[House Hearing, 111 Congress]
[From the U.S. Government Printing Office]
CREATING ONE DHS: STANDARDIZING DEPARTMENT OF HOMELAND SECURITY
FINANCIAL MANAGEMENT
=======================================================================
HEARING
before the
SUBCOMMITTEE ON MANAGEMENT,
INVESTIGATIONS, AND OVERSIGHT
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
OCTOBER 29, 2009
__________
Serial No. 111-42
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
57-850 PDF WASHINGTON : 2011
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Loretta Sanchez, California             Peter T. King, New York
Jane Harman, California                 Lamar Smith, Texas
Peter A. DeFazio, Oregon                Mark E. Souder, Indiana
Eleanor Holmes Norton, District of      Daniel E. Lungren, California
  Columbia                              Mike Rogers, Alabama
Zoe Lofgren, California                 Michael T. McCaul, Texas
Sheila Jackson Lee, Texas               Charles W. Dent, Pennsylvania
Henry Cuellar, Texas                    Gus M. Bilirakis, Florida
Christopher P. Carney, Pennsylvania     Paul C. Broun, Georgia
Yvette D. Clarke, New York              Candice S. Miller, Michigan
Laura Richardson, California            Pete Olson, Texas
Ann Kirkpatrick, Arizona                Anh ``Joseph'' Cao, Louisiana
Ben Ray Lujan, New Mexico               Steve Austria, Ohio
Bill Pascrell, Jr., New Jersey
Emmanuel Cleaver, Missouri
Al Green, Texas
James A. Himes, Connecticut
Mary Jo Kilroy, Ohio
Eric J.J. Massa, New York
Dina Titus, Nevada
Vacancy
I. Lanier Avant, Staff Director
Rosaline Cohen, Chief Counsel
Michael Twinchek, Chief Clerk
Robert O'Conner, Minority Staff Director
______
SUBCOMMITTEE ON MANAGEMENT, INVESTIGATIONS, AND OVERSIGHT
Christopher P. Carney, Pennsylvania, Chairman
Peter A. DeFazio, Oregon                Gus M. Bilirakis, Florida
Bill Pascrell, Jr., New Jersey          Anh ``Joseph'' Cao, Louisiana
Al Green, Texas                         Daniel E. Lungren, California
Mary Jo Kilroy, Ohio                    Peter T. King, New York (Ex Officio)
Bennie G. Thompson, Mississippi (Ex Officio)
Tamla T. Scott, Staff Director
Carla Zamudio-Dolan, Clerk
Michael Russell, Senior Counsel
Kerry Kinirons, Minority Subcommittee Lead
C O N T E N T S
----------
Statements
The Honorable Christopher P. Carney, a Representative in Congress
From the State of Pennsylvania, and Chairman, Subcommittee on
Management, Investigations, and Oversight
The Honorable Gus M. Bilirakis, a Representative in Congress From
the State of Florida, and Ranking Member, Subcommittee on
Management, Investigations, and Oversight
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
  Prepared Statement
Witnesses
Mr. James L. Taylor, Deputy Inspector General, Department of
Homeland Security:
  Oral Statement
  Prepared Statement
Ms. Kay L. Daly, Director, Financial Management and Assurance
Issues, Government Accountability Office:
  Oral Statement
  Prepared Statement
Ms. Peggy Sherry, Acting Chief Financial Officer, Department of
Homeland Security:
  Oral Statement
  Prepared Statement
CREATING ONE DHS: STANDARDIZING
DEPARTMENT OF HOMELAND SECURITY
FINANCIAL MANAGEMENT
----------
Thursday, October 29, 2009
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Management, Investigations,
and Oversight,
Washington, DC.
The subcommittee met, pursuant to call, at 10:00 a.m., in
Room 311, Cannon House Office Building, Hon. Christopher P.
Carney [Chairman of the subcommittee] presiding.
Present: Representatives Carney, Pascrell, Green, and
Bilirakis.
Mr. Carney [presiding]. The Subcommittee on Management,
Investigations, and Oversight will come to order. The
subcommittee is meeting today to receive testimony on
``Creating One DHS: Standardizing Department of Homeland
Security Financial Management.''
Good morning, all. Please let me begin by stating that this
subcommittee has rules, and everyone is expected to follow
those rules. One of those rules, Rule 6, Subsection D, Item 1,
states that all testimony will be received no later than 48
hours in advance of a hearing.
