oversight

Veterans Benefits Computer Systems: Uninterrupted Delivery of Benefits Depends on Timely Correction of Year-2000 Problems

Published by the Government Accountability Office on 1997-06-26.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Oversight and Investigations,
                          Committee on Veterans’ Affairs, House of Representatives




For Release on Delivery
Expected at
9:30 a.m.
                          VETERANS BENEFITS
Thursday,
June 26, 1997             COMPUTER SYSTEMS

                          Uninterrupted Delivery of
                          Benefits Depends on Timely
                          Correction of Year-2000
                          Problems
                          Statement of Joel C. Willemssen
                          Director, Information Resources Management
                          Accounting and Information Management Division




GAO/T-AIMD-97-114
Mr. Chairman and Members of the Subcommittee:

We are pleased to be here today to discuss actions being taken by the
Department of Veterans Affairs’ (VA) Veterans Benefits Administration
(VBA) to address the computing challenges faced by virtually all major
organizations—public and private—with the upcoming change of century.
Correct and on-time delivery of benefits and services to some 10 million
American veterans and their dependents will hinge on how quickly and
how well the agency can meet these demands.

Because readiness for the year 2000 is a critical issue throughout the
government, we have recently added the year-2000 problem to our list of
federal program areas at high risk of vulnerability.1 As with all other
federal agencies, VBA could face widespread computer systems failures as
the year 2000 nears due to the potential for incorrect information
processing. This could occur because many existing computer systems
have a two-digit date field, such that the year 2000 would be represented
by “00.” However, “00” could also be read as 1900. Age and other
calculations would be thrown off, creating havoc as systems attempted to
verify eligibility for various VBA programs. Because eligibility for many of
VBA’s benefits and services is date-dependent, services could be seriously
disrupted to millions of people.

VBA is aware of these risks and knows it has work to do. In a report issued
to you, Mr. Chairman, and being released publicly today, we detail our
findings on VBA’s readiness for the change of century.2 VBA has initiated
action to assess its vulnerability and perform the modifications that must
be made to its information systems, but several substantial risks remain. If
VBA is to avert serious disruption to its ability to disseminate benefits, it
will need to strengthen its management and oversight of year-2000-related
activities. Unless the systems that run VBA’s programs are modified
correctly and with adequate time for thorough testing, they will not be
prepared to function adequately after December 31, 1999. The Department
of Veterans Affairs concurred with all 10 of our recommendations. If
properly carried out, they will help ensure VBA’s success in making its
systems year-2000 compliant.




1
 High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).
2
  Veterans Benefits Computer Systems: Risks of VBA’s Year-2000 Efforts (GAO/AIMD-97-79, May 30,
1997).



Page 1                                                                       GAO/T-AIMD-97-114
                        There is no question, Mr. Chairman, that VBA must make its key
Making Systems          information systems year-2000 compliant. Unless these systems changes
Ready for the Year      are made, veterans could receive inaccurate and/or delayed compensation
2000—a Deadline VBA     and pension benefits, receive debt collection letters when they do not
                        actually owe money, cease to receive vocational rehabilitation services,
Cannot Afford to Miss   receive inaccurate insurance benefits, or have foreclosure proceedings
                        initiated unnecessarily due to erroneous date calculations. The financial
                        stress that could accrue to millions of Americans from incorrect
                        calculations must be avoided.

                        At VBA, compensation and pension systems that relate dates to
                        benefits—such as dates of birth or military service—could be especially
                        vulnerable to disruption. To illustrate the potentially chaotic result of a
                        system unable to tell 2000 from 1900, a veteran born in 1925 and therefore
                        turning 75 in 2000 could—if the computer system read “00” as 1900—be
                        seen as negative 25 years old—not even born yet. The veteran would likely
                        then be judged ineligible for benefits he had already been receiving. While
                        such scenarios would ultimately be resolved, the ensuing delays could be a
                        hardship for many.

                        Ensuring that information systems are made year-2000 compliant is an
                        enormous, difficult, and time-consuming challenge. Perhaps ironically,
                        however, it is more managerial than technical. Scheduling and monitoring
                        are especially important because systems must continue to work while
                        being changed; the needs of those being served by these applications are
                        not put on hold while the agency prepares for the next century.
                        Consequently, as with all agencies, VBA’s success or failure will reflect the
                        quality of executive leadership and program management that is brought
                        to bear on this task. It will be imperative for top agency
                        management—including the agency head and the chief information officer,
                        or CIO—to not only be fully aware of the importance of this undertaking,
                        but to communicate this awareness and urgency to all agency personnel in
                        such a way that everyone understands why year-2000 compliance is so
                        important. The outcome of this challenge will also be determined by the
                        extent to which the agency has institutionalized key systems development
                        and program management practices.




                        Page 2                                                      GAO/T-AIMD-97-114
                       Addressing the year-2000 problem is not merely a matter of altering every
Structured Approach,   computer system and application. Management decisions relating to
Rigorous Program       impact, prioritization, and resources, among others, must first be made:
Management Required    Which systems are most important? Can they be converted or must they
                       be replaced? Can corrections to any be delayed? Can any systems be
                       eliminated because they overlap with others or no longer serve any
                       useful purpose? Have sufficient analyses been conducted to answer these
                       questions? Do we have adequate financial and personnel resources?
                       Must our internal capabilities be upgraded?

                       GAO  has developed a guide3 that constitutes a framework that agencies can
                       use to assess their readiness to achieve year-2000 compliance. It provides
                       information on the scope of the challenge and offers a structured
                       approach for reviewing the adequacy of agency planning and management
                       of its year-2000 program. An exposure draft of the guide was released in
                       February; it incorporates guidance and practices identified by leading
                       information technology organizations. We have made copies available to
                       VA and to VBA.


                       The guide describes in detail the five phases involved in this challenge.
                       Since we see each as critical to a successful year-2000 program, I would
                       like to take a few minutes to briefly discuss them.

                       AWARENESS. While this may seem obvious or unnecessary, we have
                       found that neither is true. Agency personnel must get the word—from the
                       top—as to what this project is all about, and why it matters. Also in this
                       stage, the agency team that will attack the problem is identified, and
                       begins examining potential impacts and developing a strategy.

                       ASSESSMENT. When everything is a priority, nothing is a priority. The
                       emphasis in this phase is on setting realistic priorities—those based on
                       assessments of the potential risk of systems’ not being year-2000
                       compliant and the likely impact. Systems that are mission-critical—which
                       therefore must be converted or replaced—need to be distinguished from
                       important ones that should be changed and marginal ones that could be
                       changed now or deferred. Such priority-setting is absolutely essential, and
                       should be undertaken from a business standpoint: systems that are
                       integral to the agency’s main function and on which its customers depend
                       should receive the highest priority. Testing strategies must also be devised
                       and contingency plans developed.

                       3
                         Year 2000 Computing Crisis: An Assessment Guide [Exposure Draft] (GAO/AIMD-10.1.14,
                       February 1997).



                       Page 3                                                                      GAO/T-AIMD-97-114
                      RENOVATION. This phase deals with actual changes—converting,
                      replacing, or eliminating selected systems and applications. In doing this,
                      it is important to consider the complex interdependencies among systems,
                      and ensure that changes are consistent agencywide and that information
                      about all changes is widely disseminated to users.

                      VALIDATION. Here, agencies test, verify, and validate all converted or
                      replaced systems and applications, ensuring that they perform as
                      expected. It is likewise important that testing procedures themselves be
                      tested, so that agencies can be sure that their results can be trusted. This
                      critical phase can extend over a full year, and may take up to half an
                      agency’s funds budgeted for the entire year-2000 program. It is, however,
                      necessary—and worth the cost. Unless changed systems reliably work as
                      needed, the rest of the expenditure is wasted.

                      IMPLEMENTATION. Deploying and implementing compliant systems and
                      components requires extensive integration and acceptance testing. And
                      since not all agency systems will be converted or replaced simultaneously,
                      it may be wise to operate in a parallel-processing environment for a period
                      of time, running old and new systems side-by-side. Such redundancy can
                      act as a fail-safe mechanism until it is clear that all changed systems are
                      operating correctly.


                      VBA clearly recognizes that the upcoming change of century poses serious
VBA Today:            challenges and began analyzing the problem in 1991. Its information
Encouraging Actions   resources management support plan, issued this past January, states
Initiated, but        unambiguously that achieving year-2000 compliance is the agency’s
                      number one priority. The agency has developed a year-2000 charter, which
Significant Risks     defines a project management organization and designates a project
Remain                manager, along with coordinators at each of VBA’s three
                      systems-development centers: Hines, Illinois; Austin, Texas; and
                      Philadelphia.

                      Initially, the primary focus of VBA’s strategy was to attain compliance by
                      replacing noncompliant systems with new ones. Its goal was to have all
                      systems and applications compliant by November 30, 1998, thus allowing
                      over a year for testing and monitoring. VBA also developed a contingency
                      plan, for its compensation and pension and educational assistance
                      payment systems, to ensure continued operation into the next century
                      should replacement systems not be implemented in time. On the basis of
                      concerns we raised regarding VBA’s year-2000 strategy, the agency recently



                      Page 4                                                      GAO/T-AIMD-97-114
revised it to focus on making changes to its existing noncompliant systems
rather than replacing them. Many of these efforts, however, remain
unfinished. Some important obstacles to success remain, Mr. Chairman, in
the areas of program management, assessment, contingency planning, and
the handling of noncompliant systems.

First, the structure of VBA’s year-2000 program management office needs
strengthening, and technical and managerial issues must be addressed. An
agency-level program office must coordinate and manage the full range of
interdependent information systems activities involved in the year-2000
effort. Yet, according to VBA’s year-2000 project manager, her management
functions were limited to conversion projects for the compensation and
pension and educational assistance payment systems and replacement
projects for educational assistance payment systems. The functions of
VBA’s year-2000 project manager also do not include oversight of locally
developed applications used by the 58 regional offices.

In commenting on a draft of our report, the Secretary of Veterans Affairs
concurred with our recommendation that VBA strengthen its year-2000
program management office. He has stated that VBA’s year-2000 project
manager has been relieved of other duties to devote full attention to
year-2000 activities. VA also has established an oversight committee to
monitor and evaluate the progress of VBA’s year-2000 effort.

A critical technical deficiency is VBA’s lack of an overall, integrated
systems architecture, or blueprint, to guide and constrain the development
of replacement systems and the evolution of related information systems.
The Clinger-Cohen Act of 1996 requires, among other provisions, that
department-level chief information officers develop, maintain, and
facilitate integrated systems architectures. Without such a tool, successful
systems integration through common standards is placed at added risk.

Specifically, VBA has not yet developed, or has not documented, a
comprehensive analysis of the flow of information among the various
systems; further, it has not yet adequately (1) defined the interfaces among
systems that must share data in order to facilitate delivery of benefits,
(2) defined a security architecture because sufficient analysis to allow this
has not been performed, or (3) analyzed characteristics or developed
standards for measuring performance. Also, it is permitting changes to the
database and data elements themselves without insisting on the
appropriate quality assurance steps.




Page 5                                                      GAO/T-AIMD-97-114
The Secretary concurred with our recommendation that VBA develop a
complete, integrated systems architecture for its new systems
development activities. He further stated that VBA is documenting its
systems architecture, information architecture, and data architecture.
Also, VBA is still developing security services common to all applications
and performance characteristics and standards.

A second obstacle to VBA’s success in being ready for the year 2000
concerns the fact that much work remains in determining whether its
information systems and their components are compliant now. VBA has yet
to fully assess the severity of its year-2000 problem. And while inventories
of regional applications and internal/external interfaces have been started,
they are not yet complete.

According to VBA’s December 1996 year-2000 plan, it expected to have
completed all inventories by September 30, 1996. By that date, however,
inventories had been completed only for software applications at its three
systems development centers. According to VBA’s January 28, 1997,
year-2000 risk assessment, part of the reason for the delay is the agency’s
loss of some well-qualified employees to retirement during recent agency
buyouts. Regardless of the reason, however, VBA’s challenge is more
difficult because it has less time and fewer experienced personnel.

VBA’s February 17, 1997, inventory shows 153 applications, consisting of
over 8,400 modules and over 9 million lines of computer software code.
VBA determined that 111 of the 153 applications—almost three
quarters—were noncompliant. Decisions relating to about a third of these
noncompliant applications had not been made as of that date.

Further, this inventory does not include local applications developed by
regional offices. While VBA’s CIO has requested that regional offices develop
such inventories, he further stated that no regional applications need be
included in the inventory of software applications because no locally
developed applications were mission-critical. Yet according to VA’s
year-2000 readiness review, without a complete inventory of
regionally-developed applications, VBA cannot adequately predict or plan
for the impact of the change of century.

The Secretary concurred with our recommendation that VBA perform an
assessment of how its major business areas would be affected if the
year-2000 problem were not corrected in time to help prioritize the
agency’s year-2000 activities. He stated that such an overall assessment



Page 6                                                      GAO/T-AIMD-97-114
has been completed, and that VBA concluded that all major business areas
would be severely affected. The Secretary did not consider it beneficial to
spend time developing a detailed analysis when the general business
impact is already known. We believe, however, that even when general
impact is known, a detailed assessment provides management with
valuable information on which to prioritize activities, as well as a means of
obtaining and publicizing management commitment and support for
necessary initiatives.

Regarding VBA’s inventory of interfaces, the Secretary stated that VBA
expects to have this inventory completed by June 30. He stated that the
assessment of interfaces is more complicated because VBA, like other
government agencies, is dependent upon receiving information from other
agencies. In addition, the newly-established oversight committee plans to
assess whether VBA’s program management office needs to oversee the
year-2000 work in the regional offices and include regional applications in
its inventory.

A third obstacle is that VBA has not developed contingency plans for all of
its critical systems. Three of its major business areas—loan guaranty,
vocational rehabilitation and counseling, and insurance—lack contingency
plans to ensure continuity of operations. We recently learned that such
plans are in development for the loan-guaranty system. VBA managers
realize that they may have to return to manual processing if critical
systems in these major business areas are not made year-2000 compliant in
time.

In his comments on a draft of our report, the Secretary also concurred
with our recommendation that VBA develop a year-2000 contingency plan
for all critical information systems. He stated that VBA is addressing the
development of contingency plans with each program manager.

Fourth, VBA does not yet have sufficient information about the costs and
risks associated with its year-2000 activities. As a consequence, it has no
basis on which to make decisions about prioritizing its information
technology projects to make the best use of its two vital resources: people
and money. Its year-2000 strategy calls for converting most existing
systems while simultaneously continuing to replace its existing benefits
payment systems. Yet both actions depend upon limited financial and
personnel resources; it may not be able to complete either in time.




Page 7                                                      GAO/T-AIMD-97-114
                       Reliable assessments of costs and risks are important prerequisites for
                       effective prioritization of information technology projects. VA’s readiness
                       assessment estimated VBA’s year-2000 costs at about $20 million for fiscal
                       years 1996 through 1999. This, however, only included conversion
                       projects, such as those to upgrade the mainframes and operating systems
                       at the Hines and Philadelphia data centers. It did not include costs to
                       replace VBA’s aging systems with new, compliant payment systems.

                       The Secretary concurred with our recommendation that VBA assess the
                       costs, benefits, and risks of competing information technology projects
                       and prioritize them to make effective use of limited people and financial
                       resources. He indicated, however, that this assessment has been
                       completed. But in light of VBA’s recent decision to make year-2000 changes
                       to its existing systems its top priority, rather than relying on replacement
                       systems, we believe that VBA must reevaluate its cost/benefit and risk
                       assessments under this new strategy. The results of this evaluation are
                       especially important, since in focusing on conversion of noncompliant
                       benefits payment systems, VBA has decided to exclude only replacement of
                       these specific systems from its overall year-2000 strategy, rather than
                       discontinue the overall replacement strategy altogether. As a result, VBA’s
                       new year-2000 strategy and replacement project effort continue to be
                       dependent upon limited personnel and financial resources.


                       Mr. Chairman, we all agree that VBA must do whatever it takes to be
Strong Program         year-2000 compliant. This will not be easy. Until an inventory and
Oversight Essential;   assessment of its information systems and their components is completed,
Inventories and        it will not be able to make informed choices about the best use of limited
                       personnel and financial resources. Once this has been accomplished, it
Assessments Must Be    may be necessary to reallocate resources toward completing the
Completed Quickly,     conversion projects and developing contingency plans for all critical
                       noncompliant systems. A stronger program management office structure
Along With             and improved technical and managerial capabilities will be essential
Conversions and        ingredients in helping to make this happen.
Contingency Plans
                       Given the serious risks associated with VBA’s year-2000 activities, our
                       report recommends that the Secretary of Veterans Affairs direct and
                       ensure that VBA’s acting undersecretary for benefits, in conjunction with
                       VBA’s CIO, take 10 specific actions to help ensure the agency’s success in
                       making its systems year-2000 compliant before the change of century. I
                       have already discussed some of these recommendations in my testimony
                       today. In summary, these actions involve strengthening program



                       Page 8                                                     GAO/T-AIMD-97-114
           management and oversight; developing an integrated systems architecture;
           assessing the vulnerability of VBA’s major business areas to failing to
           achieve systems compliance in time; completing inventories, analyses, and
           assessments; developing a schedule for systems conversion/replacement;
           and developing critical contingency plans.

           We discussed our findings with both VA’s and VBA’s CIOs at the conclusion
           of our review. Not only did they agree with all of our recommendations,
           but in addition took quick action to address areas of concern that we
           identified. We were told that VBA is redirecting its year-2000 strategy to
           focus on the conversion of existing benefits payment systems. Further, VA
           has established an oversight committee, comprising a VBA executive, a
           senior manager from VA’s Office of Information Resources Management,
           and an independent contractor, to evaluate VBA’s progress in year-2000
           readiness. The contractor is to report this August, and is to include an
           action plan detailing what will be required for VBA to complete software
           recoding in December 1998. As we said in our report, we are encouraged
           by these specific steps and we commend the agency both for its receptivity
           and speed of response. We will continue to work with VBA in evaluating its
           plans and strategies for accomplishing its goals.


           Mr. Chairman, this concludes my statement. I would be pleased to respond
           to any questions that you or other members of the Subcommittee may
           have at this time.




(511218)   Page 9                                                   GAO/T-AIMD-97-114
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (301) 258-4066, or TDD (301) 413-0006.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested