This is the accessible text file for GAO report number GAO-09-841 
entitled 'DOD Business Systems Modernization: Navy Implementing a 
Number of Key Management Controls on Enterprise Resource Planning 
System, but Improvements Still Needed' which was released on 
September 15, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

September 2009: 

DOD Business Systems Modernization: 

Navy Implementing a Number of Key Management Controls on Enterprise 
Resource Planning System, but Improvements Still Needed: 

GAO-09-841: 

GAO Highlights: 

Highlights of GAO-09-841, a report to congressional requesters. 

Why GAO Did This Study: 

The Department of Defense (DOD) has long been challenged in effectively 
implementing key acquisition management controls on its thousands of 
business system investments. For this and other reasons, GAO has 
designated DODís business systems modernization efforts as high-risk 
since 1995. One major business system investment is the Navyís 
Enterprise Resource Planning (ERP) system. Initiated in 2003, it is to 
standardize the Navyís business processes, such as acquisition and 
financial management. It is being delivered in increments, the first of 
which is to cost about $2.4 billion over its 20-year useful life and be 
fully deployed by fiscal year 2013. To date, the program has 
experienced about $570 million in cost overruns and a 2-year schedule 
delay. GAO was asked to determine whether (1) system testing is being 
effectively managed, (2) system changes are being effectively 
controlled, and (3) independent verification and validation (IV&V) 
activities are being effectively managed. To do this, GAO analyzed 
relevant program documentation, traced random samples of test defects 
and change requests, and interviewed cognizant officials. 

What GAO Found: 

The Navy has largely implemented effective controls on Navy ERP 
associated with system testing and change control. For example, it has 
established a well-defined structure for managing tests, including 
providing for a logical sequence of test events, adequately planning 
key test events, and documenting and reporting test results. In 
addition, it has documented, and is largely following, its change 
request review and approval process, which reflects key aspects of 
relevant guidance, such as having defined roles and responsibilities 
and a hierarchy of control boards. However, important aspects of test 
management and change control have not been fully implemented. 
Specifically, the programís tool for auditing defect management did not 
always record key data about changes made to the status of identified 
defects. To its credit, the program office recently took steps to 
address this, thereby reducing the risk of defect status errors or 
unauthorized changes. Also, while the program officeís change review 
and approval procedures include important steps, such as considering 
the impact of a change, and program officials told GAO that cost and 
schedule impacts of a change are discussed at control board meetings, 
GAOís analysis of 60 randomly selected change requests showed no 
evidence that cost and schedule impacts were in fact considered. 
Without such key information, decision-making authorities lack an 
adequate basis for making informed investment decisions, which could 
result in cost overruns and schedule delays. 

The Navy has not effectively managed its IV&V activities, which are 
designed to obtain an unbiased position on whether product and process 
standards are being met. In particular, the Navy has not ensured that 
the IV&V contractor is independent of the products and processes that 
it is reviewing. Specifically, the same contractor responsible for 
performing IV&V of Navy ERP products (e.g., system releases) is also 
responsible for ensuring that system releases are delivered within cost 
and schedule constraints. Because performance of this system 
development and management role makes the contractor potentially unable 
to render impartial assistance to the government in performing the IV&V 
function, there is an inherent conflict of interest. In addition, the 
IV&V agent reports directly and solely to the program manager and not 
to program oversight officials. As GAO has previously reported, the 
IV&V agent should report the findings and associated risks to program 
oversight officials, as well as program management, in order to better 
ensure that the IV&V results are objective and that the officials 
responsible for making program investment decisions are fully informed. 
Furthermore, the contractor has largely not produced the range of IV&V 
deliverables that were contractually required between 2006 and 2008. To 
its credit, the program office recently began requiring the contractor 
to provide assessment reports, as required under the contract, as well 
as formal quarterly reports; the contractor delivered the results of 
the first planned assessment in March 2009. Notwithstanding the recent 
steps that the program office has taken, it nevertheless lacks an 
independent perspective on the programís products and management 
processes. 

What GAO Recommends: 

GAO is making recommendations to the Secretary of Defense aimed at 
improving the programís system change request review and approval 
process and its IV&V activities. DOD concurred with the recommendations 
and identified actions that it plans to take. 

View [hyperlink, http://www.gao.gov/products/GAO-09-841] or key 
components. For more information, contact Randolph C. Hite at (202) 512-
3439 or hiter@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Key Aspects of Navy ERP Testing Have Been Effectively Managed: 

System Changes Have Been Controlled, but Their Cost and Schedule 
Impacts Were Not Sufficiently Considered: 

Navy ERP IV&V Function Is Not Independent and Has Not Been Fully 
Performed: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Department of Defense: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Navy Systems Commands and Their Responsibilities: 

Table 2: Navy ERP Template 1 Releases: 

Table 3: Organizations Responsible for Navy ERP Oversight and 
Management: 

Table 4: Navy ERP Program Contracts: 

Table 5: Description of the Purpose of Navy ERP Tests: 

Table 6: Navy ERP Testing-Related Organizations and Respective Roles 
and Responsibilities: 

Table 7: Roles and Responsibilities for Change Review and Approval: 

Figures: 

Figure 1: Navy ERP Timeline: 

Figure 2: Navy ERP Life-Cycle Cost Estimates in Fiscal Years 2003, 
2004, and 2007: 

Figure 3: Navy ERP Deployment Schedule: 

Figure 4: Release 1.0 and 1.1 Test Activity Schedule: 

Abbreviations: 

DOD: Department of Defense: 

DON: Department of the Navy: 

ERP: Enterprise Resource Planning: 

FISC: Fleet Industrial Supply Center: 

FOC: full operational capability: 

FOT&E: follow-on operational test and evaluation: 

GCSS-MC: Global Combat Support System--Marine Corps: 

GDIT: General Dynamics Information Technology: 

IOC: initial operational capability: 

IOT&E: initial operational test and evaluation: 

IST: integrated system testing: 

IT: information technology: 

IV&V: independent verification and validation: 

MDA: milestone decision authority: 

NAVAIR: Naval Air Systems Command: 

NAVSEA: Naval Sea Systems Command: 

NAVSUP: Naval Supply Systems Command: 

NTCSS: Naval Tactical Command Support System: 

OT&E: operational test and evaluation: 

SAP: Systems Applications and Products: 

SPAWAR: Space and Naval Warfare Systems Command: 

TEMP: Test and Evaluation Master Plan: 

UAT: user acceptance testing: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

September 15, 2009: 

The Honorable Evan Bayh: 
Chairman: 
The Honorable Richard Burr: 
Ranking Member: 
Subcommittee on Readiness and Management Support: 
Committee on Armed Services: 
United States Senate: 

The Honorable John Ensign: 
United States Senate: 

For decades, the Department of the Defense (DOD) has been challenged in 
modernizing its timeworn business systems.[Footnote 1] In 1995, we 
designated DOD's business systems modernization program as high-risk, 
and continue to do so today.[Footnote 2] Our reasons include the 
modernization's large size, complexity, and its critical role in 
addressing other high-risk areas, such as overall business 
transformation and financial management. Moreover, we continue to 
report on business system investments that fail to effectively employ 
acquisition management controls and deliver promised benefits and 
capabilities on time and within budget.[Footnote 3] 

Nevertheless, DOD continues to invest billions of dollars in thousands 
of these business systems, 11 of which account for about two-thirds of 
the department's annual spending on business programs. The Navy 
Enterprise Resource Planning (ERP) program is one such program. 
Initiated in 2003, Navy ERP is to standardize the Navy's acquisition, 
financial, program management, plant and wholesale supply, and 
workforce management business processes across its dispersed 
organizational environment. As envisioned, the program consists of a 
series of major increments, the first of which includes three releases 
and is expected to cost approximately $2.4 billion over its 20-year 
life cycle and to be fully operational in fiscal year 2013. We recently 
reported that Navy ERP program management weaknesses had contributed to 
a 2-year schedule delay and about $570 million in cost overruns. 
[Footnote 4] 

As agreed, our objectives were to determine whether (1) system testing 
is being effectively managed, (2) system changes are being effectively 
controlled, and (3) independent verification and validation (IV&V) 
activities are being effectively managed. To accomplish this, we 
analyzed relevant program documentation, such as test management 
documents, individual test plans and procedures and related test 
results and defect reports; system change procedures and specific 
change requests and decisions; change review board minutes; and 
verification and validation plans and contract documents. We also 
observed the use of tools for recording and tracking test defects and 
change requests, including tracing a statistically valid sample of 
transactions through these tools. 

We conducted this performance audit from August 2008 to September 2009, 
in accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. Additional details on our 
objectives, scope, and methodology are in appendix I. 

Background: 

The Department of the Navy's (DON) primary mission is to organize, 
train, maintain, and equip combat-ready naval forces capable of winning 
wars, deterring aggression by would-be foes, preserving freedom of the 
seas, and promoting peace and security. Its operating forces, known as 
the fleet, are supported by four systems commands. Table 1 provides a 
brief description of each command's responsibilities. 

Table 1: Navy Systems Commands and Their Responsibilities: 

Systems command: Naval Air Systems Command (NAVAIR); 
Responsibilities: Developing, delivering, and supporting aircraft and 
weapons used by sailors and marines. 

Systems command: Naval Supply Systems Command (NAVSUP); 
Responsibilities: Providing supply, fuel, transportation, and other 
logistics programs. 

Systems command: Space and Naval Warfare Systems Command (SPAWAR); 
Responsibilities: Developing, delivering, and supporting specialized 
command and control technologies, business information technology, and 
space capabilities. 

Systems command: Naval Sea Systems Command (NAVSEA); 
Responsibilities: Acquiring and maintaining the department's ships and 
submarines. 

Source: GAO analysis of DON data. 

[End of table] 

To support the department's mission, these commands perform a variety 
of interrelated and interdependent business functions (e.g., 
acquisition and financial management), relying heavily on business 
systems to do so. In fiscal year 2009, DON's budget for business 
systems and associated infrastructure was about $2.7 billion, of which 
about $2.2 billion was allocated to operations and maintenance of 
existing systems and about $500 million to systems in development and 
modernization. Of the approximately 2,480 business systems that DOD 
reports having, DON accounts for 569, or about 23 percent, of the 
total. Navy ERP is one such system investment. 

Navy ERP: A Brief Description: 

In July 2003, the Assistant Secretary of the Navy for Research, 
Development, and Acquisition established Navy ERP to converge the 
functionality of four pilot systems that were under way at the four 
commands into one system.[Footnote 5] According to DOD, Navy ERP is to 
address the Navy's long-standing problems related to financial 
transparency and asset visibility. Specifically, the program is 
intended to standardize the Navy's acquisition, financial, program 
management, plant and wholesale supply, and workforce management 
business processes across its dispersed organizational components, and 
support about 86,000 users when fully implemented. 

Navy ERP is being developed in a series of increments using the Systems 
Applications and Products (SAP) commercial software package, augmented 
as needed by customized software. SAP consists of multiple, integrated 
functional modules that perform a variety of business-related tasks, 
such as finance and acquisition. The first increment, called Template 
1, is currently the only funded portion of the program and consists of 
three releases (1.0, 1.1, and 1.2).[Footnote 6] Release 1.0, Financial 
and Acquisition, is the largest of the three releases in terms of 
Template 1 functional requirements.[Footnote 7] See table 2 for a 
description of these releases. 

Table 2: Navy ERP Template 1 Releases: 

Release: 1.0 Financial and Acquisition; 
Functionality: 
* General Fund and Navy Working Capital Fund finance applications, such 
as billing, budgeting, and cost planning; 
* Acquisition applications, such as activity-based costing, contract 
awards, and budget exhibits; 
* Workforce management applications, such as personnel administration 
and training, as well as events management. 

Release: 1.1 Wholesale and Retail Supply; 
Functionality: 
* Wholesale applications, such as supply and demand planning, order 
fulfillment, and supply forecasting; 
* Retail supply applications, such as inventory management, supply and 
demand processing, and warehouse management. 

Release: 1.2 Intermediate-Level Maintenance; 
Functionality: 
* Maintenance applications, such as maintenance management, quality 
management, and calibration management. 

Source: GAO analysis of DON data. 

[End of table] 

DON estimates the life-cycle cost for Template 1 to be about $2.4 
billion, including about $1 billion for acquisition and $1.4 billion 
for operations and maintenance. The program office reported that 
approximately $600 million was spent from fiscal year 2004 through 
fiscal year 2008. For fiscal year 2009, about $190 million is planned 
to be spent. 

Program Oversight, Management, and Contractor Roles and 
Responsibilities: 

To acquire and deploy Navy ERP, DON established a program management 
office within the Program Executive Office for Executive Information 
Systems. The program office manages the program's scope and funding and 
is responsible for ensuring that the program meets its key objectives. 
To accomplish this, the program office performs program management 
functions, including testing, change control, and IV&V. In addition, 
various DOD and DON organizations share program oversight and review 
activities. A listing of key entities and their roles and 
responsibilities is provided in table 3. 

Table 3: Organizations Responsible for Navy ERP Oversight and 
Management: 

Entity: Under Secretary of Defense for Acquisition, Technology, and 
Logistics; 
Roles and responsibilities: Serves as the milestone decision authority 
(MDA), which according to DOD, has overall responsibility for the 
program, to include approving the program to proceed through its 
acquisition cycle on the basis of, for example, independent operational 
test evaluation and certification. 

Entity: Assistant Secretary of the Navy, Research, Development, and 
Acquisition; 
Roles and responsibilities: Serves as DON's oversight organization for 
the program, to include enforcement of Under Secretary of Defense for 
Acquisition, Technology, and Logistics policies and procedures. 

Entity: DON, Program Executive Office for Executive Information 
Systems; 
Roles and responsibilities: Oversees a portfolio of large-scale 
projects and programs designed to enable common business processes and 
provide standard capabilities, to include reviewing and approving 
overarching test plans and user acceptance test readiness. 

Entity: Navy ERP Senior Integration Board; 
Roles and responsibilities: Reviews progress in attaining acceptable 
system performance at systems commands, including approving new system 
capabilities. Chaired by the Principal Deputy Assistant Secretary of 
the Navy. 

Entity: Navy ERP Program Management Office; 
Roles and responsibilities: Performs day-to-day program management and 
serves as the single point of accountability for managing the program's 
objectives through development, testing, deployment, and sustainment. 

Source: GAO analysis of DOD data. 

[End of table] 

To deliver system and other program capabilities and to provide program 
management support services, Navy ERP relies on multiple contractors, 
as described in table 4. 

Table 4: Navy ERP Program Contracts: 

Contract: Release 1.0 System Integration; 
Award date: September 2004; 
Completion date: February 2008; 
Contract value: $176 million; 
Awarded to: BearingPoint; 
Purpose: Design and development of release 1.0; training and deployment 
at NAVAIR. 

Contract: Release 1.1 & 1.2 System Integration; 
Award date: June 2007; 
Completion date: September 2011; 
Contract value: $152.9 million; 
Awarded to: IBM; 
Purpose: Design and development of release 1.1 and 1.2. 

Contract: Professional Support Service 1; 
Award date: June 2006; 
Completion date: September 2010; 
Contract value: $163.7 million; 
Awarded to: IBM; 
Purpose: Business process analysis, training, organizational change 
management, and deployment and sustainment support. 

Contract: Professional Support Service 2; 
Award date: June 2006; 
Completion date: September 2010; 
Contract value: $69 million; 
Awarded to: General Dynamics Information Technology; 
Purpose: Support to the government in its oversight of the system 
integrators and other contractors, release management, and IV&V. 

Source: GAO analysis of DON data. 

[End of table] 

Overview of Navy ERP's Status: 

Template 1 of Navy ERP was originally planned to reach full operational 
capability (FOC) in fiscal year 2011, and its original estimated life-
cycle cost was about $1.87 billion.[Footnote 8] The estimate was later 
baselined[Footnote 9] in August 2004 at about $2.0 billion.[Footnote 
10] In December 2006 and again in September 2007, the program was 
rebaselined. FOC is now planned for fiscal year 2013, and the estimated 
life-cycle cost is about $2.4 billion (a 31 percent increase over the 
original estimate).[Footnote 11] 

The program is currently in the production and deployment phase of the 
defense acquisition system, having completed the system development and 
demonstration phase in September 2007.[Footnote 12] This was 17 months 
later than the program's original schedule set in August 2004, but on 
time according to the revised schedule set in December 2006. Changes in 
the program's acquisition phase timeline are depicted in figure 1, and 
life-cycle cost estimates are depicted in figure 2. 

Figure 1: Navy ERP Life-Cycle Cost Estimates in Fiscal Years 2003, 
2004, and 2007: 

[Refer to PDF for image: illustration] 

Phase: Concept refinement and technology development; 
Fiscal year 2003-2004: Program established (activity prior to the 2004 
plan); 

Phase: System development and demonstration; 
Fiscal year 2004-2006: 2004 plan; 
Fiscal year 2004-2008: 2007 plan; 

Phase: Production and deployment; 
Fiscal year 2006-2011: 2004 plan; 
* 2006: Initial Operational Capability; 
* 2011: Full Operational Capability. 
Fiscal year 2007-2013: 2007 plan; 
* 2008: Initial Operational Capability; 
* 2013: Full Operational Capability. 

Source: GAO analysis of DON data. 

[End of figure] 

Figure 2: Navy ERP Life-Cycle Cost Estimates in Fiscal Years 2003, 
2004, and 2007: 

[Refer to PDF for image: vertical bar graph] 

Fiscal year: 2003; 
Navy ERP Cost estimate: $1.87 billion. 

Fiscal year: 2004; 
Navy ERP Cost estimate: $1.99 billion. 

Fiscal year: 2007; 
Navy ERP Cost estimate: $2.44 billion. 

Source: GAO analysis of DON data. 

[End of figure] 

Release 1.0 was deployed at NAVAIR in October 2007, after passing 
developmental testing and evaluation. Initial operational capability 
(IOC) was achieved in May 2008, 22 months later than the baseline 
established in August 2004, and 4 months later than the new baseline 
established in September 2007. According to program documentation, 
these delays were due, in part, to challenges experienced at NAVAIR in 
converting data from legacy systems to run on the new system and 
implementing new business procedures associated with the system. In 
light of the delays at NAVAIR in achieving IOC, the deployment 
schedules for the other commands were revised in 2008. Release 1.0 was 
deployed at NAVSUP in October 2008 as scheduled, but deployment at 
SPAWAR was rescheduled for October 2009, 18 months later than planned, 
and at NAVSEA General Fund in October 2010, and at Navy Working Capital 
Fund in October 2011, each 12 months later than planned. 

Release 1.1 is currently being developed and tested, and is planned to 
be deployed at NAVSUP in February 2010, 7 months later than planned, 
and at the Navy's Fleet and Industrial Supply Centers (FISC)[Footnote 
13] starting in February 2011. Changes in the deployment schedule are 
depicted in figure 3. 

Figure 3: Navy ERP Deployment Schedule: 

[Refer to PDF for image: illustration] 

Release: 1.0 Financial and Acquisition; 
NAVAIR: Late FY 2007 (2007 plan); 
NAVSUP: Late FY 2008 (2007 and 2008 plan); 
SPAWAR: Mid FY 2007 (2007 plan); Early FY 2010 (2008 plan); 
NAVSEA for General Fund: Early FY 2010 (2007 plan); Early FY 2011 (2008 
plan); 
NAVSEA for Working Capital Fund: Early FY 2011 (2007 plan); Early FY 
2012 (2008 plan). 

Release: 1.1 Wholesale and Retail Supply; 
NAVSUP: Late FY 2009 (2007 plan); Mid FY 2010 (2008 plan); 
FISC (first of seven deployments): Mid FY 2011 (2008 plan). 

Source: GAO analysis of DON data. 

[End of figure] 

Prior GAO Reviews of DOD Business System Investments Have Identified IT 
Management Weaknesses: 

We have previously reported that DOD has not effectively managed key 
aspects of a number of business system investments,[Footnote 14] 
including Navy ERP. Among other things, our reviews have identified 
weaknesses in such areas as architectural alignment and informed 
investment decision making, which are the focus of the Fiscal Year 2005 
Defense Authorization Act business system provisions.[Footnote 15] Our 
reviews have also identified weaknesses in other system acquisition and 
investment management areas, such as earned value management,[Footnote 
16] economic justification, risk management, requirements management, 
test management, and IV&V practices. 

In September 2008, we reported that DOD had implemented key information 
technology (IT) management controls on Navy ERP to varying degrees of 
effectiveness.[Footnote 17] For example, the control associated with 
managing system requirements had been effectively implemented, and 
important aspects of other controls had been at least partially 
implemented, including those associated with economically justifying 
investment in the program and proactively managing program risks. 
However, other aspects of these controls, as well as the bulk of what 
was needed to effectively implement earned value management, had not 
been effectively implemented. As a result, the controls that were not 
effectively implemented had, in part, contributed to sizable cost and 
schedule shortfalls. Accordingly, we made recommendations aimed at 
improving cost and schedule estimating, earned value management, and 
risk management. DOD largely agreed with our recommendations. 

In July 2008, we reported that DOD had not implemented key aspects of 
its IT acquisition policies and related guidance on its Global Combat 
Support System-Marine Corps (GCSS-MC) program.[Footnote 18] For 
example, we reported that it had not economically justified its 
investment in GCSS-MC on the basis of reliable estimates of both 
benefits and costs and had not effectively implemented earned value 
management. Moreover, the program office had not adequately managed all 
program risks and had not used key system quality measures. We 
concluded that by not effectively implementing these IT management 
controls, the program was at risk of not delivering a system solution 
that optimally supports corporate mission needs, maximizes capability 
mission performance, and is delivered on time and within budget. 
Accordingly, we made recommendations aimed at strengthening cost 
estimating, schedule estimating, risk management, and system quality 
measurement. The department largely agreed with our recommendations. 

In July 2007, we reported that the Army's approach for investing about 
$5 billion in three related programs--the General Fund Enterprise 
Business System, Global Combat Support System-Army Field/Tactical, and 
Logistics Modernization Program--did not include alignment with the 
Army enterprise architecture or use of a portfolio-based business 
system investment review process.[Footnote 19] Further, the Logistics 
Modernization Program's testing was not adequate and had contributed to 
the Army's inability to resolve operational problems. In addition, the 
Army had not established an IV&V function for any of the three 
programs. Accordingly, we recommended, among other things, use of an 
independent test team and establishment of an IV&V function. DOD agreed 
with the recommendations. 

In December 2005, we reported that DON had not, among other things, 
economically justified its ongoing and planned investment in the Naval 
Tactical Command Support System (NTCSS) and had not adequately 
conducted requirements management and testing activities.[Footnote 20] 
Specifically, requirements were not traceable and developmental testing 
had not identified problems that, subsequently, twice prevented the 
system from passing operational testing. Moreover, DON had not 
effectively performed key measurement, reporting, budgeting, and 
oversight activities. We concluded that DON could not determine whether 
NTCSS, as defined and as being developed, was the right solution to 
meet its strategic business and technological needs. Accordingly, we 
recommended developing the analytical basis necessary to know if 
continued investment in NTCSS represented a prudent use of limited 
resources, and strengthening program management, conditional upon a 
decision to proceed with further investment in the program. The 
department largely agreed with our recommendations. 

In September 2005, we reported that while Navy ERP had the potential to 
address some of DON's financial management weaknesses, it faced 
significant challenges and risks, including developing and implementing 
system interfaces with other systems and converting data from legacy 
systems.[Footnote 21] Also, we reported that the program was not 
capturing quantitative data to assess effectiveness, and had not 
established an IV&V function. We made recommendations to address these 
areas, including having the IV&V agent report directly to program 
oversight bodies, as well as the program manager. DOD generally agreed 
with our recommendations, including that an IV&V function should be 
established. However, it stated that the IV&V team would report 
directly to program management who in turn would inform program 
oversight officials of any significant IV&V results. In response, we 
reiterated the need for the IV&V to be independent of the program and 
stated that performing IV&V activities independently of the development 
and management functions helps to ensure that the results are unbiased 
and based on objective evidence. We also reiterated our support for the 
recommendation that the IV&V reports be provided to the appropriate 
oversight body so that it can determine whether any of the IV&V results 
are significant. We noted that doing so would give added assurance that 
the results were objective and that those responsible for authorizing 
future investments in Navy ERP have the information needed to make 
informed decisions. 

Key Aspects of Navy ERP Testing Have Been Effectively Managed: 

To be effectively managed, testing should be planned and conducted in a 
structured and disciplined fashion. According to DOD and industry 
guidance,[Footnote 22] system testing should be progressive, meaning 
that it should consist of a series of test events that first focus on 
the performance of individual system components, then on the 
performance of integrated system components, followed by system-level 
tests that focus on whether the entire system (or major system 
increments) is acceptable, interoperable with related systems, and 
operationally suitable to users. For this series of related test events 
to be conducted effectively, all test events need to be, among other 
things, governed by a well-defined test management structure and 
adequately planned. Further, the results of each test event need to be 
captured and used to ensure that problems discovered are disclosed and 
corrected. 

Key aspects of Navy ERP testing have been effectively managed. 
Specifically, the program has established an effective test management 
structure, key development events were based on well-defined plans, the 
results of all executed test events were documented, and problems found 
during testing (i.e., test defects) were captured in a test management 
tool and subsequently analyzed, resolved, and disclosed to decision 
makers. Further, while we identified instances in which the tool did 
not contain key data about defects that are needed to ensure that 
unauthorized changes to the status of defects do not occur, the number 
of instances found are not sufficient to conclude that the controls 
were not operating effectively. Notwithstanding the missing data, this 
means that Navy ERP testing has been performed in a manner that 
increases the chances that the system will meet operational needs and 
perform as intended. 

A Well-defined Test Management Structure Has Been Established: 

The program office has established a test management structure that 
satisfies key elements of DOD and industry guidance.[Footnote 23] For 
example, the program has developed a Test and Evaluation Master Plan 
(TEMP) that defines the program's test strategy. As provided for in the 
guidance, this strategy consists of a sequence of tests in a simulated 
environment to verify first that individual system parts meet specified 
requirements (i.e., development testing) and then verify that these 
combined parts perform as intended in an operational environment (i.e., 
operational testing). As we have previously reported,[Footnote 24] such 
a sequencing of test events is an effective approach because it permits 
the source of defects to be isolated sooner, before it is more 
difficult and expensive to address. 

More specifically, the strategy includes a sequence of developmental 
tests for each release consisting of three cycles of integrated system 
testing (IST) followed by user acceptance testing (UAT). Following 
development testing, the sequence of operational tests includes the 
Navy's independent operational test agency conducting initial 
operational test and evaluation (IOT&E) and then follow-on operational 
test and evaluation (FOT&E), as needed, to validate the resolution of 
deficiencies found during IOT&E. See table 5 for a brief description of 
the purpose of each test activity, and figure 4 for the schedule of 
Release 1.0 and 1.1 test activities. 

Table 5: Description of the Purpose of Navy ERP Tests: 

Test: Developmental testing: IST; 
Purpose: To validate that the technical and functional components of 
the system work properly together and operate as specified by the 
requirements. 

Test: Developmental testing: Cycle 1 (Scenario Testing); 
Purpose: To validate chains of business process transactions using 
small scenarios, such as a standard sales order, delivery, and 
invoicing. Also, independent evaluators observe scenario testing in 
preparation for operational test and evaluation. 

Test: Developmental testing: Cycle 2 (Scenario Testing and Conversions 
and Interfaces); 
Purpose: To validate more complex sequences of transactions plus 
customized software. 

Test: Developmental testing: Cycle 3 (Final Integration Testing); 
Purpose: To validate the entire system, including external components. 

Test: Developmental testing: UAT; 
Purpose: To allow the customer to ensure Navy ERP works properly and 
operates as specified by the requirements. 

Test: Operational testing: IOT&E; Purpose: To evaluate the operational 
effectiveness and suitability of the system. 

Test: Operational testing: FOT&E; Purpose: To verify the correction of 
deficiencies identified during IOT&E. 

Source: GAO analysis of DON data. 

[End of table] 

Figure 4: Release 1.0 and 1.1 Test Activity Schedule: 

[Refer to PDF for image: illustration] 

Release 1.0: Developmental testing: 
IST Cycle 1: Duration FY 2007, October-November; 
IST Cycle 2: Duration FY 2007, December-January; 
IST Cycle 3: Duration FY 2007, February-June; 
UAT: Duration FY 2007, July-August; 
Release 1.0: IOT&E: 
at NAVAIR: Duration, FY 2008, November-March; 
Release 1.0: FOT&E: 
at NAVAIR and NAVSUP: Duration, FY 2009, January-April. 

Release 1.1: Developmental testing: 
IST Cycle 1: Duration, FY 2009, January-February; 
IST Cycle 2: Duration, FY 2009, March-April; 
IST Cycle 3: Duration, FY 2009, May-October, 2010; 
UAT: Duration, FY 2010, October-December; 
Release 1.1: IOT&E: 
at NAVSUP: Duration, FY 2010, May-August. 

Source: GAO analysis of DON data. 

[End of figure] 

The TEMP also clearly identifies the roles and responsibilities of key 
Navy ERP testing organizations, as provided for in DOD and industry 
guidance. For example, it describes specific responsibilities of the 
program manager, system integrator, quality assurance/test team lead, 
and independent operational test and evaluation organizations. Table 6 
summarizes the responsibilities of these various test organizations. 

Table 6: Navy ERP Testing-Related Organizations and Respective Roles 
and Responsibilities: 

Testing-related organization: Program manager; 
Responsibilities: Provides overall management and direction of Navy ERP 
test and evaluation; Conducts test readiness reviews; Certifies that 
the program is ready to proceed from developmental to operational 
testing in a developmental test and evaluation report. 

Testing-related organization: System integrator; 
Responsibilities: Supports the execution of integration and user 
acceptance testing, including training system testers and users; 
Reports to the Navy ERP program manager. 

Testing-related organization: Quality assurance/test team lead; 
Responsibilities: Creates the test and evaluation strategy and 
developmental test and evaluation plan; Assists in planning, 
coordinating, and conducting developmental testing and evaluation, and 
reporting the results to the program manager; Conducts integration 
testing. 

Testing-related organization: Operational Test and Evaluation Force; 
Responsibilities: Plans and conducts Navy ERP operational test and 
evaluation (OT&E); Reports results and recommendations to DOD's 
Director, Operational Test and Evaluation; Performs follow-on OT&E to 
verify that deficiencies found during initial OT&E have been resolved. 

Testing-related organization: Joint Interoperability Test Command; 
Responsibilities: Certifies to the Joint Chiefs of Staff that 
interoperability requirements are met; Verifies readiness for 
interoperability to the responsible operational test agency during or 
prior to operational test readiness review. 

Testing-related organization: Office of Director, Operational Test and 
Evaluation; 
Responsibilities: Reviews and approves IOT&E and FOT&E plans; Analyzes 
OT&E results; Provides independent assessment to the MDA. 

Source: GAO analysis of DOD data. 

[End of table] 

Well-defined Plans for Developmental Test Events Were Developed: 

According to relevant guidance,[Footnote 25] test activities should be 
governed by well-defined and approved plans. Among other things, such 
plans are to include a defect triage process, metrics for measuring 
progress in resolving defects, test entrance and exit criteria, and 
test readiness reviews. 

Each developmental test event for Release 1.0 (i.e., each cycle of 
integrated systems testing and user acceptance testing) was based on a 
well-defined test plan. For example, each plan provided for conducting 
daily triage meetings to (1) assign new defects a criticality level 
using documented criteria,[Footnote 26] (2) record new defects and 
update the status of old defects in the test management tool, and (3) 
address other defect and testing issues. Further, each plan included 
defect metrics, such as the number of defects found and corrected and 
their age. In addition, each plan specified that testing was not 
complete until all major defects found during the cycle were resolved, 
and all unresolved defects' impact on the next test event were 
understood. Further, the plans provided for holding test readiness 
reviews to review test results as a condition for proceeding to the 
next event. By ensuring that plans for key development test activities 
include these aspects of effective test planning, the risk of test 
activities not being effectively and efficiently performed is reduced, 
thus increasing the chances that the system will meet operational 
requirements and perform as intended. 

Test Results Were Documented and Reported, but Key Information about 
Changes to the Status of Reported Defects Was Not Always Recorded: 

According to industry guidance[Footnote 27], effective system testing 
includes capturing, analyzing, resolving, and disclosing to decision 
makers the status of problems found during testing (i.e., test 
defects). Further, this guidance states that these results should be 
collected and stored according to defined procedures and placed under 
appropriate levels of control to ensure that any changes to the results 
are fully documented. 

To the program's credit, the relevant testing organizations have 
documented test defects in accordance with defined plans. For example, 
daily triage meetings involving the test team lead, testers, and 
functional experts were held to review each new defect, assign it a 
criticality level, and designate someone responsible for resolving it 
and for monitoring and updating its resolution in the test management 
tool. Further, test readiness reviews were conducted at which entrance 
and exit criteria for each key test event were evaluated before 
proceeding to the next event. As part of these reviews, the program 
office and oversight officials, command representatives, and test 
officials reviewed the results of test events to ensure, among other 
things, that significant defects were closed and that there were no 
unresolved defects that could affect execution of the next test event. 

However, the test management tool did not always contain key data for 
all recorded defects that are needed to ensure that unauthorized 
changes to the status of defects do not occur. According to information 
systems auditing guidelines,[Footnote 28] audit tools should be in 
place to monitor user access to systems to detect possible errors or 
unauthorized changes. For Navy ERP, this was not always the case. 
Specifically, while the tool has the capability to track changes to 
test defects in a history log,[Footnote 29] our analysis of 80 randomly 
selected defects in the tool disclosed two instances in which the tool 
did not record when a change in the defect's status was made or who 
made the change. In addition, our analysis of 12 additional defects 
that were potential anomalies[Footnote 30] disclosed two additional 
instances where the tool did not record when a change was made and who 
made it. While our sample size and results do not support any 
conclusions as to the overall effectiveness of the controls in place 
for recording and tracking test defect status changes, they do show 
that it is possible that changes can be made without a complete audit 
trail surrounding those changes. After we shared our results with 
program officials, they stated that they provided each instance for 
resolution to the vendor responsible for the tracking tool. These 
officials attributed these instances to vendor updates to the tool that 
caused the history settings to default to "off." To address this 
weakness, they added that they are now ensuring that the history logs 
are set correctly after any update to the tool. This addition is a 
positive step because without an effective information system access 
audit tool, the probability of test defect status errors or 
unauthorized changes is increased. 

System Changes Have Been Controlled, but Their Cost and Schedule 
Impacts Were Not Sufficiently Considered: 

Industry best practices and DOD guidance[Footnote 31] recognize the 
importance of system change control when developing and maintaining a 
system. Once the composition of a system is sufficiently defined, a 
baseline configuration is normally established, and changes to that 
baseline are placed under a disciplined change control process to 
ensure that unjustified and unauthorized changes are not introduced. 
Elements of disciplined change control include (1) formally documenting 
a change control process, (2) rigorously adhering to the documented 
process, and (3) adopting objective criteria for considering a proposed 
change, including its estimated cost and schedule impact. 

To its credit, the Navy ERP program has formally documented a change 
control process. Specifically, it has a plan and related procedures 
that include the purpose and scope of the process--to ensure that any 
changes made to the system are properly identified, developed, and 
implemented in a defined and controlled environment. It also is using 
an automated tool to capture and track the disposition of each change 
request. Further, it has defined roles and responsibilities and a 
related decision-making structure for reviewing and approving system 
changes. In this regard, the program has established a hierarchy of 
review and approval boards, including a Configuration Control Board to 
review all changes and a Configuration Management Board to further 
review changes estimated to require more than 100 hours or $25,000 to 
implement. Furthermore, a Navy ERP Senior Integration Board was 
recently established to review and approve requests to add, delete, or 
change the program's requirements. In addition, the change control 
process states that the decisions are to be based on, among others, the 
system engineering and earned value management (i.e., cost and 
schedule) impacts the change will introduce, such as the estimated 
number of work hours that will be required to effect the change. Table 
7 provides a brief description of the decision-making authorities and 
boards and their respective roles and responsibilities. 

Table 7: Roles and Responsibilities for Change Review and Approval: 

Review and approval organizations: Navy ERP Senior Integration Board; 
Roles and responsibilities: Reviews and approves Engineering Change 
Proposals, which are proposed changes that would impact system scope, 
configuration, cost, or schedule by adding, deleting, or changing 
requirements. The board is chaired by the Principal Deputy Assistant 
Secretary of the Navy, Research, Development, and Acquisition. 

Review and approval organizations: Configuration Management Board; 
Roles and responsibilities: Reviews and approves change requests 
requiring more than 100 hours or $25,000 to implement. The board is 
chaired by the program manager and includes representatives from the 
earned value management team (i.e., cost and schedule). 

Review and approval organizations: Configuration Control Board; 
Roles and responsibilities: Reviews all change requests and approves 
those requiring less than 100 hours or $25,000 to implement. The board 
is chaired by the systems engineer and includes representatives from 
the earned value management team (i.e., cost and schedule). 

Review and approval organizations: Engineering Review Board; 
Roles and responsibilities: Ensures change requests are ready to 
proceed to the Configuration Control Board by reviewing and 
recommending changes. This board is facilitated and chaired by the 
systems engineer and the configuration manager to ensure the change 
request documentation is complete. 

Review and approval organizations: Technical Change Control Board; 
Roles and responsibilities: Approves or defers transport change 
requests, which are requests to release changes into the deployed 
system. The board is chaired by the production manager. 

Source: GAO analysis of DON documentation. 

[End of table] 

Navy ERP is largely adhering to its documented change control process. 
Specifically, our review of a random sample of 60 change requests and 
minutes of related board meetings held between May 2006 and April 2009 
showed that the change requests were captured and tracked using an 
automated tool, and they were reviewed and approved by the designated 
decision-making authorities and boards, in accordance with the 
program's documented process. 

However, the program has not sufficiently or consistently considered 
the cost and schedule impacts of proposed changes. Our analysis of the 
random sample of 60 change requests, including our review of related 
board meeting minutes, showed no evidence that cost and schedule 
impacts were identified or that they were considered. Specifically, we 
did not see evidence that the cost and schedule impacts of these change 
requests were assessed. According to program officials, the cost and 
schedule impacts of each change were discussed at control board 
meetings. In addition, they provided two change requests to demonstrate 
this. However, while these change requests did include schedule impact, 
they did not include the anticipated cost impact of proposed changes. 
Rather, these two, as well as those in our random sample, included the 
estimated number of work hours required to implement the change. 
Because the cost of any proposed change depends on other factors 
besides work hours, such as labor rates, the estimated number of work 
hours is not sufficient for considering the cost impact of a change. In 
the absence of verifiable evidence that cost and schedule impacts were 
consistently considered, approval authorities do not appear to have 
been provided key information needed to fully inform their decisions on 
whether or not to approve a change. System changes that are approved 
without a full understanding of their cost and schedule impacts could 
result in unwarranted cost increases and schedule delays. 

Navy ERP IV&V Function Is Not Independent and Has Not Been Fully 
Performed: 

The purpose of IV&V is to independently ensure that program processes 
and products meet quality standards. The use of an IV&V function is 
recognized as an effective practice for large and complex system 
development and acquisition programs, like Navy ERP, as it provides 
objective insight into the program's processes and associated work 
products.[Footnote 32] To be effective, verification and validation 
activities should be performed by an entity that is managerially 
independent of the system development and management processes and 
products that are being reviewed.[Footnote 33] Among other things, such 
independence helps to ensure that the results are unbiased and based on 
objective evidence. 

The Navy has not effectively managed its IV&V function because it has 
not ensured that the contractor performing this function is independent 
of the products and processes that this contractor is reviewing and 
because it has not ensured that the contractor is meeting contractual 
requirements. In June 2006, DON awarded a professional support services 
contract to General Dynamics Information Technology (GDIT), to include 
responsibilities for, among other things, IV&V, program management 
support, and delivery of releases according to cost and schedule 
constraints. According to the program manager, the contractor's IV&V 
function is organizationally separate from, and thus independent of, 
the contractor's Navy ERP system development function. However, the 
subcontractor performing the IV&V function is also performing release 
management. According to the GDIT contract, the release manager is 
responsible for developing and deploying a system release that meets 
operational requirements within the program's cost and schedule 
constraints, but it also states that the IV&V function is responsible 
for supporting the government in its review, approval, and acceptance 
of Navy ERP products (e.g., releases). The contract also states that 
GDIT is eligible for an optional award fee payment based on its 
performance in meeting, among other things, these cost and schedule 
constraints. Because performance of the system development and 
management role makes the contractor potentially unable to render 
impartial assistance to the government in performing the IV&V function, 
the contractor has an inherent conflict of interest relative to meeting 
cost and schedule commitments and disclosing the results of 
verification and validation reviews that may affect its ability to do 
so. 

The IV&V function's lack of independence is amplified by the fact that 
it reports directly and solely to the program manager. As we have 
previously reported,[Footnote 34] the IV&V function should report the 
issues or weaknesses that increase the risks associated with the 
project to program oversight officials, as well as to program 
management, to better ensure that the verification and validation 
results are objective and that the officials responsible for making 
program investment decisions are fully informed. Furthermore, these 
officials, once informed, can ensure that the issues or weaknesses 
reported are promptly addressed. 

Without ensuring sufficient managerial independence, valuable 
information may not reach decision makers, potentially leading to the 
release of a system that does not adequately meet users' needs and 
operate as intended. 

Beyond the IV&V function's lack of independence, the program office has 
not ensured that the subcontractor has produced the range of 
deliverables that were contractually required and defined in the IV&V 
plan. For example, the contract and plan call for weekly and monthly 
reports identifying weaknesses in program processes and recommendations 
for improvement, a work plan for accomplishing IV&V tasks, and 
associated assessment reports that follow the System Engineering Plan 
and program schedule. However, the IV&V contractor has largely not 
delivered these products. Specifically, until recently, it did not 
produce a work plan and only monthly reports were delivered, and these 
reports only list meetings that the IV&V contactor attended and 
documents that it reviewed. They do not, for example, identify program 
weaknesses or provide recommendations for improvement. According to 
program officials, they have relied on oral reports from the 
subcontractor at weekly meetings, and these lessons learned have been 
incorporated into program guidance. According to the contractor, the 
Navy has expended about $1.8 million between June 2006 and September 
2008 for IV&V activities, with an additional $249,000 planned to be 
spent in fiscal year 2009. 

Following our inquiries about an IV&V work plan, the IV&V contractor 
developed such a plan in October 2008, more than 2 years after the 
contract was awarded, that lists program activities and processes to be 
assessed, such as configuration management and testing. While this plan 
does not include time frames for starting and completing these 
assessments, meeting minutes show that the status of assessments has 
been discussed with the program manager during IV&V review meetings. 
The first planned assessment was delivered to the program in March 2009 
and provides recommendations for improving the program's configuration 
management process, such as using the automated tool to produce certain 
reports and enhancing training to understand how the tool is used. 
Further, program officials stated that they have also recently begun 
requiring the contractor to provide formal quarterly reports, the first 
of which was delivered to the program manager in January 2009. Our 
review of this quarterly report shows that it provides recommendations 
for improving the program's risk management process and organizational 
change management strategy. 

Notwithstanding the recent steps that the program office has taken, it 
nevertheless lacks an independent perspective on the program's products 
and management processes. 

Conclusions: 

DOD's successes in delivering large-scale business systems, such as 
Navy ERP, are in large part determined by the extent to which it 
employs the kind of rigorous and disciplined IT management controls 
that are reflected in department policies and related guidance. While 
implementing these controls does not guarantee a successful program, it 
does minimize a program's exposure to risk and thus the likelihood that 
it will fall short of expectations. In the case of Navy ERP, living up 
to expectations is important because the program is large, complex, and 
critical to addressing the department's long-standing problems related 
to financial transparency and asset visibility. 

The Navy ERP program office has largely implemented a range of 
effective controls associated with system testing and change control, 
including acting quickly to address issues with the audit log for its 
test management tool, but more can be done to ensure that the cost and 
schedule impacts of proposed changes are explicitly documented and 
considered when decisions are reached. Moreover, while the program 
office has contracted for IV&V activities, it has not ensured that the 
contractor is independent of the products and processes that it is to 
review and has not held the contractor accountable for producing the 
full range of IV&V deliverables required under the contract. Moreover, 
it has not ensured that its IV&V contractor is accountable to a level 
of management above the program office, as we previously recommended. 
Notwithstanding the program office's considerable effectiveness in how 
it has managed both system testing and change control, these weaknesses 
increase the risk of investing in system changes that are not 
economically justified and unnecessarily limit the value that an IV&V 
agent can bring to a program like Navy ERP. By addressing these 
weaknesses, the department can better ensure that taxpayer dollars are 
wisely and prudently invested. 

Recommendations for Executive Action: 

To strengthen the management of Navy ERP's change control process, we 
recommend that the Secretary of Defense direct the Secretary of the 
Navy, through the appropriate chain of command, to (1) revise the Navy 
ERP procedures for controlling system changes to explicitly require 
that a proposed change's life-cycle cost impact be estimated and 
considered in making change request decisions and (2) capture the cost 
and schedule impacts of each proposed change in the Navy ERP automated 
change control tracking tool. 

To increase the value of Navy ERP IV&V, we recommend that the Secretary 
of Defense direct the Secretary of the Navy, through the appropriate 
chain of command, to (1) stop performance of the IV&V function under 
the existing contract and (2) engage the services of a new IV&V agent 
that is independent of all Navy ERP management, development, testing, 
and deployment activities that it may review. In addition, we reiterate 
our prior recommendation relative to ensuring that the Navy ERP IV&V 
agent report directly to program oversight officials, while 
concurrently sharing IV&V results with the program office. 

[Refer to PDF for image] 

[End of figure] 

Agency Comments: 

In written comments on a draft of this report, signed by the Assistant 
Deputy Chief Management Officer and reprinted in appendix II, the 
department concurred with our recommendations, and stated that it will 
take the appropriate corrective actions within the next 7 months. 

We are sending copies of this report to interested congressional 
committees; the Director, Office of Management and Budget; the 
Congressional Budget Office; and the Secretary of Defense. The report 
also is available at no charge on our Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staffs have any questions on matters discussed in this 
report, please contact me at (202) 512-3439 or hiter@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff who made major 
contributions to this report are listed in appendix III. 