It appears that the Department has a hard time complying
with this rule from time to time. I know we have had a
discussion before the hearing started, but this will be my last
verbal warning to the Department. All testimony will be
received 48 hours in advance of a hearing, or it will not be
accepted.
I would like to thank Mr. Taylor and Ms. Daly for getting
their testimony in on time and apologize that they needed to
sit here while I admonished the Department.
In any event, okay, this hearing is the first in a series
of hearings the Subcommittee on Management, Investigations, and
Oversight will conduct regarding the Department of Homeland
Security's intention to create One DHS.
One DHS in part will be achieved by consolidating various
operational functions from the legacy agencies into
Department-wide systems. It has been 6 years since the Department was
established. It has yet to implement a Department-wide
integrated financial management system. DHS receives billions
of taxpayer dollars every year and to date has been unable to
account for a majority of their appropriated funding the same
way that other departments and agencies can.
Today's hearing will examine the Department's myriad
financial management systems, the steps the Department is
taking to unify its financial operations into one integrated,
standardized, auditable system, and best practices that will
ensure the Department's accounting methodologies will meet the
existing standards and protocols.
eMerge2, the Department's initial attempt at financial
management consolidation, was unsuccessful. Unfortunately, some
3 years and millions of dollars after the effort ceased, many
of the problems experienced as part of eMerge2 are being
experienced with the Department's current effort, the
Transformation and Systems Consolidation, or TASC program.
The problems include integrating the Department's myriad
financial systems, determining how the Department can construct
a system that will result in accurate and timely financial
data, and ascertaining how the limited results of eMerge2
fit within the Department's current efforts.
The Government Accountability Office has suggested steps
the Department could take to ensure a successful TASC program,
as well as how TASC RFPs should be crafted in a way that will
ensure DHS is satisfied with the financial--excuse me--with a
final financial system and accounting system.
The Department has yet to show that it is taking any of
these recommendations into consideration. Today I hope to hear
how the Department will ensure that TASC is a success,
including a clear strategy that describes how it will be
implemented and linked to existing Department business
processes, policies, and legacy systems.
I want to thank the witnesses for their participation and
look forward to their testimony.
We will now hear from the Ranking Member, the gentleman
from Florida, Mr. Bilirakis.
Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it
very much.
I am pleased the subcommittee is meeting to consider the
Department of Homeland Security's financial management
oversight and consolidation efforts. The Department of Homeland
Security currently has 13 separate financial management
systems, down from 19 it inherited when the Department was
created in 2003. The separate financial systems result in
inconsistent data across the Department and in part contribute
to the Department's inability to obtain a clean audit of its
financial statement.
With respect to the TASC program, I am interested in
learning more about the Department's concept of operations and
migration strategy. I would also like to hear about the
Department's plans for contract oversight. This estimated cost
of the TASC contract is $450 million. As with other large
procurements at the Department, there is the possibility for
cost overruns.
It has also been suggested that this estimate understates
the total cost of this contract. By the time eMerge2 was
canceled, the Department had spent $52 million of the more than
$250 million estimated project cost. While the GAO indicated
that ending the program was prudent to cut losses, the
Department was left with little to show after such a large
expenditure.
It is my hope that the Department will use the lessons
learned from eMerge2 to ensure that the funding for TASC is
spent in the most efficient and effective way possible. I will
also note that while important, a consolidated financial system
is not a silver bullet to fix the Department's financial
management issues. The Department must have strong internal
controls in place and provide oversight over its people and
processes to ensure compliance with the relevant policies.
That said, I would like to welcome our witnesses here
today. I look forward to your insights on all of these issues.
I want to thank the Chairman. Thank you, and I yield back
the balance of my time.
Mr. Carney. I thank you, Mr. Bilirakis.
Seeing that the Chairman and Ranking Member aren't here,
other Members of the subcommittee are reminded that under
committee rules opening statements may be submitted for the
record.
[The statement of Chairman Thompson follows:]
Prepared Statement of Chairman Bennie G. Thompson
October 29, 2009
The Department of Homeland Security has one of the largest budgets
in the Federal Government.
Each year approximately $40 billion in appropriated funds flows in
and out of the Department.
Among other things, these funds are used to pay over 200,000
employees, provide disaster aid to States and local governments and
purchase the equipment used by those protecting our borders.
We owe it to taxpayers to ensure that these funds are appropriately
used, fully accounted for, and auditable.
