GAO-02-703, Veterans Affairs: Sustained Management Attention Is Key to Achieving Information Technology Results


This is the accessible text file for GAO report number GAO-02-703 
entitled 'Veterans Affairs: Sustained Management Attention Is Key to 
Achieving Information Technology Results' which was released on June 
12, 2002.



This text file was formatted by the U.S. General Accounting Office 

(GAO) to be accessible to users with visual impairments, as part of a 

longer term project to improve GAO products’ accessibility. Every 

attempt has been made to maintain the structural and data integrity of 

the original printed product. Accessibility features, such as text 

descriptions of tables, consecutively numbered footnotes placed at the 

end of the file, and the text of agency comment letters, are provided 

but may not exactly duplicate the presentation or format of the printed 

version. The portable document format (PDF) file is an exact electronic 

replica of the printed version. We welcome your feedback. Please E-mail 

your comments regarding the contents or accessibility features of this 

document to Webmaster@gao.gov.



Report to the Chairman, Subcommittee on Oversight and Investigations, 

Committee on Veterans’ Affairs, House of Representatives:



June 2002:



Veterans Affairs:



Sustained Management Attention Is Key to Achieving Information 

Technology Results:



GAO-02-703:



June 12, 2002:



The Honorable Steve Buyer

Chairman, Subcommittee on Oversight and Investigations

Committee on Veterans’ Affairs

House of Representatives:



Dear Mr. Chairman:



On March 13, 2002, we testified before the Subcommittee on the 

Department of Veterans Affairs’ (VA) continuing actions to address 

critical weaknesses in its overall information technology (IT) 

program.[Footnote 1] In brief, we noted that VA had made important 

progress in raising corporate awareness of the department’s IT needs 

and in taking actions to improve key areas of IT performance. 

Nevertheless, the department has significant work to accomplish in 

order to use IT investments to improve mission performance. This report 

officially transmits recommendations that we are making to the 

Secretary of Veterans Affairs based on our work presented in our 

testimony. Prior to the testimony, we discussed the results of our 

review with VA officials, and they generally agreed with our findings. 

We performed our work from June 2001 through March 2002, in accordance 

with generally accepted government auditing standards.



In our testimony, we noted that VA had taken important steps in laying 

the groundwork for an integrated, departmentwide enterprise 

architecture--a blueprint for evolving its information systems and 

developing new systems that optimize their mission value--by 

establishing crucial executive support and a strategy to define 

products and processes essential to its development. VA also had 

strengthened its department-level information security program by 

requiring greater management accountability from senior executives, 

through mandated information security performance standards. In 

addition, Veterans Health Administration (VHA) managers and clinicians 

had shown good progress in expanding their use of the decision support 

system (DSS) to facilitate clinical and financial decisionmaking.



However, we also testified that many aspects of the department’s IT 

environment remained troublesome. For example, we noted the need for 

continued attention to instituting a sound program management 

structure, including a permanent chief architect and an established 

program office, to manage and advance the department’s enterprise 

architecture program. Further, VA’s efforts to establish a 

comprehensive information security management program required 

additional work to ensure that the department’s computer systems, 

networks, and sensitive veterans health care and benefits data were 

protected from unnecessary exposure to vulnerabilities and risks. The 

department continued to report pervasive computer security challenges, 

including access and other general control weaknesses.



Moreover, in pursuing critical information systems investments, the 

Veterans Benefits Administration had not addressed important concerns 

related to managing, defining requirements for, and testing software 

supporting the veterans service network compensation and pension 

replacement system initiative. In addition, as part of the government 

computer-based patient record (GCPR) initiative, VA had achieved 

limited progress in its joint efforts with the Department of Defense 

(DOD) and Indian Health Service (IHS) to create an interface for 

sharing data in their disparate health information systems. We noted 

that the scope of the project increasingly had been narrowed from its 

original objectives and that the initiative continued to proceed 

without a comprehensive strategy. Finally, while VHA managers and 

clinicians had continued to expand their use of DSS, VHA had not 

selected a permanent director to provide consistent management and 

oversight for the DSS program or fully staffed the DSS program office 

to support the system’s operation.



Collectively, these issues present continuing challenges for VA. It is 

paramount that VA’s leadership successfully address these matters in 

order to achieve a more stable, reliable, and modernized systems 

environment that can effectively support critical decisionmaking and 

operations and to realize better overall returns on the department’s IT 

investments. To assist the Subcommittee in its oversight role and to 

help the Secretary accomplish needed improvements, we are making 

recommendations based on the findings reported in our March testimony, 

which is reprinted in appendix I. In providing written comments on a 

draft of this report, the Secretary of Veterans Affairs concurred with 

our recommendations.



Recommendations for Executive Action:



Successful implementation of an enterprise architecture is essential 

for effectively and efficiently engineering business processes and for 

implementing and evolving their supporting information systems. Our 

experience with federal agencies has shown that attempting to modernize 

IT environments without an enterprise architecture to guide and 

constrain investments often results in systems that are duplicative, 

not well integrated, unnecessarily costly to maintain and interface, 

and ineffective in supporting mission goals.[Footnote 2] We therefore 

recommend that the Secretary take action to ensure that VA effectively 

develops, implements, and manages its enterprise architecture by 

instructing the department-level Chief Information Officer (CIO) to:



* expeditiously fill the position of chief architect with a full-time 

permanent employee who has the requisite core competencies needed for 

this position;



* immediately establish and adequately staff the enterprise 

architecture program management office;



* ensure that all critical process steps outlined in the federal CIO 

Council’s suggested guidance[Footnote 3] on managing the enterprise 

architecture program for (1) establishing management structure and 

control, (2) developing a baseline enterprise architecture, (3) 

developing a target enterprise architecture, (4) developing a 

sequencing plan to move from the baseline to the target architecture, 

(5) using the enterprise architecture to implement new projects, and(6) 

maintaining the enterprise architecture[Footnote 4] are sufficiently 

addressed and completed; and:



* integrate securities practices into the enterprise architecture.



Effectively securing VA’s information systems and telecommunications 

networks is vital to the department’s ability to safeguard its assets, 

maintain the confidentiality of sensitive veterans’ health and 

disability benefits information, and ensure the reliability of its 

financial data. Without a complete, comprehensive, and fully integrated 

computer security management program in place, VA will lack essential 

elements required to protect the department’s systems and networks from 

unnecessary exposure to vulnerabilities and risks. We therefore 

recommend that the Secretary take actions to complete a comprehensive 

and secure information systems environment by instructing the CIO, in 

conjunction with VA’s cyber security officer, to:



* implement all actions needed to complete a comprehensive security 

management program,[Footnote 5] including those related to (1) central 

security management functions, (2) security policies and procedures, 

(3) risk assessments, (4) security awareness, and (5) monitoring and 

evaluating computer controls;



* develop a process for managing the department’s updated security plan 

to include collecting and tracking performance data, ensuring 

management action when needed, and providing independent validation of 

reported issues; and:



* regularly report to the Secretary, or his designee, on progress in 

implementing VA’s security plan.



We further recommend that the Secretary enforce management 

accountability for information security by ensuring the consistent use 

of the mandated information security performance standards when 

appraising the department’s senior executives.



VA’s consistent and effective delivery of benefits payments is vital to 

fulfilling its service delivery obligations to our nation’s veterans. 

Accordingly, successful implementation of a system to replace the 

existing aging benefits delivery network is essential. We therefore 

recommend that, before the Secretary approves any new funding for the 

compensation and pension replacement system, he should ensure that 

actions have been taken to address our long-standing concerns regarding 

VBA’s development and implementation of this system by directing the 

Undersecretary for Benefits, in coordination with VBA’s CIO, to:



* appoint and direct a project manger to develop an action plan for and 

oversee a complete analysis of the current systems replacement 

initiative, to include (1) assessing and validating users’ requirements 

for the new system to ensure that business needs are met and (2) 

testing the system’s functional business and end-to-end processing 

capabilities to ensure that accurate and timely benefits payments are 

made;



* finalize and approve a revised compensation and pension replacement 

system strategy, based on the results of the analysis, and complete and 

implement an integrated compensation and pension replacement project 

plan;



* develop and implement an action plan to move VBA from the current to 

the replacement system; and:



* develop and implement an action plan to ensure that the benefits 

delivery network will be able to continue accurately processing 

benefits payments until the new compensation and pension system is 

deployed.



The original goal of the GCPR initiative was to provide VA, DOD, and 

IHS health care providers the capability to electronically share 

comprehensive patient information and thus improve the quality of care 

for patients. With the narrowing of the original objectives and the 

lack of a comprehensive strategy, GCPR’s ability to deliver expected 

benefits is in doubt. Moreover, VA still needs to implement the 

recommendations from our April 2001 report,[Footnote 6] which called 

for (1) designating a lead agency for the GCPR initiative and (2) 

developing detailed plans for the remainder of the endeavor. To make 

significant progress beyond the current strategy, we are additionally 

recommending that the Secretary instruct the VHA undersecretary and VHA 

CIO, in cooperation with DOD and IHS, to:



* revisit the original goals and objectives of the GCPR initiative to 

determine if they remain valid and where necessary, revise the goals 

and objectives to be aligned with the current strategy and direction of 

the project; and:



* commit the executive support necessary for adequately managing the 

project and ensure that sound project management principles are 

followed in carrying out the initiative.



VHA’s decision support system provides its managers and clinicians with 

data on patterns of patient care and patient health outcomes, and 

allows them to analyze resource allocation and determine the cost of 

providing health care services. We recommend that the Secretary take 

action to ensure continued progress in improving DSS operational 

efficiency and effectiveness and the realization of full clinical and 

financial benefits of the system by directing the Undersecretary for 

Health, in conjunction with VHA’s Chief Financial Officer, to:



* assign a permanent director to provide consistent management and 

oversight of the DSS program; and:



* fill the existing vacant positions in the DSS program office with 

individuals possessing the necessary skills to provide leadership and 

program direction for the overall DSS program.



Agency Comments and Our Evaluation:



In providing written comments on a draft of this report, the Secretary 

of Veterans Affairs concurred with our recommendations and stated that 

the department has initiated a number of actions to address them. These 

comments are reprinted in appendix II.



We are sending copies of this report to the Secretary of Veterans 

Affairs and to the Director, Office of Management and Budget, as well 

as to other interested parties. Copies will also be available at our 

Web site at www.gao.gov.



If you or your staff have any questions concerning matters discussed in 

this report, please contact me at (202) 512-6257, or Valerie Melvin, 

Assistant Director, at (202) 512-6304. We can also be reached by e-mail 

at:



mcclured@gao.gov and melvinv@gao.gov, respectively. Individuals making 

key contributions to this report included Dave Irvin, Tonia Johnson, 

Barbara Oliver, and J. Michael Resser.



Sincerely yours,



David L. McClure

Director, Information Technology Management Issues:



Signed by David L. McClure:



[End of section]



Appendix I: GAO’s March 13, 2002, Testimony:



[See PDF for image]



[End of section]



Appendix II: Comments from the Secretary of Veterans Affairs:



THE SECRETARY OF VETERANS AFFAIRS WASHINGTON:



MAY 23 2002:



Mr. David L. McClure:



Director, Information Technology Team U.S. General Accounting Office:



441 G Street, NW Washington, DC 20548:



Dear Mr. McClure:



The Department of Veterans Affairs (VA) has reviewed your draft report, 

VETERANS AFFAIRS: Sustained Management Attention is Key to Achieving 

Information Technology Results (GAO-02-703) and concurs with your 

recommendations. VA has actions underway and plans in development to 

implement the General Accounting Office (GAO) recommendations.



In addition to the information VA has already provided GAO on the 

actions taken in implementing the recommendations, it is worthy to note 

the progress made to date on the Government Computer Patient Records 

(GCPR) project. We believe the actions described in the enclosed fact 

sheet address all outstanding recommendations on this project.



Improving the quality of VA’s information technology services is a 

critical factor in providing quality service to our Nation’s veterans. 

The recommendations contained in your report, once implemented, will go 

a long way in helping VA enhance those services.



Thank you for the opportunity to comment on this draft report.



Sincerely yours,



Anthony J. Principi:



Signed by Anthony J. Principi:



Enclosure:



DEPARTMENT OF VETERANS AFFAIRS GOVERNMENT COMPUTER PATIENT RECORD 

(GCPR) ACCOMPLISHMENTS:



VA and the Department of Defense (DOD) have revisited the original 

goals and objectives of GCPR and established realistic goals and 

objectives for the future as documented in a May 3, 2002 Memorandum of 

Agreement (MOA) signed by VA’s Deputy Secretary and the Under Secretary 

for Personnel and Readiness, DOD. This MOA plus the plan for sharing 

medical information covered by the MOA were recently forwarded to you 

separately.



With respect to the issues raised in your April 2001 report on GCPR, 

the following actions have been taken:



*VA is the agreed “executive agent” for GCPR, per the May 3, 2002, MOA,



*A dedicated project manager was assigned September 2001, and:



*Project management oversight is provided by VA’s Chief Information 

Officer (CIO) as described below.



-In September 2001, the CIO reviewed the GCPR Near Term Solution (NTS) 

where a comprehensive testing schedule was developed to support the 

deployment of GCPR by June 2002.



-A deployment readiness review was conducted on April 26, 2002.



-All actions from both reviews are complete.



-GCPR NTS will be operational on Memorial Day.



May 2002:



[End of section]



FOOTNOTES



[1] U.S. General Accounting Office,VA Information Technology: Progress 

Made, but Continued Management Attention Is Key to Achieving Results, 

GAO-02-369T (Washington, D.C., March 13, 2002).



[2] U.S. General Accounting Office, Information Technology: Enterprise 

Architecture Use across the Federal Government Can Be Improved, GAO-02-

6 (Washington, D.C.: February 19, 2002).



[3] Chief Information Officer Council, A Practical Guide to Federal 

Enterprise Architecture, Version 1.0 (Washington, D.C., February 2001).



[4] Some examples of key actions yet to be performed by VA in 

developing, implementing, and using an enterprise architecture are 

highlighted in table 1 of appendix I.



[5] The actions still needed are highlighted in table 2 of appendix I.



[6] U.S. General Accounting Office, Computer-Based Patient Records: 

Better Planning and Oversight by VA, DOD, and IHS Would Enhance Data 

Sharing, GAO 01-459 (Washington, D.C., April 30, 2001).



GAO’s Mission:



The General Accounting Office, the investigative arm of Congress, 

exists to support Congress in meeting its constitutional 

responsibilities and to help improve the performance and accountability 

of the federal government for the American people. GAO examines the use 

of public funds; evaluates federal programs and policies; and provides 

analyses, recommendations, and other assistance to help Congress make 

informed oversight, policy, and funding decisions. GAO’s commitment to 

good government is reflected in its core values of accountability, 

integrity, and reliability.



Obtaining Copies of GAO Reports and Testimony:



The fastest and easiest way to obtain copies of GAO documents at no 

cost is through the Internet. GAO’s Web site ( www.gao.gov ) contains 

abstracts and full-text files of current reports and testimony and an 

expanding archive of older products. The Web site features a search 

engine to help you locate documents using key words and phrases. You 

can print these documents in their entirety, including charts and other 

graphics.



Each day, GAO issues a list of newly released reports, testimony, and 

correspondence. GAO posts this list, known as “Today’s Reports,” on its 

Web site daily. The list contains links to the full-text document 

files. To have GAO e-mail this list to you every afternoon, go to 

www.gao.gov and select “Subscribe to daily E-mail alert for newly 

released products” under the GAO Reports heading.



Order by Mail or Phone:



The first copy of each printed report is free. Additional copies are $2 

each. A check or money order should be made out to the Superintendent 

of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 

more copies mailed to a single address are discounted 25 percent. 

Orders should be sent to:



U.S. General Accounting Office



441 G Street NW,



Room LM Washington,



D.C. 20548:



To order by Phone: 	



	Voice: (202) 512-6000:



	TDD: (202) 512-2537:



	Fax: (202) 512-6061:



To Report Fraud, Waste, and Abuse in Federal Programs:



Contact:



Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov



Automated answering system: (800) 424-5454 or (202) 512-7470:



Public Affairs:



Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.



General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.



20548: