Information Technology Management:
Small Business Administration Needs Policies and Procedures to Control Key IT Processes
T-AIMD-00-260, Jul 20, 2000
Pursuant to a congressional request, GAO discussed the Small Business Administration's (SBA) management of information technology (IT), focusing on five key areas: (1) investment management; (2) architecture; (3) software development and acquisition; (4) information security; and (5) human capital management.
GAO noted that: (1) SBA had made progress in establishing an investment review board and is beginning to define an investment selection process; (2) however, it had not yet established IT investment management policies and procedures to help identify and select projects that will provide mission-focused benefits and maximum risk-adjusted returns; (3) likewise, SBA had not yet defined processes for investment control and evaluation to ensure that selected IT projects will be developed on time, within budget, and according to requirements, and that these projects will generate expected benefits; (4) the agency had performed only limited reviews of major IT investments, and these reviews were ad-hoc since little data had been captured for analyzing benefits and returns on investment; (5) SBA had made progress with its target IT architecture by describing its core business processes, analyzing information used in its business processes, describing data maintenance and data usage, identifying standards that support information transfer and processing, and establishing guidelines for migrating current applications to the planned environment; (6) however, procedures did not exist for change management to ensure that new systems installations and software changes would be compatible with other systems and SBA's planned operating environment; (7) SBA lacked policies for software development and acquisition to help produce information systems within the cost, budget, and schedule goals set during the investment management process that at the same time comply with the guidance and standards of its IT architecture; (8) an existing systems development methodology was being adopted to replace outdated guidelines that lacked key processes for software development; (9) GAO's review of the selected software projects indicated that SBA's practices were typically ad-hoc for project planning, project tracking and oversight, quality assurance, and configuration management; (10) SBA had not conducted periodic risk assessments for its mission-critical systems; (11) the agency had only recently conducted a security workload assessment and a risk assessment for one system; (12) training and education had not been provided to promote security awareness and responsibilities of employees and contract staff; (13) SBA had not established policies and procedures to identify and address its short- and long-term requirements for IT knowledge and skills; and (14) further, SBA had not evaluated its progress in improving IT human capital capabilities or used data to continuously improve human capital strategies.