Skip to main content

Financial Management Systems: Lack of Disciplined Processes Puts Implementation of HHS' Financial System at Risk

GAO-04-1008 Published: Sep 23, 2004. Publicly Released: Sep 30, 2004.
Jump To:
Skip to Highlights

Highlights

In June 2001, the Secretary of HHS directed the department to establish a unified accounting system that, when fully implemented, would replace five outdated accounting systems. GAO was asked to review HHS' ongoing effort to develop and implement the Unified Financial Management System (UFMS) and to focus on whether the agency has (1) effectively implemented disciplined processes; (2) implemented effective information technology (IT) investment management, enterprise architecture, and information security management; and (3) taken actions to ensure that the agency has the human capital needed to successfully design, implement, and operate UFMS.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Health and Human Services To help reduce risks associated with deployment of UFMS at CDC to acceptable levels, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff determine the system capabilities that are necessary for the CDC deployment.
Closed – Implemented
In a September 2004 statement and related UFMS Release Implementation Strategy, HHS announced that it was going to deploy certain capabilities (general ledger and payroll) in October 2004 at CDC and delay deployment of the remaining functionalities until April 2005.
Department of Health and Human Services To help reduce risks associated with deployment of UFMS at CDC to acceptable levels, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff identify the relevant requirements related to the desired system capabilities for the CDC deployment.
Closed – Implemented
Requirements were identified for the capabilities and functionality needed for each release. HHS used a Requirements Traceability Verification Matrix for Release 3 on August 1, 2006, to track all UFMS requirements and design constraints, which were identified in a central information repository, and to verify that all system requirements are met by the system deliverable. This results in requirements that can be traced to the appropriate testable area of Oracle and verifies that system requirements for CDC deployment have been satisfied.
Department of Health and Human Services To help reduce risks associated with deployment of UFMS at CDC to acceptable levels, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff clarify, where necessary, any requirements to ensure they (1) fully describe the capability to be delivered, (2) include the source of the requirement, and (3) are unambiguously stated to allow for quantitative evaluation.
Closed – Not Implemented
The independent verification and validation (IV&V) contractor "closed" the "Incomplete Specification of Requirements" issue saying that the implementation activities at CDC were already beyond the requirements definition phase and as such the issue was irreversible. The IV&V acknowledged that risks associated with incomplete or ambiguous requirements were still a concern and the IV&V will continue to monitor requirements activities for subsequent releases.
Department of Health and Human Services To help reduce risks associated with deployment of UFMS at CDC to acceptable levels, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff maintain traceability of the CDC-related requirements from their origin through implementation.
Closed – Implemented
A release-specific requirements traceability verification matrix was built to verify that all requirements were met by the system deliverable and to demonstrate to HHS and outside parties that HHS has satisfied the system requirements allocated to the release (e.g. the CDC deployment).
Department of Health and Human Services To help reduce risks associated with deployment of UFMS at CDC to acceptable levels, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff use a testing process that employs effective requirements to obtain the quantitative measures necessary to understand the assumed risks.
Closed – Implemented
HHS described and provided several measures related to its defect-tracking processes that are associated with its system testing efforts and confirm that requirements are met.
Department of Health and Human Services To help reduce risks associated with deployment of UFMS at CDC to acceptable levels, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff validate that data conversion efforts produce reliable data for use in UFMS.
Closed – Implemented
While HHS originally planned to conduct only two mock data conversions prior to implementation at CDC, they conducted seven mock data conversions based on our recommendation. These conversion validation efforts provided reasonable assurance that the data used in the UFMS deployment were reliable.
Department of Health and Human Services To help reduce risks associated with deployment of UFMS at CDC to acceptable levels, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff verify that systems interfaces function properly so that data exchanges between systems are adequate to satisfy system needs.
Closed – Implemented
HHS verified system interfaces through pre-deployment system-level test efforts that were focused on verifying the reliability of code developed for HHS specific interfaces.
Department of Health and Human Services To help reduce risks associated with deployment of UFMS at CDC to acceptable levels, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff measure progress based on quantitative data rather than the occurrence of events.
Closed – Implemented
HHS has implemented several measures (i.e. percent of release requirements tested, number of requirement change requests, and number of defects detected) related to its defect-tracking processes and earned value metrics that capture requirements related defects and track the UFMS project status with respect to cost and schedule performance.
Department of Health and Human Services To help reduce risks associated with deployment of UFMS at CDC to acceptable levels, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff delay deployment of UFMS at CDC if these actions are not completed.
Closed – Implemented
