FDIC's Software Management Program
(Report No. 04-020, June 8, 2004)
The Office of Inspector General has completed an evaluation of the Division of Information Resources Management's (DIRM) software management program. The objective of our evaluation was to determine whether DIRM effectively manages its software assets. Because DIRM is planning to implement a new Enterprise Asset Management (EAM) system that will track information technology hardware and software assets, we ended our assignment without performing detailed testing of the Federal Deposit Insurance Corporation's (FDIC) software inventory.
Generally, DIRM has established several effective controls over its software management program. However, DIRM could improve the effectiveness of the program by establishing formal policies and procedures and by developing a consolidated software inventory system. DIRM has actions underway to develop these controls.
DIRM could also improve its management of individual software licenses to ensure that the FDIC complies with licensing terms and that the number of licenses deployed approximates user demand. For example, establishing a standard methodology for determining the number of licenses the Corporation requires under the Microsoft Enterprise Agreement would help to ensure that the FDIC is not at risk for being underlicensed and does not incur unnecessary expenses for being overlicensed.
We recommended that the Chief Information Officer and Director, DIRM:
- Verify the accuracy of DIRM's software inventory prior to loading software asset information into the proposed EAM system.
- Document a standard methodology for calculating the number of Microsoft licenses that the Corporation requires.
- Prior to loading software asset information into the proposed EAM system, verify that DIRM has appropriate licensing documentation for each software application and validate the requirements for all software licensing agreements to ensure that the FDIC is paying only for maintaining licenses that the Corporation is actually using.
On June 4, 2004, we received a written response from the CIO and Director, DIRM. The Corporation proposed actions that are responsive to all three recommendations. The recommendations are resolved, but will remain undispositioned and open for reporting purposes until we have determined that the agreed-to corrective actions have been completed and are effective.
This report addresses issues associated with specific software in use at the FDIC and software management practices at other regulatory agencies. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of this report.