Pursuant to the above subject matter, this memorandum responds to the two recommendations outlined in the draft OIG Audit Repeat dated November 1, 2005. In addition, an attachment to this memorandum titled “Statement of Facts” is provided to clarify certain statements underlying the draft report. The ASTEP project team requests the OIG take this information into consideration in preparing the final report.

The ASTEP project team noted that the OIG relied upon the FDIC Project Management Guide as policy, rather than guidance, for project management while conducting their audit. The FDIC Project Management Guide states that “Because each project at FDIC is different and has unique goals, objectives, resources, and timelines, this guidebook presents a process that should be considered a guide to successful management.” On December 29, 2004 the Chief Operating Officer and Chief Financial Officer further clarified that “The techniques and forms included in the FDIC Project Management Guide are offered to assist FDIC leaders and project managers. Their use is highly encouraged, but is not mandatory.” The ASTEP project team believes it is utilizing the components of the FDIC Project Management Guide that provide appropriate controls. This project is lead by two managers, one who has a Masters Certificate in Information Technology Project Management Professional (PMP) and the other who is a Certified Associate in Project Management (CAPM). Page four of the audit states that the OIG is in agreement the FDIC project management team “generally complied with the FDIC project management guidance.”

OIG Audit Recommendation #1:   KPMG recommends that DRR, in coordination with DIT, fully document costs and benefits in updating the ASTEP solution through current re-baselining efforts, including addressing key activities associated with specified costs. This analysis should include the lower level of detail available from contractor-developed costs in deriving key system requirements and design specifications that address the ASTEP strategies identified by project sponsors.

Response:   DRR agrees with this recommendation. According to established Capital Investment Review Committee (CIRC) procedures, if cost estimates remain within the approved investment budget, a formal document updating the original cost benefit analysis is not required. The ASTEP project management team has re-evaluated the ASTEP costs which resulted in revised cost estimates within the approved investment budget. The ASTEP project management team is in the process of obtaining concurrence from the Finance Analysis Committee, the Chief Financial Officer, and CIRC. which is expected no later than 2/28/06.

OIG Audit Recommendation #2:   As part of the current project re-baselining effort, KPMG recommends that DRR, in coordination with DIT, enhance the ASTEP project planning process by addressing areas needing improvement, as discussed in this report, to achieve greater compliance with the FDIC Project Management Guide and to provide greater assurance of the ASTEP project success, including these six elements:

1. Defining inter-relationships and integration of responsibilities across project charters;

   Response:   DRR agrees with this element of recommendation #2. The ASTEP team is currently reviewing the team charter and will update this charter by 1/31/06. With the minimal number of staff available after the reduction in force mid-year 2005, the ASTEP team recognized the sub-turn organizational structure was ineffective. At that time, the project team was re-organized and the sub-teams were no longer applicable. If, in the future, there is need to initiate a charter for a special project or a task requiting a specific learn, the ASTEP team will address the inter-relationship of roles and responsibilities of that team’s charter with other charters in effect at that time.

2. Defining she contactor oversight process in relation to ASTEP OM and TM roles, responsibilities, and communication activities;

   Response:   DRR agrees with this element of recommendation #2. The ASTEP team will add a statement to the Communications Plan which acknowledges that Oversight Manager and Technical Monitor roles are defined and governed by the Acquisition Policy Manual by 1/31/06.

3. Developing an accurate and complete master project plan baseline, under configuration management control, that defines all major ASTEP project activities, including integrating contractor sub-team plans into the master project plan; defines project and performance measures to measure project success; identifies the scope of work for major activities defined in the plan through a WBS; and fully discloses cost estimates for all resource categories.

   Response:   DRR agrees with this element of recommendation #2. The ASTEP team is committed to developing an accurate and complete master project plan that is baselined under configuration management control that defines the major ASTEP project activities, including integrating contractor sub-plans (i.e., a plan that identifies the scope of work for major activities defined in the plan through a WBS). The ASTEP team will have cost estimates for resource categories at the task order level for contractor resources. FDIC does not have the ability to track activity-based contracting to the level of specificity identified by the OIG. The master project plan will be baselined by 2/28/06.

