FDIC OIG: Audit Report 05-007 - Management Controls Over the Re-baselined New Financial Environment Project, February 18, 2005

Management Controls Over the Re-baselined
New Financial Environment Project

February 18, 2005
Audit Report 05-007

Purpose of Audit

The New Financial Environment (NFE) project is a major corporate initiative to enhance the FDIC's ability to meet current and future financial management and information needs. In 2001, the FDIC's Board of Directors approved the business case for NFE with a total estimated project cost of $40.7 million. In June 2004, the Board approved the business case to re-baseline the NFE project with additional funding of $18 million.

DOF management indicated that the NFE core financial system is scheduled for implementation by June 30, 2005, that is, functionality for accounts payable, accounts receivable, general ledger, budget, procurement, treasury management, projects, asset management, and reporting and portions of the cost management modules.

The objective of this audit was to determine whether the FDIC has established adequate management control over the re-baselined NFE project.

Results of Audit

However, project planning for NFE system implementation did not adequately cover post-installation activities as recommended by federal guidance. Specifically, the transition and data conversion plans and design documents do not provide policies and procedures or assignments of responsibility and accountability to ensure that post-installation tasks such as verifying data integrity, handling final disposition of the legacy system data, and monitoring of the first reporting cycle are adequately performed. The lack of planning for these activities limits the FDIC's preparedness for resolving problems and abnormalities that could affect reliability and availability of the operational NFE system.

Recommendations and Management Response

We recommended that the FDIC develop a plan or modify existing plans for NFE system implementation to address post-installation tasks and related controls, including policies, procedures, and assignments of responsibility and accountability.

FDIC management agreed with the recommendation and will expand NFE project planning to further address post-installation tasks and related controls.

Federally Recommended Post-installation Activities

Archiving master and transaction files

Archiving or warehousing closed account data

Confirming that converted data are functioning as designed

Performing post-conversion data clean-up

Assessing abnormalities that may appear

Reviewing how manual entries were handled

Verifying that edits function as designed

TABLE OF CONTENTS

BACKGROUND

Re-baselining of the NFE Project
Project Guidance
Planning for NFE System Implementation

RESULTS OF AUDIT

POST-INSTALLATION PLANNING FOR NFE SYSTEM IMPLEMENTATION

Guidance Related to Post-Installation Tasks Recommendation

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX II: PROJECT MANAGEMENT CONTROLS

APPENDIX III: CORPORATION COMMENTS

APPENDIX IV: MANAGEMENT RESPONSE TO THE RECOMMENDATION

TABLE

Post-installation Tasks and Related Controls

DATE: February 18, 2005

MEMORANDUM TO: Fred S. Selby, Director
Division of Finance

FROM: Russell A. Rau [Electronically produced version; original signed by Russell Rau]
Assistant Inspector General for Audits

SUBJECT: Management Controls Over the Re-baselined New Financial Environment Project
Report No. 05-007

This report presents the results of our audit of the management controls over the re-baselined New Financial Environment (NFE) project. This audit is the third ^{[ 1 ]} in a series of reviews, as detailed in Appendix I, that we intend to conduct at critical milestones or decision points during the development and implementation of the Federal Deposit Insurance Corporation's (FDIC) NFE.

The objective of this audit was to determine whether the FDIC has established adequate management control over the re-baselined NFE project. Appendix I describes in detail our objective, scope, and methodology.

BACKGROUND

The NFE project is a major corporate initiative to enhance the FDIC's ability to meet current and future financial management and information needs. The Director, Division of Finance (DOF), is the project's sponsor, and DOF is the lead division for NFE project management. The project involves implementing a new commercial-off-the-shelf software package to replace the FDIC's current financial systems. ^{[ 2 ]} The project also involves extensive re-engineering of the FDIC's business practices and integration of legacy systems and other systems under development. The FDIC considers the re-engineering of its business practices to be a critical factor in achieving the expected benefits of the NFE in terms of streamlining business processes and avoiding the high maintenance costs associated with software customization.

On December 10, 2001, the FDIC's Board of Directors approved the business case for NFE with a total estimated project cost of $40.7 million. ^{[ 3 ]} The FDIC executed a multi-year contract with Accenture, LLP (Accenture) ^{[ 4 ]} in October 2002 to replace its financial systems with PeopleSoft® financial management software. ^{[ 5 ]} The FDIC had planned to implement the core financial system on July 1, 2004. DOF management indicated that the NFE system functionality would include accounts payable, accounts receivable, general ledger, budget, procurement, treasury management, projects, asset management, reporting, and portions of the cost management modules. The enhanced cost management functionality was scheduled for implementation in 2005.

Re-baselining of the NFE Project

On June 28, 2004, the Board of Directors approved the business case to re-baseline the NFE project. The re-baselined case established new project implementation milestones and provided additional project funding to complete the initiative. Under the revised schedule, the NFE system will be implemented in three components. The core financial system is scheduled for implementation by June 30, 2005. The Budget Formulation/Receivership Service Billing/Enterprise Warehouse component and the cost management component are planned for implementation by September 30, 2005. The Board of Directors approved $18 million in additional funding to support the project costs associated with evaluation of the new system and changing business processes, renovation of legacy systems, new security and quality assurance mandates, and a contingency fund. As part of the re-baselining effort, 35 of the original 753 NFE requirements were deleted from the implementation scope. According to the re-baseline case, these 35 requirements were introducing functionality deemed to be of low value or not a priority of the impacted business area.

Project Guidance

To determine whether the FDIC had established management controls for developing a federal financial system, we used appropriate documents published by the Joint Financial Management Improvement Program (JFMIP). The JFMIP is a joint and cooperative undertaking of the U.S. Department of the Treasury, Government Accountability Office, Office of Management and Budget, and Office of Personnel Management, working in cooperation with each other and other agencies to improve financial management practices in government. We also used A Guide to the Project Management Body of Knowledge (PMBOK® Guide) published by the Project Management Institute (PMI). ^{[ 6 ]} Although the FDIC is not required to comply with the JFMIP guidance or the PMBOK® Guide, we used both as criteria in performing the audit because they contain sound and prudent practices for developing financial systems.

Planning for NFE System Implementation

The implementation of the NFE system affects many systems throughout the FDIC. Therefore, the deployment of the system will, in varying degrees, involve users from each division of the Corporation. The NFE project team has begun coordinating the transition activities with the business owners. These activities include understanding and documenting re-engineered business processes and preparing for data conversion.

To prepare for NFE implementation, Accenture has developed a Transition Plan and a Data Conversion Approach and Plan, which contain numerous interdependent tasks that must be performed for NFE system deployment. Some of these tasks include completing user procedures for the 23 key business operations, ensuring data integrity for 35 retiring systems and 23 interfacing systems, and conducting user acceptance testing for the core financial system. The Transition Plan defines the overall framework for the transition to the NFE. The plan lists the transition activities; stakeholder responsibilities; communication methods for stakeholders; NFE and other FDIC system interfaces; and the management, control, and reporting mechanisms for transition progress. The Data Conversion Approach and Plan presents the methodology for the conversion of data from the legacy systems to the PeopleSoft® applications. Although this plan is general in nature, more detailed design documents ^{[ 7 ]} for application-specific data conversions have been prepared.

The plans and design documents described above also defined activities for pre-conversion and cutover phases of data and system conversion. Pre-conversion activities include tasks prior to and leading up to the conversion, such as determining the scope and approach or method, developing the conversion plan, performing data clean-up and validation, ensuring data integrity, and conducting necessary analysis and testing. Cutover tasks to convert the legacy data to the new system include testing system process and data edits; testing system interfaces, both incoming and outgoing; managing the critical path of system implementation; supervising workload completion; and performing reconciliation.

Accenture is also developing and testing the Budgeting, Receivership Billing, Enterprise Warehouse, and cost management components for NFE. The modules will be deployed during the third quarter of 2005.

RESULTS OF AUDIT

The FDIC has established and implemented adequate management controls for the re-baselined NFE project. The FDIC has adopted project management best practices such as senior-management-level sponsorship and oversight and has conducted software quality assurance testing. Also, the FDIC is devoting considerable time and effort to manage the project, using status reports and frequent coordination meetings to track progress and discuss project issues. Appendix II identifies the various controls and activities that compose the project control framework. However, project planning for NFE system implementation did not cover post-installation activities. The lack of planning for these activities limits the FDIC's preparedness for resolving problems and abnormalities that could affect reliability and availability of the operational NFE system.

POST-INSTALLATION PLANNING FOR NFE SYSTEM IMPLEMENTATION

Post-installation activities as recommended in JFMIP guidance have not been adequately addressed. Specifically, the transition and data conversion plans and design documents do not provide policies and procedures or assignments of responsibility and accountability to ensure that post-installation tasks such as verifying data integrity, handling final disposition of the legacy system data, and monitoring of the first reporting cycle ^{[ 8 ]} are adequately performed. Without adequately planning for these activities, the FDIC risks not being prepared to promptly resolve problems or abnormalities that could occur after system implementation. Therefore, the reliability and availability of the NFE system to support the FDIC's financial operations could be adversely affected.

Guidance Related to Post-installation Tasks

According to the JFMIP White Paper, Financial Systems Data Conversion Considerations, dated December 2002, post-installation tasks are as important as any of the other conversion tasks included in the pre-conversion and cutover phases. After data conversion, the user is faced with a new system that may have new data input and edit requirements. There may also be changes in the business rules and processing methods. Therefore, users may need detailed guidance until they become familiar with all of the changes in data input, edit routines, and required adjustments. The JFMIP White Paper identifies the following post-installation tasks:

Archiving master and transaction files
Archiving or warehousing closed account data
Confirming that converted data are functioning as designed
Performing post-conversion data clean-up
Assessing abnormalities that may appear
Reviewing how manual entries were handled
Verifying that edits function as designed

Each of the post-installation tasks and related controls are described in detail in the table below.

Post-installation Tasks and Related Controls

Task Task Description and Related Control

Archiving master and transaction files
Description: In data conversion, archiving of master and transaction files requires the identification of the files for financial transactions such as the general ledger (account balances) and subsidiary ledgers (detail) from the legacy system(s) that will be converted to the new system. As data are converted into the new system, the files for legacy transactions are processed and stored in a secure medium and retained in accordance with FDIC and federal records policies.

Control: If the legacy system is to remain in production, established controls should prevent processing of transactions into the wrong system.

Archiving or warehousing closed account data
Description: Financial systems will have account transaction data that are closed, and no further transactions would be processed against the account.

Control: Closed transaction data need to be processed for storage and retained in accordance with FDIC and federal records policies on a secure medium that is accessible as needed for historical referencing.

Confirming that converted data are functioning as designed
Description: Data are converted from the legacy system to the new system.

Control: Post-installation procedures should include data validation in the new system to ensure that the converted data are complete and accurate and are processed according to set business rules.

Performing post-conversion data clean up
Description: Data clean-up is necessary to ensure that data conform to business rules and processes and are consistent and complete. Data clean-up is much easier to perform prior to deployment of the new system than after. However any of the following instances would constitute a need for data clean-up: erroneous and duplicative data, inactive transactions that should have been closed, open transactions with error conditions, suspended transactions, and other undesirable conditions.

Control: Data clean-up should occur before, during, and after data conversion.

Assessing abnormalities that may appear
Description: As part of the post-installation activities and into the first reporting cycle, abnormalities in transaction processing and reporting may occur. Both computer and financial systems analysts need to assess these abnormalities for cause, effect, and resolution.

Control: Changes made to correct problems should be controlled through a change management process.

Reviewing how manual entries were handled
Description: Manual entries are those entries that are not automatically processed by the system but require human intervention to ensure that the financial information is recorded in the system.

Control: A review of manual entries should consider the internal controls over the data processing to ensure data integrity and the consistency of such entries with system requirements and business rules.

Verifying that edits function as designed
Description: At times, during data conversion and loading, some edits may need to be turned off or not implemented so that the data conversion process can occur within a reasonable time frame. Any conversion methodology that requires bypassing system processes designed to perform data edit and validation must be given careful consideration. If data edits are turned off, only cleaned and tested data that meet all business rules and requirements should be processed in this environment.

Control: All transactions, whether entered manually or through an automated process, should be subjected to the same edit and validation procedures applied to any transaction.

Recommendation

With less than 5 months until the planned deployment of the NFE system, the NFE project team needs to ensure that post-installation tasks and related controls necessary for transition to the new system are adequately planned. Accordingly, we recommend that the Director, DOF:

Develop a plan or modify existing plans for the NFE system implementation to address post-installation tasks and related controls, including policies, procedures, and assignment of responsibility and accountability.

CORPORATION COMMENTS AND OIG EVALUATION

The Director, DOF, provided a written response on February 1, 2005 to the draft of this report. The response is presented, in its entirety, in Appendix III of this report.

DOF agreed with our recommendation and intends to expand NFE project planning to address post-installation tasks and related controls by March 31, 2005. Management's proposed actions are sufficient to resolve the recommendation. However, the recommendation will remain undispositioned and open for reporting purposes until we have determined that the agreed-to corrective actions have been completed and are effective. Appendix IV presents a summary of DOF's response to our recommendation.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to determine whether the FDIC has established adequate management controls over the re-baselined NFE project. Specifically, we reviewed the FDIC's controls over the project scope, schedule, cost, and quality and risk management practices.

Scope and Methodology

To accomplish our audit objective, we interviewed officials in Headquarters, DOF; the Division of Information Resources Management (DIRM); and the Office of Enterprise Risk Management (OERM), who are responsible for managing and implementing the NFE project. To become familiar with Accenture's control processes for managing and implementing the project, we spoke with representatives of Accenture, the consulting firm hired by the FDIC to provide implementation services for the NFE. Further, we attended NFE Steering Committee meetings and selected project briefings to observe certain aspects of the NFE control framework. We also reviewed key documents related to the NFE control framework, including the project plan, Transition Plan, Data Conversion Approach and Plan, quality management plan, risk management and mitigation plans, communication plan, deliverables schedule, the FDIC's Board of Directors case authorizing contract expenditure authority for the NFE, and relevant corporate correspondence.

The scope of our audit was limited to determining whether the FDIC had established a project control framework for the re-baselined NFE project.

Criteria

We relied on the JFMIP White Paper, Financial Systems Data Conversion Considerations, dated December 2002, and the PMI's PMBOK® Guide as the primary criteria for determining whether the FDIC had established a project control framework for the NFE.

The JFMIP White Paper supplements the JFMIP Framework for Federal Financial Management Systems regarding transitioning to a new financial management system. The guidance is intended to raise awareness of financial systems data conversion considerations that are to be addressed by financial management executives and project managers when planning or implementing a new financial management system. The guidance provides pre-conversion, cutover, and post-installation guidance to cover each phase of the data conversion process.

PMI has conducted extensive research and analysis in the field of project management and published the PMBOK® Guide in 2000. The PMBOK® Guide documents proven practices, tools, and techniques that have become generally accepted in the field of project management, including information systems development and implementation. The PMBOK® Guide is an approved standard of both the American National Standards Institute and the Institute of Electrical and Electronics Engineers.

Prior Audit Coverage

Prior to this audit, we issued the following reports related to the NFE.

Audit Report No. 03-045 entitled, New Financial Environment Scope Management Controls, dated September 29, 2003, which addressed whether the FDIC had implemented adequate controls for ensuring that the scope of the NFE project was effectively managed.

Audit Report No. 03-016 entitled, The New Financial Environment Project Control Framework, dated March 5, 2003, which addressed whether the FDIC had established a control framework for the NFE project.

Audit Report No. 03-002 entitled, Preaward Review of the New Financial Environment Project, dated October 7, 2002, which provided observations on selected procedures and documents related to the NFE Request for Proposal.

Evaluation Report No. 01-004 entitled, The New Financial Environment Project, dated December 7, 2001, which assessed the reasonableness of the NFE cost-benefit analysis and the financial systems architecture.

We conducted our audit work in Washington, D.C., and Dallas, Texas, from June 2004 through November 2004. We conducted our audit in accordance with generally accepted government auditing standards.

APPENDIX II

PROJECT MANAGEMENT CONTROLS

Project Controls

Description

Oversight

The NFE Principals group and NFE Steering Committee provide oversight to ensure the successful completion of the project. The NFE Principals group, composed of the Chief Financial Officer (CFO) and the directors of the divisions most affected by the NFE, keeps senior FDIC management informed of the project's progress. The NFE Steering Committee's purpose is to oversee the planning, development, and successful implementation of the core financial system. The Steering Committee meets every 2 weeks to discuss issues and receives progress reports from FDIC and Accenture NFE project managers.

Risk Management

The Director, OERM, is the risk manager responsible for ensuring that risks are closely monitored and controlled. The risk manager reports monthly to the CFO; Director, DOF; and NFE Steering Committee on indications that a significant risk event may occur. The Director, OERM, is charged with ensuring that the project team develops risk mitigation and contingency plans.

Organization

NFE management consists of two FDIC project managers who run the day-to-day technical, business, systems, and other aspects of the project. The NFE management team holds numerous regular meetings with various individuals involved in the NFE project. The NFE management team explained that these meetings served to keep the team members informed of the current status and involved in addressing issues as they arise.

Quality

The Corporate Quality Management Staff, DIRM, is conducting a series of independent testing of the NFE core financial system and the system interfaces.

Schedule

The NFE management team uses the System Integration Testing (SIT) Metrics Dashboard and the Interface Dashboard to track the project's progress during the testing phase. The SIT Metrics Dashboard displays the overall project indicators and lists the key SIT dates, major accomplishments in the current period, and open issues along with their impacts and the mitigating actions for each. The Interface Dashboard shows the current status of each interfacing system and the target dates for each step of the testing.

APPENDIX III

CORPORATE COMMENTS

[ D ]

[ D ]

APPENDIX IV

MANAGEMENT RESPONSE TO THE RECOMMENDATION

This table presents the management response made on the recommendation in our report and the status of the recommendation as of the date of report issuance. The information in this table is based on management’s written response to our report.


Corrective Action: Taken or Planned/Status	Expected Completion Date	Monetary Benefits	Resolved: ^{[ a ]} Yes or No	Dispositioned: ^{[ b ]} Yes or No	Open or Closed ^{[ c ]}

DOF agreed to a expand NFE project planning to further address post-installation tasks and related controls.	March 31, 2005		Yes	No	Open

^a Resolved –	(1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
	(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
	(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

^b Dispositioned - The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.

^c Once the OIG dispositions the recommendation, it can then be closed.