oversight

Year 2000 Computing Challenge: Education Taking Needed Actions But Work Remains

Published by the Government Accountability Office on 1999-05-12.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Oversight and Investigations,
                          Committee on Education and the Workforce, House of
                          Representatives


For Release on Delivery
Expected at
2 p.m.
                          YEAR 2000 COMPUTING
Wednesday,
May 12, 1999              CHALLENGE

                          Education Taking Needed
                          Actions But Work Remains
                          Statement of Joel C. Willemssen
                          Director, Civil Agencies Information Systems
                          Accounting and Information Management Division




GAO/T-AIMD-99-180
                         Mr. Chairman and Members of the Subcommittee:

                         We are pleased to testify before you today on the Department of
                         Education's efforts to ensure that its computer systems supporting critical
                         student financial aid activities will be able to process information reliably
                         through the turn of the century. Last year, we testified that significant risks
                         remained to the department's student financial aid delivery systems, risks
                         that involved systems testing, exchanging data with internal and external
                         partners, and developing business continuity and contingency plans.1 We
                         also testified on the status of Education's mission-important and mission-
                         supportive systems.2 After providing some background information, my
                         statement today will briefly recap our prior findings and the actions that
                         were needed for reducing risk, progress by the department since then, and
                         future tasks facing Education. We performed our work from March
                         through May 1999, in accordance with generally accepted government
                         auditing standards.



Background: Systems      Student financial aid programs are administered by Education's Office of
                         Student Financial Aid Programs under title IV of the Higher Education Act
for Delivering Student   of 1965, as amended. The four major programs providing student aid
Financial Aid            currently in use are the Federal Family Education Loan Program (FFELP), 3
                         the Federal Direct Loan Program (FDLP), the Federal Pell Grant Program,
                         and campus-based programs.4 These programs together will make
                         available over $50 billion to about 9 million students during the 1999-2000
                         academic year.

                         FFELP and FDLP are the two largest postsecondary student loan
                         programs, and Pell is the largest postsecondary grant program. FFELP
                         provides student loans through private lending institutions; these loans are




                         1
                          Year 2000 Computing Crisis: Significant Risks Remain to Department of Education's Student Financial
                         Aid Systems (GAO/T-AIMD-98-302, September 17, 1998).
                         2
                           Year 2000 Computing Crisis: Updated Status of Department of Education's Information Systems
                         (GAO/T-AIMD-99-8, October 8, 1998).

                         3FFELP   was formerly the Guaranteed and Stafford Student Loan programs.

                         4
                           The campus-based programs include the Federal Work-Study Program, the Federal Perkins Loan
                         Program, and the Federal Supplemental Educational Opportunity Grant Program.




                         Page 1                                                                        GAO/T-AIMD-99-180
                       guaranteed against default by some 36 guaranty agencies5 and insured by
                       the federal government. FDLP provides student loans directly from the
                       federal government, while Pell provides grants to economically
                       disadvantaged students.

                       In many ways, Education's student financial aid delivery system is similar
                       to functions performed in the banking industry, such as making loans,
                       reporting account status, and collecting payments. The department
                       currently maintains 11 major systems for administering student financial
                       aid programs. These systems were developed independently over time by
                       multiple contractors in response to new programs or mandates. They have
                       resulted in a complex, highly heterogeneous systems environment.6 The
                       systems range from legacy mainframes, several originally developed over
                       15 years ago, to recently developed client-server environments.7



Last Year, Education   Information systems are at the heart of the department's ability to carry out
                       its mission. According to its own assessments, the student financial aid
Faced Major            delivery process could experience major problems if the systems upon
Challenges in          which it relies are not fully Year 2000 (Y2K) compliant in time. Such risks
                       include delays in disbursements; reduction in Education's ability to
Addressing Year 2000   transfer payments, process applications, or monitor program operations;
Activities             and the potential inability of postsecondary education students to verify
                       the status of their loans or grants.

                       Last September, the department had reported to the Office of Management
                       and Budget (OMB) that of its 14 mission-critical systems (11 involving
                       student financial aid), 4 had been implemented and were operating as Y2K
                       compliant. Education, along with other executive branch agencies, faced a
                       March 31, 1999, OMB deadline for implementation of Y2K-compliant
                       mission-critical systems. Given the situation at the time, we saw three key
                       issues that threatened the department's ability to carry out its mission:



                       5
                         State and private nonprofit guaranty agencies act as agents of the federal government, providing a
                       variety of services including payment of defaulted claims, collection of some defaulted loans, default-
                       avoidance activities, and counseling to schools and students.

                       6Student Financial Aid Information: Systems Architecture Needed to Improve Programs' Efficiency
                       (GAO/AIMD-97-122, July 29, 1997).

                       7
                         In a client-server environment, individual workstations (the client) and shared processors (the server)
                       cooperate over a network to complete tasks.




                       Page 2                                                                            GAO/T-AIMD-99-180
systems testing, data exchanges, and business continuity and contingency
planning.

Thorough Y2K testing is essential to providing reasonable assurance that
systems process dates correctly and will not jeopardize an organization's
ability to perform core business operations. Agencies must test not only
the Y2K compliance of individual applications, but also the complex
interactions among numerous converted or replaced computer platforms,
operating systems, utilities, applications, databases, and interfaces.
Because of Education's late start and the compression of its schedule to
meet the March 31 deadline, the time available for key testing activities of
mission-critical systems was limited.

We pointed out that Education needed to mitigate critical risks that
affected its ability to award and track billions of dollars in student financial
aid by ensuring adequate testing of its systems. We said that maintaining
testing and implementation schedules while ensuring testing adequacy
would be essential. Effectively addressing testing reduces the risk that the
department's ability to deliver financial aid to students could be
compromised.

Data exchange—the transfer of information across systems—is the second
area of risk we identified at Education last September. Conflicting formats
or data processed on noncompliant systems could spread errors from
system to system, compromising not only data but also the systems
themselves. To mitigate this risk, organizations need to inventory and
assess their data exchanges, reach agreements with exchange partners on
formats and protocols, and develop contingency plans in the event of
failure.

Education's student financial aid environment is very large and complex; it
includes over 7,000 schools, 6,500 lenders, and 36 loan guaranty agencies—
not to mention other federal agencies. Figure 1 is a simplified graphic
representation of that environment. As we reported in September, to
address its data exchanges with schools, lenders, and guaranty agencies,
Education dictated how the data that these institutions provide to the
department should be formatted. The department handles this in one of
two ways: it either provides software to institutions, such as EDExpress,
or it provides the technical specifications for the institution to use in
developing the necessary interface.




Page 3                                                        GAO/T-AIMD-99-180
Figure 1: Education's Student Financial Aid Data Exchange Environment




                                                                                                                                 Federal Agencies
                            Students                                                                Lenders
                                                                                                                                   Immigration
                                                                                                                                      and
                                                                                                                                  Naturalization
                                                                                                                                     Service


                                                                    Guaranty                                                        Social
                                                                    Agencies                                                       Security
                                                                                                                                 Administration

                                                                                                                                    Internal
                                                                                                   Department                       Revenue
                                                                                                       of                           Service
                                                                                                   Education
                                                                                                                                     Federal
                             Schools                                                              Internal Systems                   Reserve
                                                                                                                                     System

                                                                                                                                   Department
                                                                                                                                       of
                                                                                                                                     Justice

                                                                                                    State Grant                     Selective
                                                                             National
                                                   Collection                                           and                          Service
                                                                            Collection
                                                   Agencies                                         Scholarship                      System
                                                                              Center
                                                                                                     Agencies




                                                                     Title IV Wide Area Network




                          Multiple       Central             Pell Grant          Campus             Direct Loan   Direct Loan    Direct Loan
                         Data Entry    Processing           Recipient Fin         Based             Origination   Central Data    Servicing
                          System        System              Mgmt System          System               System        System         System




                                                                    National Student
                                                                   Loan Data System

                             Postsecondary                                                                      Education's
                          Education Participants                                                             Central Automated
                                 System                                                                      Processing System

                                                                   Federal Family
                                                                Education Loan System




                                                     Source: Department of Education.


                                                     As of last fall, the department had been active in coordinating with its data
                                                     exchange partners. Beyond this, however, we pointed out that Education



                                                     Page 4                                                                                         GAO/T-AIMD-99-180
                    needed to engage in end-to-end testing8 of its mission-critical business
                    processes, including data exchanges. Further complicating data exchange
                    compliance is the need to ensure that data are not only formatted
                    consistently but are accurate. As we have previously reported, Education
                    has experienced serious data integrity problems in the past. 9

                    As Education reported last September, its own surveys showed that many
                    of its data exchange partners had a long way to go. For example, in the
                    summer of 1998, the department and the American Association of
                    Community Colleges conducted surveys of the Y2K readiness of
                    postsecondary schools. They found that up to one-third of the schools did
                    not have a compliance plan in place.

                    The third area we discussed last September as critical for Education was
                    business continuity and contingency planning. Some problems are
                    inevitable as any organization enters the next century. It is vital, then, that
                    realistic contingency plans be developed to ensure the continuity of core
                    business operations in the event of Y2K-induced failures. And as our
                    testimony pointed out, continuity and contingency plans must focus on
                    more than agency systems alone; they must likewise address data provided
                    by their business partners and the public infrastructure. One weak link
                    anywhere in the chain of critical dependencies can cause major disruption.

                    The department has been committed to developing business continuity and
                    contingency plans for each mission-critical business process and its
                    supporting systems. It initiated contingency planning in February 1998,
                    and appointed a senior executive to manage the development and testing of
                    continuity and contingency plans for all student financial aid operations.
                    Completion of such plans was targeted for March 31, 1999.



Progress Has Been   As of March 31, 1999, the Department of Education reported that all of its
                    14 mission-critical systems—including the 11 student financial aid delivery
Made                systems—were Y2K compliant and in operation. Our review of three of
                    these systems found adequate test documentation. However, the
                    department has not yet closed out four of its systems as completing the

                    8The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which
                    collectively support an organizational core business area or function, interoperate as intended in an
                    operational environment, either actual or simulated.

                    9
                        GAO/AIMD-97-122, July 29, 1997.




                    Page 5                                                                           GAO/T-AIMD-99-180
                           Y2K compliance process in accordance with Education-specific guidance;
                           other systems issues also remain outstanding, although they are generally
                           considered low-risk. Testing of data exchanges and end-to-end testing of
                           key business processes are continuing according to the department's
                           schedule, as is the refinement of business continuity and contingency
                           plans.


Systems Tests Were         As part of our work, we selected three student financial aid systems and
Adequately Supported But   reviewed the contractor's change control/quality control process, test
                           plans, and test results. We found adequate documentation supporting
Open Issues Remain
                           baseline, regression, and future date testing at the unit and system levels,
                           as summarized in table 1.



                           Table 1: Education's System Testing Documentation

                                                                                                      Test components
                           System                                          Type of test       Unita               Systemb
                           National Student Loan Data System               B                  Completed           Completed
                                                                           R                  Completed           Completed
                                                                           FT                 Completed           Completed
                                                                           FF                 Not   applicablec   Completed
                           Federal Family Education Loan System B                             Completed           Completed
                                                                           R                  Completed           Completed
                                                                           FT                 Completed           Completed
                                                                           FF                 Not applicable      Not planned
                           Pell Grant Recipient Financial                  B                  Completed           Completed
                           Management System
                                                                           R                  Completed           Completed
                                                                           FT                 Completed           Completed
                                                                           FF                 Not applicable      Not planned
                           Legend:
                           B: Baseline Testing provides a baseline assessment of component and system performance before
                           changes are made so that a basis for comparison exists.
                           R: Regression Testing is selective retesting to detect faults introduced during modification of a system.
                           FT: Future Date Testing Using Test Tools simulates operating in the year 2000 by using software to
                           simulate a date in the future.
                           FF: Future Date Testing in Test Facility simulates operating in the year 2000 using a test facility that
                           replicates a system's operating environment that is set to operate using a date in the future.




                           Page 6                                                                            GAO/T-AIMD-99-180
aUnit    testing is performed to determine whether individual program modules perform to specification.
b
 System testing is performed to determine whether the results generated by the enterprise's
information system and its components are accurate and the system performs to specification.
c
    Future date testing in a test facility was not done at the unit level.


Education reported that its 14 mission-critical systems were compliant as
of March 31, but it still has remaining tasks to complete for several of these
systems before certifying them as completing the Y2K compliance process.
The final step of the department's close out process includes a Year 2000
System Closeout form that is signed by the system manager, principal
office coordinator, Year 2000 project management team liaison, and either
the independent verification and validation (IV&V) contractor or a
representative of the Year 2000 Program Office support contractor.10 The
signatures certify that the system has completed the Y2K compliance
process, consisting of successfully passing appropriate Y2K validation tests
(including IV&V), and identifying and testing data exchanges. As of May 9,
the department had not closed out 411 of its 14 mission-critical systems,
including 2 student financial aid systems. Education expects to close out
three of the remaining four systems by the end of this month but has not yet
received final concurrence from IV&V contractors, who are waiting to
review documentation pending from the department. According to
Education officials, the fourth system Education’s Local Area Network
(EDNET) requires additional funding for Y2K interoperability. Education
has requested these funds as part of a supplemental budget request to OMB
for Y2K emergency funding.

In addition to closing out the remaining 4 systems, 7 of the other 10
mission-critical systems have remaining tasks (excluding data exchange
testing) that still need to be completed. For example, the Campus Based
System's computing environment was converted in February 1999 to
another operating system; however, the contractor for the data center has
not provided the IV&V contractor with an updated inventory of its
hardware and system-related software (e.g., operating system, system
utilities, compilers, etc.). The inventory is due to the IV&V contractor in
mid-May for review. Another example of an open item is a noncompliant
software product used by the Direct Loan Origination System. The


10The IV&V contractor reviews Y2K test efforts to ensure that they are complete and accurate and in
conformance with the Y2K test and evaluation master plan.

11
 These systems are Education's Central Automated Processing System, Education's Local Area
Network, Pell Grant Recipient Financial Management System, and Federal Family Education Loan
System.




Page 7                                                                            GAO/T-AIMD-99-180
                            software product was upgraded in April, but the IV&V contractor is still
                            waiting for documentation.

                            According to Education officials and the IV&V contractors, these open
                            issues are considered low-risk items and are in the process of being
                            resolved. With the exception of data exchange testing (discussed below),
                            Education expects to resolve these issues over the next few months. The
                            department needs to be diligent in making sure that these issues are indeed
                            resolved expeditiously.

                            The department is also currently in the process of developing a new
                            mission-critical system—the Recipient Financial Management System—to
                            replace the current Pell Grant Recipient Financial Management System.
                            The first two phases of the Recipient Financial Management System are
                            expected to be implemented on May 26, 1999, with the third phase
                            following on June 25, 1999, and the final phase scheduled for
                            implementation on August 13, 1999. According to department officials, the
                            new system was developed to be Y2K compliant and is scheduled to begin
                            compliance testing this month.


Testing of Data Exchanges   Beyond the testing of individual mission-critical systems, we reported last
Is Ongoing                  fall that Education needed to devote a significant amount of time to testing
                            its data exchanges as part of its end-to-end testing approach. In
                            recognition of the importance of data exchanges, the Higher Education
                            Amendments of 1998 specifically required that Education "fully test all data
                            exchange routes for Year 2000 compliance via end-to-end testing, and
                            submit a report describing the parameters and results of such tests to the
                            Comptroller General no later than by March 31, 1999." In response to this
                            mandate, the department submitted a report describing various aspects of
                            its end-to-end testing approach and results to date. OMB has also identified
                            student aid as one of 42 high-impact federal programs and has assigned the
                            Department of Education as the lead agency. Education's approach
                            includes the following:

                            • Testing and validating the data exchange software that the department
                              develops and provides to postsecondary institutions to support the
                              administration and application of federal student financial aid, which
                              includes EDExpress, Free Application for Federal Student Aid (FAFSA)
                              Express, and FAFSA on the Web.




                            Page 8                                                     GAO/T-AIMD-99-180
• Testing all of its data exchanges during the renovation and validation
  process by simulating the trading partner's role (i.e., sending and
  receiving data to and from the systems).
• Testing the data exchange with the actual trading partner. A series of
  test dates has been scheduled for this purpose—as listed in table 2—to
  confirm that the transmission performs correctly for a particular entity.



Table 2: Education's 1999 Test Schedule With Data Exchange Partners

                                                Trading partners
System                                          involved            Test schedule
National Student Loan Data System               Schools             April 12 - May 21
                                                Clearinghouse       July 12 - August 20
                                                Guaranty Agencies
Central Processing System                       Schools             May 31- July 12
                                                                    August 9 - September 20
Direct Loan Origination System                  Schools             April 12 - May 21
                                                                    July 12 - August 20
Recipient Financial Management                  Schools             May 11 - July 2a
System                                                              August 30 - October 1b
aTesting   of the Pell grant origination process.
b
    Testing of the Pell grant disbursement process.
Source: Department of Education.


In addition to data exchange testing, as part of its continuing outreach
activities to data exchange partners, Education is in the process of sending
out another survey this month to over 7,000 postsecondary institutions to
be used in assessing how educational institutions are progressing with Y2K
compliance efforts. The department expects to have results by June 1999.
Education also maintains an Internet web site that contains Y2K
information such as "Dear Colleague" letters about Y2K efforts, Education-
developed software certification letters, and its publication entitled Year
2000 Readiness Kit: A Compilation of Y2K Resources for Schools, Colleges,
and Universities. Also in development, according to Education, are plans
to demonstrate the readiness of its student aid application system by
having students at a local university apply for aid on systems (at the
university and at an Education data center) with the clock set forward to
February 29, 2000.

Education also reports that as of this month, 18 of the 36 student loan
guaranty agencies have Y2K-compliant systems. Of the remaining 18
guaranty agencies still working on Y2K activities, 11 are expected to be



Page 9                                                                    GAO/T-AIMD-99-180
                          compliant by June 1999, with another 3 expected to be compliant by
                          September 1999. Of the remaining 4, 1 guaranty agency reports it will not
                          be compliant until December 1999. As part of its oversight function, the
                          department, which will include staff from the Office of the Inspector
                          General, is planning site visits to several guaranty agencies over the next
                          few months to review their Y2K efforts.


Business Continuity and   In keeping with the department's commitment to engage in business
Contingency Planning      continuity and contingency planning, in November 1998 it posted an
                          invitation for comment on its Y2K contingency planning process for
                          student financial aid. Since then, a draft plan dated February 5, 1999, has
                          been posted to its web site for review and comment by external trading
                          partners. The draft document contains detailed plans for eight key
                          business processes and associated subprocesses, outlining the process
                          goal, description, and impact analysis. For each subprocess, the business
                          impact analysis addresses failure scenarios, time horizon to failure, normal
                          performance levels, emergency performance levels, risk mitigation options,
                          and contingency options. The mission-critical business processes are

                          •   student aid application and eligibility determination;
                          •   student aid origination and disbursement;
                          •   student enrollment tracking and reporting;
                          •   guarantor and lender payments;
                          •   repayment and collection;
                          •   institutional eligibility and monitoring;
                          •   customer service and communication; and
                          •   Federal Family Education Loan Program origination, disbursement,
                              repayment, and collection.

                          Education also intends to test its business continuity and contingency
                          plans, and has requested additional funding in its supplemental budget
                          request to OMB to do so. The department has conducted some preliminary
                          tests and anticipates doing more. It currently expects to complete all of
                          these tests by June 15, 1999.



Future Tasks Facing       While much of the work on renovating and validating mission-critical
                          systems has been completed, and the risk of student financial aid delivery
Education                 system failures has been significantly reduced, the department needs to
                          continue making Y2K a top priority. Accordingly, it needs to focus
                          particular attention on the following activities.


               Leter      Page 10                                                    GAO/T-AIMD-99-180
                   • Expeditiously resolving open issues delaying certification of the
                     remaining four mission-critical systems still pending formal closeout.
                   • Continue resolving and tracking open issues, including environmental or
                     functional changes made to existing systems; in doing so, ensure the
                     involvement of IV&V contractors.
                   • Ensuring that the new Recipient Financial Management System has
                     been adequately tested for Y2K compliance as each phase is
                     implemented between now and August.
                   • Continue end-to-end testing of critical business processes involving
                     Education's internal systems and its external data exchange partners.
                     Ensure that results are monitored for completeness and any problems
                     that may arise are addressed promptly—including concerns raised by
                     the IV&V contractors.
                   • Continue outreach activities with schools, guaranty agencies, and other
                     participants in the student financial aid community to share successes
                     and lessons learned to help further reduce the likelihood of Y2K failures.
                   • Continue refining and testing the student financial aid business
                     continuity and contingency plans, encouraging the involvement of
                     postsecondary institutions, guaranty agencies, and other external
                     trading partners.


                   In summary, Mr. Chairman, the Department of Education has made
                   progress toward making its programs and supporting systems Year 2000
                   compliant. However, work remains to complete Education’s planned Y2K
                   program so as to ensure that the risk of disruption to student financial aid
                   delivery is minimized, and that the department is prepared to handle
                   emergencies that may arise.

                   This concludes my statement. I would be pleased to respond to any
                   questions that you or other members of the Subcommittee may have at this
                   time.




(511735)   Leter   Page 11                                                     GAO/T-AIMD-99-180
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested