OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

RELIABILITY AND ACCURACY OF THE
SOCIAL SECURITY ADMINISTRATION’S
EXHIBIT 300 SUBMISSIONS TO
THE OFFICE OF MANAGEMENT AND BUDGET

September 2008

A-14-08-18018

AUDIT REPORT


Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: September 30, 2008 Refer To:

To: The Commissioner

From: Inspector General

Subject: Reliability and Accuracy of the Social Security Administration’s Exhibit 300 Submissions to the Office of Management and Budget (A-14-08-18018)

OBJECTIVE

Our objective was to determine whether the Social Security Administration’s (SSA) Exhibit 300 submissions to the Office of Management and Budget (OMB) for its Information Technology (IT) projects were based on reliable and accurate data and information.

BACKGROUND

Federal agencies are required to effectively manage their capital assets to ensure scarce public resources are wisely invested. OMB plays a key role in determining the amount the Government will spend for IT and how these funds will be allocated. A key component of OMB’s management and oversight of the IT budget process is the Capital Asset Plan and Business Case, also known as the Exhibit 300. OMB designed the Exhibit 300 as the one-stop document for many IT management issues, including business cases for investments, IT security reporting, modernization efforts and overall investment management. Exhibit 300 is used to help make important IT management decisions and choices.


Each year, Federal agencies submit Exhibits 300 to OMB for budget justification and to satisfy reporting requirements for all major IT investments. The Exhibit’s content should reflect controls agencies have established to ensure good project management, as well as show that they have defined cost, schedule, and performance goals. OMB relies on the accuracy and completeness of the information reported in the Exhibits 300 for budget decisionmaking. Exhibits 300, submitted at the end of Fiscal Year (FY) 2007, were for the FY 2009 budget request. In the FY 2007 Exhibit 300 submission, FY 2007 was considered the prior year, FY 2008 was the current year and FY 2009 was the budget year.

At SSA, the Offices of the Chief Information Officer (OCIO) and Systems (OS) manage and lead the Exhibit 300 preparation and review process. This process integrates the decisions of SSA’s IT capital planning and budgeting processes. In May of each year, project management teams from SSA’s major IT projects begin developing SSA’s Exhibits 300 for September submission to OMB.

We examined SSA's Exhibit 300 process and other related processes and reviewed the supporting documents of the following SSA FY 2007 Exhibit 300 submissions to OMB.

• Financial Accounting System (FACTS) project provides for the operation and maintenance of SSA’s official accounting system, the Social Security Online Accounting and Reporting System.
• Call Center Network Solution (Call Center) project replaces the current call center for SSA’s National 800 Network and provides for capability to handle increasing call volumes.
• Information Technology Operations Assurance (Second Data Center) project establishes a second data center to address the single point of failure risk of SSA’s current data center, National Computer Center.

For more methodology and background information, see Appendices B and C.


RESULTS OF REVIEW

Our review found several areas in the Exhibit 300 process that SSA could improve to increase the reliability and accuracy of the Agency’s submissions to OMB. Preparation of the Exhibit 300 is difficult and complex. SSA has leveraged its existing capital planning and budgeting, financial accounting, and project management processes and designed a collaborative system for Exhibit 300 reporting. This system involves many levels of reviews and requires extensive communication and cooperation among numerous components at different organizational levels. In addition, SSA developed capital programming policies and procedures that generally meet OMB’s requirements for project management and Exhibit 300 reporting.

However, we noted several areas that SSA could improve to ensure the Agency’s Exhibit 300 submissions are based on accurate and reliable data and information. Well supported and more accurate Exhibits 300 will enable OMB to make better decisions for SSA’s major IT projects. These areas were as follows.

• SSA Exhibits 300 did not always reflect best estimates of total project cost for its IT projects.
• Alternatives Analyses were not always performed properly.
• There were weaknesses in SSA’s security costs allocation process.
• Risk assessments were not always performed properly.
• SSA did not fully address some OMB Exhibit 300 questions.

