United States Government Accountability Office GAO Testimony Before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives DEPARTMENT OF For Release on Delivery Expected at 9:30 a.m. EST Thursday, March 1, 2012 HOMELAND SECURITY Continued Progress Made Improving and Integrating Management Areas, but More Work Remains Statement of David C. Maurer, Director Homeland Security and Justice Issues GAO-12-365T March 1, 2012 DEPARTMENT OF HOMELAND SECURITY Continued Progress Made Improving and Integrating Management Areas, but More Work Remains Highlights of GAO-12-365T, a testimony before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives Why GAO Did This Study What GAO Found Since 2003, GAO has designated the The Department of Homeland Security (DHS) has updated and strengthened its implementation and transformation of strategy for how it plans to address GAO’s high-risk designation and resolve the DHS as high risk because, among department’s management challenges. In January 2011, DHS provided GAO other things, DHS had to combine 22 with its Integrated Strategy for High Risk Management, which summarized the agencies, while ensuring no serious department’s preliminary plans for addressing the high-risk area. GAO found that consequences for U.S. national and this strategy, which was later updated in June and December 2011, was economic security. This high-risk area generally responsive to the actions and outcomes needed to address GAO’s includes challenges in DHS’s high-risk designation. For example, the January 2011 strategy generally management functions—financial identified multiple, specific actions and target completion time frames consistent management, human capital, IT, and with the outcomes GAO identified. However, the strategy did not address the root acquisitions; the effect of those challenges on implementing DHS’s causes of problems, among other things. In its June 2011 strategy, DHS, among missions; and integrating the functions. other things, identified 10 root causes that cut across the management areas and In November 2000, GAO published their integration. GAO identified ways the strategy could be strengthened, criteria for removing areas from its including consistently reporting the progress of its initiatives and corrective high-risk list. In September 2010, GAO actions. In its most recent update, DHS better positioned itself to address its identified 31 actions and outcomes management challenges. For example, for the first time, DHS included ratings of critical to addressing this high-risk the department’s progress addressing its high-risk outcomes. However, GAO area. This testimony addresses DHS’s believes that DHS could more consistently report on available resources and progress in (1) developing a strategy corrective actions, establish measures and report on progress made for all for addressing its high-risk designation initiatives, and stabilize its methodology for measuring progress. These changes, and (2) achieving outcomes critical to if implemented and sustained, provide a path for DHS to address GAO’s high-risk addressing this high-risk area. This designation. statement is based on GAO products issued from June 2007 through DHS has made progress, but has considerable work ahead to achieve actions February 2012, including selected and outcomes critical to addressing this high-risk area. Among other updates. It also includes preliminary accomplishments, DHS realigned its acquisition management functions within a observations from GAO’s ongoing work new office to assess the health of major acquisitions and investments; conducted reviewing DHS’s IT governance, for program and portfolio reviews of hundreds of information technology (IT) which GAO reviewed documents on IT investments; and reduced the number of material weaknesses in internal governance and interviewed officials. controls. DHS also demonstrated top leadership commitment by identifying roles and responsibilities for its key management initiatives. However, DHS has more What GAO Recommends work ahead to fully implement its plans and address its management challenges. This testimony contains no new For example, in June 2010 GAO reported that over half of the programs reviewed recommendations. GAO has made awarded contracts to initiate acquisition activities without component or over 100 recommendations to DHS department approval of essential planning documents. In addition, DHS faces since 2003 to strengthen the challenges fully defining key system investment and acquisition management department’s management and policies and procedures. Further, as of September 30, 2011, due to material integration efforts. DHS has weaknesses in internal controls over financial reporting, DHS was unable to implemented many of these provide assurance that these internal controls were operating effectively. In recommendations and is in the process September 2011 we reported that DHS also continues to face challenges of implementing others. implementing some key human capital initiatives, such as its workforce strategy. DHS also needs to continue to demonstrate sustainable progress in integrating its management functions within and across the department and its components, including making progress with its model for managing investments across components and management functions. GAO will continue to assess DHS’s View GAO-12-365T. For more information, efforts to address its high-risk designation and will report its findings on the contact David C. Maurer at (202) 512-9627 or department’s progress in the high-risk update that it expects to issue in early email@example.com. 2013. United States Government Accountability Office Chairman McCaul, Ranking Member Keating, and Members of the Subcommittee: I am pleased to be here today to discuss the Department of Homeland Security’s (DHS) ongoing efforts to build a single, unified department. DHS now has more than 200,000 employees and almost $60 billion in budget authority, and completing its transformation into a cohesive department is critical to achieving its homeland security missions. Our prior work on mergers and organizational transformations, undertaken before the creation of DHS, found that successful transformations of large organizations, even those faced with less-strenuous reorganizations than DHS, can take years to achieve. 1 Since the department’s creation in 2003, GAO has designated the implementation and transformation of DHS as high risk because DHS had to combine 22 agencies—several with major management challenges—into one department, and failure to effectively address DHS’s management and mission risks could have serious consequences for U.S. national and economic security. 2 This high-risk area includes challenges in strengthening DHS’s management functions—financial management, human capital, information technology (IT), and acquisition management—the effect of those challenges on DHS’s mission implementation, and challenges in integrating management functions within and across the department and its components. 1 See GAO, Highlights of a GAO Forum: Mergers and Transformations: Lessons Learned for a Department of Homeland Security and Other Federal Agencies, GAO-03-293SP (Washington, D.C.: Nov. 14, 2002) and Results-Oriented Cultures: Implementation Steps to Assist Mergers and Organizational Transformations, GAO-03-669 (Washington, D.C.: July 2, 2003). 2 GAO, High-Risk Series: An Update, GAO-03-119 (Washington, D.C.: January 2003). In addition to this high-risk area, DHS has responsibility for other areas we have designated as high risk. Specifically, in 2005 we designated information sharing for homeland security as high risk, involving a number of federal departments to include DHS, and in 2006, we identified the National Flood Insurance Program as high risk. Further, in 2003 we expanded the scope of the high-risk area involving federal information security, which was initially designated as high risk in 1997, to include the protection of the nation’s computer- reliant critical infrastructure. GAO High-Risk Series: An Update, GAO-09-271 (Washington, D.C.: January 2009); High-Risk Series: An Update, GAO-07-310(Washington, D.C.: January 2007); and High-Risk Series: An Update, GAO-05-207(Washington, D.C.: January 2005). Page 1 GAO-12-365T In November 2000, we published our criteria for removing areas from the high-risk list. 3 Specifically, agencies must have (1) a demonstrated strong commitment and top leadership support to address the risks; (2) the capacity (that is, the people and other resources) to resolve the risks; (3) a corrective action plan that identifies the root causes, identifies effective solutions, and provides for substantially completing corrective measures in the near term, including but not limited to steps necessary to implement solutions we recommended; (4) a program instituted to monitor and independently validate the effectiveness and sustainability of corrective measures; and (5) the ability to demonstrate progress in implementing corrective measures. On the basis of our prior work, in September 2010 we identified and provided to DHS 31 actions and outcomes that are critical to addressing the challenges within the department’s management areas and in integrating those functions across the department. These key actions and outcomes include, among others, obtaining and then sustaining unqualified audit opinions for at least 2 consecutive years on the departmentwide financial statements; validating required acquisition documents in accordance with a department-approved, knowledge-based acquisition process; and demonstrating measurable progress in implementing its IT human capital plan and accomplishing defined outcomes. 4 DHS committed to taking actions to address all 31 of these outcomes. Achieving and sustaining progress in these areas would demonstrate the department’s ability and commitment to addressing our five criteria for removing issues from the high-risk list. My testimony this morning will discuss our observations, based on prior and ongoing work, on DHS’s progress in (1) developing a strategy for addressing its high-risk designation for the implementation and transformation of the department and (2) achieving outcomes critical to addressing the high-risk designation. 3 GAO, Determining Performance and Accountability Challenges and High Risks, GAO-01-159SP (Washington, D.C.: November 2000). 4 An unqualified opinion states that the financial statements present fairly, in all material respects, the financial position, results of operations, and cash flows of the entity in conformity with generally accepted accounting principles. Page 2 GAO-12-365T This statement is based on prior reports and testimonies we issued from June 2007 through February 2012, as well as letters we submitted to DHS in March and November 2011 providing feedback on the department’s January and June 2011 versions of its Integrated Strategy for High Risk Management. 5 The statement is also based on selected updates we obtained from May 2011 through February 2012. For the past products, among other things, we interviewed DHS officials; analyzed DHS strategies and other documents related to the department’s implementation and transformation high-risk area; and reviewed our past reports, issued since DHS began its operations in March 2003. All of this work was conducted in accordance with generally accepted government auditing standards, and more-detailed information on the scope and methodology from our prior work can be found within each specific report. For the updates, we obtained information from DHS on its transformation and management integration efforts through, among other things, (1) obtaining the December 2011 version of the Integrated Strategy for High Risk Management, and (2) meeting with DHS officials, including the Under Secretary for Management and Deputy Under Secretary for Management. This statement is also based on preliminary observations from our ongoing work in response to your request to review DHS’s progress in implementing the new IT governance approach. For this work, among other things, we are reviewing DHS documentation on its planned IT governance process and interviewing DHS officials responsible for implementing this process. We are conducting this work in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Since January 2011, DHS has continued to update and strengthen its DHS Has Updated Its strategy for how the department plans to address our high-risk Strategy for designation and resolve its management challenges. In January 2011, DHS provided us with its initial Integrated Strategy for High Risk Addressing Its High- Management, which summarized the department’s preliminary plans for Risk Designation addressing the high-risk area. The January 2011 strategy, which DHS 5 See the related products list at the end of this statement. Page 3 GAO-12-365T later updated in June 2011 and December 2011, was generally responsive to the actions and outcomes we identified for the department to address this high-risk area. Specifically, in our March 2011 written response to DHS’s January 2011 update, we stated that • the strategy generally identified multiple, specific actions and target completion time frames consistent with the outcomes we identified; • designated senior officials to be responsible for implementing most actions; and • included scorecards to depict, at a high level, the department’s views of its progress in addressing each high-risk area and a framework for monitoring implementation of corrective actions through, among other things, quarterly meetings between DHS and us. However, the January 2011 update generally did not discuss the root causes of problems. Further, while the strategy identified whether DHS believed it had the resources available to implement planned actions, it did not identify what the specific resource needs were or what additional resources may be needed, making it difficult to assess the extent to which DHS has the capacity to implement those actions. In June 2011, DHS updated its Integrated Strategy for High Risk Management. The update demonstrated the department’s continued leadership commitment to address the high-risk designation and represented continued progress. For example: • DHS identified 10 root causes that cut across the four management functions and management integration. By identifying these root causes, the department better positioned itself to determine corrective actions for addressing the underlying problems that have affected its management implementation efforts, and to assess the extent to which progress made in implementing the corrective actions has mitigated those underlying problems. • DHS organized its corrective actions into 16 key management initiatives (e.g., financial management controls, IT program governance, and procurement staffing model) to address its management challenges and the 31 actions and outcomes we identified. Identifying key management initiatives should help DHS prioritize its efforts and resources for addressing its root causes and management challenges, and provide a useful framework for monitoring the department’s implementation of the initiatives and associated corrective actions. However, elements of the update could be strengthened or Page 4 GAO-12-365T clarified to better address our high-risk criteria and the actions and outcomes we previously identified, including (1) better defining the root causes of its management problems; (2) clarifying the resources available to implement corrective actions; (3) consistently reporting the progress of its corrective actions; and (4) more clearly and consistently reporting the progress of its key management initiatives. DHS provided its most recent update to its strategy in December 2011. Overall, we believe that the December update positions the department to address its management challenges and the implementation and transformation high-risk area. For example: • DHS updated its initiatives—removing two initiatives from the management integration area and adding four new initiatives, including human resources information technology, management health assessment, strategic sourcing, and acquisition workforce development; 6 • DHS included, for the first time, ratings of the department’s progress addressing the 31 high-risk outcomes; and • DHS enhanced its reporting and rating methodology for its key management initiatives. Specifically, DHS replaced a color-coded (green, yellow or red) rating system used in previous updates with a new system for self-reporting progress. DHS now measures and reports its progress addressing the five criteria for removal from high risk in two ways. One way uses standard indicators for measuring progress and a pie graph for reporting such progress across all of its key management initiatives against the first four criteria—leadership commitment, capacity, corrective action plans, and monitoring. The second way uses specific performance measures unique to each initiative for measuring progress and a fuel-type gauge for reporting on the fifth criterion—demonstrated progress. According to DHS, the revised methodology, amongst other things, results in a more objective view of each initiative’s progress. However, the December 2011 update could be strengthened or clarified to better enable DHS and GAO to assess the department’s progress, in the following ways: 6 DHS reported eliminating (1) the policies, procedures, and management directive initiative because all of the actions had been completed, and (2) the department-wide performance management initiative because it did not address the high risk outcomes. Page 5 GAO-12-365T • More clearly and consistently report the resources available to implement corrective actions. DHS identified whether it had sufficient resources to implement most of the corrective actions. However, as we also reported to DHS regarding the January and June 2011 strategies, for many corrective actions DHS did not provide information on what the specific resource needs are or what additional resources may be needed to implement the corrective actions. The absence of resource information makes it difficult to fully assess the extent to which DHS has the capacity to implement these actions, particularly within the time frames identified for the corrective actions • Consistently report on corrective actions. DHS provided information on the department’s rationale for eliminating and adding key management initiatives, but has not consistently provided such information for the corrective actions it established for each initiative. For example, the December strategy contained three new corrective actions for the IT program-governance initiative that were not in the June 2011 strategy, but did not include three corrective actions that had been in the June 2011 strategy. The December strategy did not consistently explain the department’s rationale for eliminating or adding corrective actions from the June strategy, such as whether the corrective actions were already completed, or if the corrective actions were no longer appropriate or feasible. Without consistently providing information on the basis for DHS’s decision to add or remove corrective actions, it is difficult for DHS and us to track the status and progress of the department’s efforts to fully implement its management initiatives. • Establish measures and report on progress for all initiatives. DHS established a total of 58 measures to track its demonstrated progress in implementing the 18 initiatives included in the December 2011 strategy. While these measures provide additional insight into DHS’s self-reported progress and represent an important improvement from the June 2011 strategy, DHS has not yet established measures for one of its initiatives—the new management health assessment initiative—and did not report on its progress for more than 40 percent (24 of the 58) of the measures in the December 2011 strategy. Without establishing measures and consistently reporting on their progress, neither DHS nor we can fully assess the department’s progress in implementing its initiatives. • Stabilize its methodology for measuring progress. We believe that the enhanced methodology DHS established for assessing its progress in implementing its initiatives generally allows for a more- objective assessment. However, the evolving nature of DHS’s methodology, which the department revised in the June 2011 strategy Page 6 GAO-12-365T and again in the December strategy, makes it difficult to effectively monitor the department’s progress over time. By strengthening these four aspects, we believe the December 2011 strategy, if implemented and sustained, provides a path for DHS to address our high-risk designation. We will continue to closely monitor and assess DHS’s progress in addressing the high-risk designation and the department’s overall transformation efforts as part of our work for the 2013 high-risk update, which we plan to issue in January 2013. DHS has made progress addressing management challenges and DHS Has Made achieving high-risk outcomes in some key areas. The Secretary and Progress, but More Deputy Secretary of Homeland Security, and other senior officials, have demonstrated commitment and top leadership support to address the Work Remains to department’s management challenges. As the following examples Achieve High-Risk illustrate, DHS is making progress achieving the long-term goal of Outcomes enhancing its management capabilities and building a more-integrated department. • In June 2011, we reported that, per departmental acquisition guidance, DHS’s Science and Technology directorate reviewed and approved test and evaluation documents and plans for programs undergoing testing, and conducted independent assessments for the programs that completed operational testing. 7 In October 2011, to enhance the department’s ability to oversee major acquisition programs, DHS realigned the acquisition management functions previously performed by two divisions within the Office of Chief Procurement Officer to establish the Office of Program Accountability and Risk Management (PARM). PARM, which is responsible for program governance and acquisition policy, serves as the Management Directorate’s executive office for program execution and works with DHS leadership to assess the health of major acquisitions and investments. To help with this effort, PARM is developing a database, known as the Decision Support Tool, intended to improve the flow of information from component program offices to the Management Directorate to support its governance efforts. DHS also included a new management initiative in its December 2011 update (strategic sourcing) to increase savings and improve acquisition 7 GAO, DHS Science and Technology: Additional Steps Needed to Ensure Test and Evaluation Requirements Are Met, GAO-11-596 (Washington, D.C.: June 15, 2011). Page 7 GAO-12-365T efficiency by consolidating contracts departmentwide for the same kinds of products and services, and reported awarding 14 strategically sourced contracts in fiscal year 2011. We currently have ongoing work related to both of these areas that we will report on later this year. 8 • In February 2012, we reported that the DHS Chief Information Officer (CIO) and Chief Human Capital Officer were coordinating to streamline and consolidate the department’s human resources investments. 9 Specifically, in 2010 and 2011, the DHS CIO conducted program and portfolio reviews of hundreds of IT investments and systems. DHS evaluated portfolios of investments within its components to avoid investing in systems that are duplicative or overlapping, and to identify and leverage investments across the department. DHS also consolidated (1) 6 personnel security–related systems into its departmentwide Integrated Security Management System—with an additional personnel security system planned for consolidation in 2012, and (2) two components’ portals into the Homeland Security Information Network, with plans to consolidate 12 additional portals before 2014. • DHS has reduced the number of material weaknesses in internal controls from 18 since the inception of the department in 2003 to 5 in fiscal year 2011. 10 In addition, in fiscal year 2010 DHS committed to the goal of receiving a qualified audit opinion on its consolidated balance sheet in fiscal year 2011 by, for example, remediating 8 We are doing this work at the request of the Senate Committee on Homeland Security and Governmental Affairs. Our strategic sourcing work is also being done for the House Committee on Oversight and Government Reform. 9 GAO, Information Technology: Departments of Defense and Energy Need to Address Potentially Duplicative Investments, GAO-12-241 (Washington, D.C.: Feb. 17, 2012). 10 A material weakness is a significant deficiency, or a combination of significant deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. Page 8 GAO-12-365T financial management issues at the U.S. Coast Guard (USCG). 11 In fiscal year 2011, DHS achieved this goal by moving from a disclaimer of opinion to a qualified audit opinion on its balance sheet and statement of custodial activity for the first time since the department’s creation. 12 In its December 2011 strategy, DHS reported plans to expand the audit to all financial statements in fiscal year 2012. DHS believes this will identify additional areas for corrective action and help it to obtain a clean audit opinion on all financial statements by September 2013, although there is no clear plan for how full auditability will be achieved. • In February 2012, we reported that DHS consolidated five time-and- attendance systems into a departmentwide time-and-attendance system and plans to incorporate an additional component by June 2012. 13 This consolidation effort is part of DHS’s broader human resources IT initiative. This initiative is intended to, among other things (1) support the development and implementation of consistent and consolidated human resources IT systems across DHS, and (2) strengthen and unify the department’s ability to collect and share human resource information. We also reported in February 2012 that DHS had initiated a Senior Executive Service Candidate Development Program in May 2011 to build its senior leadership pipeline within the department—consolidating what had been four individual leadership programs into a single DHS-wide program—and lowered its senior leadership vacancy rates from a peak of 25 percent in 2006 to 10 percent at the end of fiscal year 2011. 14 • In February 2011, we reported that the department put in place common policies, procedures, and systems within individual management functions, such as human capital, that help to integrate 11 A qualified opinion states that, except for the effects of the matter(s) to which the qualification relates, the audited financial statements present fairly, in all material respects, the financial position, results of operations, and cash flows of the entity in conformity with generally accepted accounting principles. The matter(s) to which the qualification relates could be due to a scope limitation, or the audited financial statements containing a material departure from generally accepted accounting principles, or both. 12 A disclaimer of opinion states that the auditor does not express an opinion on the financial statements (e.g., scope limitations). 13 GAO-12-241 14 GAO, DHS Human Capital: Senior Leadership Vacancy Rates Generally Declined, but Components’ Rates Varied, GAO-12-264 (Washington, D.C.: Feb. 10, 2012). Page 9 GAO-12-365T its component agencies. 15 DHS has also demonstrated top leadership commitment by identifying roles and responsibilities at the departmental level for the key management initiatives it has included in the December 2011 strategy. Additionally, DHS has promoted accountability for management integration among department and component management chiefs by, among other things, having the department chiefs provide written objectives that explicitly reflect priorities and milestones for that management function as well as aligning the component chiefs’ individual performance plans to the department’s goals and objectives. In its December 2011 strategy, DHS presented detailed plans to address a number of management challenges. However, in many instances, DHS has considerable work ahead to fully implement these plans and address these challenges. • Our prior work has identified challenges related to acquisition oversight, cost growth, and schedule delays, including departmental concerns about the accuracy of cost estimates for some of DHS’s major programs. For example, in June 2010 we reported that over half of the programs we reviewed awarded contracts to initiate acquisition activities without component or department approval of documents essential to planning acquisitions, such as mission need statements outlining the specific functional capabilities required to accomplish DHS’s mission and objectives; operational requirements; and acquisition program baselines. 16 Additionally, we reported that only a small number of DHS’s major acquisitions had validated cost estimates. Further, DHS reported in its December 2011 strategy that senior executives are not confident enough in the data to use the Decision Support Tool developed by PARM to help make acquisition decisions. However, DHS’s plans to improve the quality of the data in this database are limited. At this time, PARM only plans to check the data quality in preparation for key milestone meetings in the acquisition process. This could significantly diminish the Decision 15 GAO, Department of Homeland Security: Progress Made and Work Remaining in Implementing Homeland Security Missions 10 Years after 9/11, GAO-11-881 (Washington D.C.: Sep. 7, 2011); GAO, DHS: A Comprehensive Strategy Is Still Needed to Achieve Management Integration Departmentwide, GAO-10-318T (Washington, D.C.: Dec. 15, 2009). 16 GAO, Department of Homeland Security: Assessments of Selected Complex Acquisitions, GAO-10-588SP (Washington, D.C.: June 30, 2010). Page 10 GAO-12-365T Support Tool’s value because users cannot confidently identify and take action to address problems meeting cost or schedule goals prior to program review meetings. • DHS continues to face challenges in managing its IT acquisitions, ensuring proper implementation and departmentwide coordination, and implementing information security controls. For example, as we reported in 2011, DHS faces challenges fully defining key system investment and acquisition management policies and procedures for IT. 17 Moreover, the extent to which DHS implemented these investment and acquisition management policies and practices in major IT programs has been inconsistent. We also reported that major IT acquisition programs were not subjected to executive-level acquisition and investment management reviews. As a result, major programs aimed at delivering important mission capabilities had not lived up to their capability, benefit, cost, and schedule expectations. DHS is currently pilot testing a new approach for overseeing and managing its IT acquisitions. We are currently reviewing this new governance approach and expect to report the results of our work later this year. Further, we previously reported on the need for federal agencies, including DHS, to improve implementation of information security controls, such as those for configuring desktop computers and wireless communication devices. 18 DHS reports that, as of December 2011, it mostly addressed IT security. However, the DHS Office of Inspector General continues to report a material weakness in this area and identifies information security as a major management challenge facing the department. • Due to material weaknesses in internal controls over financial reporting, DHS was unable to provide assurance that internal controls over financial reporting were operating effectively as of September 30, 2011. According to DHS, due to existing internal control weaknesses and focus on corrective actions, the audit opinion on internal controls over financial reporting will likely remain a disclaimer in fiscal year 2012. DHS also faces challenges in modernizing its financial systems. We previously reported that DHS twice attempted to implement an integrated departmentwide financial management system, but had not 17 GAO-11-881 18 GAO, Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk, GAO-11-43 (Washington, D.C.: Nov. 30, 2010); and Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements, GAO-10-202 (Washington, D.C.: Mar. 12, 2010). Page 11 GAO-12-365T been able to consolidate its disparate systems. Specifically, in June 2007, we reported that DHS ended its Electronic Managing Enterprise Resources for Government Effectiveness and Efficiency effort after determining that the resulting financial management systems would not provide the expected system functionality and performance. 19 In December 2009, we reported that the Transformation and Systems Consolidation program had been significantly delayed by bid protests and related litigation. 20 In March 2011, DHS ended this program and reported that moving forward it would consider alternatives to meet revised requirements. In 2011, DHS decided to change its strategy for financial system modernization. Rather than implement a departmentwide integrated financial management system solution, DHS opted for a decentralized approach to financial management systems modernization at the component level. Specifically, DHS reported in its December 2011 strategy that it plans to replace financial management systems at three components it has identified as most in need, including the Federal Emergency Management Agency (FEMA), USCG, and Immigrations and Customs Enforcement (ICE). As of February 2012, DHS officials stated that they first planned to modernize FEMA’s system, which would start using a federal shared service provider at the beginning of fiscal year 2015. DHS officials told us they had not yet identified the specific approach or necessary resources and time frames for implementing new systems at USCG and ICE. It is not clear whether DHS’s new, decentralized approach to financial system modernization will ensure that component’s financial management systems can generate reliable, useful, timely information for day-to-day decision making; enhance the department’s ability to comprehensively view financial information across DHS; and comply with related federal requirements at DHS and its components. We will continue to monitor DHS’s actions in this area. • DHS continues to face challenges implementing some of its key human capital initiatives and functions. For example, the DHS Chief Information Officer’s (CIO) September 2011 assessment of the human resources IT program identified two risks that could have adverse 19 GAO, Homeland Security: Departmentwide Integrated Financial Management Systems Remain a Challenge, GAO-07-536 (Washington, D.C.: June 21, 2007). 20 GAO, Financial Management Systems: DHS Faces Challenges to Successfully Consolidating Its Existing Disparate Systems, GAO-10-76 (Washington, D.C.: Dec. 4, 2009). Page 12 GAO-12-365T effects on the cost and schedule of the program. First, if the program is unable to meet its established baseline schedules, there is a high probability of program breach and potential loss of funding due to lack of prioritization. Second, if a thorough understanding of existing legacy applications and processes across the DHS components is not achieved, the new, consolidated system will not adequately replace existing functionality nor provide the stable operational functionality needed from the program. DHS has also struggled with low job satisfaction among its employees since its inception. For the 2011 Federal Employee Viewpoint Survey, DHS scored below the governmentwide average on the Office of Personnel Management’s Job Satisfaction Index and ranked 31st of 33 federal agencies on employee satisfaction, according to the Partnership for Public Service’s analysis of the survey results. At the subcommittee’s request, we currently have work underway evaluating the effectiveness of DHS’s plans and efforts to address its employee morale issues and expect to report our findings later this year. Further, in June 2011, DHS reported that it was developing component operational plans to implement its departmentwide workforce strategy and align the component plans with the goals, measures, and objectives of the strategy. However, in its December 2011 strategy, DHS reported that it had not finished providing feedback to components on their fiscal year 2011 plans. • DHS needs to continue to demonstrate sustainable progress in integrating its management functions within and across the department and its components and take additional actions to further and more effectively integrate the department. Specifically, in its January 2011 high-risk strategy, DHS described plans to establish an Integrated Investment Life Cycle Model (IILCM) for managing investments across its components and management functions; strengthening integration within and across those functions; and ensuring mission needs drive investment decisions. This framework seeks to enhance DHS resource decision making and oversight by creating new department-level councils to identify priorities and capability gaps, revising how DHS components and lines of business manage acquisition programs, and developing a common framework for monitoring and assessing implementation of investment decisions. DHS reported in December 2011 that the IILCM initiative had made little progress since January 2011 though the department planned to begin using the IILCM by the end of September 2012. The department also indicated it had not determined resource needs to accomplish any of the eight associated corrective actions it has identified for this initiative. Page 13 GAO-12-365T While DHS has made progress, the department still faces considerable challenges. Going forward, DHS needs to continue implementing its Integrated Strategy for High Risk Management and show measurable, sustainable progress in implementing its key management initiatives and corrective actions and achieving outcomes. We will continue to monitor and assess DHS’s implementation and transformation efforts through our ongoing and planned work, including the 2013 high-risk update that we expect to issue in early 2013. Chairman McCaul, Ranking Member Keating, and Members of the Subcommittee, this concludes my prepared statement. I would be pleased to respond to any questions that you may have. For questions about this statement, please contact David C. Maurer at GAO Contact and (202) 512-9627 or firstname.lastname@example.org. Contact points for our Offices of Staff Congressional Relations and Public Affairs may be found on the last page of this statement. Individuals making key contributions to this statement Acknowledgments include Maria Strudwick, Assistant Director; Scott Behen, analyst-in- charge; Michael Laforge, Anjalique Lawrence, Gary Mountjoy, Sabine Paul, Nathan Tranquilli, and Katherine Trimble. Other contributors include: David Alexander, Katherine Davis, Jan Montgomery, and Tomas Ramirez, Jr. Key contributors for the previous work that this testimony is based on are listed within each individual product. Page 14 GAO-12-365T Related GAO Reports Related GAO Reports Information Technology: Departments of Defense and Energy Need to Address Potentially Duplicative Investments. GAO-12-241. Washington D.C.: February 17, 2012. DHS Human Capital: Senior Leadership Vacancy Rates Generally Declined, but Components’ Rates Varied. GAO-12-264. Washington, D.C.: February 10, 2012. Department of Homeland Security: Additional Actions Needed to Strengthen Strategic Planning and Management Functions. GAO-12-382T. Washington D.C.: February 3, 2012. Department of Homeland Security: Progress Made and Work Remaining in Implementing Homeland Security Missions 10 Years after 9/11. GAO-11-881. Washington D.C.: September 7, 2011. High-Risk Series: An Update. GAO-11-278. Washington, D.C.: February 2011. Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk. GAO-11-43. Washington, D.C.: November 30, 2010. Department of Homeland Security: Assessments of Selected Complex Acquisitions. GAO-10-588SP. Washington, D.C.: June 30, 2010. Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements. GAO-10-202. Washington, D.C.: March 12, 2010. Financial Management Systems: DHS Faces Challenges to Successfully Consolidating Its Existing Disparate Systems. GAO-10-76. Washington, D.C.: December 4, 2009. Department of Homeland Security: Actions Taken Toward Management Integration, but a Comprehensive Strategy Is Still Needed. GAO-10-131. Washington, D.C.: November 20, 2009. Homeland Security: Despite Progress, DHS Continues to Be Challenged in Managing Its Multi-Billion Dollar Annual Investment in Large-Scale Information Technology Systems. GAO-09-1002T. Washington, D.C.: September 15, 2009. Page 15 GAO-12-365T Related GAO Reports Department of Homeland Security: Billions Invested in Major Programs Lack Appropriate Oversight. GAO-09-29. Washington, D.C.: November 18, 2008. Department of Homeland Security: Better Planning and Assessment Needed to Improve Outcomes for Complex Service Acquisitions. GAO-08-263. Washington, D.C.: April 22, 2008. Homeland Security: Departmentwide Integrated Financial Management Systems Remain a Challenge. GAO-07-536. Washington, D.C.: June 21, 2007. Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, version 1.1. GAO-04-394G. Washington, D.C.: March 2004. High-Risk Series: Strategic Human Capital Management. GAO-03-120. Washington, D.C.: January 2003. Determining Performance and Accountability Challenges and High Risks. GAO-01-159SP. Washington, D.C.: November 2000. (441040) Page 16 GAO-12-365T This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (www.gao.gov). Each weekday afternoon, GAO Reports and GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, Testimony go to www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: www.gao.gov/fraudnet/fraudnet.htm E-mail: email@example.com Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, firstname.lastname@example.org, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, email@example.com, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Department of Homeland Security: Continued Progress Made Improving and Integrating Management Areas, but More Work Remains
Published by the Government Accountability Office on 2012-03-01.
Below is a raw (and likely hideous) rendition of the original report. (PDF)