Audit of FDIC Resource and Cost Tracking Systems for Information Systems Projects

(Audit Report No. 98-019, February 27, 1998)

Summary

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed an audit of FDIC resource and cost tracking systems for information systems projects. The objectives of the audit were to evaluate FDIC's methodology for accurately and completely accounting for and reporting for all costs relating to application systems development projects and other Information Resource Management (IRM) initiatives and/or projects. In addition, we evaluated the internal controls that ensure FDIC's Information Technology (IT) resource tracking and charge back systems provide reasonable assurance that cost information is accurate, complete, timely, and reliable. Our review also evaluated whether FDIC's IT charge back and resource tracking systems provide FDIC the ability to monitor progress toward achieving performance goals and objectives for information technology projects within approved budgets/estimates. These principles are embodied in a variety of recent legislation, including the Government Performance and Results Act of 1993 (GPRA), and the Clinger-Cohen Act of 1996. FDIC's System Development Life Cycle (SDLC) procedures and OMB circulars, including A-130, entitled Management of Federal Information Resources, also embody these principles.

Generally, we found there was a need to maintain more complete and up-to-date cost-benefit information on IT systems development projects throughout a project's life cycle. DIRM's cost tracking and reporting process did not capture significant costs incurred by FDIC's other program offices that were actively involved in IT activities. DIRM's process also did not track or report full life cycle costs for system development, enhancement, and maintenance projects. In addition, the process did not allocate the costs for major cost categories, such as data processing services, telecommunication services, or costs for PC/LAN server support.

Accurate, complete, and up-to-date project information is critical to measuring performance and making cost-effective decisions on FDIC's complex IT investments. Sound financial management and cost data are a cornerstone requirement of the CFO Act and are critical to making informed decisions under the performance management approach of GPRA.

FDIC did not have adequate controls in place to ensure that major IT projects were completed within approved life cycle budgets and time lines, and satisfied user requirements. FDIC's SDLC policies and procedures require that a cost-benefit analysis (CBA) be completed before initiating all significant SDLC projects. However, they do not specifically require that the CBA be updated throughout the life cycle if there are significant deviations from the original estimates and projections of costs, time lines, benefits, or risks. There also was not a requirement for project managers to notify management when there are actual or anticipated significant deviations from approved life cycle budgets, projected benefits, or time lines for development.

Based on our review of 11 systems development projects, we determined that updates to cost-benefit studies were not being completed as significant changes occurred. In addition, DIRM management acknowledged that thorough CBAs were not performed for system development projects prior to this year's implementation of new guidelines for conducting CBAs.

Recommendations

The report contains six recommendations for improvements. One recommendation is directed jointly to the Director, Division of Information Resources Management (DIRM) and the Director, Division of Finance (DOF). Five recommendations are addressed to the Director, DIRM. We are recommending that more detailed and comprehensive data be maintained on IT projects throughout a project's life cycle. In addition, we are recommending improvements in policies and procedures relating to measuring performance against approved cost-benefit studies prepared at the outset of IT projects. The report also recommends that senior management be advised when there are significant deviations from original estimates and projections of costs, time lines, benefits, or risks.

Management Response

Management has provided responses that satisfy the concerns addressed in the audit report and that provide the requisites for management decisions for all recommendations.

Last Updated 03/27/01 contact the OIPG