Summary
The Social Security Administration (SSA) spends about $1 billion annually to support its information technology (IT) needs. Given the size and significance of the agency's ongoing and future investments in IT, it is crucial that the agency manages these investments wisely. Accordingly, GAO was requested to determine whether SSA's investment management approach is consistent with leading investment management best practices. To accomplish this, GAO used its IT investment management framework and associated methodology, with a focus on the framework's Stages 2 and 3, which are based on the investment management provisions of the Clinger-Cohen Act of 1996.
SSA's investment management approach is largely consistent with leading investment management practices. It has established most of the practices needed to manage its projects as investments and is making progress towards managing IT investments as a portfolio; however, it is not applying its investment management process to all of its investments. Specifically: (1) The agency is executing a majority of the key practices needed to build the foundation for managing its IT projects as investments. Of the 5 processes and their 38 associated key practices, SSA is executing 31 practices. However, the agency's investment board, which should provide executive oversight of investments, is not adequately monitoring the performance of IT projects. (2) SSA has made progress in establishing the key practices for managing investments as a portfolio--it is executing 18 out of 27 key practices. The agency has made important progress in defining and creating the investment portfolio, but it has not developed enterprisewide portfolio selection criteria. The agency also has not established procedures for evaluating the portfolio, and its postimplementation reviews do not determine whether projects meet the agency's strategic goals. (3) SSA is not applying its investment management process to a major portion of its IT budget. Specifically, IT products and services acquired with its acquisition budget ($610 million of the $1 billion IT budget for fiscal year 2008) are not managed by the board as investments. SSA's executive-level review board is not responsible for overseeing the acquisition budget. Consequently, executive management has limited insight into investments acquired with these funds, and the agency has limited ability to ensure that the budget is spent in the most efficient and effective manner. Until it establishes oversight of all investments and fully defines policies and procedures for overseeing both individual projects and an agencywide portfolio, SSA risks not being able to select and control these investments consistently and completely, thus increasing the chance that investments will not meet mission needs in the most cost-effective and efficient manner.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change
from "In process" to "Implemented" or "Not implemented" based on our follow up work.
Director:
Team:
Phone:
Valerie C. Melvin
Government Accountability Office: Information Technology
(202) 512-6304
Recommendations for Executive Action
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish comprehensive policies and procedures for defining the investment governance process that specify (1) investment board operating procedures, (2) delegations of authority, and (3) criteria for prioritizing new and ongoing investments.
Agency Affected: Social Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to strengthen and expand the board's oversight responsibilities for underperforming projects and evaluations of projects.
Agency Affected: Social Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish a mechanism for tracking corrective actions for underperforming investments.
Agency Affected: Social Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish policies and procedures for defining the portfolio criteria.
Agency Affected: Social Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish portfolio-level performance evaluation policies and procedures and criteria for assessing portfolio performance.
Agency Affected: Social Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to evaluate quantitative measures during postimplementation reviews, and lessons learned for improving select, control, and evaluate processes.
Agency Affected: Social Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to ensure senior management involvement and full accountability for the agency's investments, the Commissioner of Social Security should direct the Chief Information Officer to develop and implement policies and procedures to manage IT acquisitions as investments and manage them using the investment management framework.
Agency Affected: Social Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