Signed by: 

Randolph C. Hite: 
Director: 
Information Technology Architecture and Systems Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objectives were to determine whether (1) system testing is being 
effectively managed, (2) system changes are being effectively 
controlled, and (3) independent verification and validation (IV&V) 
activities are being effectively managed for the Navy Enterprise 
Resource Planning (ERP) program. 

To determine if Navy ERP testing is being effectively managed, we 
reviewed relevant documentation, such as the Test and Evaluation Master 
Plan and test reports and compared them with relevant federal and 
related guidance. Further, we reviewed development test plans and 
procedures for each test event and compared them with best practices to 
determine whether well-defined plans were developed. We also examined 
test results and reports, including test readiness review documentation 
and compared them against plans to determine whether they had been 
executed in accordance with the plans. Moreover, to determine the 
extent to which test defect data were being captured, analyzed, and 
reported, we inspected 80 randomly selected defects from a sample of 
2,258 defects in the program's test management system. In addition, we 
reviewed the history logs associated with each of these 80 defects to 
determine whether appropriate levels of control were in place to ensure 
that any changes to the results were fully documented. This sample was 
designed with a 5 percent tolerable error rate at the 95 percent level 
of confidence, so that, if we found 0 problems in our sample, we could 
conclude statistically that the error rate was less than 4 percent. In 
addition, we interviewed cognizant officials, including the program's 
test lead and the Navy's independent operational testers, about their 
roles and responsibilities for test management. 

To determine if Navy ERP changes are being effectively controlled, we 
reviewed relevant program documentation, such as the change control 
policies, plans, and procedures, and compared them with relevant 
federal and industry guidance. Further, to determine the extent to 
which the program is reviewing and approving change requests according 
to its documented plans and procedures, we inspected 60 randomly 
selected change requests in the program's configuration management 
system. In addition, we reviewed the change request forms associated 
with these 60 change requests and related control board meeting minutes 
to determine whether objective criteria for considering a proposed 
change, including estimated cost or schedule impacts, were adopted. In 
addition, we interviewed cognizant officials, including the program 
manager and systems engineer, about their roles and responsibilities 
for reviewing, approving, and tracking change requests. 

To determine if IV&V activities are being effectively managed we 
reviewed Navy ERP's IV&V contract, strategy, and plans and compared 
them with relevant industry guidance. We also analyzed the contractual 
relationships relative to legal standards that govern organizational 
conflict of interest. In addition, we examined IV&V monthly status 
reports, work plans, an assessment report, and a quarterly report, to 
determine the extent to which contract requirements were met. We 
interviewed contractor and program officials about their roles and 
responsibilities for IV&V and to determine the extent to which the 
program's IV&V function is independent. 

We conducted this performance audit at Department of Defense offices in 
the Washington, D.C., metropolitan area; Annapolis, Maryland; and 
Norfolk, Virginia; from August 2008 to September 2009, in accordance 
with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

Appendix II: Comments from the Department of Defense: 

Office Of The Deputy Chief Management Officer: 
9010 Defense Pentagon: 
Washington, DC 20301-9010: 

August 21, 2009: 

Mr. Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Hite: 

This is the Department of Defense (DoD) response to the GAO draft 
report 09-841, "DOD Business Systems Modernization: Navy Implementing A 
Number Of Key Management Controls On Enterprise Resource Planning 
System, but Improvements Still Needed," dated July 21, 2009 (GAO Code 
310666). 

The Department concurs with all four of GAO's recommendations. The Navy 
Enterprise Resource Planning (ERP) program office will take the 
appropriate corrective actions within the next seven months. Detailed 
responses to each recommendation are attached. 

We appreciate the support of GAO as the Department further advances in 
its business transformation efforts, and look forward to continuing our 
partnership in achieving our shared goals. 

Signed by: 

Elizabeth A. McGrath: 
Assistant Deputy Chief Management Officer: 

Attachment(s): As stated: 

[End of letter] 

GAO Draft Report Dated July 21, 2009: 
GAO-09-841 (GAO Code 310666): 

"DOD Business Systems Modernization: Navy Implementing A Number Of Key 
Management Controls On Enterprise Resource Planning System, But 
Improvements Still Needed" 

Department Of Defense Comments To The GAO Recommendations: 

Recommendation 1: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to revise the Navy Enterprise Resource Planning (ERP) 
procedures for controlling system changes to explicitly require that a 
proposed change's life cycle cost impact be estimated and considered in 
making change request decisions. (Page 31/GAO Draft Report). 

DOD Response: Concur. The Navy ERP program office will revise the 
Enterprise Change Request Process and Procedures document to require 
explicitly that a proposed change's life cycle cost impact be estimated 
as part of the change control decision process. Corrective actions to 
address GAO's recommendation will he taken by the beginning of Fiscal 
Year (FY) 2010. 

Recommendation 2: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to capture the cost and schedule impacts of each proposed 
change in the Navy ERP automated change control tracking tool. (Page 
31/GAO Draft Report). 

DOD Response: Concur. The Navy ERP program office will update its 
automated change control tracking tool to capture "dollarized" cost 
impacts and better identify schedule impacts of future proposed 
changes. Corrective actions to address GAO's recommendation will he 
taken by the beginning of FY 2010. 

Recommendation 3: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to stop performance of the Independent Verification and 
Validation (IV&V) function under the existing contract. (Page 31/GAO 
Draft Report). 

DOD Response: Concur. The Navy ERP program office plans to stop IV&V 
functions under the existing contract at the end of the current fiscal 
year (2009). 

Recommendation 4: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command. to engage the services of a new IV&V agent that is independent 
of all Navy ERP management, development, testing, and deployment 
activities that it may review. (Page 31/GAO Draft Report). 

DOD Response: Concur. The Navy ERP program plans to execute future IV&V 
functions using contract support that is not associated with any of the 
other Navy ERP program activities to ensure there is no conflict of 
interest, real or perceived. Corrective actions to address GAO's 
recommendation will be taken no later than March 2010. 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Randolph C. Hite, (202) 512-3439, or hiter@gao.gov: 

Staff Acknowledgments: 

In addition to the individual named above, key contributors to this 
report were Neelaxi Lakhmani, Assistant Director; Monica Anatalio; Carl 
Barden; Neil Doherty; Cheryl Dottermusch; Lee McCracken; Karl Seifert; 
Adam Vodraska; Shaunyce Wallace; and Jeffrey Woodward. 

[End of section] 

Footnotes: 

[1] Business systems are information systems, including financial and 
nonfinancial systems that support DOD business operations, such as 
civilian personnel, finance, health, logistics, military personnel, 
procurement, and transportation. 

[2] GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 
2009). 

[3] See, for example, GAO, DOD Business Systems Modernization: 
Important Management Controls Being Implemented on Major Navy Program, 
but Improvements Needed in Key Areas, [hyperlink, 
http://www.gao.gov/products/GAO-08-896] (Washington, D.C.: Sept. 8, 
2008); DOD Business Systems Modernization: Key Marine Corps System 
Acquisition Needs to Be Better Justified, Defined, and Managed, 
[hyperlink, http://www.gao.gov/products/GAO-08-822] (Washington, D.C.: 
July 28, 2008); and DOD Business Transformation: Lack of an Integrated 
Strategy Puts the Army's Asset Visibility System Investments at Risk, 
[hyperlink, http://www.gao.gov/products/GAO-07-860] (Washington, D.C.: 
July 27, 2007). 

[4] [hyperlink, http://www.gao.gov/products/GAO-08-896]. 

[5] The four pilots are SIGMA, CABRILLO, NEMAIS, and SMART. 

[6] The Navy is considering deleting the third release, Release 1.2, 
from Template 1. 

[7] Release 1.0 accounts for about 56 percent of the requirements; 
Release 1.1, about 33 percent; and Release 1.2, about 10 percent. 

[8] This 2003 estimate, which was prepared to assist in budget 
development and support the Milestone A/B approval, was for 
development, deployment, and sustainment costs in fiscal years 2003 
through 2021. 

[9] According to DOD's acquisition guidebook, an Acquisition Program 
Baseline is a program manager's estimated cost, schedule, and 
performance goals. Goals consist of objective values, which represent 
what the user desires and expects, and threshold values, which 
represent acceptable limits. When the program manager determines that a 
current cost, schedule, or performance threshold value will not be 
achieved, the MDA must be notified, and a new baseline developed, 
reviewed by decision makers and, if the program is to continue, 
approved by the MDA. 

[10] According to the August 2004 Acquisition Program Baseline, this 
estimate is for acquisition, operations, and support for fiscal years 
2004 through 2021. 

[11] According to the September 2007 Acquisition Program Baseline, this 
estimate is for acquisition, operations, and support for fiscal years 
2004 through 2023. 

[12] The defense acquisition system is a framework-based approach that 
is intended to translate mission needs and requirements into stable, 
affordable, and well-managed acquisition programs. It was updated in 
December 2008 and consists of five key program life-cycle phases and 
three related milestone decision points--(1) Materiel Solution Analysis 
(previously Concept Refinement), followed by Milestone A; (2) 
Technology Development, followed by Milestone B; (3) Engineering and 
Manufacturing Development (previously System Development and 
Demonstration), followed by Milestone C; (4) Production and Deployment; 
and (5) Operations and Support. 

[13] Fleet and Industrial Supply Centers are located in San Diego, 
California; Norfolk, Virginia; Jacksonville, Florida; Puget Sound, 
Washington; Pearl Harbor, Hawaii; Yokosuka, Japan; and Sigonella, 
Italy; and provide worldwide logistics services for the Navy. 

[14] See, for example, [hyperlink, 
http://www.gao.gov/products/GAO-08-896]; GAO, DOD Business Systems 
Modernization: Planned Investment in Navy Program to Create Cashless 
Shipboard Environment Needs to be Justified and Better Managed, 
[hyperlink, http://www.gao.gov/products/GAO-08-922] (Washington, D.C.: 
Sept. 8, 2008); [hyperlink, http://www.gao.gov/products/GAO-08-822]; 
[hyperlink, http://www.gao.gov/products/GAO-07-860]; Information 
Technology: DOD Needs to Ensure that Navy Marine Corps Intranet Program 
Is Meeting Goals and Satisfying Customers, [hyperlink, 
http://www.gao.gov/products/GAO-07-51] (Washington, D.C.: Dec. 8, 
2006); DOD Systems Modernization: Planned Investment in the Navy 
Tactical Command Support System Needs to be Reassessed, [hyperlink, 
http://www.gao.gov/products/GAO-06-215] (Washington, D.C.: Dec. 5, 
2005); and DOD Business Systems Modernization: Navy ERP Adherence to 
Best Business Practices Critical to Avoid Past Failures, [hyperlink, 
http://www.gao.gov/products/GAO-05-858] (Washington, D.C.: Sept. 29, 
2005). 

[15] Ronald W. Reagan National Defense Authorization Act for Fiscal 
Year 2005, Pub. L. No. 108-375, Sec. 332 (2004) (codified at 10 U.S.C. 
Sections 186 and 2222). 

[16] Earned value management is a means for measuring actual program 
progress against cost and schedule estimates. 

[17] [hyperlink, http://www.gao.gov/products/GAO-08-896]. 

[18] [hyperlink, http://www.gao.gov/products/GAO-08-822]. 

[19] [hyperlink, http://www.gao.gov/products/GAO-07-860]. 

[20] [hyperlink, http://www.gao.gov/products/GAO-06-215]. 

[21] [hyperlink, http://www.gao.gov/products/GAO-05-858]. 

[22] See, for example, Office of the Under Secretary of Defense for 
Acquisition, Technology, and Logistics, Department of Defense 
Instruction 5000.02 (Arlington, VA: Dec. 2, 2008); Defense Acquisition 
University, Test and Evaluation Management Guide, 5th ed. (Fort 
Belvoir, VA: January 2005); Institute of Electrical and Electronics 
Engineers, Inc., Standard for Software Verification and Validation, 
IEEE Std 1012-2004 (New York, NY: June 8, 2005); Software Engineering 
Institute, Capability Maturity Model Integration for Acquisition, 
version 1.2 (Pittsburgh, PA: May 2008); and GAO, Year 2000 Computing 
Crisis: A Testing Guide, [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-10.1.21] (Washington, D.C.: 
November 1998). 

[23] Office of the Under Secretary of Defense for Acquisition, 
Technology, and Logistics, Department of Defense Instruction 5000.02 
(Arlington, VA: Dec. 2, 2008); Defense Acquisition University, Test and 
Evaluation Management Guide, 5th ed. (Fort Belvoir, VA: January 2005); 
and Institute of Electrical and Electronics Engineers, Inc., Standard 
for Software and System Test Documentation, IEEE Std 829-2008 (New 
York, NY: 2008). 

[24] GAO, Secure Border Initiative: DHS Needs to Address Significant 
Risks in Delivering Key Technology Investment, [hyperlink, 
http://www.gao.gov/products/GAO-08-1086] (Washington, D.C.: Sept. 22, 
2008). 

[25] See, for example, [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-10.1.21]. 

[26] According to program documentation, criticality levels range from 
1 to 5, as follows: 1 is a problem that prevents accomplishment of an 
operational or mission critical capability; 2 is a major technical 
problem with no work-around solution; 3 is a major technical problem 
with a work-around solution; 4 is a minor technical problem; and 5 is 
any other defect, such as a cosmetic problem. 

[27] Institute of Electrical and Electronics Engineers, Inc., Standard 
for Information Technology--Software Life Cycle Processes--
Implementation Considerations, IEEE/EIA Std 12207.2-1997 (New York, NY: 
April 1998) and Software Engineering Institute, Capability Maturity 
Model Integration for Acquisition, version 1.2 (Pittsburgh, PA: May 
2008). 

[28] Information Systems Audit and Control Association, Inc., IS 
Standards, Guidelines and Procedures for Auditing and Control 
Professionals (Rolling Meadows, IL: Jan. 15, 2009). 

[29] According to program documentation, the date a defect is entered 
into the system and the date the status of the defect is changed to 
"closed" are automatically populated. Further, changes to a defect's 
status, including from "new" to "open" and from "open" to "closed;" 
changes to the criticality level; and the user who makes the changes 
are tracked in a defect's history log. 

[30] These anomalies are defects that we found that (1) were attributed 
to integrated system test events, but were not detected until after the 
system was deployed; (2) had a criticality level that was different 
from the level that was reported at a test readiness review; (3) were 
deferred to a later test event or to post-deployment to be verified as 
resolved; or (4) had no criticality level. 

[31] See, for example, Electronics Industries Alliance, National 
Consensus Standard for Configuration Management , ANSI/EIA-649-1998 
(Arlington, VA: August 1998) and Department of Defense, Military 
Handbook: Configuration Management Guidance, MIL-HDBK-61A(SE) 
(Washington, D.C.: Feb. 7, 2001). 

[32] GAO, Homeland Security: U.S. Visitor and Immigration Status 
Indicator Technology Program Planning and Execution Improvements 
Needed, [hyperlink, http://www.gao.gov/products/GAO-09-96] (Washington, 
D.C.: Dec. 12, 2008); Homeland Security: Recommendations to Improve 
Management of Key Border Security Program Need to Be Implemented, 
[hyperlink, http://www.gao.gov/products/GAO-06-296] (Washington, D.C.: 
Feb. 14, 2006); and [hyperlink, 
http://www.gao.gov/products/GAO-05-858]. 

[33] Institute of Electrical and Electronics Engineers, Inc., Standard 
for Software Verification and Validation, IEEE Std 1012-2004 (New York, 
NY: June 8, 2005). 

[34] See [hyperlink, http://www.gao.gov/products/GAO-07-860] and 
[hyperlink, http://www.gao.gov/products/GAO-05-858]. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAOís actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAOís Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: