This is the accessible text file for GAO report number GAO-07-865 
entitled 'Information Technology: Treasury Needs to Strengthen Its 
Investment Board Operations and Oversight' which was released on July 
865, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

GAO: 

July 2007: 

Information Technology: 

Treasury Needs to Strengthen Its Investment Board Operations and 
Oversight: 

GAO-07-865: 

GAO Highlights: 

Highlights of GAO-07-865, a report to congressional requesters 

Why GAO Did This Study: 

The Department of the Treasury relies extensively on information 
technology (IT) to carry out its mission. For fiscal year 2007, 
Treasury requested about $2.8 billion—the third largest planned IT 
expenditure among civilian agencies. GAO’s objectives included (1) 
assessing Treasury’s capabilities for managing its IT investments and 
(2) determining any plans the agency has for improving its 
capabilities. GAO used its IT investment management framework (ITIM) 
and associated methodology to address these objectives, focusing on the 
framework’s stages related to the investment management provisions of 
the Clinger-Cohen Act of 1996. 

What GAO Found: 

While Treasury has established many of the capabilities needed to 
select, control, and evaluate its IT investments, the department has 
significant weaknesses that hamper its ability to effectively manage 
its investments. Specifically, the department has executed 19 of the 38 
key practices that the ITIM requires to build a foundation for IT 
investment management (Stage 2), including practices needed to ensure 
that projects support business needs and that a disciplined process 
exists for capturing investment information. In addition, the 
department has executed 11 of the 27 key practices required to manage 
investments as a portfolio (Stage 3), including documenting policies 
and procedures for conducting postimplementation reviews (see table). 
However, Treasury does not have an executive investment review board—a 
group of executives from IT and business units that is intended to be 
the final decision-making authority—that is actively engaged in the 
investment management process. In addition, the department does not 
have any policies and procedures for managing its nonmajor investments, 
although they represent almost 70 percent of the total number of 
investments. Until the department addresses these weaknesses, it will 
not have the investment management structure needed to effectively 
assess and manage the risks associated with its multibillion-dollar 
portfolio. 

To its credit, Treasury has initiated efforts to improve its investment 
management process. For example, it has recently implemented a process 
for identifying major projects that should receive additional 
oversight. However, the department has not developed a comprehensive 
improvement plan that (1) is based on an assessment of strengths and 
weaknesses; (2) specifies measurable goals, objectives, and milestones; 
(3) specifies needed resources; (4) assigns clear responsibility and 
accountability for accomplishing tasks; and (5) is approved by senior-
level management. GAO has previously reported that such a plan is 
instrumental in helping agencies coordinate and guide improvement 
efforts. Until Treasury develops this plan and the controls for 
implementing it, the department risks not being able to put in place an 
effective management process that will provide appropriate executive-
level oversight for minimizing risks and maximizing returns. 

Table: Treasury's IT Investment Management Capabilities: 

Source: GAO. 

[End of table] 

What GAO Recommends: 

To further strengthen Treasury’s investment management capability, GAO 
recommends that the department develop and implement a plan to 
establish an executive investment review board and policies and 
procedures to manage nonmajor investments and address the other 
weaknesses GAO identified. In e-mail comments on a draft of this 
report, Treasury stated that the report reflects both Treasury’s 
shortcomings as well as progress to date and recognized the need to 
take proactive steps to strengthen its investment board operations and 
oversight of information technology resources and programs. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-865]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact David Powner at (202) 512-
9286 or pownerd@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Treasury Has Established Many Key Practices for Managing Its 
Investments, but Has Key Weaknesses with Its Board Operations and 
Investment Oversight: 

Treasury Does Not Have a Comprehensive Plan to Guide Its Improvement 
Efforts: 

Treasury CIO's Role in Managing IT Investments Has Been Mixed: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Governance Roles and Responsibilities: 

Table 2: Stage 2 Critical Processes--Building the Investment 
Foundation: 

Table 3: Summary of Results for Stage 2 Critical Processes and Key 
Practices: 

Table 4: Instituting the Investment Board: 

Table 5: Meeting Business Needs: 

Table 6: Selecting an Investment: 

Table 7: Providing Investment Oversight: 

Table 8: Capturing Investment Information: 

Table 9: Stage 3 Critical Processes--Developing a Complete Investment 
Portfolio: 

Table 10: Summary of Results for Stage 3 Critical Processes and Key 
Practices: 

Table 11: Defining the Portfolio Criteria: 

Table 12: Creating the Portfolio: 

Table 13: Evaluating the Portfolio: 

Table 14: Conducting Postimplementation Reviews: 

Table 15: CIO Involvement in Performing Investment Management 
Responsibilities: 

Figures: 

Figure 1: Treasury Organizational Chart (condensed): 

Figure 2: CPIC Process: 

Figure 3: ITIM Stages of Maturity: 

Abbreviations: 

CADE: Customer Account Data Engine: 
CIO: chief information officer: 
CPIC: Capital Planning and Investment Control: 
EA: enterprise architecture: 
E-board: Treasury Executive Investment Review Board: 
EVMS: earned value management system: 
FinCEN: Financial Crimes Enforcement Network: 
IRS: Internal Revenue Service: 
IT: information technology: 
ITIM: information technology investment management framework: 
OA: operational analysis: 
OCIO: Office of the Chief Information Officer: 
OMB: Office of Management and Budget: 
PIR: postimplementation review: 
SaBRe: Savings Bond Replacement System: 
TFIN: Treasury Foreign Intelligence Network: 
TIRB: Technical Investment Review Board: 
TRACS: Treasury Receivable, Accounting, and Collection System: 

United States Government Accountability Office: 
Washington, DC 20548: 

July 23, 2007: 

The Honorable Richard J. Durbin: 
Chairman: 
The Honorable Sam Brownback: 
Ranking Member: 
Subcommittee on Financial Services and General Government: 
Committee on Appropriations: 
United States Senate: 

The Honorable Christopher S. Bond: 
United States Senate: 

The Department of the Treasury relies extensively on information 
technology (IT) to carry out its responsibility of promoting the 
economic and financial prosperity and security of the United States. 
For fiscal year 2007, the department plans to spend about $2.8 billion-
-the third largest planned IT expenditure among civilian 
agencies.[Footnote 1] Given the size and significance of the 
department's IT investments, you asked us to (1) assess Treasury's 
capabilities for managing its IT investments, (2) determine any plans 
the agency has for improving its capabilities, and (3) evaluate the 
Chief Information Officer's (CIO) role in managing the department's IT 
investments. We used our IT investment management framework (ITIM) and 
associated methodology to address these objectives, focusing on the 
framework's stages related to the investment management provisions of 
the Clinger-Cohen Act of 1996.[Footnote 2] 

We performed our work from August 2006 through July 2007 in accordance 
with generally accepted government auditing standards. Appendix I 
contains details about our objectives, scope, and methodology. 

Results in Brief: 

While Treasury has established many of the capabilities needed to 
select, control, and evaluate its IT investments, the department has 
significant weaknesses that hamper its ability to effectively manage 
its investments. Specifically, the department has executed 19 of the 38 
key practices that the ITIM requires to build a foundation for IT 
investment management, (Stage 2) including practices needed to ensure 
that projects support business needs and that a disciplined process 
exists for capturing investment information. In addition, the 
department has executed 11 of the 27 key practices required to manage 
investments as a portfolio (Stage 3), including documenting policies 
and procedures for conducting postimplementation reviews. However, 
Treasury does not have an executive investment review board--a group of 
executives from IT and business units that is intended to be the final 
decision-making authority--that is actively engaged in the investment 
management process. In addition, the department does not have any 
policies and procedures for managing its nonmajor investments, although 
they represent almost 70 percent of the total number of investments. 
Until the department addresses these weaknesses, it will not have the 
investment management structure needed to effectively assess and manage 
the risks associated with its multibillion-dollar portfolio. 

To its credit, Treasury has initiated efforts to improve its investment 
management process. For example, it has recently implemented a process 
for identifying major projects that should receive additional 
oversight. However, the department has not developed a comprehensive 
improvement plan that (1) is based on an assessment of strengths and 
weaknesses; (2) specifies measurable goals, objectives, and milestones; 
(3) specifies needed resources; (4) assigns clear responsibility and 
accountability for accomplishing tasks; and (5) is approved by senior- 
level management. We have previously reported that such a plan is 
instrumental in helping agencies coordinate and guide improvement 
efforts. Treasury officials recognize the value of having a 
comprehensive plan and told us they plan to develop one once their new 
assistant secretary for management is confirmed; however, a time frame 
for completing the plan has not been established. Until Treasury 
develops this plan and the controls for implementing it, the department 
risks not being able to put in place an effective management process 
that will provide appropriate executive-level oversight for minimizing 
risks and maximizing returns. 

The Treasury CIO's role in managing the department's IT investments has 
been mixed---though it has gradually increased since September 2005, 
when the department's investment management policy was issued. 
Specifically, some responsibilities have been fully performed, some 
have been partially performed, and others have not been performed. 

To further strengthen Treasury's investment management capability, we 
are recommending that the department develop and implement a plan to 
establish an executive investment review board, develop policies and 
procedures to manage nonmajor investments, and address the other 
weaknesses we identified in this report. 

In e-mail comments on a draft of this report, the Acting CIO stated 
that the report reflects both Treasury's shortcomings as well as 
progress to date and recognized the need to take proactive steps to 
strengthen its investment board operations and oversight of information 
technology resources and programs. Treasury also agreed with the need 
for an executive investment review board that is actively engaged in 
the investment management process and noted that nonmajor investments 
have not been a priority because the major investments the department 
has chosen to devote its resources to represent the more significant 
portion of the portfolio in terms of dollar value, visibility to OMB 
and Congress, and importance to Treasury's mission. Treasury also 
commented on the department's authority to redirect funding from one 
Treasury bureau to another. We incorporated these comments into our 
report where appropriate. 

Background: 

Treasury's Mission and Organizational Structure: 

The Department of the Treasury is the primary federal agency 
responsible for the economic and financial prosperity and security of 
the United States, and as such is responsible for a wide range of 
activities, including advising the President on economic and financial 
issues, promoting the President's growth agenda, and enhancing 
corporate governance in financial institutions. 

To accomplish its mission, Treasury is organized into departmental 
offices and operating bureaus. The departmental offices are primarily 
responsible for the formulation of policy and management of the 
department as a whole, while the nine operating bureaus--including the 
Internal Revenue Service and the Bureau of Engraving and Printing-- 
carry out the specific functions assigned to Treasury. Figure 1 shows 
the organizational structure of the department. 

Figure 1: Treasury Organizational Chart (condensed): 

[See PDF for image] 

Source: Department of the Treasury. 

[End of figure] 

Treasury's Use of Information Technology: 

Information technology plays a critical role in helping Treasury meet 
its mission. For example, the Internal Revenue Service relies on 
information systems to process tax returns, account for tax revenues 
collected, send bills for taxes owed, issue refunds, assist in the 
selection of tax returns for audit, and provide telecommunications 
services for business activities, including the public's toll-free 
access to tax information. To modernize the systems it relies on to 
carry out these functions, Treasury is engaged in a Business Systems 
Modernization program. 

Treasury requested $11.4 billion in the President's fiscal year 2007 
budget. Of this amount, the department estimates it will spend 
approximately $2.8 billion for 235 IT investments--some $2.3 billion 
(about 80 percent) for 75 major investments and some $480 million 
(about 20 percent) for 160 nonmajor investments. 

Prior Reviews on IT Management Issues at Treasury: 

Since mid-1999, we have been reviewing the Internal Revenue Service's 
(IRS) progress in implementing its Business Systems Modernization 
program as part of our reviews of the service's associated expenditure 
plans.[Footnote 3] Our reviews have identified a number of weaknesses 
in IRS's modernization management controls and capabilities and, over 
the years, we have made numerous recommendations to address these 
weaknesses. IRS has addressed many of our recommendations; however, 
several weaknesses remain. 

In January 2004, we reported[Footnote 4] as part of a governmentwide 
review, that Treasury had significant weaknesses in investment 
management. We noted, for example, that the department had neither 
developed a capital planning and investment control guide nor developed 
work processes and procedures for the agency's IT investment management 
board. In addition, Treasury had not documented the alignment and 
coordination of responsibilities of its various boards for decision 
making related to investments, including the criteria for which 
investments--including crosscutting investments--were to be reviewed by 
the executive investment review board. We also reported that Treasury 
did not have a department-level control process; instead, each bureau 
could conduct its own reviews that address the performance of its IT 
investments and corrective actions for underperforming projects. We 
made several recommendations to address the weaknesses we identified. 
Treasury concurred with our recommendations, stating that it recognized 
its shortcomings and was working to correct them. 

In July 2006,[Footnote 5] we reported on Treasury's Financial Crimes 
Enforcement Network's (FinCEN) BSA Direct Retrieval and Sharing 
project, a nonmajor investment,[Footnote 6] noting that FinCEN did not 
always apply effective investment management processes to oversee this 
project. We recommended that the director of FinCEN direct its CIO to 
develop a plan for improving the agency's capabilities for overseeing 
this project. FinCEN officials concurred with our findings and 
recommendation. 

In January 2007, in an update to our high-risk series report on the 
Internal Revenue Service's Business Systems Modernization,[Footnote 7] 
which we first designated as high-risk in 1995, we reported that while 
the Internal Revenue Service had made progress in reducing risk with 
systems modernization and financial management, improvements made have 
not been sustained long enough to provide confidence that the program 
is fully stable. We also reported that many challenges remain, 
including improving processes for designing, developing, and delivering 
modernized IT systems. 

Several of Treasury's projects have been deemed to be poorly planned 
and managed by the Office of Management and Budget (OMB) and have 
warranted inclusion on OMB's Management Watch and High Risk 
Lists.[Footnote 8] 

Role of Department CIO in Investment Management: 

The Clinger-Cohen Act of 1996 requires agency heads to designate the 
CIO to lead reforms to help control system development risks; better 
manage technology spending; and achieve real, measurable improvements 
in agency performance through better management of information 
resources.[Footnote 9] The agency head, through the department-level 
CIO, is responsible for providing leadership and oversight for 
foundational critical processes by ensuring that written policies and 
procedures are established, repositories of information are created 
that support investment decision making, resources are allocated, 
responsibilities are assigned, and all of the activities are properly 
carried out where they may be most effectively executed. 

Treasury's Approach to Investment Management: 

Treasury's IT investment management process is to provide the framework 
for decision making and accountability required to ensure IT 
investments meet the strategic and business objectives of the 
department in an efficient and effective manner. In carrying out this 
process, the department makes a distinction between its major and 
nonmajor investments, to determine the extent and scope of the 
department's investment management oversight and the level of reporting 
requirements. 

An IT investment is classified as major if it meets at least one of the 
following criteria:[Footnote 10] 

* requires special management attention because of its importance to 
the mission or function of the agency, a component of the agency or 
another organization; 

* is for financial management and obligations of more than $500,000 
annually; 

* has significant program or policy implications; 

* has high executive visibility; 

* has high development, operating, or maintenance costs; 

* has total life-cycle costs exceeding $50 million; 

* has an annual budget of $5 million or more; or: 

* significantly impacts more than one bureau. 

Investments that do not meet at least one of these criteria are 
considered to be nonmajor investments. 

