Office of the Chief Financial Officer New Core Project: Release 3 Project Management Information Systems Audit Division Audit Report Number: 2015-DP-0006 Washington, DC June 12, 2015 Audit Report Number: 2015-DP-0006 Date: June 12, 2015 Weaknesses in the New Core Project Were Not Adequately Addressed Highlights What We Audited and Why We audited the U.S. Department of Housing and Urban Development’s (HUD) New Core Project as part of the internal control assessments required for the fiscal year 2015 financial statement audit under the Chief Financial Officer’s Act of 1990. Our objective was to assess the status of the project and to determine whether the New Core Project team complied with Federal regulations and departmental project management processes. This audit is the first of several to be completed on the New Core Project implementation. What We Found Weaknesses in the New Core Project were not adequately addressed. HUD did not follow its own agency policies and procedures, the policies established for New Core, or best practices. HUD will become the first cabinet-level agency to use a Federal shared service provider. The transfer of its financial management to a shared service provider has been widely publicized. HUD’s previous attempt to use a commercial shared service provider to start a new financial management system failed after spending more than $35 million. Our review of the previous project determined that Office of the Chief Financial Officer did not properly plan and manage its implementation of that project. If HUD is not successful in this implementation, it could reflect negatively on Office of Management and Budget’s mandate to use Federal shared service providers. The weaknesses identified in this report relate to requirements and schedule and risk management. These areas are significant to the project plan, and the effectiveness with which HUD manages them is critical to the project’s success. What We Recommend We recommend that the Chief Financial Officer (1) ensure that requirements for the functional areas that were not part of the shared service provider’s standard configuration are completed and approved before beginning design and development, (2) reevaluate the October 1, 2015, start date for release 3, (3) modify the project schedule and dashboard to identify the critical path, (4) establish a contingency plan, (5) ensure that all risks are fully mitigated before closing, and (6) address the remaining weaknesses identified. Table of Contents Background and Objective......................................................................................4 Results of Audit ........................................................................................................6 Finding: Weaknesses in the New Core Project Were Not Adequately Addressed .... 6 Scope and Methodology .........................................................................................12 Internal Controls ....................................................................................................13 Appendixes ..............................................................................................................14 A. Auditee Comments and OIG’s Evaluation ............................................................. 14 3 Background and Objective The U.S. Department of Housing and Urban Development (HUD) has been modernizing its legacy financial management system since fiscal year 2003. The previous project, the HUD Integrated Financial Management Improvement Project, was intended to replace two of the applications currently used for core processing. In March 2012, however, HUD stopped work on the project and later canceled it after spending more than $35 million. In the fall of 2012, the New Core Project was created to implement a new core financial system. On March 25, 2013, the Office of Management and Budget (OMB) issued memorandum M-13- 08, which mandates the use of Federal shared service providers to modernize core accounting or mixed systems. HUD conducted an alternatives analysis and determined that U.S. Department of the Treasury’s Bureau of Fiscal Services’ Administrative Resource Center (ARC), formerly the Bureau of Public Debt, was the best option among the available Federal shared service providers. HUD signed an interagency agreement on July 30, 2013, to migrate its financial transactions and systems to ARC. Specifically, ARC will support (1) funds management, (2) purchasing, (3) accounts payable, (4) accounts receivable, (5) cash management, (6) cost accounting, (7) the core financial system, (8) the general ledger, (9) financial reporting, (10) grants management, and (11) loans management. The project includes the following four phases: • Phase 1 is separated into four different releases. Each release defines a particular function that will be transferred to Treasury’s shared services platform as follows: • Release 1 transferred the travel and relocation functions to Treasury on October 1, 2014. • Release 2, transferring time and attendance, was implemented on February 8, 2015. • Release 3 will cover the migration of the core financial services owned by the Office of the Chief Financial Officer (OCFO). This release includes the migration of accounting system services associated with budget execution, accounting, finance, data warehouse reporting, and an interface solution. Release 3 is scheduled for implementation in the fourth quarter of fiscal year 2015 or the first quarter of fiscal year 2016. • Release 4 will address HUD’s grant and loan accounting systems. Details regarding this release have not been finalized, and there is no scheduled date for implementation. • Phase 2 of the project will address managerial cost accounting, budget formulation, and a fixed assets system. • Phases 3 and 4 of the project will address the consolidation of the Federal Housing Administration and Government National Mortgage Association as well as the migration of the functionality of HUD’s Line of Credit Control System. 4 Details regarding phases 2, 3, and 4 have not been finalized, and there are no scheduled dates for implementation. New Core resources come from various organizations and funding sources. New Core has a three-part budget development that includes the following: • Modernization and enhancement funds from the Working Capital Fund - Information Technology (IT) portfolio, • Full-time employees from many sources, and • Operations and maintenance – salaries and expenses. Funding delays and cuts have impacted modernization and enhancement activities. As a result, money appropriated in fiscal year 2014 was not fully available. As of February 2015, HUD had received only about $4.5 million of the $10 million budgeted. In addition, congressional cuts to fiscal year 2015-16 funding resulted in the elimination of all modernization and enhancement funding, including the $15.9 million budgeted for New Core. A significant amount of the operations and maintenance funding requested was also eliminated, resulting in the $16.6 million requested for New Core being transferred to the salaries and expenses budget. As a result, New Core is pursuing $18 million, the $10 million budgeted, and an additional $8 million reallocated from other projects to cover current agreement and pending activity costs through March 2016. This audit was conducted as a component of the internal control assessments required for the fiscal year 2015 financial statement audit under the Chief Financial Officer’s Act of 1990. Our objective was to assess the status of the project and to determine whether the New Core Project team complied with Federal regulations and departmental project management processes. This audit is the first of several to be completed on the New Core Project implementation. 5 Results of Audit Finding: Weaknesses in the New Core Project Were Not Adequately Addressed Weaknesses in the New Core Project were not adequately addressed. Specifically, (1) HUD may have rushed release 3 system design and development activities, (2) schedule management deficiencies may impact the timeliness and quality of the release 3 solutions, and (3) risk management weaknesses may have misrepresented the project’s status. These conditions resulted from noncompliance with HUD’s own IT project management policy and best practices. HUD’s failure to successfully implement New Core could result in a system that may not meet HUD’s needs. In addition, HUD’s transfer of its financial management to a shared service provider has been widely publicized. If HUD is not successful in this implementation, it could reflect negatively on OMB’s mandate to use Federal shared service providers to modernize core accounting or mixed systems. System Design and Development Activities May Have Been Rushed The project schedule allowed system design and development tasks to begin before all requirements had been identified and approved for some of the functional areas that were not part of the shared service provider’s standard configuration. In the planning phase, the integrated project team decides whether to modify or enhance a system, custom develop a new solution, install and configure a commercial or government off-the-shelf capability, or use a service provided by an external commercial or government entity to meet the identified business needs. During this phase, the team also develops a detailed project schedule. The New Core team broke the requirements into multiple functional areas. Some of the areas were part of the shared service provider’s standard configuration, and some were not. As of April 3, 2015, all of the shared service requirements had been completed. For the areas that were not part of the standard configuration, requirements needed to be completed before design and development began. However, the March 12, 2015, project schedule had design and development tasks for data reconciliations and the system interface solution that were not part of the standard configuration. These tasks were scheduled to begin before the requirements had been completed. HUD identified the risks involved in developing system designs before completing the planning phase approvals. The risks and anticipated outcomes were identified in the risk and issue logs starting in August 2013 and in five independent verification and validation reports starting in November 2013. If requirements are not identified and understood during the requirements and analysis project phase, the release 3 solution may not meet HUD’s needs and could adversely affect the design, development, business process, and testing components. Failing to identify requirements before going online could negatively impact HUD’s business operations, create additional work or cost overruns, and require labor-intensive manual work-arounds. 6 The deficiencies discussed above occurred because HUD did not comply with IT best practices and HUD’s project planning and management procedures as well as a perceived reluctance to delay the October 1, 2015, implementation date. The independent verification and validation team reported that the release 3 schedule was developed under the October 1, 2015, deadline, and this date was not extended when additional work packages were added to the schedule. Although the independent verification and validation team repeated its concern that the time needed to complete certain tasks may have been underestimated in several reports, HUD did not change the October 1, 2015, implementation date. Schedule Management Deficiencies May Impact the Release 3 Implementation Date Schedule management deficiencies may impact the timeliness and quality of the release 3 solution. Specifically, 1) The project master schedule was baselined, 1 signifying its finalization and approval prematurely, 2) The project master schedule did not allow sufficient time to address issues identified during testing, 3) Critical path tasks were not clearly identified in the project master schedule or dashboards, 2 4) Critical path activities that were late were not listed as red on the dashboards, 5) Information reported on the dashboard did not match the project master schedule, and 6) The New Core team had not developed a contingency plan for release 3. The project master schedule was baselined before the Office of the Chief Information Officer (OCIO) could determine whether the time necessary to complete assigned tasks was appropriate. In project management, establishing the baseline is the formal end of project planning and the beginning of project execution and control. Controlling the project baseline is critical to project success. The U.S. Government Accountability Office’s schedule assessment guide states that an integrated master schedule connects all the scheduled work of the government and the contractor in a collection of logically linked sequences of activities. It also states that the government program management office must ensure that the schedule is as logical and realistic as possible and that the integrated master schedule must be a complete and dynamic network. In addition, it should consist of logically related activities with forecast dates that are automatically recalculated when activities change. The decision to baseline the project master schedule before the completion of the OCIO focus group’s meetings made it likely that adjustments to the project schedule would be required, creating additional work for the New Core team. We discussed our concerns with the project’s executive director, who acknowledged that the OCIO requirements should have been obtained before the project master schedule was baselined. 1 A baseline is a reference point in the software development life cycle marked by the completion and formal approval of a set of predefined work products. The objective of a baseline is to reduce a project’s vulnerability to uncontrolled change by fixing and formally change controlling various key deliverables (configuration items) at critical points in the development life cycle. 2 A dashboard displays the status of metrics and key performance indicators. 7 OCFO did not allocate time in the project master schedule to address issues uncovered during the system integration testing or the mock 2 testing. Testing is done to provide quality assurance and to reduce the cost and business impact of correcting previously undetected errors. System integration testing ensures that all subcomponents are integrated to provide expected results. Mock conversion testing is done to verify that system scenarios perform as expected when executed with converted data. Failure to allow time in the schedule to address issues uncovered during these forms of testing could delay the project or lead to unresolved issues. Critical path tasks were not clearly identified in the project master schedule. HUD identified some items as critical within the project schedule; however, it did not identify as critical all of the dependent tasks required to complete an identifiable critical path in the schedule. Further, additional tasks should have been identified as critical, such as the tasks associated with the general ledger interface and accounting flex fields. In project management, the critical path is the succession of connected tasks that will take the longest to complete. Critical path analysis identifies the tasks that are dependent on each other. When the dependent tasks’ times are added together, the longest time necessary to complete the project can be predicted. To estimate overall project duration, it is important to know the tasks that can take place independently of each other and those that must occur in a certain sequence. If an activity on the critical path is late, the entire project will be delayed. The critical path and the tasks that are part of it must be managed to complete a project on schedule. Additionally, we could not confirm HUD’s calculated completion date because the critical path was not identified on the schedule. Critical path activities that were late were not listed as red on the dashboards as required by the New Core schedule management plan. For example, OCFO staff confirmed that the “Accounting Flex Field Values / Legacy Value Crosswalk” tasks were both critical and late as of March 11, 2015, but appeared as yellow on the dashboards. After discussing this matter with the New Core team, this item was changed to red. Also, the dashboards used to report the project status to project management and stakeholders did not report the same information as the project master schedule. This discrepancy could potentially mislead project management and stakeholders. Examples are shown in the table below. Percentage complete as reported on the Item Description dashboard, dated project master schedule, number 2/19/2015 dated 2/24/2015 Finalize New Core interface 188.8.131.52 100 86 requirements part 1 Complete baselining of 184.108.40.206 75 0* requirements Accounting flex field values- 220.127.116.11.13 50 7 legacy value crosswalk defined Financial management review 18.104.22.168 25 0** roles and responsibilities * The February 26, 2015, schedule shows the item 100 percent complete with a completion date of June 2, 2014. ** The February 24, 2015, and February 26, 2015, schedules show that this item had not been started. 8 Failure to track the critical path on the project master schedule and the dashboard makes it difficult to give an early warning of schedule bottlenecks or late critical path items. In addition, failure to clearly identify these issues on the schedule may increase pressure to rush the completion of the tasks once it is determined that the task is critical and the schedule cannot be modified. Rushing completion of the critical path tasks could also compromise the integrity and effectiveness of both the systems and the data they process, resulting in disruption to HUD’s business operations. Further, the New Core team had not developed a contingency plan for release 3. The independent verification and validation contractor reported that there was no contingency plan to provide an “alternate or back-out plan to ensure HUD will be able to continue to conduct their day-to-day business processes if the integrity of the ARC-HUD environment was compromised.” The contractor also noted that an alternative plan should be developed if New Core failed during production. However, New Core’s project management team had not addressed these identified weaknesses. These deficiencies occurred because HUD did not comply with best practices or its own project planning and management requirements and the policies and procedures established for New Core. The independent verification and validation team concluded that there was great reluctance to change the October 1, 2015, implementation date. Unrealistic attempts to meet the October 1, 2015, release date could encourage schedule compression and overly optimistic schedule assumptions and reporting. The Project Status May Have Been Misrepresented Risk management weaknesses may have misrepresented the status of New Core. The risk and issue logs, dated January 12 through March 6, 2015, disclosed that (1) Some risks may not have been fully mitigated before being closed, (2) Risk logs were missing required information, and (3) Risk logs were not readily available on SharePoint and Max.gov collaboration sites. Best practices call for a structured risk management process, which typically consists of identifying risks, ranking or evaluating risks, responding to significant risks, resourcing controls, reaction planning, reporting and monitoring risk performance, and reviewing the risk management framework. Since November 2013, the independent verification and validation team reported the need for improvements in reporting, tracking, coordinating between HUD and ARC, and developing mitigation strategies. In response the New Core team developed and issued a comprehensive risk management plan jointly with ARC. The latest version of the plan, dated December 2014, included those elements. The established process required regular reporting and scheduled meetings to evaluate identified risks and included design strategies for mitigating risks and resolving issues. The project team used this process daily to mitigate risks and issues, although we identified some weaknesses. 9 As an example, risk item 142 was closed before the risk was fully mitigated. We tracked this item between the logs and discovered that it was specifically described as “If the Release 3 reporting strategy is not defined, then the implementation of the Release 3 reporting solution required to support financial management and programmatic operations will be delayed.” Risk item 142 was created on November 7, 2014, and assigned a high severity level. To close this risk, the completion of the release 3 reporting strategy, definition of release 3 reporting solution, and completion of release 3 reporting requirements were required. The deputy director stated that the risk was closed on February 23, 2015, based on the New Core reporting strategy that had been approved and the completion of the reporting requirements work sessions. However, the completion of the requirements management life cycle was not scheduled until April 3, 2015. Therefore, the risk should not have been closed because not all of the closure criteria had been met. Further, risk item 142 was removed from the February 19, 2015, version of the dashboard. Closing risks prematurely could lead to excessive risk taking, which could result in a product that is missing the functionality needed by HUD’s program areas. According to the risk mitigation task force, improper transaction processing or funds control could cause Antideficiency Act violations. The risk log for March 6, 2015, was missing required information. Specifically, four high-risk items that were created on August 1, 2013, had due date and closure criteria entries of TBD (to be determined) or were blank. In addition, the collaboration sites were missing some of the risk and issue logs. Meetings were held weekly to discuss high-severity risks and high-impact or time-sensitive issues at the release and program level. Updates to the status were documented in the risk and issue logs and were required to be posted to the New Core manager’s office’s SharePoint site and OMB’s Max.gov site 3 within 3 business days following the meeting. We viewed the SharePoint and Max.gov sites on February 13, 2015, and found that the SharePoint site did not contain any risk logs from October and November 2014 and was missing logs from December 2014 and January 2015. The Max.gov site contained only six risk logs from 2014. A good risk management process ensures that executive management knows and understands the probabilities associated with possible outcomes before starting a project or making funding decisions. Failing to communicate all risks to executive management impairs its ability to make those decisions, while recording and monitoring risk enables managers to learn from experience. Weaknesses in HUD’s risk management resulted from the absence of risk mitigation oversight and a failure to comply with all of the elements in the established risk management plan. The New Core risk manager position had been vacant since project inception and resulted in a lack of oversight. In 2014 the New Core team identified the risk of not complying with the risk 3 A solution for posting information that is to be shared across office, agency and governmental boundaries. 10 management plan as having the potential to cause project failure with a severity level of high. The team then closed the risk on September 15, 2014, with a response plan stating that the established risk management plan would be followed. Conclusion In March 2013, OMB required agencies to consider, as part of their alternatives analysis, the use of a Federal shared service provider for all new agency proposals for core accounting and mixed system upgrades. OMB will fund the use of commercial shared service providers as an appropriate solution if, after reviewing the available Federal and commercial shared service provider solutions and using standard requirements, the agency’s business case shows that a commercial shared service provider can provide a better value for the Federal Government. HUD followed that mandate, and in July 2013, its alternatives analysis determined that ARC was the best option among the available Federal shared service providers. HUD will become the first cabinet-level agency to use a Federal shared service provider. The transfer of its financial management to a shared service provider has been widely publicized. HUD’s previous attempt to use a commercial shared service provider to start a new financial management system failed after spending more than $35 million. Our review of the previous project determined that OCFO did not properly plan and manage its implementation of that project. If HUD is not successful in this implementation, it could reflect negatively on OMB’s mandate to use Federal shared service providers. The weaknesses identified in this report relate to requirements and schedule and risk management. These areas are significant to the project plan, and the effectiveness with which HUD manages them is critical to the project’s success. Recommendations We recommend that the Chief Financial Officer 1A. Ensure that requirements are completed and approved for the functional areas that are not part of the shared service provider’s standard configuration before beginning its design and development activities and adjust the project schedule accordingly. 1B. Reevaluate the October 1, 2015, start date for release 3 at the completion of planning. 1C. Modify the project master schedule and dashboard to better identify the critical path. 1D. Modify the project master schedule and dashboard maintenance procedures to ensure that the documents are accurate and report the same information. 1E. Modify the project master schedule to provide time to address issues identified during the system integration testing and mock 2 testing. 1F. Identify specific and measurable progress factors and the minimum required functionality that will determine the go-no go decision. 1G. Establish a contingency plan for release 3 that provides an alternate or backout plan. 1H. Ensure that all risks are fully mitigated before closing and that the risk and issue logs contain all required information and are made available on the collaboration sites. 1I. Fill the risk manager position. 11 Scope and Methodology The audit covered the period January 15 through April 10, 2015. We performed the audit at HUD headquarters in Washington, DC. Audit work was conducted from January 15 through April 10, 2015. Our audit was based on the U.S. Government Accountability Office’s Federal Information System Controls Audit Manual methodology and IT guidelines established by the National Institute of Standards and Technology. We conducted the audit to • Determine New Core’s status, • Identify areas warranting additional review, and • Obtain information to plan and perform the detailed audit work to follow and determine compliance with Federal regulations and departmental project management processes. To evaluate these areas, we • Identified and reviewed HUD’s policies and procedures; • Reviewed project plans; • Reviewed documentation related to the status of the project, including the project schedule and risk and issue logs; and • Held discussions with HUD staff and contractors and stakeholders involved in the project. We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective(s). We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. 12 Internal Controls Internal control is a process adopted by those charged with governance and management, designed to provide reasonable assurance about the achievement of the organization’s mission, goals, and objectives with regard to • Effectiveness and efficiency of operations, • Reliability of financial reporting, and • Compliance with applicable laws and regulations. Internal controls comprise the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance. Relevant Internal Controls We determined that the following internal controls were relevant to our audit objective: • Policies, procedures, and other management tools used for implementation of controls for the New Core Project. We assessed the relevant controls identified above. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, the reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations on a timely basis. Significant Deficiency Based on our review, we believe that the following item is a significant deficiency: • Weaknesses in the New Core Project were not adequately addressed. 13 Appendixes Appendix A Auditee Comments and OIG’s Evaluation Ref to OIG Auditee Comments Evaluation Comment 1 Comment 2 Comment 3 Comment 4 14 Auditee Comments and OIG’s Evaluation Ref to OIG Auditee Comments Evaluation Comment 5 Comment 6 Comment 7 15 Auditee Comments and OIG’s Evaluation Ref to OIG Auditee Comments Evaluation Comment 8 Comment 9 Comment 10 16 Auditee Comments and OIG’s Evaluation Ref to OIG Auditee Comments Evaluation Comment 11 Comment 12 17 OIG Evaluation of Auditee Comments Comment 1 The statements made by the CFO are inaccurate. At no time did OIG audit staff indicate that the findings were minor or that further action would not be required to address the weaknesses. We consider the findings significant, one of our recommendations is for the CFO to reevaluate the October 1, 2015 implementation date for release 3 at the completion of planning. The department has not provided evidence related to the actions they have initiated or taken to correct the weaknesses identified. We have revised the wording of the subject of the report to reflect the project’s current situation and efforts. Comment 2 We agree that the audit work related to the identified weaknesses was performed during the survey phase of our audit. A survey is generally performed as a phase of an audit. It is a general review from which specific audit areas are identified. During the survey phase of this assignment, we concluded that several of the weaknesses identified were significant and needed to be brought to management’s attention quickly. To accomplish that, we completed the audit work in those areas, and in accordance with GAGAS, prepared and issued this audit report. Comment 3 We cannot comment on the launch of Phase 1 - Release 1 and Release II as they were not within the scope of this report. We disagree with the statement that the actions and progress made by the Department in the implementation of the New Core Project was not taken into consideration within the course of our audit. In addition, the Department was given multiple opportunities to provide comments related to the issues we identified and modifications were made as appropriate throughout the standardized review process. Comment 4 The OIG has not received documentation in support of the OCFO’s comments; therefore, we cannot make an assessment regarding them. We look forward to working with OCFO and reviewing the supporting documentation for the completion of all requirements, and verifying the requirements for the functional areas outside the shared service provider's standard configuration were completed prior to design and development activities. Comment 5 The OIG has not received documentation in support of the OCFO’s comments; therefore, we cannot make an assessment regarding them. We look forward to working with OCFO and reviewing the supporting documentation for the mock conversions, system integration testing, user acceptance testing, and evaluation of the October 1, 2015 implementation date. Comment 6 The OIG has not received documentation in support of the OCFO’s comments; therefore, we cannot make an assessment regarding them. We look forward to working with the OCFO and reviewing the supporting documentation for modifications made to the master schedule, projects dashboards and weekly status and leadership meetings. 18 Comment 7 The OIG has not received documentation in support of the OCFO’s comments; therefore, we cannot make an assessment regarding them. We look forward to working with the OCFO and reviewing the Contingency Plan. Comment 8 OIG agrees the New Core team has implemented several layers of risk identification and mitigation mechanisms as acknowledged in the body of this report. However, the OIG has not received documentation in support of the OCFO’s other comments; therefore, we cannot make an assessment regarding them. We look forward to working with OCFO and reviewing the enhancements made for monitoring risks until all closure criteria have been met, addition of missing information in the risks and issues log, and methods for keeping the collaboration sites current. Comment 9 The OIG has not received documentation in support of the OCFO’s comments; therefore, we cannot make an assessment regarding them. We look forward to working with the OCFO and reviewing the modifications made to the schedule and dashboard maintenance procedures. Comment 10 OIG partially agrees with OCFO. We agree that the go/no-go decision points are a good time to assess the impact of any major issues that are uncovered during testing. However, the effectiveness of the iterative approach to testing may be undermined by integrated tasks being completed at notably different times in an environment of ongoing development. In addition, if issues are uncovered in testing and the decision is made to proceed with deployment it is unclear as to where time in the schedule can be allocated to remediate the problems. Finally there are several critical tasks, including: Reconciliation, Crosswalk Maintenance, and Financial Data Extracts, which will finish development and unit testing during the time allocated for System Integration Testing. Delays on any of the aforementioned items could lead to inconclusive testing or affect the timeline. Therefore, we continue to recommend that the OCFO modify the project schedule to provide time to address the issues identified during testing. Comment 11 The OIG has not received documentation in support of the OCFO’s comments; therefore, we cannot make an assessment regarding them. We look forward to working with the OCFO and reviewing the Operational Readiness Checklist and verifying the progress factors. While required sections of Release 3 may not be deployed by the Go/No Go decision date, development of critical parts of Release 3 should be completed prior to the decision date. In addition, thorough testing of critical areas should be completed prior to the decision and all serious issues should be addressed. Comment 12 We disagree that prior to the engagement of our survey the risk manager position had already been filled. We began our audit on January 28, 2015, and on March 6, 2015, the New Core team member responsible for budget and contracting informed us the risk manager position was currently one of approximately thirteen vacant positions on the project. The Project Executive Director acknowledged that HUD made a decision not to fill the Risk Manager position and to instead 19 have the deputy director assume those duties. The decisions made by the department and the processes in place were assessed during our review and found to be inadequate. We look forward to working with OCFO and reviewing the supporting documentation that shows the risk manager position has been officially filled. 20
Weaknesses in the New Core Project Were Not Adequately Addressed
Published by the Department of Housing and Urban Development, Office of Inspector General on 2015-06-12.
Below is a raw (and likely hideous) rendition of the original report. (PDF)