oversight

Weaknesses in the New Core Project Were Not Adequately Addressed

Published by the Department of Housing and Urban Development, Office of Inspector General on 2015-06-12.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

   Office of the Chief Financial Officer
     New Core Project: Release 3 Project Management




Information Systems Audit Division   Audit Report Number: 2015-DP-0006
Washington, DC                                            June 12, 2015
                    Audit Report Number: 2015-DP-0006
                    Date: June 12, 2015

                    Weaknesses in the New Core Project Were Not Adequately Addressed




Highlights
What We Audited and Why
We audited the U.S. Department of Housing and Urban Development’s (HUD) New Core
Project as part of the internal control assessments required for the fiscal year 2015 financial
statement audit under the Chief Financial Officer’s Act of 1990. Our objective was to assess the
status of the project and to determine whether the New Core Project team complied with Federal
regulations and departmental project management processes. This audit is the first of several to
be completed on the New Core Project implementation.

What We Found
Weaknesses in the New Core Project were not adequately addressed. HUD did not follow its
own agency policies and procedures, the policies established for New Core, or best practices.
HUD will become the first cabinet-level agency to use a Federal shared service provider. The
transfer of its financial management to a shared service provider has been widely publicized.
HUD’s previous attempt to use a commercial shared service provider to start a new financial
management system failed after spending more than $35 million. Our review of the previous
project determined that Office of the Chief Financial Officer did not properly plan and manage
its implementation of that project. If HUD is not successful in this implementation, it could
reflect negatively on Office of Management and Budget’s mandate to use Federal shared service
providers. The weaknesses identified in this report relate to requirements and schedule and risk
management. These areas are significant to the project plan, and the effectiveness with which
HUD manages them is critical to the project’s success.

What We Recommend
We recommend that the Chief Financial Officer (1) ensure that requirements for the functional
areas that were not part of the shared service provider’s standard configuration are completed
and approved before beginning design and development, (2) reevaluate the October 1, 2015, start
date for release 3, (3) modify the project schedule and dashboard to identify the critical path, (4)
establish a contingency plan, (5) ensure that all risks are fully mitigated before closing, and (6)
address the remaining weaknesses identified.
Table of Contents
Background and Objective......................................................................................4

Results of Audit ........................................................................................................6
         Finding: Weaknesses in the New Core Project Were Not Adequately Addressed .... 6

Scope and Methodology .........................................................................................12

Internal Controls ....................................................................................................13

Appendixes ..............................................................................................................14
         A. Auditee Comments and OIG’s Evaluation ............................................................. 14




                                                             3
Background and Objective
The U.S. Department of Housing and Urban Development (HUD) has been modernizing its
legacy financial management system since fiscal year 2003. The previous project, the HUD
Integrated Financial Management Improvement Project, was intended to replace two of the
applications currently used for core processing. In March 2012, however, HUD stopped work on
the project and later canceled it after spending more than $35 million. In the fall of 2012, the
New Core Project was created to implement a new core financial system.
On March 25, 2013, the Office of Management and Budget (OMB) issued memorandum M-13-
08, which mandates the use of Federal shared service providers to modernize core accounting or
mixed systems. HUD conducted an alternatives analysis and determined that U.S. Department of
the Treasury’s Bureau of Fiscal Services’ Administrative Resource Center (ARC), formerly the
Bureau of Public Debt, was the best option among the available Federal shared service providers.
HUD signed an interagency agreement on July 30, 2013, to migrate its financial transactions and
systems to ARC. Specifically, ARC will support (1) funds management, (2) purchasing, (3)
accounts payable, (4) accounts receivable, (5) cash management, (6) cost accounting, (7) the core
financial system, (8) the general ledger, (9) financial reporting, (10) grants management, and
(11) loans management.
The project includes the following four phases:

   •   Phase 1 is separated into four different releases. Each release defines a particular
       function that will be transferred to Treasury’s shared services platform as follows:
           • Release 1 transferred the travel and relocation functions to Treasury on
               October 1, 2014.
           • Release 2, transferring time and attendance, was implemented on
               February 8, 2015.
           • Release 3 will cover the migration of the core financial services owned by the
               Office of the Chief Financial Officer (OCFO). This release includes the
               migration of accounting system services associated with budget execution,
               accounting, finance, data warehouse reporting, and an interface solution. Release
               3 is scheduled for implementation in the fourth quarter of fiscal year 2015 or the
               first quarter of fiscal year 2016.
           • Release 4 will address HUD’s grant and loan accounting systems. Details
               regarding this release have not been finalized, and there is no scheduled date for
               implementation.
   •   Phase 2 of the project will address managerial cost accounting, budget formulation, and a
       fixed assets system.
   •   Phases 3 and 4 of the project will address the consolidation of the Federal Housing
       Administration and Government National Mortgage Association as well as the migration
       of the functionality of HUD’s Line of Credit Control System.




                                                  4
Details regarding phases 2, 3, and 4 have not been finalized, and there are no scheduled dates for
implementation.
New Core resources come from various organizations and funding sources. New Core has a
three-part budget development that includes the following:

           •   Modernization and enhancement funds from the Working Capital Fund -
               Information Technology (IT) portfolio,
           •   Full-time employees from many sources, and
           •   Operations and maintenance – salaries and expenses.
Funding delays and cuts have impacted modernization and enhancement activities. As a result,
money appropriated in fiscal year 2014 was not fully available. As of February 2015, HUD had
received only about $4.5 million of the $10 million budgeted. In addition, congressional cuts to
fiscal year 2015-16 funding resulted in the elimination of all modernization and enhancement
funding, including the $15.9 million budgeted for New Core. A significant amount of the
operations and maintenance funding requested was also eliminated, resulting in the $16.6 million
requested for New Core being transferred to the salaries and expenses budget. As a result, New
Core is pursuing $18 million, the $10 million budgeted, and an additional $8 million reallocated
from other projects to cover current agreement and pending activity costs through March 2016.
This audit was conducted as a component of the internal control assessments required for the fiscal
year 2015 financial statement audit under the Chief Financial Officer’s Act of 1990. Our objective
was to assess the status of the project and to determine whether the New Core Project team
complied with Federal regulations and departmental project management processes. This audit
is the first of several to be completed on the New Core Project implementation.




                                                 5
Results of Audit

Finding: Weaknesses in the New Core Project Were Not
Adequately Addressed
Weaknesses in the New Core Project were not adequately addressed. Specifically, (1) HUD may
have rushed release 3 system design and development activities, (2) schedule management
deficiencies may impact the timeliness and quality of the release 3 solutions, and (3) risk
management weaknesses may have misrepresented the project’s status. These conditions
resulted from noncompliance with HUD’s own IT project management policy and best practices.
HUD’s failure to successfully implement New Core could result in a system that may not meet
HUD’s needs. In addition, HUD’s transfer of its financial management to a shared service
provider has been widely publicized. If HUD is not successful in this implementation, it could
reflect negatively on OMB’s mandate to use Federal shared service providers to modernize core
accounting or mixed systems.

System Design and Development Activities May Have Been Rushed
The project schedule allowed system design and development tasks to begin before all
requirements had been identified and approved for some of the functional areas that were not
part of the shared service provider’s standard configuration. In the planning phase, the integrated
project team decides whether to modify or enhance a system, custom develop a new solution,
install and configure a commercial or government off-the-shelf capability, or use a service
provided by an external commercial or government entity to meet the identified business needs.
During this phase, the team also develops a detailed project schedule.

The New Core team broke the requirements into multiple functional areas. Some of the areas
were part of the shared service provider’s standard configuration, and some were not. As of
April 3, 2015, all of the shared service requirements had been completed. For the areas that were
not part of the standard configuration, requirements needed to be completed before design and
development began. However, the March 12, 2015, project schedule had design and
development tasks for data reconciliations and the system interface solution that were not part of
the standard configuration. These tasks were scheduled to begin before the requirements had
been completed.
HUD identified the risks involved in developing system designs before completing the planning
phase approvals. The risks and anticipated outcomes were identified in the risk and issue logs
starting in August 2013 and in five independent verification and validation reports starting in
November 2013. If requirements are not identified and understood during the requirements and
analysis project phase, the release 3 solution may not meet HUD’s needs and could adversely
affect the design, development, business process, and testing components. Failing to identify
requirements before going online could negatively impact HUD’s business operations, create
additional work or cost overruns, and require labor-intensive manual work-arounds.