Several groups and individuals play a role in the department's process 
to manage its IT investments at the department and bureau levels. They 
are involved in all aspects of the process, including reviewing and 
approving proposed investments, monitoring the investments through 
implementation, and evaluating the investments once they become 
operational. Table 1 identifies the groups and individuals that have a 
role in this process and shows their composition and responsibilities. 

Table 1: Governance Roles and Responsibilities: 

Governance entity: Treasury Executive Investment Review Board; (E- 
Board)[A]; 
Membership/description: Chaired by Treasury Deputy Secretary; co-vice-
chaired by Treasury CIO and Assistant Secretary for Management; 
membership consists of bureau heads; 
Example of responsibilities: 
* Approves and governs major investments; 
* Ensures proposed investments (IT and non-IT investments) meet 
strategic, business, and technical objectives; 
* Reviews periodic investment updates provided by Technical Investment 
Review Board; 
* Makes final decision to continue, modify, or terminate an investment 
that is outside of a plus or minus 10 percent cost/schedule variance; 
* Makes final decision for inclusion of investments in Treasury's IT 
portfolio. 

Governance entity: Technical Investment Review Board (TIRB); 
Membership/description: Chaired by Treasury CIO: membership consists of 
bureau CIOs; 
Example of responsibilities: 
* Makes recommendations on technical and funding matters to the E-
board; 
* Recommends policy on Capital Planning and Investment Control (CPIC), 
shared infrastructure, enterprise architecture, and security issues; 
* Conducts periodic reviews of the portfolio and key investments; 
* Evaluates major investment adherence to Treasury and OMB capital 
planning criteria; 
* Assesses investment alignment with Treasury's architecture and 
procurement standards. 

Governance entity: IT Governance subcouncils; 
Membership/description: Membership consists of four standing 
committees--Capital Planning, Enterprise Architecture, Security, and 
Telecommunications; 
Example of responsibilities: 
* Acts as liaison between the CIO and the bureaus to communicate and 
assist in the implementation of standards and guidelines; 
* Provides input into the development of departmentwide standards for 
CPIC, Enterprise Architecture (EA), and security; 
* Supports TIRB by providing leadership in formulating and implementing 
CPIC policies and programs; 
* Provides a forum for bureaus to discuss CPIC issues and requirements 
and make recommendations to TIRB. 

Governance entity: Treasury Capital Planning and Investment Control 
(CPIC) team; 
Membership/description: Membership consists of Treasury CIO personnel, 
known as desk officers; 
Example of responsibilities: 
* Responsible for investment management oversight of the CPIC process; 
* Develops bureau-level IT portfolio expertise and provides input and 
recommendations to bureaus, Treasury CIO, and TIRB; 
* Serves as points of contact for bureau CPIC coordinators and oversees 
one or more bureaus; 
* Responsible for scoring Exhibit 300s and coordinating information 
sharing with Treasury's budget office and other critical partners. 

Governance entity: Bureau CPIC coordinators; 
Membership/description: CPIC coordinators from each of the nine 
Treasury bureaus; 
Example of responsibilities: 
* Serves as the bureau's single point of contact to Treasury's CPIC 
team; 
* Disseminates information, instructions, and due dates to bureau 
investment project managers; 
* Coordinates all IT- related, bureau-specific input to bureau's Chief 
Financial Officer organizations and Treasury's CPIC team. 

Source: GAO analysis of Treasury data. 

[A] This board currently does not exist; however, according to Treasury 
officials, the department has initiated efforts to re-establish it. 

[End of table] 

Reviews by TIRB and the department's executive investment review board 
focus on IT investments that are defined as major strategic investments 
for the department. To support this process, Treasury uses an automated 
portfolio management tool for collecting and maintaining data during 
the four phases of the process. Various forms in the tool are available 
for staff to enter new and updated data on Treasury's IT investments. 

Process for Managing Investments: 

In September 2005, the department issued a Capital Planning and 
Investment Control Policy Guide defining a four-phase process for 
managing its IT investments.[Footnote 11] These phases consist of 
preselect, select, control, and evaluate. Completing the requirements 
of one phase is necessary before moving on to the subsequent phase. 
Each phase is to be overseen by Treasury's executive investment review 
board, which ultimately approves or rejects an investment's advancement 
to the next phase. 

* Preselect phase is the annual process by which potential new major 
investments seeking funding in the upcoming budget year are approved to 
move into the select phase and are considered for inclusion in the 
department's budget request. Only major IT investments are promoted 
through the preselect process and reviewed at the departmental level. 
During this phase, an investment's business owner is to document the 
business need for the investment and describe its anticipated alignment 
with bureau, Treasury, and e-government initiatives,[Footnote 12] and 
the President's Management Agenda[Footnote 13] strategic goals. The 
CPIC team is then expected to review and validate the preselect data 
and pass on its assessment and recommendation to TIRB, which is to 
provide recommendations to the department's executive investment review 
board. Once a major investment is approved by the executive investment 
review board, it moves forward to the select phase. The department's 
bureaus have the exclusive responsibility for the preselection of 
nonmajor investments within their respective bureaus, and the bureaus' 
executive leadership must approve a nonmajor investment in order for it 
to enter the select phase. 

* Select phase is the process by which new and existing major IT 
investments seeking funding in the upcoming budget year are annually 
screened, scored, and selected for inclusion in Treasury's IT 
investment portfolio. In this phase, Treasury is to ensure that only IT 
investments that best support its mission, investment principles, and 
approach to EA are chosen and that the investment owners have taken 
steps to be successful, such as having a qualified project manager and 
analyzing risks. As in the preselect phase, the CPIC team is expected 
to review and validate that all data is complete, score each investment 
based on Treasury's investment principles, and submit its findings and 
recommendations to TIRB. TIRB, in turn, is to review the scoring 
results and provide its recommendations to Treasury's executive 
investment review board, which is then to select which investments will 
be included in the department's IT investment portfolio that is 
ultimately submitted to OMB for funding considerations. Investments do 
not technically exit the select phase until they are terminated, since 
they must be reviewed annually for reselection. The bureaus are 
responsible for conducting their own select process for nonmajor 
investments. 

* Control Phase ensures, through timely oversight, quality control, and 
executive review, that IT investments are managed in a disciplined and 
consistent manner. This phase is characterized by Treasury's Office of 
the CIO initiating quarterly control reviews, which focus on ensuring 
that an investment's projected benefits are being realized; that cost, 
schedule, and performance goals are being met; that risks are minimized 
and managed; and that the investment continues to meet strategic goals. 
Through Office of the CIO quarterly data calls, bureau project managers 
are to update data as of the end of the previous quarter for cost and 
schedule, performance measures, and risk assessments for both major and 
nonmajor investments. This updated data is to be entered into the 
department's automated IT portfolio management tool, which the bureau 
project managers and the bureau CIOs are to certify for accuracy using 
a certification form within the tool. Next, Treasury's CPIC team is to 
evaluate the data and provide feedback to the bureaus through the 
bureaus' CPIC coordinators, giving the bureaus an opportunity to 
remediate missing or erroneous data. For major investments, the CPIC 
team is then expected to summarize the results, including identifying 
corrective actions planned, for presentation to TIRB. TIRB is to review 
the results for potential risk factors, such as schedule or cost 
slippages or major technical problems, before forwarding its 
recommendation to Treasury's executive investment review board. The 
executive investment review board is to review TIRB's recommendations 
before making a decision to continue, accelerate, modify, suspend, or 
terminate investments. While control data are captured for nonmajor 
investments, the department leaves it to the bureaus to conduct their 
own oversight process for these investments. However, TIRB and the 
executive investment review board may choose to review these 
investments on a random sample basis. 

In July 2006, Treasury adopted procedures for establishing an Internal 
Watch List of major investments at risk of not meeting established 
goals.[Footnote 14] The criteria for placement on this list include: 

1. cost or schedule variances greater than plus or minus 10 percent for 
two consecutive quarters; 

2. lack of validation of project manager's qualifications by the bureau 
CIO; 

3. lack of a current certification and accreditation;[Footnote 15] or: 

4. duplication of another investment within the department or with any 
of the President's e-government initiatives or lines of 
business.[Footnote 16] 

Treasury's Office of the CIO is to make this determination, and 
investments on this list are subject to additional reporting 
requirements, including development of an action plan to remediate the 
noncompliant conditions. Bureau CIOs are to report monthly to the 
Treasury CIO on the status of these investments. Once all requirements 
have been met and the Treasury CIO concurs, the investment can be 
removed from the list. 

* Evaluation phase involves an annual process to determine how well 
major investments are performing once they become operational. This 
process is to occur in the first quarter of the fiscal year and is 
composed of two subprocesses--the postimplementation review (PIR) and 
the operational analysis (OA). The age and the life cycle stage of the 
investment determine which of these two subprocesses is conducted on an 
investment. 

The purpose of the PIR is to assess the performance of an investment 
that has been fully developed and has moved into the operational and 
maintenance stage of its life cycle. An investment's project manager is 
to initiate a PIR 6 to 18 months after an investment has moved into its 
operational and maintenance stage. During a PIR, an investment's actual 
performance is compared to its expected performance to identify lessons 
learned for improving both the investment and Treasury's CPIC process. 
The PIR is also intended to measure the strategic impact, user 
satisfaction, and whether the investment is meeting cost, schedule, and 
performance metrics. The results of the PIR are to be documented in 
Treasury's portfolio management tool. Once the PIR is completed, 
Treasury's CPIC team is to evaluate the results, provide feedback to 
the project manager and the respective bureau management, and provide 
summary information to TIRB. TIRB, in turn, is to report lessons 
learned from the PIRs conducted and any recommendations it may have to 
the department's executive investment review board in order to promote 
the lessons learned across the department's IT investment portfolio. 

* The purpose of the OA is to identify those investments in operations 
and maintenance for which PIRs have been conducted that are likely to 
require modification, acceleration, replacement, or retirement, and to 
help determine the remaining useful life of an investment. However, 
because of the newness of Treasury's PIR requirement and the age of 
certain investments that have been in the operations and maintenance 
stage of their life cycle, a PIR may not have been performed on these 
investments prior to the required OA. Similar to a PIR, in conducting 
the OA, Treasury focuses on two key areas: (1) program objectives, 
looking at alignment to cost, schedule, and strategic goals; and (2) 
meeting user needs. In determining how well the investment aligns to 
program objectives, data are to be captured on an annual basis---most 
likely from established sources, such as the quarterly control reviews 
and annual select phase process. To determine whether user needs are 
still being met by the investment, the investment's project manager, in 
coordination with the investment's business owner, is to solicit user 
input, using such means as a survey, focus groups, or regular user 
group meetings. The results of the OA are to be documented in 
Treasury's portfolio management tool and can entail recommending the 
investment continue operations as is, be modified, or be terminated. 
Based on further analysis by the CPIC team, a review meeting may be 
scheduled to discuss the results and the recommendations. The results 
of these meetings are to be shared with TIRB and the executive 
investment review board, as appropriate. Prior to exiting the 
evaluation phase, the executive investment review board must approve 
the disposal, retirement, or replacement of major investments. 

Figure 2 shows the schedule of select, control, and evaluate activities 
that take place throughout the year. 

Figure 2: CPIC Process: 

[See PDF for image] 

Source; Department of the Treasury. 

[A] Budget year is a term used in the budget formulation process that 
refers to the fiscal year for which the budget is being considered, 
that is, with respect to a session of Congress, the fiscal year of the 
government that starts on October 1 of the calendar year in which that 
session of Congress begins. 

[B] E-board--Executive Investment Review Board. 

[C] TIRB--Technical Investment Review Board. 

[End of figure] 

ITIM Maturity Framework: 

To provide a method for evaluating and assessing how well an agency is 
selecting and managing its IT resources, GAO developed the Information 
Technology Investment Management framework (ITIM).[Footnote 17] The 
ITIM is a maturity model composed of five progressive stages of 
maturity that an agency can achieve in its investment management 
capabilities. It was developed on the basis of our research into the IT 
investment management practices of leading private-and public-sector 
organizations. In each of the five stages, the framework identifies 
critical processes for making successful IT investments. The maturity 
stages are cumulative; that is, in order to attain a higher stage, the 
agency must have institutionalized all of the critical processes at the 
lower stages in addition to the higher stage critical processes. 

The framework can be used to assess the maturity of an agency's 
investment management processes and as a tool for organizational 
improvement. The overriding purpose of the framework is to encourage 
investment processes that increase business value and mission 
performance, reduce risk, and increase accountability and transparency 
in the decision process. We have used the framework in several of our 
evaluations,[Footnote 18] and a number of agencies have adopted it. 
These agencies have used ITIM for purposes ranging from self-assessment 
to redesign of their IT investment management processes. 

ITIM's five maturity stages represent the steps toward achieving stable 
and mature processes for managing IT investments. Each stage builds on 
the lower stages, and the successful attainment of each stage leads to 
improvement in the organization's ability to manage its investments. 
With the exception of Stage 1, each maturity stage is composed of 
critical processes that must be implemented and institutionalized in 
order for the organization to achieve that stage.[Footnote 19] These 
critical processes are further broken down into key practices that 
describe the types of activities an organization should be performing 
to successfully implement each critical process. It is not unusual for 
an organization to be performing key practices from more than one 
maturity stage at the same time, but efforts to improve investment 
management capabilities should focus on implementing all lower stage 
practices before addressing higher stage practices. 

In the ITIM, Stage 2 critical processes lay the foundation for sound IT 
investment processes by helping the agency to attain successful, 
predictable, and repeatable investment control processes at the project 
level. Specifically, Stage 2 encompasses building a sound investment 
management foundation by establishing basic capabilities for selecting 
new IT projects. It involves developing the capability to control 
projects so that they finish predictably within established cost and 
schedule expectations and have the capability to identify potential 
exposures to risk and put in place strategies to mitigate that risk. It 
also involves instituting an IT investment board,[Footnote 20] which 
includes defining its membership, guidance policies, operations, roles, 
responsibilities, and authorities for one or, if applicable, more IT 
investment boards within the organization, and, if appropriate, each 
board's support staff. The basic selection processes established in 
Stage 2 lay the foundation for more mature selection capabilities in 
Stage 3, which represents a major step forward in maturity. In this 
stage, the agency moves from project-centric processes to a portfolio 
approach, evaluating potential investments by how well they support the 
agency's mission, strategies, and goals. 

Stage 3 requires that an organization continually assess both proposed 
and ongoing projects as parts of a complete investment portfolio--an 
integrated and competing set of investment options. It focuses on 
establishing a consistent, well-defined perspective on the IT 
investment portfolio and maintaining mature, integrated selection (and 
reselection), control, and evaluation processes, which are to be 
evaluated during PIRs. This portfolio perspective allows decision 
makers to consider the interaction among investments and the 
contributions to organizational mission goals and strategies that could 
be made by alternative portfolio selections, rather than focusing 
exclusively on the balance between the costs and benefits of individual 
investments. 

Stages 4 and 5 require the use of evaluation techniques to continuously 
improve both the investment portfolio and the investment processes in 
order to better achieve strategic outcomes. At Stage 4 maturity, an 
organization has the capacity to conduct IT succession activities and, 
therefore, can plan and implement the deselection of obsolete, high- 
risk, or low-value IT investments. An organization with Stage 5 
maturity conducts proactive monitoring for breakthrough information 
technologies that will enable it to change and improve its business 
performance. Organizations that have implemented Stages 2 and 3 have in 
place capabilities that assist in establishing the selection, control, 
and evaluation processes that are required by the Clinger-Cohen Act of 
1996.[Footnote 21] Stages 4 and 5 define key attributes that are 
associated with the most capable organizations. 

Figure 3 shows the five ITIM stages of maturity and the critical 
processes associated with each stage. 

Figure 3: ITIM Stages of Maturity: 

[See PDF for image] 

Source: GAO. 

[End of figure] 

As defined by the model, each critical process consists of key 
practices that must be executed to implement the critical process. 

Treasury Has Established Many Key Practices for Managing Its 
Investments, but Has Key Weaknesses with Its Board Operations and 
Investment Oversight: 

In order to have the capabilities to effectively manage IT investments, 
an agency, at a minimum, should (1) build an investment foundation by 
putting basic, project-level control and selection practices in place 
(Stage 2 capabilities) and (2) manage its projects as a portfolio of 
investments, treating them as an integrated package of competing 
investment options and pursuing those that best meet the strategic 
goals, objectives, and mission of the agency (Stage 3 capabilities). 
These practices may be executed at various organizational levels of the 
agency, including at the component level. However, overall 
responsibility for their success remains at the department level. 
Therefore, at a minimum, the department should effectively oversee 
component agencies' IT investment management processes. 

While Treasury has established many of the capabilities needed to 
select, control, and evaluate its IT investments, the department has 
significant weaknesses that hamper its ability to effectively manage 
its investments. Specifically, the department has executed 19 of the 38 
key practices that the ITIM requires to build a foundation for IT 
investment management (Stage 2), including practices needed to ensure 
that projects support business needs and that a disciplined process 
exists for capturing investment information. In addition, the 
department has executed 11 of the 27 key practices required to manage 
investments as a portfolio (Stage 3), including documenting policies 
and procedures for conducting postimplementation reviews. 

However, Treasury does not have an executive investment review board-- 
a group of executives from IT and business units that is intended to be 
the final decision-making authority--that is actively engaged in the 
investment management process. According to the Associate CIO for 
Capital Planning and Information Management, while efforts to establish 
an executive investment review board have been initiated, these efforts 
have been stymied by changes in executive leadership. In addition, the 
department does not have any processes in place for managing its 
nonmajor investments, although they represent about 70 percent of the 
total number of investments. According to officials, nonmajor 
investments have not been a priority because the department has instead 
chosen to devote its resources to major investments, which represent 
about 80 percent of its IT expenditures. While it is reasonable to 
focus attention on major investments, nonmajor investments represent a 
significant amount of funding (about $480 million) and constitute the 
bulk of most bureaus' investment portfolio and therefore also require a 
certain level of oversight. Until the department addresses these 
weaknesses, it will not have the investment management structure needed 
to effectively assess and manage the risks associated with its 
multibillion-dollar portfolio. 

In addition, until the department addresses these weaknesses, it will 
not have assurance that key investment management decisions are 
benefiting from the contribution of executives who are in the best 
position to make the full range of decisions needed to enable the 
agency to meet its mission most effectively. In addition, the 
department will not be able to ensure that it is effectively assessing 
and managing the risks associated with nonmajor investments costing 
hundreds of millions of dollars. 

Treasury Has Established Many of the Foundational Practices Needed to 
Manage its Investments: 

At the ITIM Stage 2 level of maturity, an organization has attained 
repeatable, successful IT project-level investment control and basic 
selection processes. Through these processes, the organization can 
identify expectation gaps early and take the appropriate steps to 
address them. According to ITIM, critical processes at Stage 2 include 
(1) defining IT investment board operations, (2) identifying the 
business needs for each IT investment, (3) developing a basic process 
for selecting new IT proposals and reselecting ongoing investments, (4) 
developing project-level investment control processes, and (5) 
collecting information about existing investments to inform investment 
management decisions. Table 2 describes the purpose of each of these 
Stage 2 critical processes. 

Table 2: Stage 2 Critical Processes--Building the Investment 
Foundation: 

Critical process: Instituting the investment board; 
Purpose: To define and establish an appropriate IT investment 
management structure and the processes for selecting, controlling, and 
evaluating IT investments. 

Critical process: Meeting business needs; 
Purpose: To ensure that IT projects and systems support the 
organization's business needs and meet users' needs. 

Critical process: Selecting an investment; 
Purpose: To ensure that a well-defined and disciplined process is used 
to select new IT proposals and reselect ongoing investments. 

Critical process: Providing investment oversight; 
Purpose: To review the progress of IT projects and systems, using 
predefined criteria and checkpoints, in meeting cost, schedule, risk, 
and benefit expectations and to take corrective action when these 
expectations are not being met. 

Critical process: Capturing investment information; 
Purpose: To make available to decision makers information to evaluate 
the impacts and opportunities created by proposed (or continuing) IT 
investments. 

Source: GAO. 

[End of table] 

Because of management attention that has recently been given to IT 
investment management, Treasury has put in place half of the key 
practices needed to establish the investment foundation. These include 
all of the key practices associated with identifying and collecting 
information to support investment decisions and some of the key 
practices for ensuring that projects and systems support organizational 
needs and meet users' needs as well as for selecting new 
proposals[Footnote 22] and reselecting ongoing investments. 

However, because no executive investment review board currently exists 
(see details in next section), the department has not executed many of 
the key practices for instituting the investment board. In addition, 
because of its limited involvement in managing nonmajor investments, 
the department has not executed many of the key practices related to 
providing investment oversight. Treasury officials stated that the 
management turnover present a challenge to establishing an executive 
investment review board. They also acknowledged the need for a process 
to oversee nonmajor investments, particularly in light of the recent 
failure of the BSA Direct project. 

Table 3 summarizes the status of Treasury's Stage 2 critical processes, 
showing how many associated key practices the department has executed. 

Table 3: Summary of Results for Stage 2 Critical Processes and Key 
Practices: 

Critical process: Instituting the investment board; 
Key practices executed: 3; 
Total required by critical process: 8; 
Percentage of key practices executed: 38. 

Critical process: Meeting business needs; 
Key practices executed: 2; 
Total required by critical process: 7; 
Percentage of key practices executed: 29. 

Critical process: Selecting an investment; 
Key practices executed: 6; 
Total required by critical process: 10; 
Percentage of key practices executed: 60. 

Critical process: Providing investment oversight; 
Key practices executed: 2; 
Total required by critical process: 7; 
Percentage of key practices executed: 29. 

Critical process: Capturing investment information; 
Key practices executed: 6; 
Total required by critical process: 6; 
Percentage of key practices executed: 100. 

Critical process: Total; 
Key practices executed: 19; 
Total required by critical process: 38; 
Percentage of key practices executed: 50. 

Source: GAO. 

[End of table] 

Treasury Does Not Have an Executive Investment Review Board: 

The establishment of decision-making bodies or boards is a key 
component of the IT investment management process. At the Stage 2 level 
of maturity, organizations define one or more boards, provide resources 
to support the boards' operations, and appoint members who have 
expertise in both operational and technical aspects of proposed 
investments. The boards should operate according to a written IT 
investment process guide that is tailored to the organization's unique 
characteristics, thus ensuring that consistent and effective management 
practices are implemented across the organization. The organization 
selects board members to ensure they are knowledgeable about policies 
and procedures for managing investments. Organizations at the Stage 2 
level of maturity also take steps to ensure that executives and line 
managers support and carry out the decisions of the investment board. 
According to ITIM, organizations should (1) establish an enterprisewide 
IT investment board composed of senior executives from IT and business 
units, (2) have a documented IT investment process directing each 
investment board's operations, and (3) ensure that the enterprisewide 
investment board has oversight responsibilities for the development and 
maintenance of the organization's documented IT investment process. 
(The complete list of key practices is provided in table 4.) 

Treasury has executed three of the eight key practices for this 
critical process. For example, the department has documented an IT 
investment process that directs investment board operations. In 
addition, adequate resources are provided to support board operations. 
However, Treasury currently does not have an executive investment 
review board composed of senior executives from IT and business units 
that is actively engaged in the investment management process. 
According to officials, such a board was established in 2005 but 
stopped functioning at the prompting of the assistant secretary for 
management because it was considered inefficient. In 2006, another 
executive investment review board structure was proposed under a new 
assistant secretary for management, but, according to the Associate CIO 
for Capital Planning and Information Management, it was not 
implemented, due to yet another change in executive leadership. 
Officials told us that one of the challenges in establishing the board 
has been the constant turnover in Treasury's management. They noted 
that many of the management positions, including the assistant 
secretary for management position, are currently being filled by 
temporary or "acting" officials, who may be replaced soon. Until the 
department establishes an executive investment review board with senior 
executives from IT and business units, its investment management 
process will not benefit from the contribution of those executives who 
are in the best position to make the full range of decisions needed for 
the department to meet its mission most effectively. 

Table 4 shows the rating for each key practice required to implement 
the critical process for instituting the investment board at the Stage 
2 level of maturity and summarizes the evidence that supports these 
ratings. 

Table 4: Instituting the Investment Board: 

Type of practice: Organizational commitments; 
Key practice: 1. An enterprisewide IT investment board composed of 
senior executives from IT and business units is responsible for 
defining and implementing the organization's IT investment governance 
process; 
Rating: not executed; 
Summary of evidence: According to Treasury's CPIC guide, the 
department's investment management structure includes an executive 
investment review board that is responsible for defining and 
implementing Treasury's IT investment governance process. However, this 
board does not exist to perform this practice. 

Key practice: 2. The organization has a documented IT investment 
process directing each investment board's operations; 
Rating: executed; 
Summary of evidence: Treasury's CPIC guide outlines the IT investment 
process that directs the operations of the executive investment review 
board and TIRB, which are part of the investment management structure. 
The guide specifies the roles of key entities involved in the 
organization's IT investment process and explains procedures for 
assigning responsibility for decision making for IT investments. The 
CPIC guide specifies that the bureaus retain decision-making authority 
for nonmajor IT investments, while adhering to the department-level IT 
investment management process. 

Type of practice: Prerequisites; 
Key practice: 1. Adequate resources, including people, funding, and 
tools, are provided for supporting the operations of each IT investment 
board; 
Rating: executed; 
Summary of evidence: Although the executive investment review board 
does not exist, adequate resources are provided to support its 
operations, including TIRB and CPIC office staff, with bureau desk 
officers that are responsible for, among other things, aiding in 
compiling relevant IT investment management data for the board's 
review. 

Key practice: 2. The board members understand the organization's IT 
investment management policies and procedures and the tools and 
techniques used in the board's decision-making process; 
Rating: not executed; 
Summary of evidence: Treasury has in place informal mechanisms they use 
to keep executives informed of the department's IT investment 
management policies, procedures, tools, and techniques, including 
presentations given to the bureaus regarding the CPIC process. However, 
no executive investment review board exists to perform this key 
practice. 

Key practice: 3. Each board's span of authority and responsibility is 
defined to minimize overlaps or gaps among the boards; 
Rating: executed; 
Summary of evidence: According to Treasury's CPIC guide and officials, 
although the executive investment review board does not exist, its 
defined responsibilities include defining and implementing the 
department's IT investment governance process. 

Type of practice: Activities; 
Key practice: 1. The enterprisewide investment board has oversight 
responsibilities for the development and maintenance of the 
organization's documented IT investment process; 
Rating: not executed; 
Summary of evidence: According to officials, Treasury's executive 
investment review board is supposed to be involved in the development 
and maintenance of the department's documented IT investment process 
through TIRB, which provides investment management policy change 
recommendations to the board for approval. However, this board does not 
exist to perform this activity. 

Key practice: 2. Each investment board operates in accordance with its 
assigned authority and responsibility; 
Rating: not executed; 
Summary of evidence: The Treasury CPIC guide outlines the roles and 
responsibilities of the department's executive investment review board; 
however, this board does not exist to perform this activity. 

Key practice: 3. The organization has established management controls 
for ensuring that investment boards' decisions are carried out; 
Rating: not executed; 
Summary of evidence: The Treasury CPIC Team is responsible for ensuring 
that board decisions are carried out. However, the executive investment 
review board does not exist to perform this activity. 

Source: GAO. 

[End of table] 

Treasury Has a Process for Ensuring Projects Are Aligned with Business 
Needs: 

Defining business needs for each IT project helps to ensure that 
projects and systems support an organization's business needs and meet 
users' needs. This critical process ensures that an organization's 
business objectives and its IT management strategy are linked. 
According to ITIM, effectively meeting business needs requires, among 
other things, (1) documenting business needs with stated goals and 
objectives, (2) identifying specific users and other beneficiaries of 
IT projects and systems, (3) providing adequate resources to ensure 
that projects and systems support the organization's business needs and 
meet users' needs, and (4) periodically evaluating the alignment of IT 
projects and systems with the organization's strategic goals and 
objectives. (The complete list of key practices is provided in table 
5.) 

Treasury has executed two of the seven key practices for ensuring 
business needs are met. Specifically, Treasury has a documented 
business mission, with stated goals and objectives in its Treasury 
Strategic Plan for fiscal years 2003 through 2008. In addition, 
resources are devoted to ensuring that IT projects and systems support 
the organization's business needs and meet users' needs, including 
Treasury's portfolio management tool, several subcouncils, an Exhibit 
300 scoring guide to help develop major IT investments business cases, 
and training manuals on the use of the portfolio management tool 
contained in an online resource called the CPICResource Link. 

Treasury's weaknesses in this area stem mostly from the fact that, 
while the department has delegated the management of nonmajors to the 
bureaus, it has no mechanism for ensuring that bureaus are effectively 
carrying out associated activities. In addition, while Treasury's 
system development life-cycle methodology requires user involvement in 
projects' life cycle, the investment management process does not have 
any steps for ensuring this is done. By not ensuring that bureaus are 
effectively aligning nonmajor investments with business needs, Treasury 
is incurring the risk that investments that make up approximately 20 
percent of their IT budget and represent the majority of their 
investments may not be supporting the department's priorities. In 
addition, without an executive investment review board actively 
involved in the process, Treasury cannot be assured it is making the 
best decisions regarding investments' ability to support ongoing and 
future business needs. 

Table 5 shows the rating for each key practice required to implement 
the critical process for meeting business needs at the Stage 2 level of 
maturity and summarizes the evidence that supports these ratings. 

Table 5: Meeting Business Needs: 

Type of practice: Organizational commitments; 
Key practice: 1. The organization has documented policies and 
procedures for identifying IT projects or systems that support the 
organization's ongoing and future business needs; 
Rating: not executed; 
Summary of evidence: Treasury has policies and procedures for ensuring 
that major IT projects and systems support the department's ongoing and 
future business needs in its CPIC guide and the preselect section of 
its Enterprise Architecture Guidance. While Treasury has delegated the 
management of nonmajor investments to the bureaus, it does not have a 
mechanism for ensuring that the bureaus have policies and procedures to 
address this critical process. 

Type of practice: Prerequisites; 
Key practice: 1. The organization has a documented business mission 
with stated goals and objectives; 
Rating: executed; 
Summary of evidence: The Treasury Strategic Plan for fiscal years 2003 
through 2008 defines the agency's mission goals and objectives. The 
plan defines goal categories, goals, and objectives linked to the 
goals. 

