DHS Financial Management: Actions Needed to Improve Systems Modernization and Address Coast Guard Audit Issues

GAO-23-105194 Published: Feb 28, 2023. Publicly Released: Feb 28, 2023.
Fast Facts

There's still a lot of work to do to modernize the financial management systems at FEMA, Immigration and Customs Enforcement (ICE), and the Coast Guard within the Department of Homeland Security.

FEMA and ICE are in the planning phases of their modernization efforts. The Coast Guard has begun using a new financial management system—part of a larger $510 million modernization effort—but it's not working as expected.

Resolving issues identified during testing before moving on to the next phase would bolster modernization efforts. Our recommendations address this issue.

DHS financial management remains a topic on our High Risk List.

Highlights

What GAO Found

The Department of Homeland Security (DHS) has defined and implemented a tiered governance structure to provide oversight of its financial systems modernization programs. In 2018, DHS also established the Joint Program Management Office to lead all aspects of the modernization programs, in partnership with DHS components. DHS has both department-level and program-specific plans to modernize financial systems. Financial systems modernization plans at selected DHS components include U.S. Coast Guard, Federal Emergency Management Agency (FEMA), and U.S. Immigration and Customs Enforcement (ICE), among others.

  • Coast Guard deployed its new financial management system in December 2021 as part of a $510 million modernization program, and declared initial operational capability in June 2022. However, Coast Guard did not achieve expected full operational capability in December 2022. The program office is developing a remediation plan.
  • FEMA and ICE are in the planning phases of their financial systems modernization efforts. In November 2022, DHS awarded contracts for software licenses and stated that it plans to award contracts for system integration services for these components.

Additionally, DHS established a process and continues to document and consider lessons learned from current and past modernization attempts. These lessons are to be shared with upcoming modernization programs.

Although DHS identified, documented, and tracked metrics to assess Coast Guard's system deployment, DHS found that the system was not achieving expected capabilities. This is because DHS did not address and remediate known issues identified in operational testing. DHS's subsequent operational testing and evaluation of the system found that it was not effective, responsive, or reliable. Therefore, DHS could not proceed to full operational capability of the system. It is now in the process of developing a remediation plan to address outstanding issues.

DHS risks not fully achieving its goal of deploying systems that produce reliable data for management decision-making and financial reporting if it does not remediate serious issues identified by testing. Resolving deficiencies identified by testing before proceeding to the next phase in the acquisition process can help reduce the risk that future system modernization efforts at FEMA and ICE will not meet mission needs or expected capabilities.

GAO also found that corrective action plans Coast Guard developed to address its fiscal year 2021 audit findings did not always contain all of the data attributes recommended in applicable guidance. For example, although DHS guidance emphasizes the importance of root cause analyses in resolving deficiencies, such analyses were often not done. Therefore, Coast Guard is at an increased risk that its corrective actions will not effectively address identified deficiencies.

Why GAO Did This Study

Since DHS's creation in 2003, it has faced significant internal control and financial management systems deficiencies. These issues contributed to GAO designating DHS financial management as high risk. To address its financial management issues, DHS is executing a multiyear plan, to include implementing modern financial management systems at its components, including Coast Guard, FEMA, and ICE.

In this report, GAO (1) describes the oversight, program management, plans, and lessons learned from past and current financial systems modernization efforts; (2) examines the extent to which the Coast Guard is achieving expected capabilities with its newly deployed financial management system; and (3) examines the extent to which Coast Guard has addressed audit findings related to financial reporting and IT system weaknesses.

GAO met with DHS officials, reviewed key documents and plans related to modernization efforts, and assessed Coast Guard corrective action plans to address fiscal year 2021 audit findings.

Recommendations

GAO is making four recommendations, including that the Joint Program Management Office work with Coast Guard, FEMA, and ICE to remediate issues identified by testing; and that Coast Guard follow applicable guidance when developing corrective action plans. DHS concurred with the recommendations and described actions it has taken and will take to address them.

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation: DHS's Under Secretary for Management should ensure that the Joint Program Management Office works with Coast Guard to remediate known issues identified from testing, prior to declaring full operational capability for the ongoing financial systems modernization efforts. (Recommendation 1)
Status: Open
In commenting on our draft report, DHS officials concurred with the recommendation and described actions they planned to take. Specifically, DHS stated that the Joint Program Management Office (JPMO) will work with Trio components (which includes the Coast Guard, Transportation Security Administration, and the Countering Weapons of Mass Destruction Office) and DHS acquisition oversight offices to identify and agree upon what needs to be improved in the modernized system so that components can support a full operational capability decision. In April 2023, DHS officials approved a breach remediation plan that included, among other things: high-level root causes for the performance breach and associated lessons learned, actions that JPMO will take to address the issues that were identified in the System Evaluation Report, and a re-baselining schedule for the necessary acquisition documentation. Based on this schedule, JPMO expects to submit a revised acquisition program baseline in February 2024 completing the re-baselining process. As part of the re-baselining effort, the updated Life Cycle Cost Estimate will address cost increases and provide guidance to the Components. After the expected full scope of funding required to meet all full operational capability requirements is identified, the JPMO will review the expected costs with the Components prior to proceeding with implementation. In April 2023, DHS signed a breach remediation plan. However, this recommendation will remain open until DHS has fully implemented its plan, remediated the known issues, and declared full operational capability.

Agency Affected: Department of Homeland Security
Recommendation: DHS's Under Secretary for Management should ensure that the Joint Program Management Office works with FEMA to remediate issues as they arise from user testing prior to moving forward with subsequent milestones for the ongoing financial systems modernization efforts. (Recommendation 2)
Status: Open
In commenting on our draft report, DHS officials concurred with the recommendation and described actions they planned to take. Specifically, DHS stated that the Joint Program Management Office (JPMO) will ensure that lessons learned from the Trio implementation translate into appropriate actions for the ongoing FEMA financial systems modernization efforts. This includes comprehensive discovery efforts to develop functional requirements documentation, incorporating standard DHS business processes, and detailed user acceptance testing. Additionally, DHS stated that it will ensure the resolution of identified issues prior to go-live of the new system. DHS noted that one critical lesson learned that will be incorporated into the FEMA modernization efforts is the need for early and consistent hands-on user testing throughout the implementation. Finally, DHS stated that JPMO will work with FEMA to ensure that contingency plans are in place to ensure that system conversion does not impact the ability to make critical disaster-related payments timely. This includes ensuring that legacy systems are available to continue with operations and developing strategies for mid-year cutover, if outstanding issues prevent a cutover at the beginning of a fiscal year. In August 2023, DHS stated that JPMO remains on track for comprehensive discovery efforts, development of requirements, and starting the discovery process with the system integrator by October 2023. DHS's overall estimated completion date for these actions remains September 30, 2024. We will continue to monitor the department's progress towards implementing this recommendation.

Agency Affected: Department of Homeland Security
Recommendation: DHS's Under Secretary for Management should ensure that the Joint Program Management Office works with ICE to remediate issues as they arise from user testing prior to moving forward with subsequent milestones for the ongoing financial systems modernization efforts. (Recommendation 3)
Status: Open
In commenting on our draft report, DHS officials concurred with the recommendation and described actions they planned to take. Specifically, DHS stated that the Joint Program Management Office (JPMO) will ensure that lessons learned from the Trio implementation translate into appropriate actions for the ongoing ICE and ICE customer financial systems modernization efforts. This includes comprehensive discovery efforts to develop functional requirements documentation, incorporating business processes, and detailed user acceptance testing. Additionally, DHS stated that it will ensure the resolution of identified issues prior to go-live of the new system. DHS noted that one critical lesson learned that will be incorporated into the ICE modernization efforts is the need for early and consistent hands-on user testing throughout the implementation. In August 2023, DHS stated that JPMO remains on track for comprehensive discovery efforts, development of requirements, and starting the discovery process with the system integrator by October 2023. DHS's overall estimated completion date for these actions remains September 30, 2024. We will continue to monitor the department's progress towards implementing this recommendation.

Agency Affected: Department of Homeland Security
Recommendation: DHS's Under Secretary for Management should ensure that Coast Guard follows applicable guidance when developing corrective action plans to include documenting the root cause analysis and other recommended attributes. (Recommendation 4)
Status: Open
In commenting on our draft report, DHS officials concurred with the recommendation and described actions they planned to take. Specifically, DHS stated that Coast Guard Office of Financial Policy, Reporting, and Property follows applicable guidance, specifically using DHS's Mission Action Plan Guidance and templates to build out and track corrective action plans for deficiencies identified during audits. Senior Assessment Team meetings are held monthly to manage this process with the Key Process Owners' leadership. Additionally, the Coast Guard Comptroller briefs the Vice Commandant at least quarterly at higher level governance meetings. The Coast Guard Office of Internal Controls and the Office of Cyber Security Program management is currently developing corrective action plans for 19 material weaknesses and one control deficiency. The Key Process Owners will propose remediation timelines that are vetted by Coast Guard leadership, and then reviewed and approved by the DHS Risk Management and Assurance Office. In June 2023, Coast Guard provided updated Mission Action Plans (MAP). We are in the process of reviewing these plans to determine if actions meet the intent of our recommendation, but it is not clear whether DHS has conducted root cause analyses for each MAP. DHS's expected completion date for this effort was May 31, 2023. We will update the status of this recommendation once we complete our review.

Topics

Business systems modernization, Financial management, Financial management systems, Financial systems modernization, Homeland security, Lessons learned, Material weaknesses, Program management, Financial reporting, Financial systems