United States General Accounting Office GAO Testimony Before the Subcommittee on Oversight and Investigations, Committee on Veterans’ Affairs, House of Representatives For Release on Delivery Expected at 9:30 a.m. VETERANS BENEFITS Thursday, June 26, 1997 COMPUTER SYSTEMS Uninterrupted Delivery of Benefits Depends on Timely Correction of Year-2000 Problems Statement of Joel C. Willemssen Director, Information Resources Management Accounting and Information Management Division GAO/T-AIMD-97-114 Mr. Chairman and Members of the Subcommittee: We are pleased to be here today to discuss actions being taken by the Department of Veterans Affairs’ (VA) Veterans Benefits Administration (VBA) to address the computing challenges faced by virtually all major organizations—public and private—with the upcoming change of century. Correct and on-time delivery of benefits and services to some 10 million American veterans and their dependents will hinge on how quickly and how well the agency can meet these demands. Because readiness for the year 2000 is a critical issue throughout the government, we have recently added the year-2000 problem to our list of federal program areas at high risk of vulnerability.1 As with all other federal agencies, VBA could face widespread computer systems failures as the year 2000 nears due to the potential for incorrect information processing. This could occur because many existing computer systems have a two-digit date field, such that the year 2000 would be represented by “00.” However, “00” could also be read as 1900. Age and other calculations would be thrown off, creating havoc as systems attempted to verify eligibility for various VBA programs. Because eligibility for many of VBA’s benefits and services is date-dependent, services could be seriously disrupted to millions of people. VBA is aware of these risks and knows it has work to do. In a report issued to you, Mr. Chairman, and being released publicly today, we detail our findings on VBA’s readiness for the change of century.2 VBA has initiated action to assess its vulnerability and perform the modifications that must be made to its information systems, but several substantial risks remain. If VBA is to avert serious disruption to its ability to disseminate benefits, it will need to strengthen its management and oversight of year-2000-related activities. Unless the systems that run VBA’s programs are modified correctly and with adequate time for thorough testing, they will not be prepared to function adequately after December 31, 1999. The Department of Veterans Affairs concurred with all 10 of our recommendations. If properly carried out, they will help ensure VBA’s success in making its systems year-2000 compliant. 1 High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997). 2 Veterans Benefits Computer Systems: Risks of VBA’s Year-2000 Efforts (GAO/AIMD-97-79, May 30, 1997). Page 1 GAO/T-AIMD-97-114 There is no question, Mr. Chairman, that VBA must make its key Making Systems information systems year-2000 compliant. Unless these systems changes Ready for the Year are made, veterans could receive inaccurate and/or delayed compensation 2000—a Deadline VBA and pension benefits, receive debt collection letters when they do not actually owe money, cease to receive vocational rehabilitation services, Cannot Afford to Miss receive inaccurate insurance benefits, or have foreclosure proceedings initiated unnecessarily due to erroneous date calculations. The financial stress that could accrue to millions of Americans from incorrect calculations must be avoided. At VBA, compensation and pension systems that relate dates to benefits—such as dates of birth or military service—could be especially vulnerable to disruption. To illustrate the potentially chaotic result of a system unable to tell 2000 from 1900, a veteran born in 1925 and therefore turning 75 in 2000 could—if the computer system read “00” as 1900—be seen as negative 25 years old—not even born yet. The veteran would likely then be judged ineligible for benefits he had already been receiving. While such scenarios would ultimately be resolved, the ensuing delays could be a hardship for many. Ensuring that information systems are made year-2000 compliant is an enormous, difficult, and time-consuming challenge. Perhaps ironically, however, it is more managerial than technical. Scheduling and monitoring are especially important because systems must continue to work while being changed; the needs of those being served by these applications are not put on hold while the agency prepares for the next century. Consequently, as with all agencies, VBA’s success or failure will reflect the quality of executive leadership and program management that is brought to bear on this task. It will be imperative for top agency management—including the agency head and the chief information officer, or CIO—to not only be fully aware of the importance of this undertaking, but to communicate this awareness and urgency to all agency personnel in such a way that everyone understands why year-2000 compliance is so important. The outcome of this challenge will also be determined by the extent to which the agency has institutionalized key systems development and program management practices. Page 2 GAO/T-AIMD-97-114 Addressing the year-2000 problem is not merely a matter of altering every Structured Approach, computer system and application. Management decisions relating to Rigorous Program impact, prioritization, and resources, among others, must first be made: Management Required Which systems are most important? Can they be converted or must they be replaced? Can corrections to any be