Unfortunately, this is not the case at the Department of Homeland
Security.
Six years into several attempts at integrating its financial
management systems, and millions of dollars later, the Department is
still using thirteen different systems that cannot talk to each other,
that do not adequately reflect where funds are located and is unable to
let the Department of Treasury know, at any given moment, how much
money is left in the Department of Homeland Security budget.
Fortunately, the Department knows that the way out of this
conundrum is to integrate its systems. Unfortunately, I am concerned
that it may be heading down the same path it took when previous
attempts to integrate the Department's financial management systems
failed.
There is a saying that goes: ``If you keep doing the same thing,
you will keep getting the same result.''
Yet, once again, the Department is relying on contractors to do the
work that should be performed by the Government.
In this instance, the Department intends to allow a contractor to
define what the Department needs, then design what it will receive,
then map out the strategy for implementation.
The fact that the Department released a Request for Proposal before
first defining its financial management strategy is troublesome, and
sounds like putting the cart before the horse.
Past lessons have taught us that over-relying on contractors can
lead to lack of proper oversight, performance problems, and
skyrocketing costs.
To that end, I would urge the Department, in an effort to reduce
costs, to develop its own strategy for integrating its financial
management systems and to establish a more solid road map.
Moreover, I am greatly concerned with the findings that the GAO
will be presenting us with today.
Although the Department has received much guidance from the GAO on
the steps that must be taken to successfully integrate its financial
management systems it appears as if this advice has fallen by the
wayside.
I look forward to listening to our witnesses' testimony today
regarding what steps are being taken to correct existing deficiencies
and whether those steps are enough to prevent an unacceptable outcome.
Mr. Carney. I want to welcome our witnesses. Our first
witness is Mr. James L. Taylor, who serves as the deputy
inspector general for the Department of Homeland Security. Mr.
Taylor was selected as the deputy inspector general in October
2005. He previously served as the deputy chief financial
officer, CFO, and director for financial management at the
Department of Commerce.
Prior to his work at Commerce, Mr. Taylor held the position
of deputy chief financial officer at the Federal Emergency
Management Agency, FEMA, where he was directly responsible for
all financial operations, with expenditures of $4 billion to
$10 billion annually.
Our second witness is Ms. Kay L. Daly. Ms. Daly currently
serves as the director for financial management and assurance
issues at the Government Accountability Office. She is
responsible for financial management systems, improper
payments, contracting, cost analysis, and health care financial
management issues.
She led GAO's report on key cases of financial management
system modernization failures that highlighted the need to
follow disciplined processes in software implementation, use
effective human capital management, and employ other IT
management practices.
Our third and final witness is Ms. Peggy Sherry, the acting
chief financial officer for the Department of Homeland
Security. Ms. Sherry joined the Department in 2007 as the
director of the Office of Financial Management and is
responsible for developing Department-wide financial management
policy, leading the Department's financial audits and preparing
Department-wide financial reports.
Prior to joining the Department, she served as the deputy
chief financial officer for the United States Holocaust
Memorial Museum, where she oversaw the successful conversion to
the museum's new financial management system and instituted
processes to obtain several unqualified audit options--excuse
me--several unqualified audit opinions on the museum's
financial statements.
Without objection, the witnesses' full statements will be
inserted into the record. I now ask each witness to summarize
for 5 minutes their statements, beginning with Mr. Taylor.
STATEMENT OF JAMES L. TAYLOR, DEPUTY INSPECTOR GENERAL,
DEPARTMENT OF HOMELAND SECURITY
Mr. Taylor. Thank you, Mr. Chairman.
Mr. Chairman, Ranking Member Bilirakis, and Members of the
committee, thank you for the opportunity to appear before you
today on behalf of the Homeland Security Office of Inspector
General. My testimony today will focus on the financial
management challenges facing the Department and its components
and the progress made so far in addressing these challenges.
Inspectors general are required by law to annually report
on the top management challenges facing the departments or
agencies they oversee. For DHS the Office of Inspector General
has consistently placed financial management high on that list.
However, fixing financial management at DHS will require more
than just focusing on this one area singularly.
Rather, DHS needs continuous efforts to address its
financial processes, as well as two related areas identified in
our annual management challenges report: Information technology
management as well as acquisition management.
DHS must re-engineer and standardize its underlying
financial processes so they conform to the requirements of the
CFO Act of 1990. In addition, DHS must strengthen how it
manages information technology so it is able to develop and
implement integrated systems to support redesigned financial
processes.
Finally, DHS must address long-standing deficiencies in
acquisition management to ensure it can acquire effectively the
information technology needed to meet its financial management
responsibilities.
DHS has worked hard to improve financial management over
the last 6 years, and the OIG is proud of our relationship with
the CFO's office in trying to meet these challenges. However,
significant challenges do remain.
The Department has consistently been unable to obtain an
unqualified audit opinion or any audit opinion on its financial
statements. Additionally, the OIG has to issue a separate
opinion on internal controls. DHS is the only Federal
department that is required to have a separate audit opinion on
internal controls.
That opinion has also been a disclaimer for the last few
years. In other words the Department is not yet at a point
where any opinion can be rendered on either the Department's
financial statements or its internal controls or financial
reporting.
Obtaining unqualified opinions on financial statements and
internal controls should not be the end goal. Rather, it should
be a milestone in providing management and stakeholders with
useful, timely financial data for decision-making. The annual
financial statement audit provides insight into the progress
the Department is making in resolving weaknesses in processes
and systems, and an essential part of the Department's efforts
to improve financial reporting is improving the systems which
compile and maintain financial information.
Since 2003 IT general controls have been evaluated as part
of DHS's financial statement audit. This review has included
assessing key core financial systems at FEMA, Customs and
Border Protection, TSA, Coast Guard, Federal Law Enforcement
Training Center, U.S. Immigration and Customs Enforcement, and
U.S. Citizenship and Immigration Services.
Generally, DHS's IT financial systems are fragmented, do
not share data effectively, and over the years have developed
security control weaknesses that undermine the overall
reliability. Collectively, the IT control weaknesses we
identified limit DHS's ability to ensure that critical
financial and operational data were maintained in such a manner
to ensure confidentiality, integrity, and availability.
In addition, these weaknesses negatively impacted the
internal controls over DHS's financial reporting and its
operation, and we consider them to collectively represent
material weaknesses.
DHS has recognized that it needs to improve financial
management processes, as well as the systems that support those
processes. Toward that end, DHS is moving ahead with the TASC
system already mentioned, an enterprise-wide initiative aimed
at modernizing, transforming, and integrating the financial
acquisition and asset management capabilities of DHS
components.
TASC is DHS's third attempt to address comprehensively its
long-standing financial management process and systems
problems. The first, known as eMerge, was canceled December
2005 after DHS had spent millions on what DHS officials had
determined to be a failure. The second effort ended after a
successful court challenge.
These failures illustrate the critical need for close CFO-CIO
cooperation properly identifying the requirements for any
system and the need for sound oversight of the process by
trained and experienced contracts officers and specialists.
The latest effort is a high-risk initiative that would take
years to complete. It is now estimated to cost in excess of $1
billion. We are presently completing a review of DHS's efforts
in planning and implementing TASC and plan to report on the
results of our review in a few months.
In summary, Mr. Chairman, the DHS CFO and CIO, in
conjunction with component CFOs and CIOs, are responsible for
working together to standardize DHS's core financial systems.
However, weaknesses in financial management processes and IT
security controls over the systems continue to hinder the
Department's ability to effectively produce accurate financial
information.
DHS's ability to significantly improve the quality of its
financial reporting hinges on the successful implementation of
new systems and improved business processes in order to promote
sound financial management.
Mr. Chairman, this concludes my prepared statement. Thank
you for the opportunity, and I welcome any questions from you
or Members of the subcommittee.
[The statement of Mr. Taylor follows:]
Prepared Statement of James L. Taylor
October 29, 2009
Mr. Chairman and Members of the committee: Thank you for the
opportunity to appear before you on behalf of the Department of
Homeland Security Office of Inspector General. My testimony today will
focus on the financial management challenges facing the Department and
its components, and the progress made so far in addressing these
challenges.
Inspectors general are required by law to annually report on the
top management challenges for the departments or agencies they oversee.
For DHS, the Office of Inspector General has consistently placed
financial management high on that list. However, fixing financial
management in DHS will require more than just focusing on this one
area. Rather, DHS needs to continue its efforts to address its
financial management processes, as well as two related areas identified
in our November 2008 report: Information technology (IT) management and
acquisition management. Specifically, DHS must reengineer and
standardize its underlying financial processes so they conform to the
requirements of the Chief Financial Officer Act of 1990. In addition,
DHS must strengthen how it manages information technology, so it is
able to develop and implement integrated systems that support
redesigned financial processes. Finally, DHS must address long-standing
inefficiencies in acquisition management, to ensure it can acquire
effectively the information technology needed to meet its financial
management responsibilities.
DHS Financial Management
DHS has worked hard to improve financial management, but
significant challenges remain. The Department consistently has been
unable to obtain an unqualified audit opinion, or any audit opinion, on
its financial statements. For fiscal year 2008, the independent
auditors issued a disclaimer on DHS' financial statements and
identified significant deficiencies which were so serious they
qualified as material weaknesses. Additionally the OIG issued a
disclaimer on DHS' Internal Control Over Financial Reporting (ICOFR).
DHS' ability to obtain an unqualified audit opinion, and provide
assurances that its system of internal control is designed and
operating effectively, is highly dependent upon business process
improvements across the Department.
Aside from being required by the Chief Financial Officer Act of
1990, financial statement audits provide insight into the status of
financial management and progress in resolving weaknesses in processes
and systems. For fiscal year 2008, the Department was able to reduce
the number of conditions leading to the independent auditors'
disclaimer of opinion on DHS' financial statements from six to three.
As a result, the Office of Financial Management and the Office of
Health Affairs no longer contribute to the disclaimer conditions and
FEMA remediated all its prior year disclaimer conditions. However,
during the fiscal year 2008 audit, new disclaimer conditions were
identified at TSA and FEMA. TSA was unable to assert that its capital
asset balances were fairly stated and FEMA was unable to assert that
its capital asset balances were fairly stated, respectively.
The Departmental material weaknesses in internal control were
primarily attributable to the Coast Guard, FEMA, and TSA. The Coast
Guard's material weaknesses, which have existed since 1994,\1\
contribute to all six of the Department's material weaknesses, while
FEMA contributed to four and TSA contributed to three. The Coast Guard
also contributes to TSA's financial systems security material weakness
due to TSA's reliance on the Coast Guard's financial systems. Although
the other components did not have material weaknesses, some had
significant deficiencies that, when combined, contributed to the
Departmental material weaknesses.
---------------------------------------------------------------------------
\1\ DOT-OIG, Significant Internal Control Weaknesses Identified in
Audits of FY 1994 and 1995, R3-CG-6-011, August 1996.
---------------------------------------------------------------------------
DHS' IT Financial Systems
Generally, DHS' IT financial systems are fragmented, do not share
data effectively, and over the years have developed security control
weaknesses that undermine their overall reliability. Fixing these
systems and eliminating security vulnerabilities will be critical to
DHS' efforts to improve financial management.
Since 2003, IT general controls have been evaluated as a part of
DHS's financial statement audit. This review has included assessing key
core financial systems at FEMA, Customs and Border Protection (CBP),
TSA, Coast Guard, Federal Law Enforcement Training Center (FLETC), U.S.
Immigration and Customs Enforcement, and U.S. Citizenship and
Immigration Services. As a part of these reviews, controls over
applications being processed on various platforms were evaluated,
including Oracle and SAP. The objective of these audits was to evaluate
the effectiveness of IT general controls over DHS' financial processing
environment and related IT infrastructure as necessary to support the
results of the financial statement audit.
We reported in April 2009 that DHS components have taken
significant steps to improve financial system security and address
prior year IT control weaknesses, which resulted in the closure of more
than 40% of our prior year IT control findings.\2\ Additionally, some
DHS components reduced the severity of the weaknesses when compared to
findings reported in the prior year. However, access controls and
service continuity continue to be issues at several components
including FEMA, Coast Guard, and TSA. The most significant weaknesses
from a financial statement audit perspective include:
---------------------------------------------------------------------------
\2\ Information Technology Management Letter for the FY 2008 DHS
Financial Statement Audit (OIG-09-50, April 2009).
---------------------------------------------------------------------------
    Excessive unauthorized access to key DHS financial
      applications;
    Application change control processes that are inappropriate,
      not fully defined, followed, or effective; and,
    Service continuity issues impacting DHS' ability to ensure
      that DHS financial data is available when needed.
Collectively, the IT control weaknesses we identified limited DHS'
ability to ensure that critical financial and operational data were
maintained in such a manner to ensure confidentiality, integrity, and
availability. In addition, these weaknesses negatively impacted the
internal controls over DHS' financial reporting and its operation, and
we consider them to collectively represent a material weakness. The
information technology findings were combined into one material
weakness regarding IT for the fiscal year 2008 audit of the DHS
consolidated financial statements.
We recommended that the DHS Chief Information Officer (CIO), in
conjunction with the DHS Chief Financial Officer (CFO) and the
component CIOs and CFOs make improvements in the areas of access
controls, application software development and change controls, service
continuity, entity-wide security, system software, and segregation of
duties.
Component IT Financial Systems
For fiscal year 2008, we issued separate IT management letter
reports for FEMA, CBP, TSA, Coast Guard, and FLETC and an overall
consolidated IT management letter report that summarized the IT issues
for all seven components. Each management letter addressed the IT
security issues at each component and provided individual component
level findings and recommendations. In each of these management letters
we recommended that the component CIOs and CFOs in conjunction with the
DHS CIO and CFO work to address the issues noted in our reports.
Coast Guard
We reported in March 2009 that the Coast Guard took corrective
action to address nearly half of its prior year IT control
weaknesses.\3\ However, we continued to identify IT general control
weaknesses. The most significant weaknesses from a financial statement
audit perspective related to the development, implementation, and
tracking of financial systems coding changes, and the design and
implementation of configuration management policies and procedures.
---------------------------------------------------------------------------
\3\ Information Technology Management Letter for the United States
Coast Guard Component of the FY 2008 DHS Financial Statement Audit
(OIG-09-47, March 2009).
---------------------------------------------------------------------------
Of the 22 findings identified during fiscal year 2008 testing, 21
were repeat findings, either partially or in whole from the prior year,
and one was a new IT finding. These findings represent weakness in four
of the six key control areas. The areas impacted included Application
Software Development and Change Controls, Access Controls, Service
Continuity, and Entity-Wide Security Program Planning and Management.
The majority of the findings were inherited from the lack of properly
designed, detailed, and consistent guidance over financial system
controls.
Specifically, the findings stem from: (1) Unverified access
controls through the lack of user access privilege re-certifications,
(2) entity-wide security program issues involving civilian and
contractor background investigation weaknesses, (3) inadequately
designed and operating change control policies and procedures, (4)
patch and configuration management weaknesses within the system, and
(5) the lack of updated disaster recovery plans which reflect the
current environment identified through testing. These weaknesses may
increase the risk that the confidentiality, integrity, and availability
of system controls and Coast Guard financial data could be exploited
thereby compromising the integrity of financial data used by management
and reported in the DHS financial statements.
CBP
We reported in April 2009 that CBP took corrective action to
address prior year IT control weaknesses.\4\ For example, CBP made
improvements in how it tracks the hiring, termination, and systems
access of contracted employees within the Office of Information
Technology (OIT). However, during fiscal year 2008, identified IT
general control weaknesses continued to exist at CBP. The most
significant weaknesses, from a financial statement audit perspective,
related to controls over access to programs and data.
---------------------------------------------------------------------------
\4\ Information Technology Management Letter for the FY 2008
Customs and Border Protection Financial Statement Audit (OIG-09-59,
April 2009).
---------------------------------------------------------------------------
Although improvement was noted in the audit, many of the conditions
identified at CBP in fiscal year 2007 have not been corrected because
CBP still faces challenges related to the merging of numerous IT
functions, controls, processes, and organizational resource shortages.
During fiscal year 2008, CBP took steps to address these conditions.
Despite these improvements, CBP needs further stress on the monitoring
and enforcement of access controls. CBP needs to further emphasize the
importance of developing and implementing well-documented procedures at
the system and entity-level.
FEMA
FEMA took corrective action to address prior year IT control
weaknesses. We reported in March 2009 that FEMA made improvements by
restricting access to off-line account tables, implementing an
alternate processing site for one of its financial applications, and
improving the process for retaining National Flood Insurance Program
(NFIP) change control documentation.\5\ However, during fiscal year
2008, IT general control weaknesses at FEMA still existed. The most
significant weaknesses from a financial statement audit perspective
related to controls over access to programs and data and controls over
program changes.
---------------------------------------------------------------------------
\5\ Information Technology Management Letter for the Federal
Emergency Management Agency Component of the FY 2008 DHS Financial
Statement Audit (OIG-09-48, March 2009).
---------------------------------------------------------------------------
Of the 26 findings identified during the fiscal year 2008 testing,
15 were repeat findings, either partially or in whole from the prior
year, and 11 were new findings. These findings were representative of
five of the six key control areas. Specifically, the findings stem
from: (1) Inadequately designed and operating access control policies
and procedures relating to the granting of access to systems and
supervisor re-certifications of user access privileges, (2) lack of
properly monitored audit logs, (3) inadequately designed and operating
change control policies and procedures, (4) patch and configuration
management weaknesses within the system, and (5) the lack of tested
contingency plans. These weaknesses may increase the risk that the
confidentiality, integrity, and availability of system controls and
FEMA financial data could be exploited, thereby compromising the
integrity of financial data used by management and reported in the DHS
financial statements.
FLETC
We reported in April 2009 that FLETC made minimal progress on its
control weaknesses.\6\ Therefore, many of the prior year Findings and
Recommendations (NFR) could not be closed completely due to the
reliance on the impending Momentum application upgrade, the
decommissioning of Procurement Desktop and the installation of new
hardware that would improve the overall IT security structure at FLETC.
As a result, there was one (1) prior year NFR closed, twenty (27)
reissued NFRs, and three (3) new NFRs issued to FLETC.
---------------------------------------------------------------------------
\6\ Information Technology Management Letter for the Federal Law
Enforcement Training Center FY 2008 Financial Statement Audit (OIG-09-
63, April 2009).
---------------------------------------------------------------------------
The IT testing at FLETC disclosed matters involving the internal
controls over financial reporting and its operation that we consider to
be a significant deficiency under AICPA standards. Deficiencies in the
design and operation of FLETC's internal controls which could adversely
affect the agency's financial statements were noted. Deficiencies also
existed in entity-wide security planning, access controls, application
development and change control, system software, segregation of duties,
and service continuity that have contributed to the significant
deficiency.
TSA
In fiscal year 2008, TSA took corrective action to address prior
year IT control weaknesses. We reported in April 2009 that TSA made
improvements in testing disaster recovery procedures, reviewing audit
logs, and implementing emergency response training for all personnel
with data center access.\7\ However, IT general control weaknesses that
impact TSA's financial data remain. The most significant weaknesses
from a financial statement audit perspective related to controls over
the termination of the contract with the software support vendor, the
design and implementation of configuration management policies and
procedures, and the development, implementation, and tracking of coding
changes to the software maintained for TSA by the Coast Guard.
---------------------------------------------------------------------------
\7\ Information Technology Management Letter for the Transportation
Security Administration FY 2008 Financial Statement Audit (OIG-09-62,
April 2009).
---------------------------------------------------------------------------
Of the 15 findings identified during our fiscal year 2008 testing,
13 are repeat findings, either partially or in whole from the prior
year, and two are new IT findings. These findings represent weaknesses
in four of the six key control areas. Specifically, (1) unverified
access controls through the lack of comprehensive user access privilege
re-certifications, (2) entity-wide security program issues involving
civilian and contractor background investigation weaknesses, (3)
inadequately designed and operating change control policies and
procedures, and (4) the lack of updated disaster recovery plans which
reflect the current environment identified through testing. These
weaknesses may increase the risk that the confidentiality, integrity,
and availability of system controls and TSA financial data could be
exploited thereby compromising the integrity of financial data used by
management and reported in TSA's financial statements.
DHS IT Disaster Recovery Efforts
Following a service disruption or a disaster, DHS must be able to
recover its IT systems quickly and effectively in order to continue
essential functions, including financial management support. In May
2005, we reported on deficiencies in the Department of Homeland
Security's disaster recovery planning for information systems.\8\ We
recommended that the Department allocate the funds needed to implement
an enterprise-wide disaster recovery program for mission critical
systems, require that disaster recovery capabilities be included in the
implementation of new systems, and ensure that disaster recovery-
related documentation for mission critical systems be completed and
conform to current Government standards.
---------------------------------------------------------------------------
\8\ Disaster Recovery Planning for DHS Information Systems Needs
Improvement (OIG-05-22, May 2005).
---------------------------------------------------------------------------
We conducted a follow-up audit last year and reported in April 2009
that the Department has made progress in establishing an enterprise-
wide disaster recovery program.\9\ Specifically, the Department has
allocated funds for this program since fiscal year 2005, and by August
2008 had established two new data centers. Further, the Department now
includes contingency planning as part of the system authorization
process and it has issued guidance to ensure that contingency planning
documentation conforms to Government standards.
