United States General Accounting Office GAO Testimony Before the Committee on Ways and Means, House of Representatives For Release on Delivery Expected at YEAR 2000 COMPUTING CRISIS 9 a.m. Wednesday, February 24, 1999 Customs Is Effectively Managing Its Year 2000 Program Statement of Randolph C. Hite Associate Director, Governmentwide and Defense Information Systems Accounting and Information Management Division GAO/T-AIMD-99-85 Mr. Chairman and Members of the Committee: Thank you for inviting me to participate in today’s hearing on the challenges faced by the Customs Service in responding to the century date problem. If this problem is not addressed in time, key automated systems affecting trillions of dollars in trade between the United States and other countries could malfunction, resulting in delayed trade processing, lost trade revenue, and increased illegal activities, such as narcotics smuggling, money laundering, and commercial fraud. Fortunately, Customs has made good progress to date addressing its Year 2000 problem, thanks in large part to the effective Year 2000 program management structures and processes that it has in place for doing so. Nevertheless, Customs faces certain Year 2000 challenges, such as completing end-to-end testing, before it will be ready to cross into the new millenium. My testimony today will address these three areas: progress to date, program management effectiveness, and future challenges. Additionally, I will comment on how Customs can benefit from its Year 2000 experience in strengthening its management of information technology. This testimony is based on our ongoing review of the effectiveness of Customs’ Year 2000 management and reporting controls. We are performing this review at the request of this Committee’s Oversight Subcommittee and its Trade Subcommittee. In short, we have reviewed Customs’ Year 2000 management and reporting structures and processes, including those relating to testing, contingency planning, risk management, and quality assurance, and we have compared these to our Year 2000 guidance1 to determine whether key internal controls are in place and functioning as intended. We have also traced the reported status of selected system components back to supporting systems documentation to verify the reported information’s accuracy. We conducted our work in collaboration with the Treasury Inspector General and in accordance with generally accepted government auditing standards from July 1998 through January 1999. 1 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in February 1997, issued final in September 1997); Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in March 1998, issued final in August 1998); and Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft in June 1998, issued final in November 1998). Page 1 GAO/T-AIMD-99-85 Customs Relies Addressing the Year 2000 problem in time is critical for the Customs Service because it relies extensively on information technology to help Extensively on enforce trade laws and collect and account for duties, taxes, and fees on Automated Systems imports.2 As the following illustrates, Customs has five mission-critical systems that run over 20 million lines of application code and are used by thousands of users within Customs, other government agencies, and the trade community. • The Automated Commercial System (ACS) tracks, controls, and processes all commercial goods imported into the United States. Over 97 percent of the data filed for imported cargo entries are sent through ACS and more than 15,000 trade and other government agency users have access to this system. • Customs’ Treasury Enforcement Communications System (TECS) interfaces with the Federal Bureau of Investigation’s National Crime Information Center and a number of other law enforcement systems and is the major automation component of the Interagency Border Inspection System, which serves as a clearinghouse for law enforcement data. Some 27,000 users, including Customs; Immigration and Naturalization Service; Internal Revenue Service; Bureau of Alcohol, Tobacco, and Firearms; and the State Department rely on TECS. • The Seized Asset and Case Tracking System (SEACATS) processes and tracks activity associated with seizures for the initial law enforcement interest in the property to its final disposition. This system is used by more than 16,000 Customs employees, and it interfaces with the Justice Department and Internal Revenue Service systems. • Customs’ Automated Export System (AES) collects export-related data from exporters and carriers and is used to help target export violators. More than 28,000 users nationwide rely on this system. • ADMIN is Customs’ primary administrative system supporting financial and human resource functions. It consists of 40 separate systems that interface with each other and with ACS, AES, and TECS. In addition to fixing and testing its systems, Customs must assess and remediate a wide range of telecommunications equipment and non- information technology (non-IT) assets installed in over 900 facilities. This non-IT equipment includes check-writers; scanners; optical readers; security systems, such as badge readers, x-ray systems, cameras, secured 2 During 1997, Customs collected $22.1 billion in revenue at more that 300 ports of entry. Page 2 GAO/T-AIMD-99-85 doors and safes; fire alarms; heating and air conditioning systems; planes; and automobiles. Customs Is Making As of January 1999, Customs reported that it had met milestones recommended by the Office of Management and Budget (OMB) for Good Progress in renovating and validating most of its mission-critical systems.3 Addressing Its Year Specifically, it reported that it had completed renovation, validation and systems acceptance testing4 of all five of its mission-critical systems. 2000 Problem Moreover, it plans to complete end-to-end testing5 for these systems and associated telecommunications systems by March 1999. Customs has also renovated most of its telecommunications equipment. Specifically, as of January 1999, Customs reported that it had assessed all of its national data center-related telecommunications systems and renovated, validated, and implemented 92 percent of the inventory requiring Year 2000 work. It had also assessed telecommunications equipment in its field offices and completed 68 percent of needed renovations. Additionally, Customs had completed about half of the work needed on headquarters and field office voice communications equipment, including telephone and voice mail systems. Customs reported that it has assessed about 82 percent of its mission- critical non-IT products. It reported that 95 percent of the products assessed is compliant, 4 percent requires renovation or replacement, and 1 percent is to be retired. It expects to complete this work by May 1999. To help ensure that the information it reports on Year 2000 progress is reliable, Customs has implemented reporting controls. For example, quality review teams review the information reported for (1) consistency (by comparing it to previously reported information), (2) completeness (by 3 OMB requires that agencies complete renovation of their mission-critical systems by September 1998, validation by January 1999, and implementation by March 1999. 4The purpose of system acceptance testing is to verify that the complete system (i.e., the full complement of application software running on the target hardware and systems software infrastructure) satisfies specified requirements (functional, performance, and security) and is acceptable to end users. 5 The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an operational environment, either actual or simulated. Page 3 GAO/T-AIMD-99-85 comparing it to reporting standards), and (3) accuracy (by validating it through observation, inquiry, or review of supporting documentation). Our review of quality review team results, as well as our independent review of the reliability of the information reported in selected system components, disclosed no discrepancies between what was being reported and what supporting system documentation showed actual progress to be. Effective Management Our Year 2000 guides provide a framework for effective Year 2000 program management. Collectively, they define a comprehensive set of program Structure and management controls for planning, directing, monitoring, and reporting on Processes Are Key to Year 2000 efforts. Customs’ Success Customs’ program management structures and processes are entirely consistent with our guidance, and Customs’ good progress to date is largely attributable to this program management capability. Along these lines, Customs has done the following. • Established a Year 2000 Program Office and designated a Year 2000 Program Manager in May 1997 and charged the office with authority over and responsibility for agencywide Year 2000 efforts, including such functional areas as Year 2000 contracting, budgeting and planning, technical support to project teams, quality assurance, auditing, and reporting. • Engaged its senior executives in the Year 2000 effort by charging the agency’s Executive Council6 with approving and overseeing the implementation of the Year 2000 strategy and resolving such issues as institutional Year 2000 priorities. • Developed a Year 2000 Strategic Plan and Year 2000 Operational Program Management Plan in June 1998, which (1) identified organizational roles and responsibilities, (2) established schedules for completing each program phase and described the tasks to be completed under each phase, (3) established reporting requirements to track progress in the various phases, (4) defined performance measures, and (5) estimated and allocated resources for the tasks and system activities within these phases. • Issued policies, guidelines, and procedures for managing and implementing the Year 2000 program, including guidance on quality 6 The Council is co-chaired by the Chief Information Officer and the Chief Financial Officer and includes the Year 2000 project managers as members. Page 4 GAO/T-AIMD-99-85 assurance, configuration management, and testing as well as business continuity and contingency planning. To ensure that the plans, policies, and guidelines are being implemented, the Year 2000 program manager is (1) holding weekly status meetings with the Year 2000 Program Office staff and the project teams, (2) tracking, prioritizing, and managing the risks associated with the IT and non-IT system conversion efforts, (3) overseeing and managing budget-related issues, and (4) conducting internal audit reviews to monitor and assess the implementation of established Year 2000 procedures. The Program Office is also tracking progress against plans and identifying issues that may affect its strategy using a central database it developed. Structured and disciplined processes have also been implemented for the testing phase of Customs’ Year 2000 effort. This is important since Customs’ key mission-critical systems run hundreds of interdependent applications, and must interface with thousands of external systems. In particular, Customs designated a Year 2000 test manager for mission- critical IT systems and assigned this manager authority and responsibility for key testing activities, such as defining exit criteria, designing and planning the tests, and executing the tests. It also established in its Year 2000 Application Testing Strategy and Plan an agencywide definition of Year 2000 compliance; engaged an independent verification and validation (IV&V) agent to ensure that process standards have been followed and that software products perform as intended; provided for ensuring that vendor- supported IT and non-IT products have been tested and that they are Year 2000 compliant; and established a Year 2000 test environment. These controls and processes have enabled Customs to meet milestones recommended by OMB for renovating and validating mission-critical systems and to allow time to conduct end-to-end tests. Finally, Customs has implemented sound management processes for developing business continuity and contingency plans that help Customs to mitigate the risks associated with unexpected internal and uncontrollable external failures. Specifically, Customs established a business continuity work group; developed a high-level business continuity planning strategy; developed a master schedule and milestones; implemented a risk management process and established a reporting system; and implemented quality assurance reviews. It then performed a business impact analysis to determine the effect that failures of mission-critical information systems have on the viability and effectiveness of agency core business processes. By defining disruption scenarios and assessing business, legal, and Page 5 GAO/T-AIMD-99-85 regulatory risks for major business processes, this analysis provided Customs the information needed to develop contingency plans for continuity of operations. Customs is now in the processes of testing its contingency plans and it plans to complete contingency plan testing, including plans for non-IT systems, by June 1999. Important Challenges Notwithstanding either Customs’ good progress to date or the effectiveness of its program management controls, Customs still has very important and Still Face Customs in challenging tasks to complete to effectively reduce its chances of serious Months to Come business disruptions. In particular, Customs still needs to conduct end-to- end testing of the systems that support important trade missions. These tests will be particularly challenging since Customs has hundreds of business partners and their respective systems. Additionally, Customs still needs to complete its contingency plans for ensuring continuity of its core business areas in the event of Year 2000-induced system failures. For Customs, this is especially challenging because it involves 42 distinct lines of business that cut across Customs’ organization units, and it involves over 300 organizational units that are located throughout the United States, each with its own unique and localized Year 2000 readiness issues. Moreover, Customs, like most organizations, faces serious risks outside of its control. For example, Customs’ depends on public infrastructure systems, such as those that provide power, water, transportation, and voice and data telecommunications. Given the number of Customs ports of entry throughout the United States, even localized disruptions in infrastructure- related services could seriously affect Customs business operations. As Customs works to develop, test, and complete its contingency plans, it must ensure that these localized event scenarios are adequately addressed. Customs Recognizes For federal agencies, the lessons to be learned from the Year 2000 problem are significant. Long-standing organizational weaknesses in managing That Management information technology contributed to both the size of the federal Improvements Made to government’s Year 2000 problem and agencies’ ensuing difficulties in addressing it. That is, agencies’ unsuccessful attempts to modernize their Address the Year 2000 information systems over the last 5 years have forced them to continue to Problem Can Provide maintain and rely on antiquated, poorly documented, noncompliant Future Benefits systems. The result was large inventories of noncompliant systems that the agencies had to quickly repair, replace, or retire in order to be century date ready. The Internal Revenue Service, with its well-chronicled history of Page 6 GAO/T-AIMD-99-85 modernization difficulties and its mammoth Year 2000 problem, vividly illustrates this point. Additionally, to address the Year 2000 problem, agencies chose to employ the same weak information technology management structures and processes that have contributed to their system modernization problems. Our reports and testimonies over the last 5 years have highlighted these weaknesses in major modernization programs.7 These weaknesses include the lack of chief information officer authority over agencies’ IT resources, the absence of complete and enforced systems architectures, the lack of mature software development and acquisition processes, and the failure to make informed IT investment decisions. Because of these weaknesses, we have designated certain modernization efforts, such as the Federal Aviation Administration’s air traffic control modernization and the Internal Revenue Service’s tax systems modernization, as high-risk federal programs.8 Customs did not adopt a “business-as-usual” approach to solving the Year 2000 problem. Using our Year 2000 guidance, Customs defined and implemented effective management structures and processes, as this testimony has described. The result is a Year 2000 program that is on schedule and has plans and management controls in place for completing remaining tasks. As important, Customs’ Commissioner has also committed to leveraging the agency’s Year 2000 experience by extending the level of project management discipline and rigor being employed on Year 2000 to other information technology programs and projects. By doing so, Customs could greatly strengthen its information technology management capabilities. In conclusion Mr. Chairman, we are cautiously optimistic about Customs’ Year 2000 program. We are optimistic because of Customs’ progress to date 7Tax System Modernization: Management and Technical Weaknesses Must Be Corrected If Modernization Is to Succeed (GAO/AIMD-95-156, July 26, 1995); Tax Systems Modernization: Actions Underway but IRS Has Not Yet Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996); and Tax Systems Modernization: Blueprint Is a Good Start but Not Yet Sufficiently Complete to Build or Acquire Systems (GAO/AIMD/GGD-98-54, February 24, 1998); Air Traffic Control: Immature Software Acquisition Processes Increase FAA System Acquisition Risks (GAO/AIMD-97-47, March 21, 1997); Air Traffic Control: Complete and Enforced Architecture Needed for FAA Systems Modernization (GAO/AIMD-97-30, February 3, 1997); and Air Traffic Control: Improved Cost Information Needed to Make Billion Dollar Modernization Investment Decisions (GAO/AIMD-97-20, January 22, 1997). 8 High-Risk Series: An Update (GAO/HR-99-1, January 1999); High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997); and High-Risk Series: An Overview (GAO/HR-95-1, February 1995). Page 7 GAO/T-AIMD-99-85 and its effective program management controls. We are cautious because important tasks remain, and because Customs, like all organizations, depends on others in order to fulfill its mission responsibilities. This concludes my statement. I would be glad to respond to any questions that you or other Members of the Committee may have at this time. (511139) Leter Page 8 GAO/T-AIMD-99-85 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
Year 2000 Computing Crisis: Customs Is Effectively Managing Its Year 2000 Program
Published by the Government Accountability Office on 1999-02-24.
Below is a raw (and likely hideous) rendition of the original report. (PDF)