SSA’S EXHIBITS 300 DID NOT ALWAYS REFLECT TOTAL PROJECT COSTS

SSA’s Exhibit 300 process did not ensure the total costs for its major IT projects were properly estimated and reported in Exhibits 300 to OMB. We found certain cost data for some of SSA’s major IT projects were not accurately reflected or properly estimated in the Exhibits 300 to OMB. For example, for one of the three projects we reviewed, we found $18.8 million in historical costs was not included in SSA’s submission to OMB. This amount is 14 percent of the total costs of the project currently reported to OMB.

SSA Processes Focus on Short-term Costs Rather Than Long-term Resource Needs

For each major IT project, agencies are required to provide the total estimated life-cycle costs (total costs) for the investment by completing the Summary of Spending for Project Phases table (spending table). This table includes accumulated historical costs and estimated costs for the project’s current and future years. SSA’s IT budgeting process focuses more on the amount of funds expected to be available in the near future for the projects. As a result, the total costs reported in SSA’s Exhibit 300 spending tables represent short-term (1-2 years) budget decisions rather than the long-term resource needs. OCIO IT budget staff stated that the out-year budgets are generally flat and serve as placeholders. We found that the estimated costs in Exhibits 300 represent the amounts approved by the OCIO. As a result, SSA’s process did not always ensure the costs reported in the Exhibits 300 represent the total resources needed to complete the project.

We found that estimated total costs for the Call Center project were based on an incomplete analysis. When SSA submitted the project budget to OMB, it had developed estimated total costs for three viable investment alternatives but had not decided which investment alternative to select. SSA used the highest priced alternative rather than the best ranked alternative as its basis for total costs estimation for the project. In addition, cost estimates were based on a 2005 study that noted the costs for the best ranked alternative were expected to drop sharply. As a result, the project’s estimated total costs provided to OMB could be significantly different from the actual resources required to complete the project. SSA staff stated the scope of the project is still subject to changes, and a budget based on the higher cost alternative would ensure the project is not under-funded in the future.

We found omissions in the budget amount computation for the Exhibit 300 of one of the three projects we reviewed. Costs for two planned tasks were not included for a project because of a manual error. In 2007, SSA implemented a new process to better account for total project costs. The process is still being refined and improved. SSA needs to ensure the spending summaries reported in Exhibits 300 represent both budget decisions and its best estimates for the total costs for the projects.

Weaknesses in the Historical Costs Accumulation

We identified two weaknesses in the area of historical costs. First, in response to our inquiries about historical costs accumulation, SSA staff identified an issue that they were not previously aware of with SSA’s Exhibit 300 reporting and data maintenance system called the Electronic Capital Planning and Investment Control (eCPIC) System. The system automatically dropped costs for years before 2001. For example, for SSA’s FACTS, we found $18.8 million in historical costs for planning was dropped and excluded as project costs. This amount represents 14 percent of total project costs reported to OMB and half of the planning cost of the project. SSA staff stated that this was an issue with the software and was shared by other Federal agencies that used the same software. The software administrators have resolved this issue. SSA will review its projects to ensure all dropped costs are recaptured in the system. SSA considered several alternatives before it selected eCPIC. According to SSA, eCPIC is the most economical solution among the alternatives considered. OMB recommended, but did not require the use of, eCPIC for the Exhibit 300 submission solution.

Second, OMB requires that Federal agencies report estimated total life-cycle costs in the Exhibits 300, including historical costs and future cost estimates. Each January, SSA revises all its Exhibits 300 to reflect prior year actual spending. This process ensures the Exhibits 300 accumulate accurate historical costs. However, this process does not include SSA’s Full-Time Equivalent (FTE) costs. SSA did not reflect the accurate level of costs spent in the prior years for the number of Government FTEs and their related costs. As a result, the historical costs for Government labor were not accurate.

Some of the issues with total project costs may arise because of the nature of SSA’s Exhibit 300 process. SSA’s IT capital planning covers only a 2-year period. SSA’s Exhibit 300 process is largely manual and uses data from various automated and non-automated systems and processes that are not fully integrated. To capture all cost elements related to an individual Exhibit 300 project, SSA staff manually combine component-level project data from various systems and data sources. This process is labor-intensive. See Appendix C for details.

To improve SSA’s Exhibit 300 process, SSA should further integrate its IT capital planning, budgeting, project management and reporting systems with its Exhibit 300 processes to minimize manual operations and adjustments. SSA also needs to ensure that OMB’s guidance is followed in an accurate and complete manner.

ALTERNATIVES ANALYSES WERE NOT ALWAYS PERFORMED PROPERLY

In selecting the best investment alternative for an IT project to improve current processes, OMB generally requires that agencies conduct cost-benefit analyses (CBA) for three viable alternatives in addition to the current process. OMB further requires that agencies analyze, identify, and compare total costs and benefits for each alternative as well as the costs and benefits for the current operation. The results of the comparison are to be reported to OMB in the Exhibit 300 for each major IT project. The goal of the Alternatives Analysis is to promote efficient resource allocation through well-informed decisionmaking by the Government.

The Alternatives Analyses conducted for the Call Center and Second Data Center projects were not properly performed, and both projects’ related Exhibit 300 sections were incomplete or not fully supported. Neither of the projects provided total cost and benefit estimates for their current operating process.

For example, SSA did not estimate the total benefits of the three alternatives for the Call Center project, as required by OMB. Instead, SSA reported the cost differences among the three alternatives as the benefit values for the three alternatives. Below is a summary of the Call Center project’s Alternatives Analysis results.

Call Center Project Alternatives Analysis Results Summary

Alternatives Analyzed   Total Estimated Costs (in millions)   Total Estimated Benefits (in millions)
Alternative 1           399                                   0
Alternative 2           367                                   32
Alternative 3           334                                   65

OMB recommends that agencies perform comprehensive analyses of different types of benefits and attempt to quantify the benefits identified. According to SSA, for the Call Center project, it determined the total estimated benefits by calculating the differences between the total estimated costs rather than actually assessing the benefits of the specific alternatives. For example, SSA determined the total estimated benefit for Alternative 2 of $32 million by calculating the difference between the total estimated costs of Alternatives 1 and 2 ($399 million minus $367 million). In addition to the issues with estimating project benefits, the Call Center project’s total cost estimates for the three alternatives were based on a 2005 study and susceptible to changes.

For the Second Data Center project, an Alternatives Analysis was not conducted in accordance with OMB guidance, and the estimated total costs and benefits reported in the Exhibit 300 were not fully supported by the documentation SSA provided. SSA conducted a cost-effectiveness analysis (CEA) instead of a CBA for the alternatives it identified for the Second Data Center Project. OMB allows the use of CEA when expected benefits are the same for all investment alternatives identified. A CEA compares only the total costs of the competing investment alternatives. An alternative is cost-effective if it has the lowest costs among the competing investment alternatives that provide the same benefits. On the other hand, a CBA compares net benefits (benefits minus costs) among competing investment alternatives.

The Second Data Center project is not a case that lends itself to the use of a CEA. SSA’s analysis considered a fully functional second data center and a fully configured hot site as providing the same benefits. These two scenarios, by definition, do not provide the same benefits. For example, the Second Data Center option would provide extra workload capacity throughout the year for routine operations. A hot site only provides coverage during a disaster recovery period.

Adequately prepared Alternatives Analyses are crucial for both SSA and OMB to make sound IT investment decisions. SSA needs to ensure Alternatives Analyses are performed according to OMB Circular A-94 and the analyses are properly documented for all major IT investments.

The Agency agreed with and began addressing our suggestions. SSA developed and conducted new Alternatives Analysis training. The new training materials and detailed Alternatives Analysis template generally met OMB’s requirement for Alternatives Analysis.

WEAKNESSES IN SECURITY COSTS ALLOCATION PROCESS

Our review found weaknesses in how security costs were allocated to individual projects. OMB requires that agencies identify project-specific IT security costs and integrate these costs into the overall costs of investment. For security management activities that support multiple applications, agencies should allocate the related costs to the impacted applications.

SSA has generally integrated project-specific security costs into the overall costs of its investment projects. SSA also allocates enterprise security costs to individual projects according to the number of workstations impacted by the individual projects. However, SSA management determines the basis of the allocation method, that is, the number of workstations impacted by each project, without proper support. For example, we found that OCIO determined there were 10,000 workstations (or users) impacted by 1 project. However, the system the project supported had only about 1,500 direct and indirect users according to the project management team. To ensure SSA accurately allocates security costs, we suggest SSA use the most accurate information available.

SSA has included system- or application-specific costs in the cost pool for allocation. We found that the Certification and Accreditation (C&A) costs were not being directly charged to specific projects but allocated to all projects. OMB requires that agencies perform C&As at least every 3 years or when significant changes are made for Federal information systems. SSA conducted C&As for 13 major applications and systems in FY 2007. Some of the C&As were directly traceable to SSA’s Exhibit 300 projects, such as FACTS, SSA Unified Measurement System and Title II Redesign, but these costs were still included in the allocation pool and distributed to all projects as enterprise security costs. As a result, the security costs allocated to individual projects were not as accurate as they should have been. SSA should only allocate costs for security activities that support multiple applications and systems.

RISK MANAGEMENT

We found that SSA did not complete the risk assessments per OMB criteria. OMB requires that agencies perform a risk assessment at the initial stage of a project and demonstrate active management of the risks throughout the life of the investment. Risk assessment must include 19 mandatory risk elements, such as schedule, costs, technology obsolescence, security, and project resources for IT investments. Agencies must discuss these risks and present plans to eliminate, mitigate, or manage them, with milestones and completion dates.


SSA has established risk management policies and procedures for its IT projects. However, the policies and procedures were not consistently followed. We found the following risk management weaknesses for the projects we reviewed.

• The FACTS project had a risk management plan that addressed the mandatory risk elements. However, the plan had not been updated since it was initially completed in FY 2005.
• The Second Data Center project team provided a repository of technical issues as the project’s risk management plan. However, it did not address critical risk elements required by OMB.

The Second Data Center project is one of the high-risk projects SSA reports to OMB. The project’s progress was delayed because the planned occupation of the facility was delayed by more than 1 year. When the project started, SSA should have had plans to handle risks related to such delays, as required by OMB for risk management. The risk management plan should have been documented and updated and used to adjust project cost estimates accordingly. SSA needs to ensure all projects comply with OMB’s risk management requirements and its own policy.

ADDRESSING EXHIBIT 300 QUESTIONS

SSA did not always fully address all the Exhibit 300 questions and requirements. OMB uses the Exhibit 300 questions as a management tool. OMB relies on the accuracy and reliability of the Exhibits 300 to make budget and management decisions. OMB requires that information reported in Exhibit 300 be supported by documentation and supporting documents be available upon request.

For example, certain responses to the questions were unsupported. One of the three Exhibit 300 projects we reviewed reported wrong percentage breakdowns of funding requests for hardware, software and services for FY 2009. One project used performance measures that were not measurable or were difficult to link to the Agency’s goal. OMB requires that performance measures be both measurable and linked to Agency goals. We found that SSA’s response and statement of its compliance with earned value management standards was not fully supported, and we identified a number of errors and omissions in the related Exhibit 300 section.

SSA’s Exhibit 300 process includes four phases of review and revision. However, this process needs to be improved to better prevent errors and ensure all answers are supported with documentation. This will help to improve the quality and integrity of the Exhibit 300. OMB has established a scoring method and has linked funding decisions with the quality of agencies’ Exhibit 300 submissions. SSA needs to implement controls to ensure its Exhibits 300 are free of errors and supported with complete documentation.

CONCLUSION AND RECOMMENDATIONS

The Exhibits 300 are required by OMB to determine what funds to provide SSA for its IT projects. We noted several areas in the process that SSA could improve to increase the reliability and accuracy of SSA's Exhibit 300 submissions to OMB.

SSA has leveraged its existing capital planning and budgeting, financial accounting, and project management processes and designed a collaborative system for Exhibit 300 reporting. This system involves many levels of reviews and requires extensive communication and cooperation among components at different organizational levels.

Our audit identified weaknesses and errors in different areas of SSA’s Exhibit 300 process that could be strengthened and improved. Specifically, (1) SSA’s Exhibit 300 did not always reflect best estimates of total project costs; (2) its Alternatives Analyses were not always performed and documented properly; (3) there were weaknesses in its security cost allocation process; (4) its risk management was not always performed properly; and (5) it did not always fully address some OMB Exhibit 300 questions.

Based on our review, we recommend that SSA:

1. Use the most accurate data and estimates available to prepare its Exhibits 300.
2. Ensure its summaries of spending for Exhibits 300 represent both budget decisions and its best estimates for the total costs for the IT projects.
3. Further integrate and automate its IT capital planning, budgeting, project management and reporting systems and processes to minimize manual operations and adjustments.
4. Conduct and document Alternatives Analyses according to Federal standards for all projects.
5. Allocate costs for security activities that support multiple applications and systems in an accurate and complete manner.
6. Comply with OMB’s risk management requirements and its own policy for all projects.
7. Implement controls to ensure its Exhibits 300 are free of errors and supported with complete documentation.

AGENCY COMMENTS

SSA agreed with all of our recommendations. The Agency also provided technical comments, which we considered and addressed as appropriate. See Appendix D for the text of SSA’s comments.

 

/s/
Patrick P. O’Carroll, Jr.


Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Background
APPENDIX D – Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

 


Appendix A
Acronyms

C&A                  Certification and Accreditation
Call Center          Call Center Network Solution
CBA                  Cost-Benefit Analysis
CEA                  Cost-Effectiveness Analysis
CIO                  Chief Information Officer
eCPIC                Electronic Capital Planning and Investment Control System
FACTS                Financial Accounting System
FTE                  Full Time Equivalent
FY                   Fiscal Year
IT                   Information Technology
ITAB                 Information Technology Advisory Board
IT Budget            Information Technology Systems Budget
OCIO                 Office of the Chief Information Officer
OIG                  Office of the Inspector General
OMB                  Office of Management and Budget
OS                   Office of Systems
Second Data Center   Information Technology Operations Assurance
Spending Table       Summary of Spending for Project Phases Table
SSA                  Social Security Administration
Total Costs          Life-Cycle Costs


Appendix B
Scope and Methodology

The objective of our review was to determine whether the Social Security Administration (SSA) Exhibit 300 submissions to the Office of Management and Budget (OMB) for its Information Technology (IT) projects were based on reliable and accurate data and information. Specifically, we evaluated the reliability and accuracy of SSA’s Exhibit 300 submissions to OMB.

To meet the objective of this audit, we reviewed relevant Federal laws, regulations and guidance. We reviewed SSA’s IT capital planning and budgeting and Exhibit 300 preparation processes. We reviewed and examined SSA policies, procedures, practices, internal controls and documentation, and conducted interviews with relevant SSA personnel as it related to Exhibit 300 submissions.

We reviewed the following Federal laws, regulations, and guidance:

• OMB Circular A-11, Part 2: Preparation and Submission of Budget Estimates, Section 53, Information Technology and E-government, and Part 7, Section 300: Planning, Budgeting, Acquisition and Management of Capital Assets, June 2005 and July 2007;
• OMB Capital Programming Guide Version 2.0, June 2006;
• OMB Circular A-94, Revised, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs, October 29, 1992;
• OMB Memorandum M-05-23, Improving Information Technology (IT) Project Planning and Execution, August 4, 2005;
• OMB Memorandum M-04-19, Information Technology (IT) Project Manager (PM) Qualification Guidance, July 21, 2004; and
• Federal Acquisition Regulation 7.105, Contents of written acquisition plans.

We reviewed SSA policies, procedures, and documents, including the following:

• SSA OMB Exhibit 300 preparation instruction package for FY 2007 submission;
• SSA Target Information Technology (IT) Capital Planning and Investment Control Process (CPIC) Guide;
• Related IT Budget Justifications and Exhibits 3 and Office of Chief Information Officer (OCIO) review summaries related to the three projects selected for review;
• SSA’s worksheets and data files for Exhibit 300 project cost calculations for Fiscal Years 2007 to 2009;
• SSA’s allocation worksheets for Agency-Wide Support Services Contract;
• SSA Information Technology Advisory Board meeting materials and minutes;
• Alternatives Analysis reports for projects selected for review; and
• Other supporting documents and data for the Exhibits 300 for the projects selected for review.

We contacted or interviewed SSA staff in the following components:

• OCIO, Office of Information Technology Investment Management;
• Office of Systems (OS), Budget Staff;
• OS, Earned Value Management Program Management Office;
• OS, Office of Telecommunications and Systems Operations;
• Office of the Chief Strategic Officer, Office of Chief Strategic Management; and
• Office of Budget, Finance and Management, Office of Financial Policy and Operations, Office of Financial and Administrative Systems.

Our audit focused on SSA’s 2007 Exhibit 300 submissions to OMB. SSA had 13 projects that required preparing and reporting an Exhibit 300. OMB requires the completion of different parts of Exhibit 300 for projects in different life-cycle stages. To ensure our audit properly covered different areas of OMB Exhibit 300, we examined a sample of three major IT projects for which SSA submitted Exhibits 300 to OMB in September 2007. Each of the projects selected was at a different life-cycle stage. The three projects were:

• Financial Accounting System (FACTS);
• Call Center Network Solution (Call Center); and
• Information Technology Operations Assurance (Second Data Center).

Among the 13 projects, SSA had only 1 new project, the Call Center, and 1 operating project, FACTS. There was 1 discontinued project and 10 mixed life-cycle projects. We selected the Second Data Center project among the 10 projects by considering the risks and costs involved in each individual project. For each of the three projects, we reviewed and examined the related Exhibits 300 dated September 10, 2007 and the supporting documents and data.


Our audit scope was limited to the determination of whether accurate and reliable data were used and whether SSA’s responses to Exhibit 300 questions were supported with proper documentation. We did not examine the underlying processes that generated the data or the documentation. For example, we did not examine SSA's Earned Value Management System and process or cost-benefit analysis process.

We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We conducted our field work at SSA Headquarters in Baltimore, Maryland, from October 2007 through March 2008.


Appendix C
Background

OFFICE OF MANAGEMENT AND BUDGET EXHIBIT 300

Federal agencies are required to effectively manage their capital assets to ensure scarce public resources are wisely invested. The Office of Management and Budget (OMB) plays a central role in determining the amount the Government plans to spend for information technology (IT) and how these funds are allocated. A key component of OMB’s management and oversight of the IT budget process is the Capital Asset Plan and Business Case, also known as the Exhibit 300. OMB designed the Exhibit 300 as the one-stop document for many IT management issues, such as business cases for investments, IT security reporting, Clinger-Cohen Act implementation, E-Gov Act Implementation, agencies’ modernization efforts and overall investment management.

Each year, Federal agencies submit Exhibits 300 to OMB for budget justification and to satisfy reporting requirements for all major IT investments. The Exhibit’s content should reflect controls that agencies have established to ensure good project management, as well as showing they have defined cost, schedule, and performance goals. OMB relies on the accuracy and completeness of the information reported in the Exhibits 300.

Exhibits 300 submitted at the end of Fiscal Year (FY) 2007 were for a FY 2009 budget request. For FY 2007 submitted Exhibits 300, FY 2007 was the prior year, FY 2008 was the current year and FY 2009 was the budget year.

SOCIAL SECURITY ADMINISTRATION PROCESSES RELATED TO EXHIBIT 300 PREPARATION

The Social Security Administration (SSA) leveraged its existing capital planning and budgeting, financial accounting, and project management processes and designed a collaborative system for Exhibit 300 reporting. This system involves many levels of review and requires extensive communication and cooperation among components at different organizational levels.

SSA’s Exhibit 300 preparation and review process integrates the decisions and results of its IT capital planning and budgeting processes. SSA has separate processes for planning IT staff resources and other IT costs such as hardware, software and services acquired outside the Agency. Many supporting documents for Exhibits 300 are generated during these processes. SSA uses data from various systems and sources in the Exhibit 300 preparation process.

The Information Technology Advisory Board Process

The planning process for IT staff resources is governed by SSA’s Information Technology Advisory Board (ITAB). The Agency’s ITAB is chaired by the Chief Information Officer (CIO), and its membership is comprised of the Deputy Commissioner for SSA, all Deputy Commissioners for the business components, as well as other Agency executives.

IT proposals by SSA components are first prioritized according to their importance in achieving SSA’s goals. The Office of Systems (OS) then consolidates these prioritized IT projects with IT staff resource estimates to propose to ITAB an Agency IT Systems Plan covering 2 FYs. The CIO-chaired ITAB reviews these projects and reaches agreement on the allocation of IT staff and contractor resources on a component project level. During the July 2007 ITAB meeting, SSA’s FYs 2007 and 2008 allocations of OS staff and contractor work years were approved and allocated to individual projects.

Information Technology Systems Budgeting Process

The Information Technology Systems budget (IT budget) includes hardware, software, and services. OS issues an IT budget call to all SSA components at the beginning of each FY. Components prepare IT Budget Justifications with detailed budget estimates for the next 6 years and submit them to OS for review. OS in turn submits all IT budget requests with its recommendation to the Office of the CIO (OCIO) for funding approval. OCIO staff reviews the IT budget requests and provides funding recommendations to the CIO for his final IT budget recommendations to SSA’s Commissioner.

SSA’s Exhibit 300 Preparation Process

SSA’s OCIO and OS manage and lead its Exhibit 300 preparation and review process. SSA’s Exhibit 300 preparation and review process integrates the decisions of its IT capital planning and budgeting processes.

OCIO and OS work together to provide assistance, guidance and training to project management teams that are directly responsible for Exhibit 300 preparation. Each May, project management teams from SSA’s major IT projects begin developing SSA’s Exhibits 300 for the September submission to OMB. In the beginning of the Exhibit 300 process, OCIO and OS send out detailed preparation instructions and guidance; provide expertise support; and provide OMB guidance updates and training to project teams. In addition, OCIO and OS conduct four runs of review and discussion sessions for each of the Exhibit 300 projects before OMB submission.

Systems and Data Sources for Exhibit 300 Preparation Process

SSA’s Exhibit 300 process uses data and inputs from a variety of systems and sources. These include the financial accounting system, capital planning and budgeting systems, project management systems and manually maintained worksheets and data records. For example, to provide data to the Summary of Spending for Project Phases table of Exhibit 300 (spending table), OCIO budget staff use and refer to the following data from different sources, including:

• actual expenditure data from Social Security Online Accounting and Reporting System, SSA’s official accounting system;
• actual OS labor hours from Resources Accounting System;
• planned work years for approved OS work years and contractor work years from Systems Planning and Reporting System;
• manually maintained records of approved budgets for Information Technology System budgets;
• manually maintained allocation worksheets for security costs and some contractor services;
• non-Systems labor work years from separately provided data files;
• budget information from Automated Procurement Requisition System;
• historical data from Electronic Capital Planning and Investment Control, an application used for OMB Exhibit 300 preparation and recordkeeping; and
• Earned Value Management reports.

OCIO IT budget staff conducts intensive manual inputs, matching and adjustments to place the right amounts to the right projects and to the right year. This information is manually maintained and updated in an Excel file that calculates the numbers for the Exhibit 300 spending table of a project.


Appendix D
Agency Comments


MEMORANDUM

Date: September 11, 2008
Refer To: S1J-3

To: Patrick P. O'Carroll, Jr.
Inspector General

From: David V. Foster /s/
Executive Counselor to the Commissioner

Subject: Office of the Inspector General (OIG) Draft Report, “Reliability and Accuracy of the Social Security Administration’s Exhibit 300 Submissions to the Office of Management and Budget” (A-14-08-18018)--INFORMATION

We appreciate OIG’s efforts in conducting this review. Attached is our response to the recommendations.

Please let me know if we can be of further assistance. Please direct staff inquiries to
Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

Attachment
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, “RELIABILITY AND ACCURACY OF THE SOCIAL SECURITY ADMINISTRATION’S EXHIBIT 300 SUBMISSIONS TO THE OFFICE OF MANAGEMENT AND BUDGET” (A-14-08-18018)

Thank you for the opportunity to review and provide comments on this draft report.

Recommendation 1

Use the most accurate data and estimates available to prepare Exhibits 300.

Comment

We agree in principle. Clearly Exhibits 300 should contain the most accurate data and estimates available at the time they are prepared. In practice, the workyear and information technology (IT) systems data we use are based on the Information Technology Advisory Board (ITAB) decisions made in late July or early August. We then make adjustments as a result of management or Office of Management and Budget (OMB) decisions through January updates to OMB. The examples OIG cites reflect software and clerical errors that we corrected upon discovery. We’ve added reviews to help ensure we discover and correct these types of errors in a timely manner. The audit report also cites an instance where estimates were based on the most expensive alternative rather than the one selected. However, we believe this was a valid risk-mitigating business decision.

Recommendation 2

Ensure summaries of spending for Exhibits 300 represent both budget decisions and best estimates for the total costs for IT projects.

Comment

We agree in principle. The purpose of the Exhibit 300 is to justify project funding through the President’s budget year. OMB guidance (Circular A-11, Section 330.8) states, “The Exhibit 300 is one component of your agency’s total performance budget justification… OMB uses the Exhibit 300 to make both quantitative decisions about budgetary resources consistent with the Administration’s program priorities and qualitative assessments about whether the agency’s programming processes are consistent with OMB policy and guidance.” OMB specifically considers resource estimates beyond the budget year request to be for planning purposes only. OMB makes it clear that the emphasis of the Exhibit 300 is on the budget planning timeframe, though our practice was always to use the best estimates available for years beyond the budget year. However, it is the prerogative of ITAB to define the scope of major investments through its decisions. It would be inappropriate for any other agency to define initiatives beyond the standing ITAB decisions. In cases where we establish scope (e.g. major contract-driven initiative such as the Telephone Systems Replacement Project), outyear spending patterns are well defined and reflected in the Exhibit 300, but given the volatility of our project environment (new legislation, new directives, competing priorities, etc.) it is difficult to accurately predict these costs.

Recommendation 3

Further integrate and automate IT capital planning, budgeting, project management and reporting systems and processes to minimize manual operations and adjustments.

Comment

We agree. We have an ongoing effort to refine and enhance our IT capital planning, budgeting, project management, and reporting processes. We expect it to continue. We will continue to look for ways to improve in this area. We do not necessarily agree that automation is the answer. While we have various automation initiatives underway, we believe it is more a process integration issue than an automation issue.

Recommendation 4

Conduct and document the Alternatives Analysis according to Federal standards for all projects.

Comment

We agree. We should improve the way we conduct Alternatives Analyses. Earlier this year, we contracted with Booz-Allen-Hamilton (BAH) to conduct Alternatives Analysis training for all OMB 300 project managers. All project managers now use a template provided by BAH as a guide for developing and documenting their Alternatives Analysis. Currently BAH either prepares or reviews all Alternatives Analyses.

Recommendation 5

Allocate costs for security activities that support multiple applications and systems in an accurate and complete manner.

Comment

We agree. We believe we account for security costs accurately and agree with the recommendation regarding the distribution of certification and accreditation costs. We attribute Project-specific security costs to the projects to which they apply. We also distribute Enterprise-level security costs by a formula that uses the estimated number of workstations affected by each major project. We frequently revise workstation estimates as better information becomes available.

Recommendation 6

Comply with OMB’s risk management requirements and our policy for all projects.


Comment

We agree in principle. We monitor each Exhibit 300 for compliance and require risk management plans. The audit report cites two projects that lacked risk management plans. The Information Technology Operations Assurance (Second Data Center) had a risk management plan, but it was lacking some critical risk factors. In January 2008, we corrected the projects prior to the resubmission of the Exhibit 300 to OMB. The other project, Financial Accounting System (FACTS), had a risk management plan. Our review of the plan was done timely. The fact that no changes were necessary (it is a steady-state project) may not have been clearly communicated.

Recommendation 7

Implement controls to ensure Exhibits 300 are free of errors and supported with complete documentation.

Comment

We agree in principle. As your report recognizes that we already have controls in place, we infer that your recommendation refers to improving our existing controls. At the conclusion of each annual Exhibit 300 development process, we conduct lessons-learned sessions and implement the best ideas from these sessions. For example, earlier this year we began a SharePoint site for collecting all artifacts required to support the Exhibit 300s. We also agree with the audit finding regarding the lack of compliance reviews or annual surveillance reviews. Lack of funding prevents us from carrying out this OMB requirement.

 

[In addition to the information listed above, SSA also provided technical comments which have been considered and addressed where appropriate, in this report.]


Appendix E
OIG Contacts and Staff Acknowledgments
OIG Contacts

Kitt Winter, Director, Information Technology Audit Division, (410) 965-9702

Phil Rogofsky, Audit Manager, Information Technology Division, (410) 965-9719

Acknowledgments

In addition to those named above:

Grace Chi, Auditor-in-Charge

Tina Nevels, Auditor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number A-14-08-18018.


DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board


Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.