing its IT acquisitions. We are currently reviewing this new
      governance approach and expect to report the results of our work
      later this year. Further, we previously reported on the need for federal
      agencies, including DHS, to improve implementation of information
      security controls, such as those for configuring desktop computers
      and wireless communication devices. 18 DHS reports that, as of
      December 2011, it mostly addressed IT security. However, the DHS
      Office of Inspector General continues to report a material weakness in
      this area and identifies information security as a major management
      challenge facing the department.
•     Due to material weaknesses in internal controls over financial
      reporting, DHS was unable to provide assurance that internal controls
      over financial reporting were operating effectively as of September 30,
      2011. According to DHS, due to existing internal control weaknesses
      and focus on corrective actions, the audit opinion on internal controls
      over financial reporting will likely remain a disclaimer in fiscal year
      2012. DHS also faces challenges in modernizing its financial systems.
      We previously reported that DHS twice attempted to implement an
      integrated departmentwide financial management system, but had not



17
    GAO-11-881
18
 GAO, Information Security: Federal Agencies Have Taken Steps to Secure Wireless
Networks, but Further Actions Can Mitigate Risk, GAO-11-43 (Washington, D.C.: Nov. 30,
2010); and Information Security: Agencies Need to Implement Federal Desktop Core
Configuration Requirements, GAO-10-202 (Washington, D.C.: Mar. 12, 2010).




Page 11                                                                   GAO-12-365T
     been able to consolidate its disparate systems. Specifically, in June
     2007, we reported that DHS ended its Electronic Managing Enterprise
     Resources for Government Effectiveness and Efficiency effort after
     determining that the resulting financial management systems would
     not provide the expected system functionality and performance. 19 In
     December 2009, we reported that the Transformation and Systems
     Consolidation program had been significantly delayed by bid protests
     and related litigation. 20 In March 2011, DHS ended this program and
     reported that moving forward it would consider alternatives to meet
     revised requirements. In 2011, DHS decided to change its strategy for
     financial system modernization. Rather than implement a
     departmentwide integrated financial management system solution,
     DHS opted for a decentralized approach to financial management
     systems modernization at the component level. Specifically, DHS
     reported in its December 2011 strategy that it plans to replace
     financial management systems at three components it has identified
     as most in need, including the Federal Emergency Management
     Agency (FEMA), USCG, and Immigrations and Customs Enforcement
     (ICE). As of February 2012, DHS officials stated that they first planned
     to modernize FEMA’s system, which would start using a federal
     shared service provider at the beginning of fiscal year 2015. DHS
     officials told us they had not yet identified the specific approach or
     necessary resources and time frames for implementing new systems
     at USCG and ICE. It is not clear whether DHS’s new, decentralized
     approach to financial system modernization will ensure that
     component’s financial management systems can generate reliable,
     useful, timely information for day-to-day decision making; enhance the
     department’s ability to comprehensively view financial information
     across DHS; and comply with related federal requirements at DHS
     and its components. We will continue to monitor DHS’s actions in this
     area.
•    DHS continues to face challenges implementing some of its key
     human capital initiatives and functions. For example, the DHS Chief
     Information Officer’s (CIO) September 2011 assessment of the human
     resources IT program identified two risks that could have adverse



19
 GAO, Homeland Security: Departmentwide Integrated Financial Management Systems
Remain a Challenge, GAO-07-536 (Washington, D.C.: June 21, 2007).
20
  GAO, Financial Management Systems: DHS Faces Challenges to Successfully
Consolidating Its Existing Disparate Systems, GAO-10-76 (Washington, D.C.: Dec. 4,
2009).




Page 12                                                                   GAO-12-365T
    effects on the cost and schedule of the program. First, if the program
    is unable to meet its established baseline schedules, there is a high
    probability of program breach and potential loss of funding due to lack
    of prioritization. Second, if a thorough understanding of existing
    legacy applications and processes across the DHS components is not
    achieved, the new, consolidated system will not adequately replace
    existing functionality nor provide the stable operational functionality
    needed from the program. DHS has also struggled with low job
    satisfaction among its employees since its inception. For the 2011
    Federal Employee Viewpoint Survey, DHS scored below the
    governmentwide average on the Office of Personnel Management’s
    Job Satisfaction Index and ranked 31st of 33 federal agencies on
    employee satisfaction, according to the Partnership for Public
    Service’s analysis of the survey results. At the subcommittee’s
    request, we currently have work underway evaluating the
    effectiveness of DHS’s plans and efforts to address its employee
    morale issues and expect to report our findings later this year.
    Further, in June 2011, DHS reported that it was developing
    component operational plans to implement its departmentwide
    workforce strategy and align the component plans with the goals,
    measures, and objectives of the strategy. However, in its December
    2011 strategy, DHS reported that it had not finished providing
    feedback to components on their fiscal year 2011 plans.
•   DHS needs to continue to demonstrate sustainable progress in
    integrating its management functions within and across the
    department and its components and take additional actions to further
    and more effectively integrate the department. Specifically, in its
    January 2011 high-risk strategy, DHS described plans to establish an
    Integrated Investment Life Cycle Model (IILCM) for managing
    investments across its components and management functions;
    strengthening integration within and across those functions; and
    ensuring mission needs drive investment decisions. This framework
    seeks to enhance DHS resource decision making and oversight by
    creating new department-level councils to identify priorities and
    capability gaps, revising how DHS components and lines of business
    manage acquisition programs, and developing a common framework
    for monitoring and assessing implementation of investment decisions.
    DHS reported in December 2011 that the IILCM initiative had made
    little progress since January 2011 though the department planned to
    begin using the IILCM by the end of September 2012. The department
    also indicated it had not determined resource needs to accomplish
    any of the eight associated corrective actions it has identified for this
    initiative.




Page 13                                                           GAO-12-365T
                  While DHS has made progress, the department still faces considerable
                  challenges. Going forward, DHS needs to continue implementing its
                  Integrated Strategy for High Risk Management and show measurable,
                  sustainable progress in implementing its key management initiatives and
                  corrective actions and achieving outcomes. We will continue to monitor
                  and assess DHS’s implementation and transformation efforts through our
                  ongoing and planned work, including the 2013 high-risk update that we
                  expect to issue in early 2013.


                  Chairman McCaul, Ranking Member Keating, and Members of the
                  Subcommittee, this concludes my prepared statement. I would be
                  pleased to respond to any questions that you may have.


                  For questions about this statement, please contact David C. Maurer at
GAO Contact and   (202) 512-9627 or maurerd@gao.gov. Contact points for our Offices of
Staff             Congressional Relations and Public Affairs may be found on the last page
                  of this statement. Individuals making key contributions to this statement
Acknowledgments   include Maria Strudwick, Assistant Director; Scott Behen, analyst-in-
                  charge; Michael Laforge, Anjalique Lawrence, Gary Mountjoy, Sabine
                  Paul, Nathan Tranquilli, and Katherine Trimble. Other contributors
                  include: David Alexander, Katherine Davis, Jan Montgomery, and Tomas
                  Ramirez, Jr. Key contributors for the previous work that this testimony is
                  based on are listed within each individual product.




                  Page 14                                                        GAO-12-365T
Related GAO Reports
             Related GAO Reports




             Information Technology: Departments of Defense and Energy Need to
             Address Potentially Duplicative Investments. GAO-12-241. Washington
             D.C.: February 17, 2012.

             DHS Human Capital: Senior Leadership Vacancy Rates Generally
             Declined, but Components’ Rates Varied. GAO-12-264. Washington,
             D.C.: February 10, 2012.

             Department of Homeland Security: Additional Actions Needed to
             Strengthen Strategic Planning and Management Functions.
             GAO-12-382T. Washington D.C.: February 3, 2012.

             Department of Homeland Security: Progress Made and Work Remaining
             in Implementing Homeland Security Missions 10 Years after 9/11.
             GAO-11-881. Washington D.C.: September 7, 2011.

             High-Risk Series: An Update. GAO-11-278. Washington, D.C.: February
             2011.

             Information Security: Federal Agencies Have Taken Steps to Secure
             Wireless Networks, but Further Actions Can Mitigate Risk. GAO-11-43.
             Washington, D.C.: November 30, 2010.

             Department of Homeland Security: Assessments of Selected Complex
             Acquisitions. GAO-10-588SP. Washington, D.C.: June 30, 2010.

             Information Security: Agencies Need to Implement Federal Desktop Core
             Configuration Requirements. GAO-10-202. Washington, D.C.: March 12,
             2010.

             Financial Management Systems: DHS Faces Challenges to Successfully
             Consolidating Its Existing Disparate Systems. GAO-10-76. Washington,
             D.C.: December 4, 2009.

             Department of Homeland Security: Actions Taken Toward Management
             Integration, but a Comprehensive Strategy Is Still Needed. GAO-10-131.
             Washington, D.C.: November 20, 2009.

             Homeland Security: Despite Progress, DHS Continues to Be Challenged
             in Managing Its Multi-Billion Dollar Annual Investment in Large-Scale
             Information Technology Systems. GAO-09-1002T. Washington, D.C.:
             September 15, 2009.



             Page 15                                                      GAO-12-365T
           Related GAO Reports




           Department of Homeland Security: Billions Invested in Major Programs
           Lack Appropriate Oversight. GAO-09-29. Washington, D.C.: November
           18, 2008.

           Department of Homeland Security: Better Planning and Assessment
           Needed to Improve Outcomes for Complex Service Acquisitions.
           GAO-08-263. Washington, D.C.: April 22, 2008.

           Homeland Security: Departmentwide Integrated Financial Management
           Systems Remain a Challenge. GAO-07-536. Washington, D.C.: June 21,
           2007.

           Information Technology Investment Management: A Framework for
           Assessing and Improving Process Maturity, version 1.1. GAO-04-394G.
           Washington, D.C.: March 2004.

           High-Risk Series: Strategic Human Capital Management. GAO-03-120.
           Washington, D.C.: January 2003.

           Determining Performance and Accountability Challenges and High Risks.
           GAO-01-159SP. Washington, D.C.: November 2000.




(441040)
           Page 16                                                      GAO-12-365T
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
                      Contact:
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548




                        Please Print on Recycled Paper.