                                                 6
The deficiencies discussed above occurred because HUD did not comply with IT best practices
and HUD’s project planning and management procedures as well as a perceived reluctance to
delay the October 1, 2015, implementation date. The independent verification and validation
team reported that the release 3 schedule was developed under the October 1, 2015, deadline, and
this date was not extended when additional work packages were added to the schedule.
Although the independent verification and validation team repeated its concern that the time
needed to complete certain tasks may have been underestimated in several reports, HUD did not
change the October 1, 2015, implementation date.
Schedule Management Deficiencies May Impact the Release 3 Implementation Date
Schedule management deficiencies may impact the timeliness and quality of the release 3
solution. Specifically,
         1) The project master schedule was baselined, 1 signifying its finalization and approval
            prematurely,
         2) The project master schedule did not allow sufficient time to address issues identified
            during testing,
         3) Critical path tasks were not clearly identified in the project master schedule or
            dashboards, 2
         4) Critical path activities that were late were not listed as red on the dashboards,
         5) Information reported on the dashboard did not match the project master schedule, and
         6) The New Core team had not developed a contingency plan for release 3.
The project master schedule was baselined before the Office of the Chief Information Officer
(OCIO) could determine whether the time necessary to complete assigned tasks was appropriate.
In project management, establishing the baseline is the formal end of project planning and the
beginning of project execution and control. Controlling the project baseline is critical to project
success. The U.S. Government Accountability Office’s schedule assessment guide states that an
integrated master schedule connects all the scheduled work of the government and the contractor
in a collection of logically linked sequences of activities. It also states that the government
program management office must ensure that the schedule is as logical and realistic as possible
and that the integrated master schedule must be a complete and dynamic network. In addition, it
should consist of logically related activities with forecast dates that are automatically
recalculated when activities change. The decision to baseline the project master schedule before
the completion of the OCIO focus group’s meetings made it likely that adjustments to the project
schedule would be required, creating additional work for the New Core team. We discussed our
concerns with the project’s executive director, who acknowledged that the OCIO requirements
should have been obtained before the project master schedule was baselined.




1
  A baseline is a reference point in the software development life cycle marked by the completion and formal
approval of a set of predefined work products. The objective of a baseline is to reduce a project’s vulnerability to
uncontrolled change by fixing and formally change controlling various key deliverables (configuration items) at
critical points in the development life cycle.
2
  A dashboard displays the status of metrics and key performance indicators.



                                                           7
OCFO did not allocate time in the project master schedule to address issues uncovered during the
system integration testing or the mock 2 testing. Testing is done to provide quality assurance
and to reduce the cost and business impact of correcting previously undetected errors. System
integration testing ensures that all subcomponents are integrated to provide expected results.
Mock conversion testing is done to verify that system scenarios perform as expected when
executed with converted data. Failure to allow time in the schedule to address issues uncovered
during these forms of testing could delay the project or lead to unresolved issues.
Critical path tasks were not clearly identified in the project master schedule. HUD identified
some items as critical within the project schedule; however, it did not identify as critical all of
the dependent tasks required to complete an identifiable critical path in the schedule. Further,
additional tasks should have been identified as critical, such as the tasks associated with the
general ledger interface and accounting flex fields. In project management, the critical path is
the succession of connected tasks that will take the longest to complete. Critical path analysis
identifies the tasks that are dependent on each other. When the dependent tasks’ times are added
together, the longest time necessary to complete the project can be predicted. To estimate
overall project duration, it is important to know the tasks that can take place independently of
each other and those that must occur in a certain sequence. If an activity on the critical path is
late, the entire project will be delayed. The critical path and the tasks that are part of it must be
managed to complete a project on schedule. Additionally, we could not confirm HUD’s
calculated completion date because the critical path was not identified on the schedule.
Critical path activities that were late were not listed as red on the dashboards as required by the
New Core schedule management plan. For example, OCFO staff confirmed that the
“Accounting Flex Field Values / Legacy Value Crosswalk” tasks were both critical and late as of
March 11, 2015, but appeared as yellow on the dashboards. After discussing this matter with the
New Core team, this item was changed to red.
Also, the dashboards used to report the project status to project management and stakeholders
did not report the same information as the project master schedule. This discrepancy could
potentially mislead project management and stakeholders. Examples are shown in the table
below.

                                                        Percentage complete as reported on the
   Item
                          Description                dashboard, dated project master schedule,
  number
                                                         2/19/2015           dated 2/24/2015
            Finalize New Core interface
   1.2.8.9                                                    100                           86
            requirements part 1
            Complete baselining of
  1.2.5.17                                                     75                           0*
            requirements
            Accounting flex field values-
 1.3.2.2.13                                                    50                            7
            legacy value crosswalk defined
            Financial management review
   1.3.5.1                                                     25                          0**
            roles and responsibilities
* The February 26, 2015, schedule shows the item 100 percent complete with a completion date of June 2, 2014.
** The February 24, 2015, and February 26, 2015, schedules show that this item had not been started.




                                                       8
Failure to track the critical path on the project master schedule and the dashboard makes it
difficult to give an early warning of schedule bottlenecks or late critical path items. In addition,
failure to clearly identify these issues on the schedule may increase pressure to rush the
completion of the tasks once it is determined that the task is critical and the schedule cannot be
modified. Rushing completion of the critical path tasks could also compromise the integrity and
effectiveness of both the systems and the data they process, resulting in disruption to HUD’s
business operations.
Further, the New Core team had not developed a contingency plan for release 3. The
independent verification and validation contractor reported that there was no contingency plan to
provide an “alternate or back-out plan to ensure HUD will be able to continue to conduct their
day-to-day business processes if the integrity of the ARC-HUD environment was compromised.”
The contractor also noted that an alternative plan should be developed if New Core failed during
production. However, New Core’s project management team had not addressed these identified
weaknesses.
These deficiencies occurred because HUD did not comply with best practices or its own project
planning and management requirements and the policies and procedures established for New
Core. The independent verification and validation team concluded that there was great
reluctance to change the October 1, 2015, implementation date. Unrealistic attempts to meet the
October 1, 2015, release date could encourage schedule compression and overly optimistic
schedule assumptions and reporting.

The Project Status May Have Been Misrepresented
Risk management weaknesses may have misrepresented the status of New Core. The risk and
issue logs, dated January 12 through March 6, 2015, disclosed that
       (1) Some risks may not have been fully mitigated before being closed,
       (2) Risk logs were missing required information, and
       (3) Risk logs were not readily available on SharePoint and Max.gov collaboration sites.
Best practices call for a structured risk management process, which typically consists of
identifying risks, ranking or evaluating risks, responding to significant risks, resourcing controls,
reaction planning, reporting and monitoring risk performance, and reviewing the risk
management framework.
Since November 2013, the independent verification and validation team reported the need for
improvements in reporting, tracking, coordinating between HUD and ARC, and developing
mitigation strategies. In response the New Core team developed and issued a comprehensive
risk management plan jointly with ARC. The latest version of the plan, dated December 2014,
included those elements. The established process required regular reporting and scheduled
meetings to evaluate identified risks and included design strategies for mitigating risks and
resolving issues. The project team used this process daily to mitigate risks and issues, although
we identified some weaknesses.




                                                  9
As an example, risk item 142 was closed before the risk was fully mitigated. We tracked this
item between the logs and discovered that it was specifically described as “If the Release 3
reporting strategy is not defined, then the implementation of the Release 3 reporting solution
required to support financial management and programmatic operations will be delayed.” Risk
item 142 was created on November 7, 2014, and assigned a high severity level. To close this
risk, the completion of the release 3 reporting strategy, definition of release 3 reporting solution,
and completion of release 3 reporting requirements were required. The deputy director stated
that the risk was closed on February 23, 2015, based on the New Core reporting strategy that had
been approved and the completion of the reporting requirements work sessions. However, the
completion of the requirements management life cycle was not scheduled until April 3, 2015.
Therefore, the risk should not have been closed because not all of the closure criteria had been
met.
Further, risk item 142 was removed from the February 19, 2015, version of the dashboard.
Closing risks prematurely could lead to excessive risk taking, which could result in a product that
is missing the functionality needed by HUD’s program areas. According to the risk mitigation
task force, improper transaction processing or funds control could cause Antideficiency Act
violations.
The risk log for March 6, 2015, was missing required information. Specifically, four high-risk
items that were created on August 1, 2013, had due date and closure criteria entries of TBD (to
be determined) or were blank.
In addition, the collaboration sites were missing some of the risk and issue logs. Meetings were
held weekly to discuss high-severity risks and high-impact or time-sensitive issues at the release
and program level. Updates to the status were documented in the risk and issue logs and were
required to be posted to the New Core manager’s office’s SharePoint site and OMB’s Max.gov
site 3 within 3 business days following the meeting. We viewed the SharePoint and Max.gov
sites on February 13, 2015, and found that the SharePoint site did not contain any risk logs from
October and November 2014 and was missing logs from December 2014 and January 2015. The
Max.gov site contained only six risk logs from 2014.
A good risk management process ensures that executive management knows and understands the
probabilities associated with possible outcomes before starting a project or making funding
decisions. Failing to communicate all risks to executive management impairs its ability to make
those decisions, while recording and monitoring risk enables managers to learn from experience.
Weaknesses in HUD’s risk management resulted from the absence of risk mitigation oversight
and a failure to comply with all of the elements in the established risk management plan. The
New Core risk manager position had been vacant since project inception and resulted in a lack of
oversight. In 2014 the New Core team identified the risk of not complying with the risk




3
    A solution for posting information that is to be shared across office, agency and governmental boundaries.




                                                            10
management plan as having the potential to cause project failure with a severity level of high.
The team then closed the risk on September 15, 2014, with a response plan stating that the
established risk management plan would be followed.
Conclusion
In March 2013, OMB required agencies to consider, as part of their alternatives analysis, the use
of a Federal shared service provider for all new agency proposals for core accounting and mixed
system upgrades. OMB will fund the use of commercial shared service providers as an
appropriate solution if, after reviewing the available Federal and commercial shared service
provider solutions and using standard requirements, the agency’s business case shows that a
commercial shared service provider can provide a better value for the Federal Government.
HUD followed that mandate, and in July 2013, its alternatives analysis determined that ARC was
the best option among the available Federal shared service providers.
HUD will become the first cabinet-level agency to use a Federal shared service provider. The
transfer of its financial management to a shared service provider has been widely publicized.
HUD’s previous attempt to use a commercial shared service provider to start a new financial
management system failed after spending more than $35 million. Our review of the previous
project determined that OCFO did not properly plan and manage its implementation of that
project. If HUD is not successful in this implementation, it could reflect negatively on OMB’s
mandate to use Federal shared service providers. The weaknesses identified in this report relate
to requirements and schedule and risk management. These areas are significant to the project
plan, and the effectiveness with which HUD manages them is critical to the project’s success.

Recommendations
We recommend that the Chief Financial Officer
   1A. Ensure that requirements are completed and approved for the functional areas that are
       not part of the shared service provider’s standard configuration before beginning its
       design and development activities and adjust the project schedule accordingly.
   1B. Reevaluate the October 1, 2015, start date for release 3 at the completion of planning.
   1C. Modify the project master schedule and dashboard to better identify the critical path.
   1D. Modify the project master schedule and dashboard maintenance procedures to ensure
       that the documents are accurate and report the same information.
   1E. Modify the project master schedule to provide time to address issues identified during
       the system integration testing and mock 2 testing.
   1F. Identify specific and measurable progress factors and the minimum required
       functionality that will determine the go-no go decision.
   1G. Establish a contingency plan for release 3 that provides an alternate or backout plan.
   1H. Ensure that all risks are fully mitigated before closing and that the risk and issue logs
       contain all required information and are made available on the collaboration sites.
   1I.   Fill the risk manager position.



                                                 11
Scope and Methodology
The audit covered the period January 15 through April 10, 2015. We performed the audit at
HUD headquarters in Washington, DC. Audit work was conducted from January 15 through
April 10, 2015. Our audit was based on the U.S. Government Accountability Office’s Federal
Information System Controls Audit Manual methodology and IT guidelines established by the
National Institute of Standards and Technology.
We conducted the audit to

   •   Determine New Core’s status,
   •   Identify areas warranting additional review, and
   •   Obtain information to plan and perform the detailed audit work to follow and determine
       compliance with Federal regulations and departmental project management processes.
To evaluate these areas, we

   •   Identified and reviewed HUD’s policies and procedures;
   •   Reviewed project plans;
   •   Reviewed documentation related to the status of the project, including the project
       schedule and risk and issue logs; and
   •   Held discussions with HUD staff and contractors and stakeholders involved in the
       project.
We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective(s). We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.




                                                12
Internal Controls
Internal control is a process adopted by those charged with governance and management,
designed to provide reasonable assurance about the achievement of the organization’s mission,
goals, and objectives with regard to

•   Effectiveness and efficiency of operations,
•   Reliability of financial reporting, and
•   Compliance with applicable laws and regulations.
Internal controls comprise the plans, policies, methods, and procedures used to meet the
organization’s mission, goals, and objectives. Internal controls include the processes and
procedures for planning, organizing, directing, and controlling program operations as well as the
systems for measuring, reporting, and monitoring program performance.

Relevant Internal Controls
We determined that the following internal controls were relevant to our audit objective:

•   Policies, procedures, and other management tools used for implementation of controls for the
    New Core Project.
We assessed the relevant controls identified above.
A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, the
reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or
efficiency of operations, (2) misstatements in financial or performance information, or (3)
violations of laws and regulations on a timely basis.
Significant Deficiency
Based on our review, we believe that the following item is a significant deficiency:

•   Weaknesses in the New Core Project were not adequately addressed.




                                                  13
Appendixes

Appendix A
             Auditee Comments and OIG’s Evaluation



Ref to OIG    Auditee Comments
Evaluation




Comment 1


Comment 2


Comment 3




Comment 4




                               14
             Auditee Comments and OIG’s Evaluation




Ref to OIG    Auditee Comments
Evaluation




Comment 5




Comment 6




Comment 7




                               15
             Auditee Comments and OIG’s Evaluation




Ref to OIG    Auditee Comments
Evaluation




Comment 8




Comment 9




Comment 10




                               16
             Auditee Comments and OIG’s Evaluation




Ref to OIG    Auditee Comments
Evaluation




Comment 11




Comment 12




                               17
                         OIG Evaluation of Auditee Comments


Comment 1   The statements made by the CFO are inaccurate. At no time did OIG audit staff
            indicate that the findings were minor or that further action would not be required
            to address the weaknesses. We consider the findings significant, one of our
            recommendations is for the CFO to reevaluate the October 1, 2015
            implementation date for release 3 at the completion of planning. The department
            has not provided evidence related to the actions they have initiated or taken to
            correct the weaknesses identified. We have revised the wording of the subject of
            the report to reflect the project’s current situation and efforts.
Comment 2   We agree that the audit work related to the identified weaknesses was performed
            during the survey phase of our audit. A survey is generally performed as a phase
            of an audit. It is a general review from which specific audit areas are identified.
            During the survey phase of this assignment, we concluded that several of the
            weaknesses identified were significant and needed to be brought to management’s
            attention quickly. To accomplish that, we completed the audit work in those
            areas, and in accordance with GAGAS, prepared and issued this audit report.
Comment 3   We cannot comment on the launch of Phase 1 - Release 1 and Release II as they
            were not within the scope of this report. We disagree with the statement that the
            actions and progress made by the Department in the implementation of the New
            Core Project was not taken into consideration within the course of our audit. In
            addition, the Department was given multiple opportunities to provide comments
            related to the issues we identified and modifications were made as appropriate
            throughout the standardized review process.
Comment 4   The OIG has not received documentation in support of the OCFO’s comments;
            therefore, we cannot make an assessment regarding them. We look forward to
            working with OCFO and reviewing the supporting documentation for the
            completion of all requirements, and verifying the requirements for the functional
            areas outside the shared service provider's standard configuration were
            completed prior to design and development activities.
Comment 5   The OIG has not received documentation in support of the OCFO’s comments;
            therefore, we cannot make an assessment regarding them. We look forward to
            working with OCFO and reviewing the supporting documentation for the mock
            conversions, system integration testing, user acceptance testing, and evaluation of
            the October 1, 2015 implementation date.
Comment 6   The OIG has not received documentation in support of the OCFO’s comments;
            therefore, we cannot make an assessment regarding them. We look forward to
            working with the OCFO and reviewing the supporting documentation for
            modifications made to the master schedule, projects dashboards and weekly status
            and leadership meetings.



                                              18
Comment 7     The OIG has not received documentation in support of the OCFO’s comments;
              therefore, we cannot make an assessment regarding them. We look forward to
              working with the OCFO and reviewing the Contingency Plan.
Comment 8     OIG agrees the New Core team has implemented several layers of risk
              identification and mitigation mechanisms as acknowledged in the body of this
              report. However, the OIG has not received documentation in support of the
              OCFO’s other comments; therefore, we cannot make an assessment regarding
              them. We look forward to working with OCFO and reviewing the enhancements
              made for monitoring risks until all closure criteria have been met, addition of
              missing information in the risks and issues log, and methods for keeping the
              collaboration sites current.
Comment 9     The OIG has not received documentation in support of the OCFO’s comments;
              therefore, we cannot make an assessment regarding them. We look forward to
              working with the OCFO and reviewing the modifications made to the schedule
              and dashboard maintenance procedures.
Comment 10 OIG partially agrees with OCFO. We agree that the go/no-go decision points are
           a good time to assess the impact of any major issues that are uncovered during
           testing. However, the effectiveness of the iterative approach to testing may be
           undermined by integrated tasks being completed at notably different times in an
           environment of ongoing development. In addition, if issues are uncovered in
           testing and the decision is made to proceed with deployment it is unclear as to
           where time in the schedule can be allocated to remediate the problems. Finally
           there are several critical tasks, including: Reconciliation, Crosswalk Maintenance,
           and Financial Data Extracts, which will finish development and unit testing
           during the time allocated for System Integration Testing. Delays on any of the
           aforementioned items could lead to inconclusive testing or affect the timeline.
           Therefore, we continue to recommend that the OCFO modify the project schedule
           to provide time to address the issues identified during testing.
Comment 11 The OIG has not received documentation in support of the OCFO’s comments;
           therefore, we cannot make an assessment regarding them. We look forward to
           working with the OCFO and reviewing the Operational Readiness Checklist and
           verifying the progress factors. While required sections of Release 3 may not be
           deployed by the Go/No Go decision date, development of critical parts of Release
           3 should be completed prior to the decision date. In addition, thorough testing of
           critical areas should be completed prior to the decision and all serious issues
           should be addressed.
Comment 12 We disagree that prior to the engagement of our survey the risk manager position
           had already been filled. We began our audit on January 28, 2015, and on March 6,
           2015, the New Core team member responsible for budget and contracting
           informed us the risk manager position was currently one of approximately thirteen
           vacant positions on the project. The Project Executive Director acknowledged
           that HUD made a decision not to fill the Risk Manager position and to instead


                                               19
have the deputy director assume those duties. The decisions made by the
department and the processes in place were assessed during our review and found
to be inadequate. We look forward to working with OCFO and reviewing the
supporting documentation that shows the risk manager position has been officially
filled.




                                20