Key practice: 2. Adequate resources, including people, funding, and 
tools, are provided for ensuring that IT projects and systems support 
the organization's business needs and meet users' needs; 
Rating: executed; 
Summary of evidence: Treasury has adequate resources for ensuring that 
its IT projects and systems support the organization's business needs 
and meet users' needs. They include a portfolio management tool, TIRB, 
and several subcouncils. Also, Treasury has an Exhibit 300 scoring 
guide to help develop business cases and training manuals on the use of 
the portfolio management tool contained in an online resource called 
the CPICResource Link. 

Type of practice: Activities; 
Key practice: 1. The organization defines and documents business needs 
for both proposed and ongoing IT projects and systems; 
Rating: not executed; 
Summary of evidence: The preselect and select processes defined in 
Treasury's CPIC guide specify how Treasury defines and documents 
business needs for both proposed and ongoing major IT projects and 
systems. Major investments business needs are documented within the 
portfolio management tool. All of the major investments we reviewed--
TFIN, SaBRe, and CADE--had documented their business needs within the 
portfolio management tool. For nonmajor investments, Treasury has 
delegated this key practice to the bureaus; however, the department 
does not have a mechanism for ensuring the bureaus are effectively 
executing it. 

Key practice: 2. The organization identifies specific users and other 
beneficiaries of IT projects and systems; 
Rating: not executed; 
Summary of evidence: Users are supposed to be identified in the 
preselect and select phases, as outlined in the performance measurement 
section of Treasury's CPIC guide. The guide states that the following 
information be documented with regard to the users: identify who will 
use the system, describe the principal business task they will perform, 
and describe how they will use the system to help them perform their 
principal business task. We verified that the three major projects we 
reviewed--TFIN, SaBRE, and CADE--had identified the users of their 
system in the portfolio management tool. For nonmajor investments, 
Treasury has delegated this key practice to the bureaus; however, the 
department does not have a mechanism for ensuring the bureaus are 
effectively executing it. 

Key practice: 3. Users participate in project management throughout an 
IT project's or system's life cycle; 
Rating: not executed; 
Summary of evidence: Treasury's system development life-cycle 
methodology requires user involvement throughout projects' life cycle. 
For example, users are to be involved in quality and assurance and 
configuration management. Treasury's investment management process, 
however, does not include steps to ensure that this activity is 
actually being performed until investments are in operations and 
maintenance. 

Key practice: 4. The investment board periodically evaluates the 
alignment of its IT projects and systems with the organization's 
strategic goals and objectives and takes corrective actions when 
misalignment occurs; 
Rating: not executed; 
Summary of evidence: According to Treasury's CPIC guide, the investment 
board is supposed to evaluate the alignment of major IT projects and 
systems with the organization's strategic goals and objectives and take 
corrective action when misalignment occurs during the select phase. 
However, since the executive investment review board does not exist, 
this activity is not being performed. For the nonmajor investments, 
Treasury has delegated this key practice to the bureaus; however, the 
department does not have a mechanism for ensuring the bureaus are 
effectively executing it. 

Source: GAO. 

[End of table] 

Treasury Has Processes to Select Major Investments but Is Not 
Effectively Selecting Nonmajor Investments: 

Selecting new IT proposals and reselecting ongoing investments requires 
a well-defined and disciplined process to provide the agency's 
investment boards, business units, and developers with a common 
understanding of the process and the cost, benefit, schedule, and risk 
criteria that will be used both to select new projects and to reselect 
ongoing projects for continued funding. According to ITIM, this 
critical process requires, among other things, (1) providing adequate 
resources for investment selection activities; (2) making funding 
decisions for new proposals according to an established process; and 
(3) using a defined selection process to select new investments and 
reselect ongoing investments. (The complete list of key practices is 
provided in table 6.) 

Treasury has executed 6 of the 10 key practices associated with 
selecting an investment. Treasury's portfolio management tool contains 
a form for entering select data and provides staff, such as project 
managers and CPIC desk officers, with information to help manage the 
select process. We verified that three of the systems we reviewed-- 
TFIN, CADE, and SaBRe--did, in fact, use the select form in the 
portfolio management tool for entering select data. The department has 
aligned funding decisions with the budget process for new and ongoing 
investments through the department's budget formulation process, which 
is used to select both enterprisewide and bureau investments. Treasury 
has also documented criteria for analyzing, prioritizing, selecting, 
and reselecting new and ongoing major investments that address its 
strategic goals and its IT strategic goals, value, and risk. The 
criteria are incorporated into the department's portfolio management 
tool and adjusted within the tool to reflect organizational objectives. 

However, the executive investment review board that is supposed to make 
final selection and reselection decisions does not exist. Treasury 
officials state that, as part of the budget formulation process, the 
results of the select process are approved by executives and that the 
results of the fiscal year 2008 select process were approved by a group 
of executives, including the Treasury Assistant Secretary for 
Management and other department and bureau executives, prior to being 
forwarded to OMB. The officials recognized, however, that this group 
was convened only for that purpose and did not include business (i.e., 
mission) representation from the bureaus. 

In addition, Treasury has delegated the selection and reselection of 
the nonmajor systems to the bureaus; however, as previously noted, 
Treasury does not have a mechanism for ensuring that the bureaus are 
effectively carrying out these activities. Without such a mechanism, 
Treasury cannot have assurance that investments that make up 
approximately 20 percent of its budget and represent the majority of 
investments are being consistently and objectively selected and 
reselected. 

Table 6 shows the rating for each key practice required to implement 
the critical process for selecting an investment at the Stage 2 level 
of maturity and summarizes the evidence that supports these ratings. 

Table 6: Selecting an Investment: 

Type of practice: Organizational commitments; 
Key practice: 1. The organization has documented policies and 
procedures for selecting new IT proposals; 
Rating: not executed; 
Summary of evidence: Treasury has documented policies and procedures 
for selecting major investments in its CPIC guide. The selection of 
nonmajor investments is delegated to the bureaus. However, Treasury has 
no mechanism for ensuring the bureaus have effective selection policies 
and procedures. 

Key practice: 2. The organization has documented policies and 
procedures for reselecting ongoing IT investments; 
Rating: not executed; 
Summary of evidence: Treasury has documented policies and procedures 
for reselecting major investments in its CPIC guide. The reselection of 
nonmajor investments is delegated to the bureaus. However, Treasury has 
no mechanism for ensuring the bureaus have effective reselection 
policies and procedures. 

Key practice: 3. The organization has policies and procedures for 
integrating funding with the process of selecting an investment; 
Rating: executed; 
Summary of evidence: The CPIC guide calls for the budget process to be 
aligned with the investment management process. The process for doing 
so is by integrating the select data calls with the budget exercises 
through the use of the CPIC calendar. Additionally, treasury officials 
stated that acquisition processes are also entered into the portfolio 
management tool, which helps to align the funding with the select 
process. 

Type of practice: Prerequisites; 
Key practice: 1. Adequate resources, including people, funding, and 
tools, are provided for identifying and selecting IT projects and 
systems; 
Rating: executed; 
Summary of evidence: Adequate resources are provided for identifying 
and selecting major IT projects and systems. They include the desk 
officers, CPIC team, the CPIC subcouncils, and the department's 
portfolio management tool, which contains forms for selecting IT 
projects and systems. Nonmajor investments are selected by the bureaus. 

Key practice: 2. Criteria for analyzing, prioritizing, and selecting 
new IT investment opportunities have been established; 
Rating: executed; 
Summary of evidence: Treasury has established criteria for analyzing, 
prioritizing, and selecting enterprise and bureau IT investments. They 
include strategic alignment, EA alignment, and cost, schedule, benefit, 
and risk factors. 

Key practice: 3. Criteria for analyzing, prioritizing, and reselecting 
IT investment opportunities have been established; 
Rating: executed; 
Summary of evidence: Treasury has established criteria for analyzing, 
prioritizing, and reselecting new IT investments for Treasury and its 
bureaus. They include strategic alignment, EA alignment, and cost, 
schedule, benefit, and risk factors. 

Key practice: 4. A mechanism exists to ensure that the criteria 
continue to reflect organizational objectives; 
Rating: executed; 
Summary of evidence: Treasury reviews and adjusts the select criteria 
through a working group called the Select Phase Optimization Working 
Group. This group meets and discusses changes to the select criteria 
and updates the guidance and the portfolio management tool to reflect 
the changes. 

Type of practice: Activities; 
Key practice: 1. The organization uses its defined selection process, 
including predefined selection criteria, to select new IT investments; 
Rating: not executed; 
Summary of evidence: Treasury's CPIC guide outlines the select process 
and directs all bureaus to use the reselect process to select new major 
investments. However, the executive investment review board that is 
supposed to make final selection decisions does not exist. In addition, 
the selection of nonmajor investments is delegated to the bureaus, but 
the department has no process for ensuring the bureaus are effectively 
carrying out selection activities. 

Key practice: 2. The organization uses the defined selection process, 
including predefined selection criteria, to reselect ongoing IT 
investments; 
Rating: not executed; 
Summary of evidence: Treasury's CPIC guide outlines the select process 
and directs all bureaus to use the select process to reselect new major 
investments. However, the board that is supposed to make final 
reselection decisions does not exist. In addition, reselection of 
nonmajor investments is delegated to the bureaus, but the department 
has no process for ensuring the bureaus are effectively carrying out 
reselection activities. 

Key practice: 3. Executives' funding decisions are aligned with 
selection decisions; 
Rating: executed; 
Summary of evidence: Treasury makes funding decisions for new and 
ongoing investments through the department's budget formulation 
process, which is used to reselect major ongoing enterprise and bureau 
investments. 

Source: GAO. 

[End of table] 

Treasury Is Not Effectively Overseeing Its Investments: 

An organization should effectively oversee its IT projects throughout 
all phases of their life cycles. An investment board should observe 
each project's performance and progress toward predefined cost and 
schedule expectations as well as each project's anticipated benefits 
and risk exposure. This does not mean that a departmental board should 
micromanage each project to provide effective oversight; rather, it 
means that the departmental board should be actively involved in all IT 
investments and proposals that are high cost or high risk or have 
significant scope and duration and, at a minimum, should have a 
mechanism for maintaining visibility of all investments. The board 
should also use early warning systems that enable it to take corrective 
actions at the first sign of cost, schedule, and performance slippages. 
According to ITIM, effect project oversight requires, among other 
things, (1) having written policies and procedures for management 
oversight; (2) developing and maintaining an approved management plan 
for each IT project; (3) making up-to-date cost and schedule data for 
each project available to the oversight boards; (4) having regular 
reviews by each investment board of each project's performance against 
stated expectations; and (5) ensuring that corrective actions for each 
underperforming project are documented, agreed to, implemented, and 
tracked until the desired outcome is achieved. (The complete list of 
key practices is provided in table 7.) 

Treasury has executed two of the seven key practices associated with 
effective project oversight. Treasury has adequate resources to support 
the executive investment review board for this critical process. The 
TIRB conducts quarterly control reviews of IT investments and can make 
recommendations to the executive investment review board based on these 
reviews. The department uses an automated portfolio management tool for 
the collection and maintenance of information to support the 
department's quarterly control reviews. Treasury's CPIC team, composed 
of Office of the Chief Information Officer (OCIO) personnel, assists 
the bureaus in compiling data on their respective IT portfolios, 
reviewing the data for accuracy and completeness prior to submission to 
TIRB for its quarterly control reviews. In addition, the bureaus have 
CPIC coordinators, each of which serve as a single point of quality 
control for their respective bureaus before information is released to 
OCIO's CPIC team and provide assistance in addressing CPIC team 
comments received during the department's quarterly control reviews. In 
addition, we verified that cost, schedule, benefits, and risk 
expectations were documented for the four projects we reviewed: CADE, 
SaBRe, TFIN, and TRACS. All four projects maintained project management 
plans or other documents that captured this information. 

However, although the department has written policies and procedures 
for management oversight of its investments, including its Capital 
Planning and Investment Control Policy Guide and its Earned Value 
Management Policy Guide, these policies and procedures are centered on 
the department's major investments. Treasury leaves oversight of its 
nonmajor investments to the bureaus. According to Treasury officials, 
the department has thus far focused on the major investments because 
they represent about 80 percent of its IT expenditures. Until the 
department develops a mechanism for TIRB and its executive investment 
review board to periodically conduct nonmajor portfolio reviews, as 
indicated in its CPIC guide, or develops a mechanism for ensuring that 
the bureaus are doing so, the department risks not being able to 
identify investment problems when it is easier and less costly to 
resolve them. 

In addition, because the executive investment review board does not 
exist, Treasury is not executing any of the activities associated with 
providing investment oversight. Specifically, there is no executive 
investment review board to receive actual investment performance data, 
review the performance of projects and systems against expectations, 
and ensure that appropriate actions are taken to correct or terminate 
underperforming projects. The TIRB is currently carrying out these 
activities. However, without the involvement of an executive investment 
review board, these reviews are being performed without the corporate 
perspective that is useful in determining the impact individual project 
decisions may have on other projects and on the attainment of 
organizational goals and objectives. 

Table 7 shows the rating for each key practice required to provide 
investment oversight and summarizes the evidence that supports these 
ratings. 

Table 7: Providing Investment Oversight: 

Type of practice: Organizational commitment; 
Key practice: 1. The organization has documented policies and 
procedures for management oversight of IT projects and systems; 
Rating: not executed; 
Summary of evidence: Treasury has documented policies and procedures 
for major investments in its CPIC guide and its Earned Value Management 
Policy Guide. These guides specify the oversight responsibilities of 
TIRB and the department's executive investment review board. Treasury 
has delegated management oversight of nonmajor investments to the 
bureaus. However, the department does not have any mechanism to ensure 
the bureaus have effective policies and procedures for carrying out 
this process. 

Type of practice: Prerequisites; 
Key practice: 1. Adequate resources, including people, funding, and 
tools, are provided for IT project oversight; 
Rating: executed; 
Summary of evidence: Treasury has adequate resources for providing IT 
project oversight. Specifically, TIRB conducts quarterly control 
reviews of IT investments and can make recommendations to the executive 
investment review board based on these reviews. The CPIC team in the 
department's Office of the CIO assists the bureaus in compiling data on 
the bureaus' IT investment portfolios for the quarterly TIRB control 
process. The bureaus' CPIC coordinators serve as the bureaus' single 
point of contact to the CPIC team, providing a point of quality control 
before information is released to the CPIC team. Also, the department 
has an automated tool to facilitate the collection and maintenance of 
information to support the agency's quarterly control process. 

Key practice: 2. IT projects and systems, including those in steady 
state (operations and maintenance), maintain approved project 
management plans that include expected cost and schedule milestones and 
measurable benefit and risk expectations; 
Rating: executed; 
Summary of evidence: Treasury guidance requires all projects to have a 
project plan documenting expected cost, schedule, benefit, and risk. 
Project managers are to track performance measures such as cost, 
schedule, and risk against the project management plan to support the 
control process. The four case study projects we reviewed maintained 
project management plans or other documents that contain this 
information. 

Type of practice: Activities; 
Key practice: 1. Data on actual performance (including cost, schedule, 
benefit, and risk performance) are provided to the appropriate IT 
investment board; 
Rating: not executed; 
Summary of evidence: Treasury's CPIC guide calls for data on actual 
performance of major systems to be provided to both TIRB and the 
executive investment review board. For the three major projects in our 
case studies (CADE, SaBRe, and TFIN), we verified that actual 
performance data were provided to TIRB. While TIRB receives this 
information on a quarterly basis, the executive investment review board 
that is supposed to make recommendations does not exist. In addition, 
this activity is delegated to the bureaus for the nonmajor investments, 
but Treasury has no mechanism for ensuring that the bureaus are 
effectively carrying out the review. 

Key practice: 2. Using verified data, each investment board regularly 
reviews the performance of IT projects and systems against stated 
expectations; 
Rating: not executed; 
Summary of evidence: During Treasury's quarterly control reviews, TIRB 
reviews the performance of major IT investments against expectations 
based on data provided by the bureaus. Following its review, TIRB can 
make recommendations to the department's executive investment review 
board. However, the department has not provided us with documentation 
on the results of TIRB reviews. Also, the executive investment review 
board does not exist to perform this activity. Treasury is in the 
process of restructuring this board. In addition, the department has 
delegated oversight of nonmajor investments to the bureaus, but does 
not have a process in place for ensuring that the bureaus are 
effectively carrying out this activity for nonmajor investments. 

Key practice: 2. For each underperforming IT project or system, 
appropriate actions are taken to correct or terminate the project or 
system in accordance with defined criteria and the documented policies 
and procedures for management oversight; 
Rating: not executed; 
Summary of evidence: The department's TIRB is provided information on 
the status of IT investments, including information on underperforming 
investments and corrective actions planned. Following its review, TIRB 
makes recommendations to the department's executive investment review 
board. However, the department has not provided us with documentation 
on the results of TIRB reviews. Also, the executive investment review 
board does not exist. Treasury is in the process of restructuring this 
board. In addition, the department has delegated oversight of nonmajor 
investments to the bureaus but does not have a process in place for 
ensuring that the bureaus are effectively carrying out this activity 
for nonmajor investments. 

Key practice: 4. The investment board regularly tracks the 
implementation of corrective actions for each underperforming project 
until the actions are completed; 
Rating: not executed; 
Summary of evidence: Because an executive investment review board does 
not exist, this key practice is not being performed. Also, the 
department has delegated oversight of nonmajor investments to the 
bureaus but does not have a process in place for ensuring that the 
bureaus are effectively carrying out this activity for nonmajor 
investments. 

Source: GAO. 

[End of table] 

Treasury Has a Structured Process for Capturing Investment Information: 

To make good IT investment decisions, an organization must be able to 
acquire pertinent information about each investment and store that 
information in a retrievable format. During this critical process, an 
organization identifies its IT assets and creates a comprehensive 
repository of investment information. This repository provides 
information to investment decision makers to help them evaluate the 
potential impacts and opportunities created by proposed or continuing 
investments. It can provide insights into major IT cost and management 
drivers and trends. The repository can take many forms and need not be 
centrally located, but the collection method should, at a minimum, 
identify each IT investment and its associated components. This 
critical process may be satisfied by the information contained in the 
organization's current enterprise architecture (EA), augmented by 
additional information--such as financial information and information 
on risk and benefits--that the investment board may require to ensure 
that informed decisions are being made. According to ITIM, effectively 
managing this repository requires, among other things, (1) developing 
written policies and procedures for identifying and collecting the 
information; (2) assigning responsibilities for ensuring that the 
information being collected meets the needs of the investment 
management process; (3) identifying IT projects and systems and 
collecting relevant information to support decisions about them; and 
(4) making the information easily accessible to decision makers and 
others. (The complete list of key practices is provided in table 8.) 

Treasury has in place all six key practices associated with capturing 
investment information. For example, the department's Capital Planning 
and Investment Control Policy Guide and Earned Value Management Policy 
Guide define the policies and procedures for identifying and collecting 
information to support its investment management process and, according 
to Treasury officials, the Associate CIO for Capital Planning and 
Information Management is assigned responsibility for ensuring that the 
information collected meets the needs of the investment management 
process. Also, the department has adequate resources for supporting the 
process, including the Office of the CIO's CPIC team, which is 
responsible for reviewing the information for accuracy and completeness 
before it is presented to TIRB for review prior to making its 
recommendations to the executive investment review board for final 
decisions. It also maintains an automated portfolio management tool for 
collecting and maintaining information on its IT investments. This tool 
is used by department and bureau components for updating information on 
their projects in response to data calls for the information required 
by TIRB to conduct its quarterly reviews. 

Table 8 shows the rating for each key practice required to implement 
this Stage 2 critical process and summarizes the evidence that supports 
these ratings. 

Table 8: Capturing Investment Information: 

Type of practice: Organizational commitments; 
Key practice: 1. The organization has documented policies and 
procedures for identifying and collecting information about IT projects 
and systems to support the investment management process; 
Rating: executed; 
Summary of evidence: Treasury's CPIC guide and its Earned Value 
Management Policy Guide have documented policies and procedures for 
identifying and collecting information to support the investment 
management process. This includes the use of a portfolio management 
tool to collect and maintain information on IT investments. 

Key practice: 2. An official is assigned responsibility for ensuring 
that the information collected during project and systems 
identification meets the needs of the investment management process; 
Rating: executed; 
Summary of evidence: According to Treasury officials, the Associate CIO 
for Capital Planning and Information Management is the official 
responsible for ensuring that the information collected meets the needs 
of the investment management process. 

Type of practice: Prerequisite; 
Key practice: 1. Adequate resources, including people, funding, and 
tools, are provided for identifying IT projects and systems and 
collecting relevant investment information about them; 
Rating: executed; 
Summary of evidence: The department has adequate resources for meeting 
this key practice, including Treasury's CPIC team, which assists the 
bureaus in compiling the relevant information on IT investments. Each 
bureau has a CPIC coordinator who serves as a point of quality control 
before information is released to the department level. Treasury also 
has an automated portfolio management tool to identify and collect 
information on the department's and bureaus' IT investments. 

Type of practice: Activities; 
Key practice: 1. The organization's IT projects and systems are 
identified, and specific information is collected to support decisions 
about them; 
Rating: executed; 
Summary of evidence: Treasury uses a portfolio management tool for 
maintaining information on its IT investments. Various forms within 
this tool are used to collect information on Treasury's major and 
nonmajor IT investments during the preselect, select, and control 
phases of the department's CPIC process. Treasury's CPIC team is 
responsible for reviewing the information for accuracy and 
completeness. We verified that information on our four case study 
projects was collected to support the IT investment management process. 

Key practice: 2. The information that has been collected is easily 
accessible and understandable to decision makers and others; 
Rating: executed; 
Summary of evidence: Treasury maintains information on its IT 
investments in its portfolio management tool. For example, a summary of 
each major investment is provided to TIRB as part of the quarterly 
control review process. 

Key practice: 3. The information repository is used by investment 
decision makers and others to support investment management; 
Rating: executed; 
Summary of evidence: The portfolio management tool (the department's 
information repository) is used by TIRB decision makers and others to 
support investment management. For example, the bureaus use this tool 
to update the information required for TIRB's quarterly control 
reviews. The CPIC team is responsible for reviewing the information in 
the tool for accuracy and completeness prior to consideration by TIRB. 

Source: GAO. 

[End of table] 

Treasury Lacks Key Capabilities Needed to Manage IT Investments as a 
Portfolio, and It Has Not Conducted Postimplementation Reviews: 

Once an agency has attained Stage 2 maturity, it needs to implement 
critical processes for managing its investments as a portfolio (Stage 
3). An IT investment portfolio is an integrated, agencywide collection 
of investments that are assessed and managed collectively based on 
common criteria. Managing investments as a portfolio is a conscious, 
continuous, and proactive approach to allocating limited resources 
among an organization's competing initiatives in light of the relative 
benefits expected from these investments. Taking an agencywide 
perspective enables an organization to consider its investments 
comprehensively, so that collectively the investments optimally address 
the organization's mission, strategic goals, and objectives. Managing 
IT investments as a portfolio also allows an organization to determine 
its priorities and make decisions about which projects to fund and 
continue to fund based on analyses of the relative organizational value 
and risks of all projects, including projects that are proposed, under 
development, and in operation. Although investments may initially be 
organized into subordinate portfolios--based on, for example, business 
lines or life cycle stages--and managed by subordinate investment 
boards, they should ultimately be aggregated into this enterprise-level 
portfolio. 

According to the ITIM, Stage 3 maturity includes (1) defining the 
portfolio criteria, (2) creating the portfolio, (3) evaluating the 
portfolio, and (4) conducting postimplementation reviews. Table 9 
summarizes the purpose of each critical process in Stage 3. 

Table 9: Stage 3 Critical Processes--Developing a Complete Investment 
Portfolio: 

Critical process: Defining the portfolio criteria; 
Purpose: To ensure that the organization develops and maintains IT 
portfolio selection criteria that support its mission, organizational 
strategies, and business priorities. 

Critical process: Creating the portfolio; 
Purpose: To ensure that IT investments are analyzed according to the 
organization's portfolio selection criteria and to ensure that an 
optimal IT investment portfolio with manageable risks and returns is 
selected and funded. 

Critical process: Evaluating the portfolio; 
Purpose: To review the performance of the organization's investment 
portfolios at agreed-upon intervals and to adjust the allocation of 
resources among investments as necessary. 

Critical process: Conducting postimplementation reviews; 
Purpose: To compare the results of recently implemented investments 
with the expectations that were set for them and to develop a set of 
lessons learned from these reviews. 

Source: GAO. 

[End of table] 

Treasury has executed 11 of the 27 key practices required by Stage 3. 
For example, the department has a working group in place that is 
responsible for managing the development and modification of the 
department's IT portfolio selection criteria. In addition, it has 
documented criteria to regularly assess its portfolio performance 
expectations through its portfolio tool. However, many key practices 
still need to be executed before Treasury can effectively manage its IT 
investments from a portfolio perspective. For example, the department 
has only addressed 3 of the 7 practices for evaluating the portfolio 
and 2 of the 6 practices for conducting PIRs. Until Treasury fully 
implements the critical processes associated with managing its 
investments as a complete portfolio, it will not have the data it needs 
to make informed decisions about competing investments. 

Table 10 summarizes the status of Treasury's Stage 3 critical processes 
and shows how many associated key practices the department has 
executed. 

Table 10: Summary of Results for Stage 3 Critical Processes and Key 
Practices: 

Critical process: Defining the portfolio criteria; 
Key practices executed: 4; 
Total required by critical process: 7; 
Percentage of key practices executed: 57. 

Critical process: Creating the portfolio; 
Key practices executed: 2; 
Total required by critical process: 7; 
Percentage of key practices executed: 29. 

Critical process: Evaluating the portfolio; 
Key practices executed: 3; 
Total required by critical process: 7; 
Percentage of key practices executed: 43. 

Critical process: Conducting postimplementation reviews; 
Key practices executed: 2; 
Total required by critical process: 6; 
Percentage of key practices executed: 33. 

Critical process: Total; 
Key practices executed: 11; 
Total required by critical process: 27; 
Percentage of key practices executed: 41. 

Source: GAO. 

[End of table] 

Treasury Has Portfolio Selection Criteria but Lacks Documented Policies 
and Procedures for Modifying Them: 

To manage IT investments effectively, an organization needs to 
establish rules or portfolio selection criteria for determining how to 
allocate scarce funding to existing and proposed investments. Thus, 
developing an IT investment portfolio requires defining appropriate 
cost, benefit, schedule, and risk criteria with which to evaluate 
individual investments in the context of all other investments. To 
ensure that the organization's strategic goals, objectives, and mission 
will be satisfied by its investments, the criteria should have an 
enterprisewide perspective. Further, if an organization's mission or 
business needs and strategies change, criteria for selecting 
investments should be re-examined and modified as appropriate. 
Portfolio selection criteria should be disseminated throughout the 
organization to ensure that decisions concerning investments are made 
in a consistent manner and that this critical process is 
institutionalized. To achieve this result, project management personnel 
and others should be aware of the criteria and address the criteria in 
funding submissions for projects. Resources required for this critical 
process typically include the time and attention of executives involved 
in the process, adequate funding, and supporting tools. (The complete 
list of key practices is provided in table 11.) 

Treasury has executed four of the seven key practices associated with 
defining the portfolio selection criteria. For example, according to 
Treasury officials, the department has adequate resources for portfolio 
selection activities, including the Associate CIO for Capital Planning 
and Information Management, the CPIC team, the CPIC subcouncil, which 
is responsible for managing the development and modification of the IT 
portfolio selection criteria, as well as a portfolio management tool. 
In addition, project management personnel and other stakeholders are 
made aware of the portfolio selection criteria through Treasury's CPIC 
team, and the department's internal Web site. 

Despite these important steps in defining portfolio selection criteria, 
weaknesses remain. Specifically, the department has not developed 
policies or procedures for modifying the portfolio selection criteria 
to reflect changes to its strategic initiatives. In addition, because 
Treasury does not have an executive investment review board, the 
activities that call for this board to review and approve the portfolio 
selection criteria are not being performed. Reviews of the portfolio 
selection criteria are performed by the department's CPIC subcouncil, 
which forwards its reviews to TIRB for approval of the criteria. Until 
Treasury fully defines and implements the practices required for 
defining the portfolio selection criteria, it will not have the tools 
it needs to effectively select the mix of investments that best meet 
the department's mission needs considering resource and funding 
constraints. 

Table 11 shows the rating for each key practice required to create a 
portfolio and summarizes the evidence that supports these ratings. 

Table 11: Defining the Portfolio Criteria: 

Type of practice: Organizational commitments; 
Key practice: 1. The organization has documented policies and 
procedures for creating and modifying IT portfolio selection criteria; 
Rating: not executed; 
Summary of evidence: The department has documented policies and 
procedures for creating the IT portfolio selection criteria. However, 
the policies and procedures do not address how these criteria are to be 
modified. 

Key practice: 2. Responsibility is assigned to an individual or group 
for managing the development and modification of the IT portfolio 
selection criteria; 
Rating: executed; 
Summary of evidence: A Treasury CPIC subcouncil working group is 
responsible for managing the development and modification of the IT 
portfolio selection criteria. 

Type of practice: Prerequisites; 
Key practice: 1. Adequate resources, including people, funding, and 
tools, have been committed to portfolio selection criteria activities; 
Rating: executed; 
Summary of evidence: Adequate resources have been committed for 
portfolio selection criteria activities, according to officials. The 
resources include the Associate CIO for Capital Planning and 
Information Management, the CPIC team, and the CPIC subcouncil. 

Key practice: 2. A working group has been designated to be responsible 
for developing and modifying the IT portfolio selection criteria; 
Rating: executed; 
Summary of evidence: Treasury has established a CPIC subcouncil working 
group that is responsible for developing and modifying the portfolio 
selection criteria. 

Type of practice: Activities; 
Key practice: 1. The enterprisewide investment board approves the core 
IT portfolio selection criteria, including cost, benefit, schedule, and 
risk criteria, based on the organization's mission, goals, strategies, 
and priorities; 
Rating: not executed; 
Summary of evidence: According to officials, TIRB has been approving 
the portfolio selection criteria. However, the CPIC guide states that 
the executive investment review board is responsible for approving the 
IT portfolio selection criteria, but Treasury does not have an 
executive investment review board. 

Key practice: 2. Project management personnel and other stakeholders 
are aware of the portfolio selection criteria; 
Rating: executed; 
Summary of evidence: Project management personnel and other 
stakeholders are made aware of the portfolio selection criteria through 
Treasury's CPIC team, and the department's internal Web site. 

Key practice: 3. The enterprisewide investment board regularly reviews 
the IT portfolio selection criteria, using cumulative experience and 
event-driven data, and modifies the criteria as appropriate; 
Rating: not executed; 
Summary of evidence: Treasury does not have an executive investment 
review board to conduct portfolio selection criteria reviews. As a 
result, the CPIC subcouncil reviews the portfolio selection criteria, 
and TIRB approves them. 

Source: GAO. 

[End of table] 

Treasury Lacks Documented Policies and Procedures for Analyzing and 
Maintaining its Portfolio: 

At Stage 3, organizations create a portfolio of IT investments to 
ensure that IT investments are analyzed according to the organization's 
portfolio selection criteria and to ensure that an optimal IT 
investment portfolio with manageable risks and returns is selected and 
funded. According to ITIM, creating the portfolio requires 
organizations to, among other things, document policies and procedures 
for analyzing, selecting, and maintaining the portfolio; provide 
adequate resources, including people, funding, and tools for creating 
the portfolio; and capture the information used to select, control, and 
evaluate the portfolio and maintain it for future reference. In 
creating the portfolio, the investment board must also (1) examine the 
mix of new and ongoing investments and their respective data and 
analyses and select investments for funding and (2) approve or modify 
the performance expectations for the IT investments they have selected. 
(The complete list of key practices is provided in table 12.) 

Treasury has executed two of the seven key practices associated with 
creating the portfolio. For example, the department has adequate 
resources for creating its portfolio, including the CPIC subcouncil and 
the use of the department's portfolio management tool. In addition, 
information is captured and maintained for future reference in the 
department's portfolio management tool. The information in the tool is 
used to select, control, and evaluate all major IT portfolio 
investments. 

Nevertheless, Treasury has weaknesses in the way it creates a 
portfolio. First, it does not have a complete set of policies and 
procedures that address this critical process. Even though the 
department has policies and procedures for selecting the IT portfolio 
criteria, it lacks policies and procedures for using the criteria to 
analyze and maintain the department's IT investment portfolio. Second, 
since the department does not have an executive investment review 
board, board members are not knowledgeable about creating a portfolio. 
In addition, information comparing the performance of IT investments 
against expectations is not currently being provided to the board 
because Treasury does not have one. Even though TIRB board selects IT 
investments based on data associated with the mix of new and ongoing 
major investments, this activity is not done for nonmajors, and there 
is not an executive investment review board to select the IT 
investments. Moreover, the executive investment board does not approve 
or modify the performance expectations of the selected IT investments. 
Unless Treasury defines and implements the practices for creating a 
comprehensive portfolio of IT, it will not be able to determine whether 
it has selected the mix of investments that best meets its needs and 
considers resource and funding constraints. 

Table 12 shows the rating for each key practice required to create a 
portfolio and summarizes the evidence that supports these ratings. 

Table 12: Creating the Portfolio: 

Type of practice: Organizational commitments; 
Key practice: 1. The organization has documented policies and 
procedures for analyzing, selecting, and maintaining the investment 
portfolio; 
Rating: not executed; 
Summary of evidence: While Treasury's CPIC guide documents policies and 
procedures for selecting the portfolio, the department does not have 
documented policies and procedures for analyzing and maintaining the 
investment portfolio. 

Type of practice: Prerequisites; 
Key practice: 1. Adequate resources, including people, funding, and 
tools, are provided for the process of creating the portfolio; 
Rating: executed; 
Summary of evidence: Adequate resources, including the CPIC subcouncil 
and a portfolio management tool, are provided for creating the 
portfolio. 

Key practice: 2. Board members are knowledgeable about the process of 
creating a portfolio; 
Rating: not executed; 
Summary of evidence: While TIRB members who are involved in creating 
the department's portfolio are knowledgeable about this process, 
Treasury does not have an executive investment review board. 

Key practice: 3. The investment board is provided with information 
comparing project and system performance with expectations; 
Rating: not executed; 
Summary of evidence: While TIRB is provided with information comparing 
project performance with expectations for major investment during the 
quarterly reviews, Treasury does not have an executive investment 
review board. 

Type of practice: Activities; 
Key practice: 1. Each IT investment board examines the mix of new and 
ongoing investments and their respective data and analyses and selects 
investments for funding; 
Rating: not executed; 
Summary of evidence: While the CPIC policy guide calls for the 
executive investment review board to examine the mix of new and ongoing 
major investments and to select IT investments for funding, Treasury 
does not have an executive investment review board. In addition, for 
nonmajor investments, Treasury has delegated this oversight 
responsibility to the bureaus but does not have a mechanism to ensure 
that the bureaus are effectively performing this responsibility. 

Key practice: 2. Each investment board approves or modifies the 
performance expectations for its selected IT investments; 
Rating: not executed; 
Summary of evidence: TIRB approves and modifies the performance 
expectations for selected IT investments. However, Treasury does not 
have an executive investment review board that is responsible for this 
activity. 

Key practice: 3. Information used to select, control, and evaluate the 
portfolio is captured and maintained for future reference; 
Rating: executed; 
Summary of evidence: Information from Treasury's portfolio management 
tool is used to capture and maintain investment information for the 
select, control, and evaluate process and for future reference. 

Source: GAO. 

[End of table] 

Treasury Does Not Have Documented Policies for Evaluating Its 
Portfolio: 

This critical process builds on the Stage 2 critical process--Providing 
Investment Oversight--by adding the elements of portfolio performance 
to an organization's investment control capacity. Compared with less 
mature organizations, Stage 3 organizations will have the foundation 
they need to control the risks faced by each investment and to deliver 
benefits that are linked to mission performance. In addition, a Stage 3 
organization will have the benefit of performance data generated by 
Stage 2 processes. Executive-level oversight of risk management 
outcomes and incremental benefit accumulation provides the organization 
with increased assurance that each IT investment will achieve the 
desired results. (The complete list of key practices is provided in 
table 13.) 

Treasury is executing three of the seven key practices for this 
critical process by providing adequate resources for reviewing the 
portfolio, including the use of a portfolio tool that captures data on 
cost, schedule, and risk and is used to produce scorecards on a 
quarterly basis that summarizes portfolio data. The performance data 
are consolidated in the portfolio tool and used by TIRB. The CPIC staff 
is responsible for ensuring that the data are consistent with the 
portfolio performance criteria and that it is modified as needed. For 
example, based on OMB guidance, the department has added and modified 
criteria related to the Exhibit 300s, EA, and earned value management 
reporting requirements. In addition, Treasury uses the portfolio tool 
to collect portfolio performance data in a consistent manner that 
aligns with Treasury's portfolio performance criteria. 

Despite these strengths, the department has yet to develop policies and 
procedures that address the review, evaluation, and improvement of its 
IT portfolio performance. In addition, TIRB members are not 
consistently provided with oversight review information for nonmajor IT 
investments by bureaus even though nonmajors make up about 70 percent 
of the department's total number of projects. Also, while the 
department has a process in place for ensuring that adjustments are 
made to major investments in response to actual portfolio performance, 
it does not have a process in place to ensure that the bureaus make the 
necessary adjustments to their nonmajor investments on a consistent 
basis. Until Treasury executes all the key practices associated with 
this critical process, senior executives will not have the information 
they need to determine whether the investments they have selected are 
delivering mission value at the expected cost and risk. 

Table 13 shows the rating for each key practice required to implement 
the critical process for portfolio performance oversight at the Stage 3 
level of maturity and summarizes the evidence that supports these 
ratings. 

Table 13: Evaluating the Portfolio: 

Type of practice: Organizational commitments; 
Key practice: 1. The organization has documented policies and 
procedures for reviewing, evaluating, and improving the performance of 
its portfolios; 
Rating: not executed; 
Summary of evidence: Treasury does not have documented policies and 
procedures for reviewing, evaluating, and improving the performance of 
its IT portfolio as a whole. 

Type of practice: Prerequisites; 
Key practice: 1. Adequate resources, including people, funding, and 
tools, have been provided for reviewing the investment portfolio and 
its projects; 
Rating: executed; 
Summary of evidence: Treasury has adequate resources to review its 
investment portfolio and projects. They include: project managers, the 
CPIC team, and the portfolio management tool. 

Key practice: 2. Board members are familiar with the process for 
evaluating and improving the portfolio's performance; 
Rating: not executed; 
Summary of evidence: This key practice is not executed because Treasury 
does not have an executive investment review board. 

Key practice: 3. Results of relevant Providing Investment Oversight 
reviews from Stage 2 are provided to the investment board; 
Rating: not executed; 
Summary of evidence: While Treasury's policy specifies that the 
department's executive investment review board is to receive the 
results of relevant oversight reviews from Stage 2, it does not have an 
executive investment review board to perform this key practice. 

Key practice: 4. Criteria for assessing portfolio performance are 
developed, reviewed, and modified at regular intervals to reflect 
current performance expectations; 
Rating: executed; 
Summary of evidence: Treasury has criteria to regularly assess 
portfolio performance expectations. Portfolio performance criteria are 
developed and modified using the department's portfolio management tool 
that incorporates performance expectations such as cost and schedule. 

Type of practice: Activities; 
Key practice: 1. IT portfolio performance measurement data are defined 
and collected consistent with portfolio performance criteria; 
Rating: executed; 
Summary of evidence: Treasury has a process for collecting portfolio 
performance data that are defined and collected consistent with 
Treasury's portfolio performance criteria. 

Key practice: 2. Adjustments to the IT investment portfolio are 
executed in response to actual portfolio performance; 
Rating: not executed; 
Summary of evidence: Treasury has a process to ensure that adjustments 
are made to its major investment portfolio in response to actual 
portfolio performance. For its nonmajor investments, however, Treasury 
delegates this activity to the bureaus, but the department does not 
have a mechanism to ensure that the bureaus are effectively carrying 
out this activity. 

Source: GAO. 

[End of table] 

Treasury Has Not Institutionalized a Postimplementation Review Process: 

The purpose of a PIR is to evaluate an investment after it has been 
completely developed (that is, after its transition from the 
implementation phase to the operations and maintenance phase) in order 
to validate actual investment results. This review is conducted to (1) 
examine differences between estimated and actual investment costs and 
benefits and possible ramifications for unplanned funding needs in the 
future and (2) extract "lessons learned" about the investment selection 
and control processes that can be used as the basis for management 
improvements. Similarly, PIRs should be conducted for investment 
projects that were terminated before completion, to readily identify 
potential management and process improvements. (The complete list of 
key practices is provided in table 14.) 

Treasury has executed two of the six key practices for conducting PIRs. 
According to officials, in fiscal year 2006, the department finished 
revising its PIR policies and procedures as part of the last phase of 
its CPIC process, the evaluate phase. The PIR guidance states that PIRs 
are to be conducted 6 to 18 months after the investment has been 
deployed (transitioned into the steady state life-cycle stage) or after 
the investment has rolled out major functionality. In addition, the 
department's portfolio tool (PIR form) requires that reviews measure 
user satisfaction, achievement of strategic goals, and whether the 
investment met cost, schedule, and performance goals. The CPIC guidance 
also stipulates that project managers are responsible for conducting 
the reviews and collecting the information needed to document lessons 
learned, and who is responsible for approving the final PIR 
recommendations. 

Nevertheless, the department has not yet performed any PIRs since the 
CPIC policy was issued and therefore has not performed any of the 
activities associated with this critical process. Treasury officials 
stated that, since the issuance of their PIR policy, they have not 
conducted any PIRs because they have not had any investments 
transitioning from the development phase into the steady state phase. 
In 2005, the department conducted pilot PIRs on two major IT 
investments. Of the two, one review met its goals and the other review 
was recommended for a follow-up PIR because it was unable to provide 
information on customer satisfaction, benefits analysis, and systems 
performance due to schedule delays. Until PIRs are conducted on a 
regular basis with senior executive management involvement, Treasury 
will not be able to effectively evaluate the results of its IT 
investments to determine whether continuation, modification, or 
termination of an IT investment would be necessary in order to meet 
stated Treasury mission objectives. 

Table 14 shows the rating for each key practice required to conduct 
PIRs and summarizes the evidence that supports these ratings. 

Table 14: Conducting Postimplementation Reviews: 

Type of practice: Organizational commitments; 
Key practice: 1. The organization has documented policies and 
procedures for conducting PIRs; 
Rating: executed; 
Summary of evidence: Treasury's CPIC guide documents policies and 
procedures for conducting PIRs. 

Type of practice: Prerequisites; 
Key practice: 1. Adequate resources, including people, funding, and 
tools, have been provided for conducting PIRs; 
Rating: executed; 
Summary of evidence: Treasury has adequate resources for conducting 
PIRs, including the PIR form in its portfolio management tool, project 
managers, and the CPIC team. 

Key practice: 2. Individuals assigned to the investment board to 
conduct PIRs should be familiar with both the policies and the 
procedures for conducting such reviews; 
Rating: not executed; 
Summary of evidence: Individuals are not assigned to the executive 
investment review board to conduct PIRs. Treasury's CPIC guidance 
states that PIRs will be conducted by a project manager 6 to 18 months 
after the investment transitions from the development life-cycle stage 
to the operational stage. 

Type of practice: Activities; 
Key practice: 1. The investment board identifies which projects will 
have a PIR conducted; 
Rating: not executed; 
Summary of evidence: According to the CPIC guide, all investments are 
subject to PIRs 6 to 18 months after becoming operational. However, 
Treasury has not conducted any PIRS because no investments have 
transitioned from the developmental life-cycle stage to the operational 
stage. 

Key practice: 2. Quantitative and qualitative investment data are 
collected, evaluated for reliability, and analyzed during the PIRs; 
Rating: not executed; 
Summary of evidence: Treasury has not conducted any PIRs since 
documenting its PIR policies because no major investments have 
transitioned from the developmental life-cycle stage to the operational 
stage. 

Key practice: 3. Lessons learned and recommendations for improving the 
investment process are developed during the PIR, documented, and then 
distributed to all stakeholders; 
Rating: not executed; 
Summary of evidence: Treasury has not conducted any PIRs since 
documenting its PIR policies because no major investments have 
transitioned from the developmental life-cycle stage to the operational 
stage. 

Source: GAO. 

[End of table] 

Treasury Does Not Have a Comprehensive Plan to Guide Its Improvement 
Efforts: 

We have previously reported that to effectively implement IT 
investments management processes, organizations need to be guided by a 
plan that (1) is based on an assessment of strengths and weaknesses; 
(2) specifies measurable goals, objectives, and milestones; (3) 
specifies needed resources; (4) assigns clear responsibility and 
accountability for accomplishing tasks; and (5) is approved by senior- 
level management. Such a plan is instrumental in helping agencies 
coordinate and guide improvement efforts. 

Treasury has initiated efforts to improve its investment management 
process. 

* Treasury has contracted for a review of the CPIC governance process 
at each of its bureaus that entails performing portfolio investment 
validation and evaluation on the bureaus' major investments. The 
reviews involve visiting the respective bureaus to verify key CPIC 
documentation, the health of their governance and investment processes, 
and their compliance with the department's CPIC process. These reviews 
are to provide the department with a better understanding of the 
bureau's processes and help the department identify opportunities for 
investment management improvements. The reviews also are to provide the 
department with greater confidence in the investment information being 
provided by the bureaus. 

* In April 2007, Treasury issued an Internal Watch List that identifies 
major investments at risk of not meeting established goals. Among the 
criteria for placement on this list is cost or schedule variances 
greater than plus or minus 10 percent for two consecutive quarters. The 
department's Office of the CIO is responsible for overseeing the 
Internal Watch List. Investments placed on this list are subject to 
additional reporting requirements, including development of an action 
plan to remediate the investment's noncompliant conditions. Bureaus are 
to report on the status of their corrective actions to the CIO monthly. 
Once the corrective actions have been implemented and the CIO concurs, 
the investment may be removed from the list. According to officials, as 
of May 2007, bureaus were beginning to submit their corrective action 
plans to the CIO. The Internal Watch List process should improve 
project oversight by providing greater assurance that actions are taken 
to address deficiencies. 

Although Treasury has initiated these efforts, the department has not 
developed a comprehensive plan with the characteristics listed above 
that would help guide improvements to its investment management 
process. Treasury officials recognize the value of having a 
comprehensive plan and told us they plan to develop one once their new 
assistant secretary for management is confirmed; however, a time frame 
for completing the plan has not been established. Until Treasury 
develops this plan, the department risks not being able to put in place 
an effective management process that will provide appropriate executive-
level oversight for minimizing risks and maximizing returns. 

Treasury CIO's Role in Managing IT Investments Has Been Mixed: 

The Clinger-Cohen Act, E-Government Act of 2002,[Footnote 23] and 
implementing guidance from OMB provide a number of investment 
management responsibilities to CIOs that generally entail working with 
the agency head and senior managers to define and implement processes 
for selecting, controlling, and evaluating investments. Our IT 
investment management framework defines practices that are consistent 
with these provisions. Because CIOs are to carry out their investment 
management functions with the support of an enterprisewide investment 
review board, many of the responsibilities we used to evaluate the 
Treasury CIO's role relate to key practices discussed earlier in the 
report as part of our evaluation of the department's investment 
management capabilities. 

The Treasury CIO's[Footnote 24] role in managing the department's IT 
investments has been mixed, although it has gradually increased since 
September 2005, when the department's CPIC policy was issued. 

* Many responsibilities have been fully performed, including 
responsibilities for establishing investment management policy, several 
associated with selecting investments, and some associated with 
controlling investments. 

* Several responsibilities have been partially performed--including 
some associated with selecting investments, and others associated with 
controlling investments--either because the department has not extended 
them to nonmajor investments or because some activities have not yet 
been completed. 

* A few responsibilities--most of them associated with controlling 
investments--have not yet been performed, primarily because they are 
just getting under way and have yet to produce results. 

Table 15 shows the CIO's role in performing key investment management 
responsibilities. 

Table 15: CIO Involvement in Performing Investment Management 
Responsibilities: 

General. 

Investment management responsibility: Implement investment governance 
process as a member of executive investment review board; 
Role in performing responsibility: While the CIO plays a significant 
role in implementing Treasury's investment governance process, he is 
not operating as a member of an executive investment review board. (As 
noted in the report, this board currently does not exist.); 
CIO involvement: Not performed. 

Investment management responsibility: Provide oversight of development 
and maintenance of documented investment process; 
Role in performing responsibility: In the absence of an executive 
investment review board, the CIO has been carrying out this 
responsibility as head of TIRB. TIRB, for example, approved the CPIC 
guidance first issued in September 2005; 
CIO involvement: Fully performed. 

Investment management responsibility: Develop comprehensive earned 
value management policy; 
Role in performing responsibility: The CIO issued an earned value 
management policy to the department in December 2005; 
CIO involvement: Fully performed. 

Selecting investments. 

Investment management responsibility: Approve selection criteria 
(including portfolio selection criteria); 
Role in performing responsibility: The selection criteria are first 
defined in the CPIC policy, which the CIO issued in September 2005. 
Changes to the selection criteria are approved by TIRB, which the CIO 
chairs; 
CIO involvement: Fully performed. 

Investment management responsibility: Regularly review and modify 
selection criteria (including portfolio selection criteria), as 
appropriate; 
Role in performing responsibility: Changes to the selection criteria 
are approved by TIRB, which the CIO chairs; 
CIO involvement: Fully performed. 

Investment management responsibility: Use defined selection process to 
select/reselect investments; Role in performing responsibility: TIRB, 
which the CIO chairs, uses the defined selection process to select/ 
reselect major investments. The CIO is not involved in the selection/ 
reselection of nonmajor investments; CIO involvement: Partially 
performed. 

Investment management responsibility: Align funding decisions with 
investment selection decisions; 
Role in performing responsibility: The CIO works with other executives, 
including the Assistant Secretary for Management/Chief Financial 
Officer, to make funding decisions that are aligned with investment 
selection decisions; 
CIO involvement: Fully performed. 

Investment management responsibility: Ensure qualified project managers 
are assigned to all projects; 
Role in performing responsibility: During the quarterly control 
reviews, TIRB determines whether projects have qualified project 
manager, in accordance with OMB guidance. The CIO issued a memo to 
bureau CIOs in December 2005 requiring them to certify project manager 
qualifications. In April 2007, the CIO issued a memo specifying 
criteria for identifying major projects that will be subject to 
additional CIO oversight and reporting requirements. These criteria 
include lack of a validation of project managers' qualifications by the 
bureau CIO. According to officials, as of May 2007, this process was 
just getting under way; 
CIO involvement: Partially performed. 

Investment management responsibility: Leverage interagency and 
governmentwide investments to support common missions; 
Role in performing responsibility: The CIO oversees this activity (it 
is carried out by EA staff); 
CIO involvement: Fully performed. 

Investment management responsibility: Use information repository to 
support executive decision-making reselection; 
Role in performing responsibility: TIRB uses information from the 
department's repository to inform its selection decisions and 
recommendations to executives; 
CIO involvement: Fully performed. 

Investment management responsibility: Ensure all investments have 
acceptable business cases; 
Role in performing responsibility: For the fiscal year 2008 budget 
formulation process, the Office of the CIO instituted several policies 
aimed at improving the quality of these business cases, including 
requiring bureau project managers and CIOs to certify the accuracy of 
the data in their business cases, and establishing an independent 
validation program to examine both bureau CPIC processes and selected 
Exhibit 300s. This program is currently under way; 
CIO involvement: Partially performed. 

Investment management responsibility: Evaluate the alignment of IT 
projects/systems with strategic goals and objectives and provide 
corrective actions if needed; 
Role in performing responsibility: The TIRB, which the CIO chairs, 
performs this activity for major projects as part of the select 
process. The CIO does not carry out this activity for nonmajor 
projects; 
CIO involvement: Partially performed. 

Controlling investments. 

Investment management responsibility: Approve/modify the performance 
expectations of selected investments; 
Role in performing responsibility: For major investments, the CIO 
carries out this responsibility by approving the business cases and 
other documents that specify performance expectations and approving 
baseline change requests. The CIO does not carry out this 
responsibility for nonmajor investments; 
CIO involvement: Partially performed. 

Investment management responsibility: Conduct integrated baseline 
reviews on contracts with an earned value management system (EVMS) 
requirement; 
Role in performing responsibility: According to the Associate CIO for 
Capital Planning and Information Management and the Director for 
Capital Planning and Investment Control, this responsibility has been 
delegated to the bureaus. Because this responsibility involves working 
with contract officer technical representatives, the office of the CIO 
has engaged the Office of the Chief Procurement Officer. The two 
offices are currently working to develop guidance; 
CIO involvement: Partially performed. 

Investment management responsibility: Receive data on actual cost and 
schedule performance; 
Role in performing responsibility: The CIO--as head of TIRB--receives 
data on actual cost and schedule performance of major investments on a 
quarterly basis. The CIO does not carry out this responsibility for 
nonmajor investments; 
CIO involvement: Partially performed. 

Investment management responsibility: Review, on a regular basis, the 
performance of IT projects against expectations using verified data; 
Role in performing responsibility: TIRB reviews the performance of 
major IT projects against expectations, using verified data as part of 
its quarterly reviews. The CIO does not carry out this responsibility 
for nonmajor investments; 
CIO involvement: Partially performed. 

Investment management responsibility: Manage and measure projects to a 
10 percent variance of baseline using EVMS; 
Role in performing responsibility: The TIRB quarterly reviews of 
performance data include a measure of 10 percent variance of baseline 
using EVMS. The CIO, however, issued a memo in April 2007 requiring 
projects experiencing cost or schedule variances greater than plus or 
minus 10 percent for two consecutive quarters to develop an action plan 
to remediate the condition and report to the CIO on the status of 
actions taken on a monthly basis. According to Treasury officials, as 
of May 2007, this process was just getting under way; 
CIO involvement: Not performed. 

Investment management responsibility: Take corrective actions for 
underperforming IT projects; 
Role in performing responsibility: In April 2007, the CIO issued a memo 
regarding the identification of major projects to be placed on an 
Internal Watch List based on not meeting certain criteria for two 
consecutive quarters. These projects are to develop corrective actions 
and report to the CIO on the status of these actions on a monthly 
basis. According to officials, as of May 2007, this process was just 
getting under way; 
CIO involvement: Not performed. 

Investment management responsibility: Track implementation of 
corrective actions on projects; 
Role in performing responsibility: In April 2007, the CIO issued a memo 
regarding the identification of major projects to be placed on an 
Internal Watch List based on not meeting certain criteria for two 
consecutive quarters. These projects are to develop corrective actions 
and report to the CIO on the status of these actions on a monthly 
basis. According to officials, as of May 2007, this process was just 
getting under way; 
CIO involvement: Not performed. 

Investment management responsibility: Use information repository to 
support control decisions; 
Role in performing responsibility: TIRB uses information from the 
department's repository to make control decisions and investment 
recommendations to executives; 
CIO involvement: Fully performed. 

Investment management responsibility: Coordinate "high risk" project 
identification with OMB; 
Role in performing responsibility: The CIO worked with OMB to identify 
its initial list of high-risk projects and continues to provide updates 
of this list on a quarterly basis; 
CIO involvement: Fully performed. 

Investment management responsibility: Assess, confirm, and document the 
performance of high-risk projects; 
Role in performing responsibility: Every quarter, the CIO submits to 
OMB a report that assesses, confirms, and documents the performance of 
the department's high-risk projects; 
CIO involvement: Fully performed. 

Evaluating investments. 

Investment management responsibility: Identify IT projects for 
postimplementation reviews; 
Role in performing responsibility: According to Treasury's CPIC 
policies, postimplementation reviews are required for all projects 6 to 
18 months after they become operational. According to officials, Office 
of the CIO staff keep track of when projects reach that phase. These 
officials also note, however, that no project has become eligible for 
PIRs since the CPIC policy was issued; 
CIO involvement: Not performed. 

Source: GAO. 

[End of table] 

The CIO's involvement in managing the department's investments has 
strengthened the investment management process. For example, by 
regularly reviewing and modifying investment selection criteria, as 
appropriate, to reflect organizational objectives, the CIO, as Chair of 
the TIRB, has helped ensure investments supporting organizational goals 
are selected. 

However, several responsibilities have not been fully performed. For 
example, several responsibilities for selecting and controlling 
investments have not been performed for nonmajor investments. As 
discussed earlier in the report, Treasury officials stated they have 
not made the nonmajor investments a priority because they have instead 
chosen to devote their resources to the major investments, which 
represent about 80 percent of the department's IT expenditures. As 
noted earlier, while it is reasonable to focus on the major 
investments, the nonmajor investments also require a certain level of 
oversight, given the significant amount of funding (about $480 million) 
and number of investments (160) involved. Because several 
responsibilities have not been fully performed, there is increased risk 
that investments will not be effectively managed. 

Conclusions: 

Given the importance of IT to Treasury's mission, it is vital that the 
department manage its investments effectively. To its credit, because 
of the attention that has recently been given to investment management, 
Treasury has established many of the practices needed to build the 
investment foundation and manage its projects as a portfolio and, as 
such, has made progress since we examined the department's process as 
part of our governmentwide review 3 years ago. However, the absence of 
an executive investment review board actively engaged in the investment 
management process and the department's limited involvement in the 
management of nonmajor investments are significant weaknesses that 
hamper the department's ability to effectively manage its investments. 
As a result, the department cannot ensure that it is managing the mix 
of investments that will maximize returns to the organization, taking 
into account the appropriate level of risk. 

Critical to Treasury's success going forward will be the development 
and implementation of a plan that (1) is based on the assessment of 
strengths and weaknesses identified in this report; (2) specifies 
measurable goals, objectives, and milestones; (3) specifies needed 
resources; (4) assigns clear responsibility and accountability for 
accomplishing tasks; and (5) is approved by senior management. Without 
such a plan and procedures for implementing it, it will be difficult 
for the department to maintain steady progress in improving its 
investment management process. As a result, Treasury will continue to 
be challenged in its ability to make informed and prudent investment 
decisions in managing its annual multibillion-dollar IT budget. 

By fully performing selected investment management responsibilities, 
the CIO has taken positive steps toward strengthening the department's 
process for selecting, controlling, and evaluating investments. 
However, the department's investments will continue to be at risk as 
long as there are responsibilities that are partially performed or not 
performed. 

Recommendations for Executive Action: 

To strengthen Treasury's investment management capability, we recommend 
that the Secretary of the Department of the Treasury direct the 
Assistant Secretary for Management, in collaboration with the CIO, to 
develop and implement a plan to address the following two actions: 

(1) Establish an executive investment review board, composed of 
executives representing IT and business units, that would be actively 
engaged in the investment management process. 

(2) Develop and implement policies and procedures to manage nonmajor 
investments. 

We also recommend that the plan include actions to address the 
weaknesses in eight critical processes identified in this report, 
beginning with those identified in our Stage 2 analysis and continuing 
with those identified in our Stage 3 analysis. The plan should, at a 
minimum, provide for fully implementing the following: 

In Stage 2: 

* instituting the investment board, 

* meeting business needs, 

* selecting an investment, and: 

* providing investment oversight. 

In Stage 3: 

* defining the portfolio criteria, 

* creating the portfolio, 

* evaluating the portfolio, and: 

* conducting postimplementation reviews. 

In developing the plan, the Secretary of the Department of the Treasury 
should direct the Chief Information Officer to ensure that the plan 
draws together ongoing and additional efforts needed to address the 
weaknesses identified in this report, including those relating to the 
CIO's role in performing investment management responsibilities. The 
plan should also (1) specify measurable goals, objectives, and 
milestones; (2) specify needed resources; (3) assign clear 
responsibility and accountability for accomplishing tasks; and (4) be 
approved by senior management. In implementing the plan, the Chief 
Information Officer should ensure that the resources are available to 
carry out the plan and that progress is measured and reported 
periodically to the Secretary of the Department of the Treasury. 

Agency Comments and Our Evaluation: 

In e-mail comments on a draft of this report, the Acting CIO stated 
that the report reflects both Treasury's shortcomings as well as 
progress to date and recognized the need to take proactive steps to 
strengthen its investment board operations and oversight of information 
technology resources and programs. Treasury also commented on the need 
for an executive review board, nonmajor investments, and the 
department's authority to redirect funding from one Treasury bureau to 
another. 

Regarding the need for an executive investment review board, Treasury 
noted that, in addition to the Technical Investment Review Board 
chaired by the CIO, an E-Board consisting of Treasury executives 
previously existed. We acknowledge the establishment of these boards in 
our report but emphasize that there currently is no executive 
investment review board composed of executives from IT and business 
units that is actively engaged in the investment management process. 
The department recognizes this in its comments, stating that it agrees 
it needs to reconstitute its executive board such that it is actively 
engaged in the investment management process. 

Regarding nonmajor investments, Treasury commented that nonmajor 
investments have not been a priority because the major investments the 
department has chosen to devote its resources to represent the more 
significant portion of the portfolio in terms of dollar value, 
visibility to OMB and Congress, and importance to Treasury's mission. 
We recognize the importance of the major investments in our report and 
acknowledge that it is reasonable to focus attention on these 
investments. Nevertheless, we maintain that nonmajor investments should 
require a certain level of oversight given the amount of funding 
involved (about $480 million in estimated expenditures for fiscal year 
2007) and the fact that they represent the bulk of most bureaus 
investment portfolio. Treasury also stated that its CPIC guide contains 
guidance on managing nonmajor IT investments and that the department 
conducts quarterly control reviews of all IT investments, both major 
and nonmajor. While the guide requires all IT investments to comply 
with its provisions, it clearly states that the select phase described 
applies to major investments and that bureaus are responsible for 
conducting their own select process for nonmajor investments. In 
addition, while, as we note in the report, Treasury requires bureaus to 
report on the cost, schedule, and performance of its nonmajor 
investments on a quarterly basis, this information is not provided to 
TIRB for review. Treasury noted that it is currently developing 
guidance and reporting requirements for nonmajors that integrates 
enterprise architecture and capital planning. 

In its comments, Treasury also noted that the department's ability to 
exercise effective management of its IT portfolio requires that the CIO 
(as chairman of the Technical Investment Review Board) be empowered to 
make recommendations to the executive board concerning IT budgetary 
requests across the department. Additionally, the executive board needs 
to be empowered to make decisions across organizational lines on behalf 
of the department. Treasury added that, currently, neither the Treasury 
Department, including the Acting CIO, nor the executive board has the 
prerogative (authority) to redirect IT funding from one Treasury bureau 
to another. While this particular authority was not the subject of our 
review, we agree that not having it could present a challenge to 
effectively managing the IT portfolio. Nevertheless, effective 
portfolio management requires the collective decisionmaking of 
executives from both IT and business units, which highlights the 
importance of having an executive investment review board that is 
actively engaged in the investment management process. 

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of other Senate and House committees that have 
authorization and oversight responsibilities for Treasury and other 
interested congressional committees; the Director of the Office of 
Management and Budget; the Secretary of the Treasury; the Assistant 
Secretary for Management and Chief Financial Officer; and the Chief 
Information Officer. We also will make copies available to others upon 
request. In addition, the report will be available at no charge on the 
GAO Web site at http://www.gao.gov. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-9286 or pownerd@gao.gov. Contact points for our 
Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. Key contributors to this report are 
listed in appendix II. 

Signed by: 

David A. Powner:
Director, Information Technology Management Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to (1) assess the Department of the 
Treasury's capabilities for managing its IT investments, (2) determine 
any plans Treasury might have for improving those capabilities, and (3) 
evaluate the CIO's role in managing the department's IT investments. 

To address our first objective, we reviewed the results of the 
department's self-assessment of Stages 2 and 3 practices using our IT 
investment management framework and validated and updated the results 
of the self-assessment through document reviews and interviews with 
officials. We reviewed written policies, procedures, and guidance and 
other documentation providing evidence of executed practices, including 
Treasury's Capital Planning and Investment Control Policy Guide, Earned 
Value Management Policy Guide, Exhibit 300 Scoring Guide, Alternative 
Analysis Policy Guide, FY06 IT Portfolio Alignment Summary, IT 
Modernization Blueprint Volume 2: IT Strategic Plan, portfolio 
management tool guidance, and various memorandums. We also reviewed 
TIRB and CIO Council meeting materials. In addition, we conducted 
interviews with officials from the Office of the CIO, whose main 
responsibility is to oversee and ensure that Treasury's IT investment 
management process is implemented and followed. 

We compared the evidence collected from our document reviews and 
interviews to the key practices in ITIM. We rated the key practices as 
"executed" on the basis of whether the agency demonstrated (by 
providing evidence of performance) that it had met the criteria of the 
key practice. A key practice was rated as "not executed" when we found 
insufficient evidence of a practice during the review or when we 
determined that there were significant weaknesses in Treasury's 
execution of the key practice. In addition, Treasury was provided with 
the opportunity to produce evidence for key practices rated as "not 
executed." We did not assess progress in establishing the capabilities 
found in Stages 4 and 5 because the department acknowledged it had not 
executed the key practices in these higher maturity stages. 

To determine the level of guidance the department is providing to its 
bureaus, we interviewed officials and obtained written responses from 
the Bureau of the Public Debt, Financial Management Service, and the 
Internal Revenue Service (IRS) to determine the level of investment 
management guidance and oversight that is provided by the department. 
As part of our analysis, we selected one enterprisewide and three 
bureau-level IT projects as case studies to verify that the critical 
processes and key practices were being applied. The projects selected 
(1) are in different life-cycle phases, (2) represent a mix of 
headquarters and component bureau investments, (3) support different 
functional areas, and (4) required different levels of funding. The 
four projects are described as follows: 

1. Customer Account Data Engine (CADE). The database initiative is the 
foundation for managing taxpayer accounts in IRS's Business Systems 
Modernization[Footnote 25] effort. CADE is being incrementally 
designed, developed, and implemented to form the data foundation for a 
modernized IRS by replacing the Individual Master File[Footnote 26] and 
its related applications with new technology, new applications, and new 
databases. The system's purpose is to enable IRS tax specialists to 
post transactions and update taxpayer account and return data using an 
online interface tool. Updates are to be available daily to authorized 
personnel who have access to this data, which provide a complete, 
timely, and accurate account of the individual taxpayer's information. 
The project is a major investment and has an estimated life-cycle cost 
of over $1.3 billion. 

2. Savings Bond Replacement System (SaBRe). SaBRe supports two of the 
President's Management Agenda initiatives: financial performance and 
expanded e-government. It processes cash and security transactions that 
result when accrued savings bonds are sold or redeemed by Federal 
Reserve Bank processing sites or by financial institutions and 
corporate entities designated as fiscal agents. Federal Reserve Bank 
processing sites consolidate and report to SaBRe daily issue and 
retirement transactions generated by processing cash and security 
transactions. SaBRe processes the transactions, updates electronic 
records that are used for customer service, and reports daily financial 
transactions for inclusion in the Daily Treasury Statement. The project 
is a major investment and has an estimated life-cycle cost of over $57 
million. 

3. Treasury Receivable, Accounting, and Collection System (TRACS). 
TRACS is to provide Treasury's Financial Management Service with a tool 
for supporting its Payment Business Line for the accounting, debt 
billing, collection, and reporting requirements associated with 
Treasury's check claims business process. It is to aid in the 
processing of check claims accounting, authorization of payments, 
issuing of bills, debt collection, and funds transfers from and to 
federal program agencies. Currently all funding for TRACS will be used 
to maintain and enhance the system. The project is a nonmajor 
investment and has an estimated life-cycle cost of over $11 million 
through fiscal year 2012. 

4. Treasury Foreign Intelligence Network (TFIN). TFIN exists to assist 
Treasury analysts in their ongoing efforts to provide meaningful 
intelligence to senior Treasury management as well as to other agencies 
within the intelligence community. It was originally built as a 
customized in-house network over 10 years ago. In early fiscal year 
2005, Treasury identified a need to modernize TFIN due to the age of 
the system, outdated components, and performance issues, and to address 
Treasury's expanding mission in the fight against terrorism. The system 
is currently listed as a major department-level development, 
modernization, and enhancement effort, with total estimated life-cycle 
costs of $43 million. 

For these projects, we reviewed project management documentation, such 
as project plans, and status reports. We also obtained investment 
information from the bureau officials responsible for managing the 
projects. 

To address our second objective, we obtained and evaluated documents 
showing what management actions had been taken and what initiatives had 
been planned by the agency. This documentation included the IT 
Modernization Blueprint Volume 2, IT Strategic Plan, The Department of 
the Treasury's Strategic Plan, and a contractor work request for an 
independent validation and verification of Treasury's capital planning 
program support process. We also interviewed officials from the Office 
of the CIO to determine efforts undertaken to improve IT investment 
management processes. 

To address our third objective, we reviewed legislation, including the 
Clinger-Cohen Act of 1996 and the E-Government Act of 2002, and OMB 
guidance to determine the roles and responsibilities of CIOs regarding 
investment management. We also reviewed the practices laid out in GAO's 
IT investment management framework. We reviewed documentation and 
conducted interviews with Treasury officials, including the Associate 
CIO for Capital Planning and Information Management, to determine the 
extent of the CIO's involvement in selecting, controlling, and 
evaluating the department's IT investments. We conducted our work at 
Treasury headquarters in Washington, D.C., from August 2006 through 
July 2007 in accordance with generally accepted government auditing 
standards. 

[End of section] 

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David A. Powner, (202) 512-9286 or pownerd@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, Sabine Paul, Assistant 
Director; William Barrick; Camille Chaires; Neil Doherty; Nancy Glover; 
and Tomas Ramirez; made key contributions to this report. 

FOOTNOTES 

[1] Office of Management and Budget, Report on Information Technology 
(IT) Spending for the Federal Government for Fiscal Years 2006, 2007, 
2008 (Washington, D.C., May 2007). 

[2] 40 U.S.C. §§ 11312-11313. 

[3] See, for example, GAO, Business Systems Modernization: Internal 
Revenue Service's Fiscal Year 2007 Expenditure Plan, GAO-07-247 
(Washington, D.C.: Feb.15, 2007). 

[4] GAO, Information Technology Management: Governmentwide Strategic 
Planning,Performance, Measurement, and Investment Management Can Be 
Further Improved, GAO-04-49 (Washington, D.C.: Jan. 12, 2004). 

[5] GAO, Information Technology Management: Observations on the 
Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval 
and Sharing (BSA Direct R&S) Project, GAO-06-947R (Washington, D.C.: 
July 14, 2006). 

[6] According to officials, this investment was classified as nonmajor 
until August 2006. 

[7] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: 
January 2007). 

[8] OMB determines projects to be included on its Management Watch List 
based on an evaluation of Exhibit 300 business cases that agencies 
submit for major projects as part of the budget development process. 
The high-risk list consists of projects identified by the agencies with 
the assistance of OMB, using specific criteria established by OMB, and 
that are reported quarterly by the agencies to OMB. 

[9] 40 U.S.C. §§ 11312, 11313, 11315. 

[10] The first five criteria are OMB criteria outlined in OMB Circular 
A-11 for determining major investments. The remaining three criteria 
are Treasury-specific criteria. 

[11] The policy document has been updated a few times since it was 
issued. The most recent update was issued in October 2006. 

[12] The President's e-government initiatives are intended to improve 
services to citizens, to increase the efficiency and effectiveness of 
the government, and to provide savings to the taxpayer. 

[13] The President's Management Agenda, announced in 2001, is a 
strategy for improving the management of the federal government, 
focusing on five areas of management weaknesses across the government. 
One of these areas involves expanded use of electronic government for 
better serving the public. 

[14] In August 2005, OMB initiated an effort for agencies to improve IT 
project planning and execution. Through this effort, agencies are to 
identify "high risk projects" using specific criteria established by 
OMB and report quarterly to OMB on each project's performance noted 
shortfalls and planned corrective actions to address the shortfalls. 
The criteria Treasury used to establish its internal watch list mirrors 
the list of shortfalls OMB requires agencies to report on. 

[15] Certification is the comprehensive evaluation of the management, 
operational, and technical security controls in an information system 
to determine the effectiveness of these controls and identify existing 
vulnerabilities. Accreditation is the official management decision to 
authorize operation of an information system. This authorization 
explicitly accepts the risk remaining after the implementation of an 
agreed-upon set of security controls. 

[16] Similarly to the e-government initiatives, the line of business 
initiatives are intended to improve services to citizens, to increase 
the efficiency and effectiveness of the government, and to provide 
savings to the taxpayer. 

[17] GAO, Information Technology Investment Management: A Framework for 
Assessing and Improving Process Maturity, GAO-04-394G (Washington, 
D.C.: March 2004). 

[18] GAO, Information Technology: DLA Needs to Strengthen Its 
Investment Management Capability, GAO-02-314 (Washington, D.C.: Mar. 
15, 2002); United States Postal Service: Opportunities to Strengthen IT 
Investment Management Capabilities, GAO-03-3 (Washington, D.C.: Oct. 
15, 2002); Information Technology: Departmental Leadership Crucial to 
Success of Investment Reforms at Interior, GAO-03-1028 (Washington, 
D.C.: Sept. 12, 2003); Bureau of Land Management: Plan Needed to 
Sustain Progress in Establishing IT Investment Management Capabilities, 
GAO-03-1025 (Washington, D.C.: Sept. 12, 2003); Information Technology: 
FAA Has Many Investment Management Capabilities in Place, but More 
Oversight of Operational Systems Is Needed, GAO-04-822 (Washington, 
D.C.: Aug. 20, 2004); Information Technology: HHS Has Several 
Investment Management Capabilities in Place, but Needs to Address Key 
Weaknesses, GAO-06-11 (Washington, D.C.: Oct. 28, 2005); Information 
Technology: Centers for Medicare & Medicaid Services Needs to Establish 
Critical Investment Management Capabilities, GAO-06-12 (Washington, 
D.C.: Oct. 28, 2005); Information Technology: DHS Needs to Fully Define 
and Implement Policies and Procedures for Effectively Managing 
Investments, GAO-07-424 (Washington, D.C.: Apr. 27, 2007). 

[19] Stage 1 is typified by the absence of an organized, executable, 
and consistently applied IT investment management process. 

[20] An IT investment board is a decision-making body, made up of 
senior program, financial, and information officials, that is 
responsible for making decisions about IT projects and systems on the 
basis of comparisons and trade-offs among competing projects and has an 
emphasis on meeting mission goals. 

[21] The Clinger-Cohen Act of 1996, 40 U.S.C. §§ 11312. 

[22] According to ITIM, new proposals include both (1) previously 
submitted IT proposals that were not originally selected for funding 
and (2) IT proposals that have never been submitted. 

[23] Pub. L. No. 107-347 (Dec. 17, 2002) 

[24] We are referring to both the current CIO who has been acting since 
January 2007 and the former CIO. 

[25] The Business Systems Modernization is a highly complex, 
multibillion-dollar effort to modernize IRS's technology and related 
business processes. 

[26] The Individual Master File is IRS's database that stores various 
types of taxpayer account information. This database includes 
individual, business, employee plans, and exempt organizations data. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to www.gao.gov and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 
512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm: 

E-mail: fraudnet@gao.gov: 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400: 

U.S. Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800: 

U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: