United States General Accounting Office

GAO Testimony

Before the Subcommittee on Oversight and Investigations, Committee on Education and the Workforce, House of Representatives

For Release on Delivery Expected at 2 p.m. Wednesday, May 12, 1999

YEAR 2000 COMPUTING CHALLENGE

Education Taking Needed Actions But Work Remains

Statement of Joel C. Willemssen, Director, Civil Agencies Information Systems, Accounting and Information Management Division

GAO/T-AIMD-99-180

Mr. Chairman and Members of the Subcommittee:

We are pleased to testify before you today on the Department of Education's efforts to ensure that its computer systems supporting critical student financial aid activities will be able to process information reliably through the turn of the century. Last year, we testified that significant risks remained to the department's student financial aid delivery systems, risks that involved systems testing, exchanging data with internal and external partners, and developing business continuity and contingency plans.[1] We also testified on the status of Education's mission-important and mission-supportive systems.[2]

After providing some background information, my statement today will briefly recap our prior findings and the actions that were needed for reducing risk, progress by the department since then, and future tasks facing Education. We performed our work from March through May 1999, in accordance with generally accepted government auditing standards.

Background: Systems for Delivering Student Financial Aid

Student financial aid programs are administered by Education's Office of Student Financial Aid Programs under title IV of the Higher Education Act of 1965, as amended. The four major programs providing student aid currently in use are the Federal Family Education Loan Program (FFELP),[3] the Federal Direct Loan Program (FDLP), the Federal Pell Grant Program, and campus-based programs.[4] These programs together will make available over $50 billion to about 9 million students during the 1999-2000 academic year. FFELP and FDLP are the two largest postsecondary student loan programs, and Pell is the largest postsecondary grant program. FFELP provides student loans through private lending institutions; these loans are guaranteed against default by some 36 guaranty agencies[5] and insured by the federal government. FDLP provides student loans directly from the federal government, while Pell provides grants to economically disadvantaged students.

[1] Year 2000 Computing Crisis: Significant Risks Remain to Department of Education's Student Financial Aid Systems (GAO/T-AIMD-98-302, September 17, 1998).
[2] Year 2000 Computing Crisis: Updated Status of Department of Education's Information Systems (GAO/T-AIMD-99-8, October 8, 1998).
[3] FFELP was formerly the Guaranteed and Stafford Student Loan programs.
[4] The campus-based programs include the Federal Work-Study Program, the Federal Perkins Loan Program, and the Federal Supplemental Educational Opportunity Grant Program.

In many ways, Education's student financial aid delivery system is similar to functions performed in the banking industry, such as making loans, reporting account status, and collecting payments. The department currently maintains 11 major systems for administering student financial aid programs. These systems were developed independently over time by multiple contractors in response to new programs or mandates.
They have resulted in a complex, highly heterogeneous systems environment.[6] The systems range from legacy mainframes, several originally developed over 15 years ago, to recently developed client-server environments.[7]

[5] State and private nonprofit guaranty agencies act as agents of the federal government, providing a variety of services including payment of defaulted claims, collection of some defaulted loans, default-avoidance activities, and counseling to schools and students.
[6] Student Financial Aid Information: Systems Architecture Needed to Improve Programs' Efficiency (GAO/AIMD-97-122, July 29, 1997).
[7] In a client-server environment, individual workstations (the client) and shared processors (the server) cooperate over a network to complete tasks.

Last Year, Education Faced Major Challenges in Addressing Year 2000 Activities

Information systems are at the heart of the department's ability to carry out its mission. According to its own assessments, the student financial aid delivery process could experience major problems if the systems upon which it relies are not fully Year 2000 (Y2K) compliant in time. Such risks include delays in disbursements; reduction in Education's ability to transfer payments, process applications, or monitor program operations; and the potential inability of postsecondary education students to verify the status of their loans or grants.

Last September, the department had reported to the Office of Management and Budget (OMB) that of its 14 mission-critical systems (11 involving student financial aid), 4 had been implemented and were operating as Y2K compliant. Education, along with other executive branch agencies, faced a March 31, 1999, OMB deadline for implementation of Y2K-compliant mission-critical systems. Given the situation at the time, we saw three key issues that threatened the department's ability to carry out its mission:
systems testing, data exchanges, and business continuity and contingency planning.

Thorough Y2K testing is essential to providing reasonable assurance that systems process dates correctly and will not jeopardize an organization's ability to perform core business operations. Agencies must test not only the Y2K compliance of individual applications, but also the complex interactions among numerous converted or replaced computer platforms, operating systems, utilities, applications, databases, and interfaces. Because of Education's late start and the compression of its schedule to meet the March 31 deadline, the time available for key testing activities of mission-critical systems was limited. We pointed out that Education needed to mitigate critical risks that affected its ability to award and track billions of dollars in student financial aid by ensuring adequate testing of its systems. We said that maintaining testing and implementation schedules while ensuring testing adequacy would be essential. Effectively addressing testing reduces the risk that the department's ability to deliver financial aid to students could be compromised.

Data exchange—the transfer of information across systems—is the second area of risk we identified at Education last September. Conflicting formats or data processed on noncompliant systems could spread errors from system to system, compromising not only data but also the systems themselves. To mitigate this risk, organizations need to inventory and assess their data exchanges, reach agreements with exchange partners on formats and protocols, and develop contingency plans in the event of failure. Education's student financial aid environment is very large and complex; it includes over 7,000 schools, 6,500 lenders, and 36 loan guaranty agencies—not to mention other federal agencies. Figure 1 is a simplified graphic representation of that environment.
As we reported in September, to address its data exchanges with schools, lenders, and guaranty agencies, Education dictated how the data that these institutions provide to the department should be formatted. The department handles this in one of two ways: it either provides software to institutions, such as EDExpress, or it provides the technical specifications for the institution to use in developing the necessary interface.

[Figure 1: Education's Student Financial Aid Data Exchange Environment. Source: Department of Education.]

As of last fall, the department had been active in coordinating with its data exchange partners. Beyond this, however, we pointed out that Education needed to engage in end-to-end testing[8] of its mission-critical business processes, including data exchanges.

Further complicating data exchange compliance is the need to ensure that data are not only formatted consistently but are accurate. As we have previously reported, Education has experienced serious data integrity problems in the past.[9]

As Education reported last September, its own surveys showed that many of its data exchange partners had a long way to go.
For example, in the summer of 1998, the department and the American Association of Community Colleges conducted surveys of the Y2K readiness of postsecondary schools. They found that up to one-third of the schools did not have a compliance plan in place.

The third area we discussed last September as critical for Education was business continuity and contingency planning. Some problems are inevitable as any organization enters the next century. It is vital, then, that realistic contingency plans be developed to ensure the continuity of core business operations in the event of Y2K-induced failures. And as our testimony pointed out, continuity and contingency plans must focus on more than agency systems alone; they must likewise address data provided by their business partners and the public infrastructure. One weak link anywhere in the chain of critical dependencies can cause major disruption.

The department has been committed to developing business continuity and contingency plans for each mission-critical business process and its supporting systems. It initiated contingency planning in February 1998, and appointed a senior executive to manage the development and testing of continuity and contingency plans for all student financial aid operations. Completion of such plans was targeted for March 31, 1999.

[8] The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an operational environment, either actual or simulated.
[9] GAO/AIMD-97-122, July 29, 1997.

Progress Has Been Made

As of March 31, 1999, the Department of Education reported that all of its 14 mission-critical systems—including the 11 student financial aid delivery systems—were Y2K compliant and in operation. Our review of three of these systems found adequate test documentation. However, the department has not yet closed out four of its systems as completing the
Y2K compliance process in accordance with Education-specific guidance; other systems issues also remain outstanding, although they are generally considered low-risk. Testing of data exchanges and end-to-end testing of key business processes are continuing according to the department's schedule, as is the refinement of business continuity and contingency plans.

Systems Tests Were Adequately Supported But Open Issues Remain

As part of our work, we selected three student financial aid systems and reviewed the contractor's change control/quality control process, test plans, and test results. We found adequate documentation supporting baseline, regression, and future date testing at the unit and system levels, as summarized in table 1.

Table 1: Education's System Testing Documentation

System | Type of test | Test component: Unit[a] | Test component: System[b]
National Student Loan Data System | B | Completed | Completed
National Student Loan Data System | R | Completed | Completed
National Student Loan Data System | FT | Completed | Completed
National Student Loan Data System | FF | Not applicable[c] | Completed
Federal Family Education Loan System | B | Completed | Completed
Federal Family Education Loan System | R | Completed | Completed
Federal Family Education Loan System | FT | Completed | Completed
Federal Family Education Loan System | FF | Not applicable | Not planned
Pell Grant Recipient Financial Management System | B | Completed | Completed
Pell Grant Recipient Financial Management System | R | Completed | Completed
Pell Grant Recipient Financial Management System | FT | Completed | Completed
Pell Grant Recipient Financial Management System | FF | Not applicable | Not planned

Legend:
B: Baseline Testing provides a baseline assessment of component and system performance before changes are made so that a basis for comparison exists.
R: Regression Testing is selective retesting to detect faults introduced during modification of a system.
FT: Future Date Testing Using Test Tools simulates operating in the year 2000 by using software to simulate a date in the future.
FF: Future Date Testing in Test Facility simulates operating in the year 2000 using a test facility that replicates a system's operating environment that is set to operate using a date in the future.

[a] Unit testing is performed to determine whether individual program modules perform to specification.
[b] System testing is performed to determine whether the results generated by the enterprise's information system and its components are accurate and the system performs to specification.
[c] Future date testing in a test facility was not done at the unit level.

Education reported that its 14 mission-critical systems were compliant as of March 31, but it still has remaining tasks to complete for several of these systems before certifying them as completing the Y2K compliance process. The final step of the department's close out process includes a Year 2000 System Closeout form that is signed by the system manager, principal office coordinator, Year 2000 project management team liaison, and either the independent verification and validation (IV&V) contractor or a representative of the Year 2000 Program Office support contractor.[10] The signatures certify that the system has completed the Y2K compliance process, consisting of successfully passing appropriate Y2K validation tests (including IV&V), and identifying and testing data exchanges.

As of May 9, the department had not closed out 4[11] of its 14 mission-critical systems, including 2 student financial aid systems. Education expects to close out three of the remaining four systems by the end of this month but has not yet received final concurrence from IV&V contractors, who are waiting to review documentation pending from the department. According to Education officials, the fourth system, Education's Local Area Network (EDNET), requires additional funding for Y2K interoperability. Education has requested these funds as part of a supplemental budget request to OMB for Y2K emergency funding.

In addition to closing out the remaining 4 systems, 7 of the other 10 mission-critical systems have remaining tasks (excluding data exchange testing) that still need to be completed.
For example, the Campus Based System's computing environment was converted in February 1999 to another operating system; however, the contractor for the data center has not provided the IV&V contractor with an updated inventory of its hardware and system-related software (e.g., operating system, system utilities, compilers, etc.). The inventory is due to the IV&V contractor in mid-May for review. Another example of an open item is a noncompliant software product used by the Direct Loan Origination System. The software product was upgraded in April, but the IV&V contractor is still waiting for documentation.

According to Education officials and the IV&V contractors, these open issues are considered low-risk items and are in the process of being resolved. With the exception of data exchange testing (discussed below), Education expects to resolve these issues over the next few months. The department needs to be diligent in making sure that these issues are indeed resolved expeditiously.

[10] The IV&V contractor reviews Y2K test efforts to ensure that they are complete and accurate and in conformance with the Y2K test and evaluation master plan.
[11] These systems are Education's Central Automated Processing System, Education's Local Area Network, Pell Grant Recipient Financial Management System, and Federal Family Education Loan System.

The department is also currently in the process of developing a new mission-critical system—the Recipient Financial Management System—to replace the current Pell Grant Recipient Financial Management System. The first two phases of the Recipient Financial Management System are expected to be implemented on May 26, 1999, with the third phase following on June 25, 1999, and the final phase scheduled for implementation on August 13, 1999. According to department officials, the new system was developed to be Y2K compliant and is scheduled to begin compliance testing this month.
Testing of Data Exchanges Is Ongoing

Beyond the testing of individual mission-critical systems, we reported last fall that Education needed to devote a significant amount of time to testing its data exchanges as part of its end-to-end testing approach. In recognition of the importance of data exchanges, the Higher Education Amendments of 1998 specifically required that Education "fully test all data exchange routes for Year 2000 compliance via end-to-end testing, and submit a report describing the parameters and results of such tests to the Comptroller General no later than by March 31, 1999." In response to this mandate, the department submitted a report describing various aspects of its end-to-end testing approach and results to date. OMB has also identified student aid as one of 42 high-impact federal programs and has assigned the Department of Education as the lead agency.

Education's approach includes the following:

• Testing and validating the data exchange software that the department develops and provides to postsecondary institutions to support the administration and application of federal student financial aid, which includes EDExpress, Free Application for Federal Student Aid (FAFSA) Express, and FAFSA on the Web.
• Testing all of its data exchanges during the renovation and validation process by simulating the trading partner's role (i.e., sending and receiving data to and from the systems).
• Testing the data exchange with the actual trading partner. A series of test dates has been scheduled for this purpose—as listed in table 2—to confirm that the transmission performs correctly for a particular entity.
Table 2: Education's 1999 Test Schedule With Data Exchange Partners

System | Trading partners involved | Test schedule
National Student Loan Data System | Schools; Clearinghouse; Guaranty Agencies | April 12 - May 21; July 12 - August 20
Central Processing System | Schools | May 31 - July 12; August 9 - September 20
Direct Loan Origination System | Schools | April 12 - May 21; July 12 - August 20
Recipient Financial Management System | Schools | May 11 - July 2[a]; August 30 - October 1[b]

[a] Testing of the Pell grant origination process.
[b] Testing of the Pell grant disbursement process.

Source: Department of Education.

In addition to data exchange testing, as part of its continuing outreach activities to data exchange partners, Education is in the process of sending out another survey this month to over 7,000 postsecondary institutions to be used in assessing how educational institutions are progressing with Y2K compliance efforts. The department expects to have results by June 1999. Education also maintains an Internet web site that contains Y2K information such as "Dear Colleague" letters about Y2K efforts, Education-developed software certification letters, and its publication entitled Year 2000 Readiness Kit: A Compilation of Y2K Resources for Schools, Colleges, and Universities. Also in development, according to Education, are plans to demonstrate the readiness of its student aid application system by having students at a local university apply for aid on systems (at the university and at an Education data center) with the clock set forward to February 29, 2000.

Education also reports that as of this month, 18 of the 36 student loan guaranty agencies have Y2K-compliant systems. Of the remaining 18 guaranty agencies still working on Y2K activities, 11 are expected to be compliant by June 1999, with another 3 expected to be compliant by September 1999. Of the remaining 4, 1 guaranty agency reports it will not be compliant until December 1999.
As part of its oversight function, the department, which will include staff from the Office of the Inspector General, is planning site visits to several guaranty agencies over the next few months to review their Y2K efforts.

Business Continuity and Contingency Planning

In keeping with the department's commitment to engage in business continuity and contingency planning, in November 1998 it posted an invitation for comment on its Y2K contingency planning process for student financial aid. Since then, a draft plan dated February 5, 1999, has been posted to its web site for review and comment by external trading partners. The draft document contains detailed plans for eight key business processes and associated subprocesses, outlining the process goal, description, and impact analysis. For each subprocess, the business impact analysis addresses failure scenarios, time horizon to failure, normal performance levels, emergency performance levels, risk mitigation options, and contingency options. The mission-critical business processes are

• student aid application and eligibility determination;
• student aid origination and disbursement;
• student enrollment tracking and reporting;
• guarantor and lender payments;
• repayment and collection;
• institutional eligibility and monitoring;
• customer service and communication; and
• Federal Family Education Loan Program origination, disbursement, repayment, and collection.

Education also intends to test its business continuity and contingency plans, and has requested additional funding in its supplemental budget request to OMB to do so. The department has conducted some preliminary tests and anticipates doing more. It currently expects to complete all of these tests by June 15, 1999.
Future Tasks Facing Education

While much of the work on renovating and validating mission-critical systems has been completed, and the risk of student financial aid delivery system failures has been significantly reduced, the department needs to continue making Y2K a top priority. Accordingly, it needs to focus particular attention on the following activities.

• Expeditiously resolving open issues delaying certification of the remaining four mission-critical systems still pending formal closeout.
• Continue resolving and tracking open issues, including environmental or functional changes made to existing systems; in doing so, ensure the involvement of IV&V contractors.
• Ensuring that the new Recipient Financial Management System has been adequately tested for Y2K compliance as each phase is implemented between now and August.
• Continue end-to-end testing of critical business processes involving Education's internal systems and its external data exchange partners. Ensure that results are monitored for completeness and any problems that may arise are addressed promptly—including concerns raised by the IV&V contractors.
• Continue outreach activities with schools, guaranty agencies, and other participants in the student financial aid community to share successes and lessons learned to help further reduce the likelihood of Y2K failures.
• Continue refining and testing the student financial aid business continuity and contingency plans, encouraging the involvement of postsecondary institutions, guaranty agencies, and other external trading partners.

In summary, Mr. Chairman, the Department of Education has made progress toward making its programs and supporting systems Year 2000 compliant. However, work remains to complete Education's planned Y2K program so as to ensure that the risk of disruption to student financial aid delivery is minimized, and that the department is prepared to handle emergencies that may arise.
This concludes my statement. I would be pleased to respond to any questions that you or other members of the Subcommittee may have at this time.

(511735)
Year 2000 Computing Challenge: Education Taking Needed Actions But Work Remains
Published by the Government Accountability Office on 1999-05-12.