In a September 2004 statement and related UFMS Release Implementation Strategy, HHS announced that it was going to deploy certain capabilities (general ledger and payroll) in October 2004 at CDC and delay deployment of the remaining functionalities until April 2005.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff develop and effectively implement a plan on how HHS will implement the disciplined processes necessary to reduce the risks associated with this effort to acceptable levels. This plan should include the processes, such as those identified by SEI and IEEE, that will be implemented and the resources, such as staffing and funding, needed to implement the necessary processes.
Closed – Not Implemented
According to HHS's fiscal year 2009 Performance and Accountability Report, UFMS was completely implemented during fiscal year 2008 at all operating divisions. Consequently, GAO's recommendation is no longer applicable.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff develop a concept of operations in accordance with recognized industry standards such as those promulgated by IEEE. The concept of operations should apply to all HHS entities that will be required to use UFMS. This concept of operations should contain a high-level description of the operations that must be performed, who must perform them, and where and how the operations will be carried out, and be consistent with the current vision for the HHS information system enterprise architecture.
Closed – Not Implemented
According to HHS's fiscal year 2009 Performance and Accountability Report, the implementation of UFMS was completed during fiscal year 2008 at all operating divisions. Therefore, this recommendation is no longer applicable.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff implement a requirements management process that develops requirements that are consistent with the concept of operations and calls for each of the resulting requirements to have the attributes associated with good requirements: (1) fully describing the functionality to be delivered, (2) including the source of the requirement, and (3) stating the requirement in unambiguous terms that allows for quantitative evaluation.
Closed – Not Implemented
According to HHS's fiscal year 2009 Performance and Accountability Report, the implementation of UFMS was completed during fiscal year 2008 at all operating divisions. Therefore, this recommendation is no longer applicable.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff maintain traceability of requirements among the various implementation phases from origin through implementation.
Closed – Implemented
A release specific requirements traceability verification matrix was built to verify that all requirements were met by the system deliverable and to demonstrate to HHS and outside parties that HHS has satisfied the system requirements allocated to the release.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff confirm that requirements are effectively used for determining the functionality that will be available in UFMS at a given location.
Closed – Implemented
Requirements were identified for the capabilities and functionality needed for each release.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff confirm that requirements are effectively used for implementing the required functionality.
Closed – Implemented
HHS used a Requirements Traceability Verification Matrix to confirm that requirements were utilized for implementing the desired functionality for each release.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff confirm that requirements are effectively used for supporting an effective testing process to evaluate whether UFMS is ready for deployment.
Closed – Implemented
HHS provided several measures related to confirming that system requirements are met as part of its defect-tracking processes that are associated with its system testing efforts.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff confirm that requirements are effectively used for validating that data conversion efforts produce reliable data for use in UFMS.
Closed – Implemented
HHS has taken action to confirm practices related to data conversion in order to help ensure that their efforts produce reliable data for use in meeting UFMS requirements.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff confirm that requirements are effectively used for verifying that systems interfaces function properly so that data exchanges between systems are adequate to satisfy each system's needs.
Closed – Implemented
HHS verified system interfaces through system-level test efforts that focused on code developed for HHS specific extensions and interfaces to verify that data exchanges were adequate to interfaced systems user needs.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff develop and implement a testing process that uses adequate requirements as a basis for testing a given system function.
Closed – Implemented
A testing process was developed and implemented for each testing phase that uses requirements as a basis for testing a given system function (e.g., integration testing, performance testing, and user acceptance testing) and to evaluate whether UFMS is ready for deployment.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff formalize risk management procedures to consider that all risks currently applicable to the UFMS project are identified.
Closed – Implemented
HHS agreed with our recommendation and revised its risk management processes to identify all risks currently applicable and established appropriate related risk management procedures.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff formalize risk management procedures to consider that a risk is only closed after the risk is no longer applicable rather than once management has developed a mitigation strategy.
Closed – Implemented
HHS agreed with our recommendation and revised its risk management processes to keep all risks open until the risks are actually materialized or an appropriate mitigation has been successful.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff develop and implement a program that will identify the quantitative metrics needed to evaluate project performance and risks.
Closed – Implemented
HHS developed and implemented a Performance Measurement Plan that includes various quantitative metrics used to evaluate project performance and risks.