   The ASTEP team uses the required CIRC reporting process to assess these project measures mid reports to the CIRC and the ASTEP Executive Sponsors quarterly, in addition, a bi-weekly scorecard is prepared and reviewed with FDIC senior management. Project measures indicate whether the project is being executed successfully, namely whether it is on time, on budget, and within scope. Performance measures to assess whether the execution of the tasks is producing the desired effect will be monitored under a separate plan. The project team will define a mechanism to do so by 7/31/06.

4. Establishing formal project controls to evaluate variances and, if needed, to initiate corrective actions for schedule, coot, scope, and quality variances;

   Response:   DRR agrees with this element of recommendation #2. The schedule will be monitored by the ASTEP project management team monthly by using the Master Project Plan for scheduled starts, finishes, milestones, critical path and percent complete. The Master Project Plan will be completed by 2/28/06. As outlined in response #3, the costs component of the Master Project Plan will be monitored subject to FDIC system limitations. The Change Control will continue to monitor the scope component of this element.

5. Updating and clarifying current risk assessment procedures and practices in the ASTEP risk management plan and finalizing the plan

   Response:   DRR agrees with this element of recommendation #2. The ASTEP team will finalize the Risk Management Plan by 3/31/06. The Risk Management Plan will include the ASTEP team’s current risk assessment procedures.

6. Developing risk mitigation plans for high priority risks as required by the ASTEP Risk Management Plan and ensuring that issues and risks are addressed in either the risk or the issue logs in accordance with the FDIC’s projects management guidelines

   Response:   DRR agrees with this element of recommendation #2. However, rather than using the high level templates in the FDIC Project Management Guide, the ASTEP team is using the more detailed oriented templates provided by the Office of Enterprise Risk Management. The ASTEP team is reviewing the ASTEP Risk Log and ASTEP Risk Management Plan to ensure high priority risks are identified with specific mitigation plans. Risk mitigation plans will be updated in the Risk Log or Risk Management Plan, as appropriate, by 3/31/06.

Attachment

ATTACHMENT: STATEMENT OF FACTS

This Statement of Facts is provided to clarify certain statements underlying the draft report entitled Asset Servicing Technology Enhancement Project — Project Management Framework dated November 1, 2005.

• The audit objective described in the Background and Purpose of Audit on page 1, the Executive Summary, and in Appendix A is not the revised objective communicated by the OIG. In addition, the scope described in Appendix A is not the scope provided by OIG.

  Fact: The report should state the revised objective, scope and methodology as provided by the OIG on June 7, 2005 to more accurately reflect the OIG’s change in focus from auditing the entire project to that of the project management framework.

• Page 3, paragraph 3 states: “In evaluating the effectiveness of ASTEP project management practices, KPMG relied on the FDIC’s Project Management Governance policy and the FDIC Project Management Guide, which were both issued in September 2004.”

  Page 4, paragraph 1 states: “The ASTEP project management team developed planning documents and implemented various activities that generally complied with the FDIC project management guidance and that the project team considered commensurate with the status of the project.”

  Fact: Although the Project Management Governance policy and Project Management Guide are dated September 2004, the Project Management Guide was not issued until December 29, 2004 via memorandum from the Chief Operating Officer and Chief Financial Officer. This is an important point because the December 29th memo states “Their use is highly encouraged but not mandatory.” In addition, the Project Management Guide on page 1 “about the guidebook” states “this guide presents a process that should be considered a “guide.” Throughout this document there are many references to the FDIC Project Management Guide being policy rather than being a guide, which leaves the reader with the misimpression that ASTEP project managers were not in compliance with policy. The FDIC project managers were using the FDIC Project Management Guide in the intended spirit, which is as a guide. References to policy should be removed from this document. Based on the information provided above from page 4 of the audit, the OIG is in agreement that the FDIC project management team “generally complied with the FDIC project management guidance.”

• Page 6, Background, footnote #3 states: “The $31.8 million budget for ASTEP development included $2 million as a contingency reserve……..”

  Fact: The contingency reserve amount is $2.9 million.

• Page 7, Background (continued), paragraph 3 states: “The FDIC has contracted with three vendors to (1) provide project management advisory support, (2) replace NPS with a COTS Loan and Customer Information System managed by an ASP, and (3) develop and implement the remaining ASTEP solution.”

  Fact: In addition to developing and implementing the vendor solution, the to-be requirements and system design are major components of the solution.

• Page 7, Background (continued), paragraph 3, sentence 2 states: Key activities performed to date include……..completing requirements analysis in April 2005; and completing the systems design in August 2005.”

  Fact: The requirements were completed on June 17, 2005.

• Page 7, Background (continued), paragraph 4, sentence 2 states: The project management team indicated that the delays were due to ......"

  Fact: The sentence should also include these additional delays: 1) the pilot of Websphere which took 9 months, and 2) the procurement philosophy changed from task assignments to task orders. These two additional items caused further delays in the project. This information was provided during KPMG’s interview with the project management team on 6/17/05.

• Page 7, Background (continued), last paragraph, sentence 2 states “…… project management team’s efforts to re-baseline the project because the original deployment goals and objectives are no longer achievable.”

  Fact: The original deployment goals are still achievable but not in the original timeframe. Deployment in a software project is specific to implementation, not schedule. The ASTEP team is ensuring the costs to complete the project are still within the approved investment budget.

• Page 8, ASTEP Project Management Structure, overall paragraph.

  Fact: In addition to the structure identified in this paragraph, the Executive Sponsors should be included in the project management structure because they are an approval authority and include representatives from DRR, DIT, DOA, and DOF. Also, CIRC and OERM are part of the structure in terms of reporting on cost, schedule, risks, change in scope, etc. The paragraph also states the DRR Project Manager “duties include……..providing oversight, reviewing deliverables, invoices, and task orders.” This is partially true in terms of the project management contract (Bearing Point); however, there is another Project Manager. The DIT Project Manager is the oversight manager for the Deloitte contract and provides oversight, reviews deliverables, invoices, and task orders.

• Page 9, Detailed Findings, paragraph 1, sentences which read: “At the start of the systems development activities, the ASTEP project management team developed a governance structure and a schedule-based project plan that describes various functions to manage ASTEP analysis and design activities. During the period, the project team also developed an integrated acquisition strategy, as well as communications, risk management, and configuration plans.”

  Fact: The statements suggest these items were not addressed until the system development activities. The ASTEP project has not started the system development activities and therefore, a more accurate statement would be at the “start of the system development life cycle,” or “during the planning phase.”

• Page 10, Finding 1: Cost-Benefit Analysis Condition (continued), paragraph 1, sentence which reads “At the start of the project, the ASTEP project management team learned that the NFE PeopleSoft portal and data warehouse could not interface with ASTEP applications.”

  Fact: The point at which the ASTEP project management team learned of the unsuitability of PeopleSoft was in May of 2005 when DIT surfaced the use of the Oracle Portal in lieu of PeopleSoft because Oracle had purchased PeopleSoft and was planning to discontinue PeopleSoft Portal as a product and use their portal instead. The use of the PeopleSoft Data Warehouse was a benefit claimed for the NFE project, not to ASTEP.

• Page 11, Criteria states: “The FDIC Capital Investment Policy, issued on April 11, 2005 calls for clear and complete CBA to ensure a well-informed decision regarding capital investments such as the ASTEP project.”

  Fact: The ASTEP CBA was completed in 2003 and therefore, the original CBA cannot be held to a policy issued in April, 2005. The CBA was prepared and approved by the FDIC Board of Directors on October 7, 2003.

• Page 13, Project Planning Controls (continued) states in the last sentence: “Additionally, the process for ASTEP oversight and technical monitors to assess contractor developer activities has not been formally defined.”

  Fact: The contractor oversight responsibilities are clearly outlined in the DOA Acquisition Policy Manual which all FDIC oversight and technical monitors adhere to. In addition, there are Letters of Oversight Manager Confirmation, Letter of Technical Monitor Confirmation, and other such documents that stale the roles and responsibilities of the OM/TM and are issued by DOA. The ASTEP Team adheres to this Corporate policy.

• Page 13, Project Planning Controls (continued), paragraph 2, sentence 2 states: “Also, the ASTEP project management team tasked its systems development contractor to define four high-level performance metrics related to cost, schedule, goodness of requirements, and goodness of design.”

  Fact: While it is true that the contactor provided sample metrics for use in Task Order 003 — “To-Be Requirements and Design”, these contractor metrics were not used. Instead the metrics were developed directly by the ASTEP team using elements of the PMBOK and the Rational Unified Process templates in conjunction with courses that the ASTEP team members took on Performance Based Contracting.