Year 2000 Computing Crisis: Customs Is Effectively Managing Its Year 2000 Program

Published by the Government Accountability Office on 1999-02-24.

United States General Accounting Office

GAO Testimony
Before the Committee on Ways and Means, House of Representatives

For Release on Delivery
Expected at 9 a.m.
Wednesday, February 24, 1999

YEAR 2000 COMPUTING CRISIS

Customs Is Effectively Managing Its Year 2000 Program

Statement of Randolph C. Hite
Associate Director, Governmentwide and Defense Information Systems
Accounting and Information Management Division

GAO/T-AIMD-99-85

Mr. Chairman and Members of the Committee:

Thank you for inviting me to participate in today’s hearing on the
challenges faced by the Customs Service in responding to the century date
problem. If this problem is not addressed in time, key automated systems
affecting trillions of dollars in trade between the United States and other
countries could malfunction, resulting in delayed trade processing, lost
trade revenue, and increased illegal activities, such as narcotics smuggling,
money laundering, and commercial fraud. Fortunately, Customs has made
good progress to date addressing its Year 2000 problem, thanks in large
part to the effective Year 2000 program management structures and
processes that it has in place for doing so. Nevertheless, Customs faces
certain Year 2000 challenges, such as completing end-to-end testing, before
it will be ready to cross into the new millennium. My testimony today will
address these three areas: progress to date, program management
effectiveness, and future challenges. Additionally, I will comment on how
Customs can benefit from its Year 2000 experience in strengthening its
management of information technology.

This testimony is based on our ongoing review of the effectiveness of
Customs’ Year 2000 management and reporting controls. We are
performing this review at the request of this Committee’s Oversight
Subcommittee and its Trade Subcommittee. In short, we have reviewed
Customs’ Year 2000 management and reporting structures and processes,
including those relating to testing, contingency planning, risk management,
and quality assurance, and we have compared these to our Year 2000
guidance[1] to determine whether key internal controls are in place and
functioning as intended. We have also traced the reported status of
selected system components back to supporting systems documentation to
verify the reported information’s accuracy. We conducted our work in
collaboration with the Treasury Inspector General and in accordance with
generally accepted government auditing standards from July 1998 through
January 1999.




[1] Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in
February 1997, issued final in September 1997); Year 2000 Computing Crisis: Business Continuity and
Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in March 1998, issued final in
August 1998); and Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an
exposure draft in June 1998, issued final in November 1998).




Customs Relies Extensively on Automated Systems

                    Addressing the Year 2000 problem in time is critical for the Customs
                    Service because it relies extensively on information technology to help
                    enforce trade laws and collect and account for duties, taxes, and fees on
                    imports.[2] As the following illustrates, Customs has five mission-critical
                    systems that run over 20 million lines of application code and are used by
                    thousands of users within Customs, other government agencies, and the
                    trade community.

                    • The Automated Commercial System (ACS) tracks, controls, and
                      processes all commercial goods imported into the United States. Over
                      97 percent of the data filed for imported cargo entries are sent through
                      ACS and more than 15,000 trade and other government agency users
                      have access to this system.
                    • Customs’ Treasury Enforcement Communications System (TECS)
                      interfaces with the Federal Bureau of Investigation’s National Crime
                      Information Center and a number of other law enforcement systems and
                      is the major automation component of the Interagency Border
                      Inspection System, which serves as a clearinghouse for law enforcement
                      data. Some 27,000 users, including Customs; Immigration and
                      Naturalization Service; Internal Revenue Service; Bureau of Alcohol,
                      Tobacco, and Firearms; and the State Department rely on TECS.
                    • The Seized Asset and Case Tracking System (SEACATS) processes and
                      tracks activity associated with seizures from the initial law enforcement
                      interest in the property to its final disposition. This system is used by
                      more than 16,000 Customs employees, and it interfaces with the Justice
                      Department and Internal Revenue Service systems.
                    • Customs’ Automated Export System (AES) collects export-related data
                      from exporters and carriers and is used to help target export violators.
                      More than 28,000 users nationwide rely on this system.
                    • ADMIN is Customs’ primary administrative system supporting financial
                      and human resource functions. It consists of 40 separate systems that
                      interface with each other and with ACS, AES, and TECS.

                    In addition to fixing and testing its systems, Customs must assess and
                    remediate a wide range of telecommunications equipment and non-
                    information technology (non-IT) assets installed in over 900 facilities. This
                    non-IT equipment includes check-writers; scanners; optical readers;
                    security systems, such as badge readers, x-ray systems, cameras, secured
                    doors and safes; fire alarms; heating and air conditioning systems; planes;
                    and automobiles.

                    [2] During 1997, Customs collected $22.1 billion in revenue at more than 300 ports of entry.



Customs Is Making Good Progress in Addressing Its Year 2000 Problem

                      As of January 1999, Customs reported that it had met milestones
                      recommended by the Office of Management and Budget (OMB) for
                      renovating and validating most of its mission-critical systems.[3]
                      Specifically, it reported that it had completed renovation, validation and
                      systems acceptance testing[4] of all five of its mission-critical systems.
                      Moreover, it plans to complete end-to-end testing[5] for these systems and
                      associated telecommunications systems by March 1999.

                      Customs has also renovated most of its telecommunications equipment.
                      Specifically, as of January 1999, Customs reported that it had assessed all
                      of its national data center-related telecommunications systems and
                      renovated, validated, and implemented 92 percent of the inventory
                      requiring Year 2000 work. It had also assessed telecommunications
                      equipment in its field offices and completed 68 percent of needed
                      renovations. Additionally, Customs had completed about half of the work
                      needed on headquarters and field office voice communications equipment,
                      including telephone and voice mail systems.

                      Customs reported that it has assessed about 82 percent of its mission-
                      critical non-IT products. It reported that 95 percent of the products
                      assessed is compliant, 4 percent requires renovation or replacement, and 1
                      percent is to be retired. It expects to complete this work by May 1999.

                      To help ensure that the information it reports on Year 2000 progress is
                      reliable, Customs has implemented reporting controls. For example,
                      quality review teams review the information reported for (1) consistency
                      (by comparing it to previously reported information), (2) completeness (by
                      comparing it to reporting standards), and (3) accuracy (by validating it
                      through observation, inquiry, or review of supporting documentation).
                      Our review of quality review team results, as well as our independent
                      review of the reliability of the information reported in selected system
                      components, disclosed no discrepancies between what was being reported
                      and what supporting system documentation showed actual progress to be.

                      [3] OMB requires that agencies complete renovation of their mission-critical systems by September 1998,
                      validation by January 1999, and implementation by March 1999.

                      [4] The purpose of system acceptance testing is to verify that the complete system (i.e., the full
                      complement of application software running on the target hardware and systems software
                      infrastructure) satisfies specified requirements (functional, performance, and security) and is
                      acceptable to end users.

                      [5] The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which
                      collectively support an organizational core business area or function, interoperate as intended in an
                      operational environment, either actual or simulated.



Effective Management Structure and Processes Are Key to Customs’ Success

                       Our Year 2000 guides provide a framework for effective Year 2000 program
                       management. Collectively, they define a comprehensive set of program
                       management controls for planning, directing, monitoring, and reporting on
                       Year 2000 efforts.

                       Customs’ program management structures and processes are entirely
                       consistent with our guidance, and Customs’ good progress to date is largely
                       attributable to this program management capability. Along these lines,
                       Customs has done the following.

                       • Established a Year 2000 Program Office and designated a Year 2000
                         Program Manager in May 1997 and charged the office with authority
                         over and responsibility for agencywide Year 2000 efforts, including such
                         functional areas as Year 2000 contracting, budgeting and planning,
                         technical support to project teams, quality assurance, auditing, and
                         reporting.
                       • Engaged its senior executives in the Year 2000 effort by charging the
                         agency’s Executive Council[6] with approving and overseeing the
                         implementation of the Year 2000 strategy and resolving such issues as
                         institutional Year 2000 priorities.
                       • Developed a Year 2000 Strategic Plan and Year 2000 Operational
                         Program Management Plan in June 1998, which (1) identified
                         organizational roles and responsibilities, (2) established schedules for
                         completing each program phase and described the tasks to be
                         completed under each phase, (3) established reporting requirements to
                         track progress in the various phases, (4) defined performance measures,
                         and (5) estimated and allocated resources for the tasks and system
                         activities within these phases.
                       • Issued policies, guidelines, and procedures for managing and
                         implementing the Year 2000 program, including guidance on quality
                         assurance, configuration management, and testing as well as business
                         continuity and contingency planning.

                       [6] The Council is co-chaired by the Chief Information Officer and the Chief Financial Officer and includes
                       the Year 2000 project managers as members.

To ensure that the plans, policies, and guidelines are being implemented,
the Year 2000 program manager is (1) holding weekly status meetings with
the Year 2000 Program Office staff and the project teams, (2) tracking,
prioritizing, and managing the risks associated with the IT and non-IT
system conversion efforts, (3) overseeing and managing budget-related
issues, and (4) conducting internal audit reviews to monitor and assess the
implementation of established Year 2000 procedures. The Program Office
is also tracking progress against plans and identifying issues that may
affect its strategy using a central database it developed.

Structured and disciplined processes have also been implemented for the
testing phase of Customs’ Year 2000 effort. This is important since
Customs’ key mission-critical systems run hundreds of interdependent
applications, and must interface with thousands of external systems. In
particular, Customs designated a Year 2000 test manager for mission-
critical IT systems and assigned this manager authority and responsibility
for key testing activities, such as defining exit criteria, designing and
planning the tests, and executing the tests. It also established in its Year
2000 Application Testing Strategy and Plan an agencywide definition of
Year 2000 compliance; engaged an independent verification and validation
(IV&V) agent to ensure that process standards have been followed and that
software products perform as intended; provided for ensuring that vendor-
supported IT and non-IT products have been tested and that they are Year
2000 compliant; and established a Year 2000 test environment. These
controls and processes have enabled Customs to meet milestones
recommended by OMB for renovating and validating mission-critical
systems and to allow time to conduct end-to-end tests.

Finally, Customs has implemented sound management processes for
developing business continuity and contingency plans that help Customs to
mitigate the risks associated with unexpected internal and uncontrollable
external failures. Specifically, Customs established a business continuity
work group; developed a high-level business continuity planning strategy;
developed a master schedule and milestones; implemented a risk
management process and established a reporting system; and implemented
quality assurance reviews. It then performed a business impact analysis to
determine the effect that failures of mission-critical information systems
have on the viability and effectiveness of agency core business processes.
By defining disruption scenarios and assessing business, legal, and
regulatory risks for major business processes, this analysis provided
Customs the information needed to develop contingency plans for
continuity of operations. Customs is now in the process of testing its
contingency plans, and it plans to complete contingency plan testing,
including plans for non-IT systems, by June 1999.



Important Challenges Still Face Customs in Months to Come

                        Notwithstanding either Customs’ good progress to date or the effectiveness
                        of its program management controls, Customs still has very important and
                        challenging tasks to complete to effectively reduce its chances of serious
                        business disruptions. In particular, Customs still needs to conduct
                        end-to-end testing of the systems that support important trade missions. These
                        tests will be particularly challenging since Customs has hundreds of
                        business partners and their respective systems. Additionally, Customs still
                        needs to complete its contingency plans for ensuring continuity of its core
                        business areas in the event of Year 2000-induced system failures. For
                        Customs, this is especially challenging because it involves 42 distinct lines
                        of business that cut across Customs’ organization units, and it involves
                        over 300 organizational units that are located throughout the United States,
                        each with its own unique and localized Year 2000 readiness issues.

                        Moreover, Customs, like most organizations, faces serious risks outside of
                        its control. For example, Customs depends on public infrastructure
                        systems, such as those that provide power, water, transportation, and voice
                        and data telecommunications. Given the number of Customs ports of entry
                        throughout the United States, even localized disruptions in infrastructure-
                        related services could seriously affect Customs business operations. As
                        Customs works to develop, test, and complete its contingency plans, it
                        must ensure that these localized event scenarios are adequately addressed.



Customs Recognizes That Management Improvements Made to Address the Year 2000 Problem Can Provide Future Benefits

                        For federal agencies, the lessons to be learned from the Year 2000 problem
                        are significant. Long-standing organizational weaknesses in managing
                        information technology contributed to both the size of the federal
                        government’s Year 2000 problem and agencies’ ensuing difficulties in
                        addressing it. That is, agencies’ unsuccessful attempts to modernize their
                        information systems over the last 5 years have forced them to continue to
                        maintain and rely on antiquated, poorly documented, noncompliant
                        systems. The result was large inventories of noncompliant systems that the
                        agencies had to quickly repair, replace, or retire in order to be century date
                        ready. The Internal Revenue Service, with its well-chronicled history of
                        modernization difficulties and its mammoth Year 2000 problem, vividly
                        illustrates this point.

Additionally, to address the Year 2000 problem, agencies chose to employ
the same weak information technology management structures and
processes that have contributed to their system modernization problems.
Our reports and testimonies over the last 5 years have highlighted these
weaknesses in major modernization programs.[7] These weaknesses include
the lack of chief information officer authority over agencies’ IT resources,
the absence of complete and enforced systems architectures, the lack of
mature software development and acquisition processes, and the failure to
make informed IT investment decisions. Because of these weaknesses, we
have designated certain modernization efforts, such as the Federal Aviation
Administration’s air traffic control modernization and the Internal Revenue
Service’s tax systems modernization, as high-risk federal programs.[8]

Customs did not adopt a “business-as-usual” approach to solving the Year
2000 problem. Using our Year 2000 guidance, Customs defined and
implemented effective management structures and processes, as this
testimony has described. The result is a Year 2000 program that is on
schedule and has plans and management controls in place for completing
remaining tasks. As important, Customs’ Commissioner has also
committed to leveraging the agency’s Year 2000 experience by extending
the level of project management discipline and rigor being employed on
Year 2000 to other information technology programs and projects. By
doing so, Customs could greatly strengthen its information technology
management capabilities.

In conclusion, Mr. Chairman, we are cautiously optimistic about Customs’
Year 2000 program. We are optimistic because of Customs’ progress to date
and its effective program management controls. We are cautious because
important tasks remain, and because Customs, like all organizations,
depends on others in order to fulfill its mission responsibilities.

This concludes my statement. I would be glad to respond to any questions
that you or other Members of the Committee may have at this time.

[7] Tax System Modernization: Management and Technical Weaknesses Must Be Corrected If
Modernization Is to Succeed (GAO/AIMD-95-156, July 26, 1995); Tax Systems Modernization: Actions
Underway but IRS Has Not Yet Corrected Management and Technical Weaknesses (GAO/AIMD-96-106,
June 7, 1996); and Tax Systems Modernization: Blueprint Is a Good Start but Not Yet Sufficiently
Complete to Build or Acquire Systems (GAO/AIMD/GGD-98-54, February 24, 1998); Air Traffic Control:
Immature Software Acquisition Processes Increase FAA System Acquisition Risks (GAO/AIMD-97-47,
March 21, 1997); Air Traffic Control: Complete and Enforced Architecture Needed for FAA Systems
Modernization (GAO/AIMD-97-30, February 3, 1997); and Air Traffic Control: Improved Cost
Information Needed to Make Billion Dollar Modernization Investment Decisions (GAO/AIMD-97-20,
January 22, 1997).

[8] High-Risk Series: An Update (GAO/HR-99-1, January 1999); High-Risk Series: Information Management
and Technology (GAO/HR-97-9, February 1997); and High-Risk Series: An Overview (GAO/HR-95-1,
February 1995).