Department of Health and Human Services Before proceeding with further implementation of UFMS after deployment at CDC, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that the UFMS program staff use quantitative measures to assess progress and compliance with disciplined processes.
Closed – Implemented
HHS has several measures related to its defect-tracking processes, earned value metrics, and critical path analysis that tracks the extent to which requirements related defects have been addressed and tracks cost and schedule performance.
Department of Health and Human Services To help ensure that HHS reduces risks in the agencywide IT environment associated with its implementation of UFMS, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that IT program management staff, as appropriate, conduct assessments of operating divisions' information security general controls that have not been recently assessed.
Closed – Implemented
All of the operating divisions' information security general controls have been assessed based on the completion of related steps detailed, the UFMS Risk Assessment and Mitigation Plan, and interviews with cognizant UFMS Project Management Office staff.
Department of Health and Human Services To help ensure that HHS reduces risks in the agencywide IT environment associated with its implementation of UFMS, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that IT program management staff, as appropriate, establish a comprehensive program to monitor access to the network, including controls over access to the mainframe and the network.
Closed – Implemented
IT program management has taken action to establish a comprehensive program to monitor access to the network and monitoring controls over access to the mainframe and the network. Controlling access to the mainframe is no longer an issue because the network environment has changed from mainframe based to server based. This network is now located at the Center for Information Technology (CIT) within NIH. GAO's 2005 report on HHS Information Programs confirmed network monitoring and controls over access to the network were appropriate.
Department of Health and Human Services To help ensure that HHS reduces risks in the agencywide IT environment associated with its implementation of UFMS, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that IT program management staff, as appropriate, verify that the UFMS project management staff has all applicable information needed to fully ensure a comprehensive security management program for UFMS. Specifically, this would include identifying and assessing the reported concerns for all HHS entities regarding key general control areas of the information security management process, including entitywide security planning.
Closed – Implemented
UFMS project management staff have taken action to identify and assess reported concerns from HHS entities over general control areas. Specifically, the project management staff keeps apprised of security concerns before connecting UFMS to an operating divisions' systems by reviewing the certification and accreditation (C&A) and the plan of action and milestones (POA&M) for the particular operating division. The C&As and POA&Ms provide project management staff with the ability to identify and assess reported concerns for HHS entities regarding key general control areas such as: entity-wide security planning, access controls, systems software controls, segregation of duties and application development and change controls. Also, interviews with the UFMS Project Management Office provided verification of compliance with GAO recommendations.
Department of Health and Human Services To help ensure that HHS reduces risks in the agencywide IT environment associated with its implementation of UFMS, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that IT program management staff, as appropriate, verify that the UFMS project management staff has all applicable information needed to fully ensure a comprehensive security management program for UFMS. Specifically, this would include identifying and assessing the reported concerns for all HHS entities regarding key general control areas of the information security management process, including access controls.
Closed – Implemented
UFMS project management staff have taken action to identify and assess reported concerns from HHS entities over general control areas. The project management staff keeps apprised of security concerns before connecting UFMS to an operating divisions' systems by reviewing the certification and accreditation (C&A) and the plan of action and milestones (POA&M) for the particular operating division. The C&As and POA&Ms provide project management staff with the ability to identify and assess reported concerns for HHS entities regarding key general control areas such as: entity-wide security planning, access controls, systems software controls, segregation of duties and application development and change controls. Also, interviews with the UFMS Project Management Office provided verification of compliance with GAO recommendations.
Department of Health and Human Services To help ensure that HHS reduces risks in the agencywide IT environment associated with its implementation of UFMS, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that IT program management staff, as appropriate, verify that the UFMS project management staff has all applicable information needed to fully ensure a comprehensive security management program for UFMS. Specifically, this would include identifying and assessing the reported concerns for all HHS entities regarding key general control areas of the information security management process, including system software controls.
Closed – Implemented
UFMS project management staff have taken action to identify and assess reported concerns from HHS entities over general control areas. The project management staff keeps apprised of security concerns before connecting UFMS to an operating divisions' systems by reviewing the certification and accreditation (C&A) and the plan of action and milestones (POA&M) for the particular operating division. The C&As and POA&Ms provide project management staff with the ability to identify and assess reported concerns for HHS entities regarding key general control areas such as: entity-wide security planning, access controls, systems software controls, segregation of duties and application development and change controls. Also, interviews with the UFMS Project Management Office provided verification of compliance with GAO recommendations.
Department of Health and Human Services To help ensure that HHS reduces risks in the agencywide IT environment associated with its implementation of UFMS, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that IT program management staff, as appropriate verify that the UFMS project management staff has all applicable information needed to fully ensure a comprehensive security management program for UFMS. Specifically, this would include identifying and assessing the reported concerns for all HHS entities regarding key general control areas of the information security management process, including segregation of duties.
Closed – Implemented
UFMS project management staff have taken action to identify and assess reported concerns from HHS entities over general control areas. The project management staff keeps apprised of security concerns before connecting UFMS to an operating divisions' systems by reviewing the certification and accreditation (C&A) and the plan of action and milestones (POA&M) for the particular operating division. The C&As and POA&Ms provide project management staff with the ability to identify and assess reported concerns for HHS entities regarding key general control areas such as: entity-wide security planning, access controls, systems software controls, segregation of duties and application development and change controls. Also, interviews with the UFMS Project Management Office provided verification of compliance with GAO recommendations.
Department of Health and Human Services To help ensure that HHS reduces risks in the agencywide IT environment associated with its implementation of UFMS, the Secretary of Health and Human Services should direct the Assistant Secretary for Budget, Technology, and Finance to require that IT program management staff, as appropriate verify that the UFMS project management staff has all applicable information needed to fully ensure a comprehensive security management program for UFMS. Specifically, this would include identifying and assessing the reported concerns for all HHS entities regarding key general control areas of the information security management process, including application development and change controls.
Closed – Implemented
UFMS project management staff have taken action to identify and assess reported concerns from HHS entities over general control areas. The project management staff keeps apprised of security concerns before connecting UFMS to an operating divisions' systems by reviewing the certification and accreditation (C&A) and the plan of action and milestones (POA&M) for the particular operating division. The C&As and POA&Ms provide project management staff with the ability to identify and assess reported concerns for HHS entities regarding key general control areas such as: entity-wide security planning, access controls, systems software controls, segregation of duties and application development and change controls. Also, interviews with the UFMS Project Management Office provided verification of compliance with GAO recommendations.
Department of Health and Human Services To help improve the human capital initiatives associated with the UFMS project, the Secretary of Health and Human Services direct the Assistant Secretary for Budget, Technology, and Finance to require that UFMS program management staff assess the key positions needed for effective project management and confirm that those positions have the human resources needed. If needed, solicit the assistance of the Assistant Secretary for Budget, Technology, and Finance to fill key positions in a timely manner.
Closed – Implemented
Although staffing shortfalls have been a recurring issue on the UFMS implementation for federal and systems integrator personnel, the UFMS PMO and systems integrator conducts bi-weekly meetings with the ASBTF to address human resource concerns, such as staffing shortages and potential turnover, and to ensure that pertinent positions are filled.
Department of Health and Human Services To help improve the human capital initiatives associated with the UFMS project, the Secretary of Health and Human Services direct the Assistant Secretary for Budget, Technology, and Finance to require that UFMS program management staff finalize critical human capital strategies and plans related to UFMS such as the skills gap analysis.
Closed – Implemented
HHS developed and finalized human capital strategies and plans related to UFMS, including plans to identify and address any skills gaps. Specifically, HHS developed a skills gap analysis for CDC. For FDA and PSC, HHS performed an organizational impact analysis to identify workforce and training implications associated with the major changes that will occur as part of the UFMS implementation, and consistent with the intent of our recommendation, conducted an analysis of the skills, roles and responsibilities needed.
Department of Health and Human Services To help improve the human capital initiatives associated with the UFMS project, the Secretary of Health and Human Services direct the Assistant Secretary for Budget, Technology, and Finance to require that UFMS program management staff finalize critical human capital strategies and plans related to UFMS such as the workforce transition strategy.
Closed – Implemented
HHS has taken action to develop a workforce transition strategy and the operating divisions developed workforce transition plans in accordance with that strategy.
Department of Health and Human Services To help improve the human capital initiatives associated with the UFMS project, the Secretary of Health and Human Services direct the Assistant Secretary for Budget, Technology, and Finance to require that UFMS program management staff finalize critical human capital strategies and plans related to UFMS such as the training plans.
Closed – Implemented
HHS has taken action to finalize training plans to address human capital strategies related to UFMS.

Full Report

Office of Public Affairs

Topics

AccountingAccounting standardsAccounting systemsEnterprise architectureFinancial management systemsHuman capitalInformation resources managementInformation security managementInternal controlsPerformance measuresRisk managementStaff utilizationStrategic planningSystems conversionsSystems evaluationIT investment managementInvestment managementSystems development