delayed? Can any systems be eliminated because they overlap with others or no longer serve any useful purpose? Have sufficient analyses been conducted to answer these questions? Do we have adequate financial and personnel resources? Must our internal capabilities be upgraded? GAO has developed a guide3 that constitutes a framework that agencies can use to assess their readiness to achieve year-2000 compliance. It provides information on the scope of the challenge and offers a structured approach for reviewing the adequacy of agency planning and management of its year-2000 program. An exposure draft of the guide was released in February; it incorporates guidance and practices identified by leading information technology organizations. We have made copies available to VA and to VBA. The guide describes in detail the five phases involved in this challenge. Since we see each as critical to a successful year-2000 program, I would like to take a few minutes to briefly discuss them. AWARENESS. While this may seem obvious or unnecessary, we have found that neither is true. Agency personnel must get the word—from the top—as to what this project is all about, and why it matters. Also in this stage, the agency team that will attack the problem is identified, and begins examining potential impacts and developing a strategy. ASSESSMENT. When everything is a priority, nothing is a priority. The emphasis in this phase is on setting realistic priorities—those based on assessments of the potential risk of systems’ not being year-2000 compliant and the likely impact. Systems that are mission-critical—which therefore must be converted or replaced—need to be distinguished from important ones that should be changed and marginal ones that could be changed now or deferred. Such priority-setting is absolutely essential, and should be undertaken from a business standpoint: systems that are integral to the agency’s main function and on which its customers depend should receive the highest priority. Testing strategies must also be devised and contingency plans developed. 3 Year 2000 Computing Crisis: An Assessment Guide [Exposure Draft] (GAO/AIMD-10.1.14, February 1997). Page 3 GAO/T-AIMD-97-114 RENOVATION. This phase deals with actual changes—converting, replacing, or eliminating selected systems and applications. In doing this, it is important to consider the complex interdependencies among systems, and ensure that changes are consistent agencywide and that information about all changes is widely disseminated to users. VALIDATION. Here, agencies test, verify, and validate all converted or replaced systems and applications, ensuring that they perform as expected. It is likewise important that testing procedures themselves be tested, so that agencies can be sure that their results can be trusted. This critical phase can extend over a full year, and may take up to half an agency’s funds budgeted for the entire year-2000 program. It is, however, necessary—and worth the cost. Unless changed systems reliably work as needed, the rest of the expenditure is wasted. IMPLEMENTATION. Deploying and implementing compliant systems and components requires extensive integration and acceptance testing. And since not all agency systems will be converted or replaced simultaneously, it may be wise to operate in a parallel-processing environment for a period of time, running old and new systems side-by-side. Such redundancy can act as a fail-safe mechanism until it is clear that all changed systems are operating correctly. VBA clearly recognizes that the upcoming change of century poses serious VBA Today: challenges and began analyzing the problem in 1991. Its information Encouraging Actions resources management support plan, issued this past January, states Initiated, but unambiguously that achieving year-2000 compliance is the agency’s number one priority. The agency has developed a year-2000 charter, which Significant Risks defines a project management organization and designates a project Remain manager, along with coordinators at each of VBA’s three systems-development centers: Hines, Illinois; Austin, Texas; and Philadelphia. Initially, the primary focus of VBA’s strategy was to attain compliance by replacing noncompliant systems with new ones. Its goal was to have all systems and applications compliant by November 30, 1998, thus allowing over a year for testing and monitoring. VBA also developed a contingency plan, for its compensation and pension and educational assistance payment systems, to ensure continued operation into the next century should replacement systems not be implemented in time. On the basis of concerns we raised regarding VBA’s year-2000 strategy, the agency recently Page 4 GAO/T-AIMD-97-114 revised it to focus on making changes to its existing noncompliant systems rather than replacing them. Many of these efforts, however, remain unfinished. Some important obstacles to success remain, Mr. Chairman, in the areas of program management, assessment, contingency planning, and the handling of noncompliant systems. First, the structure of VBA’s year-2000 program management office needs strengthening, and technical and managerial issues must be addressed. An agency-level program office must coordinate and manage the full range of interdependent information systems activities involved in the year-2000 effort. Yet, according to VBA’s year-2000 project manager, her management functions were limited to conversion projects for the compensation and pension and educational assistance payment systems and replacement projects for educational assistance payment systems. The functions of VBA’s year-2000 project manager also do not include oversight of locally developed applications used by the 58 regional offices. In commenting on a draft of our report, the Secretary of Veterans Affairs concurred with our recommendation that VBA strengthen its year-2000 program management office. He has stated that VBA’s year-2000 project manager has been relieved of other duties to devote full attention to year-2000 activities. VA also has established an oversight committee to monitor and evaluate the progress of VBA’s year-2000 effort. A critical technical deficiency is VBA’s lack of an overall, integrated systems architecture, or blueprint, to guide and constrain the development of replacement systems and the evolution of related information systems. The Clinger-Cohen Act of 1996 requires, among other provisions, that department-level chief information officers develop, maintain, and facilitate integrated systems architectures. Without such a tool, successful systems integration through common standards is placed at added risk. Specifically, VBA has not yet developed, or has not documented, a comprehensive analysis of the flow of information among the various systems; further, it has not yet adequately (1) defined the interfaces among systems that must share data in order to facilitate delivery of benefits, (2) defined a security architecture because sufficient analysis to allow this has not been performed, or (3) analyzed characteristics or developed standards for measuring performance. Also, it is permitting changes to the database and data elements themselves without insisting on the appropriate quality assurance steps. Page 5 GAO/T-AIMD-97-114 The Secretary concurred with our recommendation that VBA develop a complete, integrated systems architecture for its new systems development activities. He further stated that VBA is documenting its systems architecture, information architecture, and data architecture. Also, VBA is still developing security services common to all applications and performance characteristics and standards. A second obstacle to VBA’s success in being ready for the year 2000 concerns the fact that much work remains in determining whether its information systems and their components are compliant now. VBA has yet to fully assess the severity of its year-2000 problem. And while inventories of regional applications and internal/external interfaces have been started, they are not yet complete. According to VBA’s December 1996 year-2000 plan, it expected to have completed all inventories by September 30, 1996. By that date, however, inventories had been completed only for software applications at its three systems development centers. According to VBA’s January 28, 1997, year-2000 risk assessment, part of the reason for the delay is the agency’s loss of some well-qualified employees to retirement during recent agency buyouts. Regardless of the reason, however, VBA’s challenge is more difficult because it has less time and fewer experienced personnel. VBA’s February 17, 1997, inventory shows 153 applications, consisting of over 8,400 modules and over 9 million lines of computer software code. VBA determined that 111 of the 153 applications—almost three quarters—were noncompliant. Decisions relating to about a third of these noncompliant applications had not been made as of that date. Further, this inventory does not include local applications developed by regional offices. While VBA’s CIO has requested that regional offices develop such inventories, he further stated that no regional applications need be included in the inventory of software applications because no locally developed applications were mission-critical. Yet according to VA’s year-2000 readiness review, without a complete inventory of regionally-developed applications, VBA cannot adequately predict or plan for the impact of the change of century. The Secretary concurred with our recommendation that VBA perform an assessment of how its major business areas would be affected if the year-2000 problem were not corrected in time to help prioritize the agency’s year-2000 activities. He stated that such an overall assessment Page 6 GAO/T-AIMD-97-114 has been completed, and that VBA concluded that all major business areas would be severely affected. The Secretary did not consider it beneficial to spend time developing a detailed analysis when the general business impact is already known. We believe, however, that even when general impact is known, a detailed assessment provides management with valuable information on which to prioritize activities, as well as a means of obtaining and publicizing management commitment and support for necessary initiatives. Regarding VBA’s inventory of interfaces, the Secretary stated that VBA expects to have this inventory completed by June 30. He stated that the assessment of interfaces is more complicated because VBA, like other government agencies, is dependent upon receiving information from other agencies. In addition, the newly-established oversight committee plans to assess whether VBA’s program management office needs to oversee the year-2000 work in the regional offices and include regional applications in its inventory. A third obstacle is that VBA has not developed contingency plans for all of its critical systems. Three of its major business areas—loan guaranty, vocational rehabilitation and counseling, and insurance—lack contingency plans to ensure continuity of operations. We recently learned that such plans are in development for the loan-guaranty system. VBA managers realize that they may have to return to manual processing if critical systems in these major business areas are not made year-2000 compliant in time. In his comments on a draft of our report, the Secretary also concurred with our recommendation that VBA develop a year-2000 contingency plan for all critical information systems. He stated that VBA is addressing the development of contingency plans with each program manager. Fourth, VBA does not yet have sufficient information about the costs and risks associated with its year-2000 activities. As a consequence, it has no basis on which to make decisions about prioritizing its information technology projects to make the best use of its two vital resources: people and money. Its year-2000 strategy calls for converting most existing systems while simultaneously continuing to replace its existing benefits payment systems. Yet both actions depend upon limited financial and personnel resources; it may not be able to complete either in time. Page 7 GAO/T-AIMD-97-114 Reliable assessments of costs and risks are important prerequisites for effective prioritization of information technology projects. VA’s readiness assessment estimated VBA’s year-2000 costs at about $20 million for fiscal years 1996 through 1999. This, however, only included conversion projects, such as those to upgrade the mainframes and operating systems at the Hines and Philadelphia data centers. It did not include costs to replace VBA’s aging systems with new, compliant payment systems. The Secretary concurred with our recommendation that VBA assess the costs, benefits, and risks of competing information technology projects and prioritize them to make effective use of limited people and financial resources. He indicated, however, that this assessment has been completed. But in light of VBA’s recent decision to make year-2000 changes to its existing systems its top priority, rather than relying on replacement systems, we believe that VBA must reevaluate its cost/benefit and risk assessments under this new strategy. The results of this evaluation are especially important, since in focusing on conversion of noncompliant benefits payment systems, VBA has decided to exclude only replacement of these specific systems from its overall year-2000 strategy, rather than discontinue the overall replacement strategy altogether. As a result, VBA’s new year-2000 strategy and replacement project effort continue to be dependent upon limited personnel and financial resources. Mr. Chairman, we all agree that VBA must do whatever it takes to be Strong Program year-2000 compliant. This will not be easy. Until an inventory and Oversight Essential; assessment of its information systems and their components is completed, Inventories and it will not be able to make informed choices about the best use of limited personnel and financial resources. Once this has been accomplished, it Assessments Must Be may be necessary to reallocate resources toward completing the Completed Quickly, conversion projects and developing contingency plans for all critical noncompliant systems. A stronger program management office structure Along With and improved technical and managerial capabilities will be essential Conversions and ingredients in helping to make this happen. Contingency Plans Given the serious risks associated with VBA’s year-2000 activities, our report recommends that the Secretary of Veterans Affairs direct and ensure that VBA’s acting undersecretary for benefits, in conjunction with VBA’s CIO, take 10 specific actions to help ensure the agency’s success in making its systems year-2000 compliant before the change of century. I have already discussed some of these recommendations in my testimony today. In summary, these actions involve strengthening program Page 8 GAO/T-AIMD-97-114 management and oversight; developing an integrated systems architecture; assessing the vulnerability of VBA’s major business areas to failing to achieve systems compliance in time; completing inventories, analyses, and assessments; developing a schedule for systems conversion/replacement; and developing critical contingency plans. We discussed our findings with both VA’s and VBA’s CIOs at the conclusion of our review. Not only did they agree with all of our recommendations, but in addition took quick action to address areas of concern that we identified. We were told that VBA is redirecting its year-2000 strategy to focus on the conversion of existing benefits payment systems. Further, VA has established an oversight committee, comprising a VBA executive, a senior manager from VA’s Office of Information Resources Management, and an independent contractor, to evaluate VBA’s progress in year-2000 readiness. The contractor is to report this August, and is to include an action plan detailing what will be required for VBA to complete software recoding in December 1998. As we said in our report, we are encouraged by these specific steps and we commend the agency both for its receptivity and speed of response. We will continue to work with VBA in evaluating its plans and strategies for accomplishing its goals. Mr. Chairman, this concludes my statement. I would be pleased to respond to any questions that you or other members of the Subcommittee may have at this time. (511218) Page 9 GAO/T-AIMD-97-114 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 6015 Gaithersburg, MD 20884-6015 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (301) 258-4066, or TDD (301) 413-0006. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
Veterans Benefits Computer Systems: Uninterrupted Delivery of Benefits Depends on Timely Correction of Year-2000 Problems
Published by the Government Accountability Office on 1997-06-26.
Below is a raw (and likely hideous) rendition of the original report. (PDF)