---------------------------------------------------------------------------
\9\ DHS' Progress in Disaster Recovery Planning for Information
Systems (OIG-09-60, April 2009).
---------------------------------------------------------------------------
While the Department has strengthened its disaster recovery
planning, more work is needed. For example, the two new data centers
need interconnecting circuits and redundant hardware to establish an
active-active processing capability.
We noted that not all critical Departmental information systems
have an alternate processing site. Further, disaster recovery guidance
does not conform fully to Government standards. Finally, risk
assessments of the data centers are outdated.
In our fiscal year 2008 report, we recommended that the Chief
Information Officer implement the necessary circuits and redundant
resources at the new data centers; ensure that critical Departmental
information systems have complete contingency planning documentation;
and conform Departmental contingency planning guidance to Government
standards. Additionally, the Department should reassess data center
risks whenever significant changes to the system configuration have
been made.
The fiscal year 2008 financial statement audit noted that service
continuity issues continue to impact DHS' ability to ensure that DHS
financial data is available when needed, including instances where the
Continuity of Operations Plan (COOP) does not include an accurate
listing of critical information technology systems, did not have
critical data files and an alternate processing facility documented,
and was not adequately tested, and various weaknesses identified in
alternate processing sites. Service continuity is one of the main IT
general control areas that continue to present a risk to financial
systems data integrity for DHS' financial systems.
Among recommendations for service continuity for DHS' financial
systems were to update the COOP to document and prioritize an accurate
listing of critical IT systems, ensure that alternate processing sites
are made operational, and test backups at least quarterly.
Transformation and Systems Consolidation (TASC)
DHS has recognized that it needs to improve its financial
management processes, as well as the systems that support those
processes. Toward that end, DHS is moving ahead with TASC, an
enterprise-wide initiative, aimed at modernizing, transforming, and
integrating the financial, acquisition, and asset management
capabilities of DHS components. According to DHS, TASC is not an update
of legacy systems, but an implementation of integrated financial,
asset, and procurement management capabilities that will subsume many
systems and standardize business processes. The resulting system, once
implemented, is aimed at providing a real-time (providing immediate
viewing of data), web-based system (accessed from anywhere) of
integrated business processes that will be used by component financial
managers, service providers, program managers, and auditors to make
sound business decisions to support the DHS mission.
The goals and objectives of the TASC initiative are numerous and
reflect the collective input from the components. TASC also represents
an effort to leverage the work done by Office of Federal Financial
Management (OFFM) and will achieve full compliance with the rigid
standards outlined by OFFM. TASC will implement enhanced capabilities
to achieve the following goals:
    Create end-to-end standardized integrated business
      processes;
    Support timely financial management;
    Enable the acquisition of best value goods and services that
      meet the Department's quality and timeliness requirements;
    Enable consolidated asset management across all components;
    Create a standard central accounting line.
TASC is DHS' third attempt to address comprehensively its long-
standing financial management process and system problems. The first
effort, known as the Electronically Managing Enterprise Resources for
Government Effectiveness and Efficiency (e-Merge) project, was canceled
in December 2005 after DHS had spent $24 million on what DHS officials
had determined to be a failure. The second effort focused on moving DHS
components to one of two financial systems platforms: SAP and Oracle.
However, a Federal court ruled in Savantage Financial Services, Inc.
vs. United States that DHS' decision to use Oracle and SAP financial
software systems via a ``Brand Name Justification'' document is an
improper sole source procurement in violation of the Competition in
Contracting Act. In response to this decision, RMTO revised its
financial systems consolidation strategy to the current approach.
TASC is a high-risk initiative that will take years to complete,
potentially costing over $1 billion. We are presently completing a
review of DHS' efforts in planning and implementing TASC, and plan to
report on the results of our review in a few months.
In summary, the DHS CFO and CIO in conjunction with the component
CFOs and CIOs are responsible for working together to standardize DHS'
core financial systems. However, weaknesses in financial management
processes and IT security controls over these systems continue to
hinder the Department's ability to effectively produce accurate
consolidated financial information. DHS is currently in the process
of developing and implementing a new financial system solution that
will modernize, transform, and integrate financial, acquisition, and
asset management information for DHS components. Once DHS addresses the
current issues in financial processing and IT security controls and
successfully develops and implements a new financial systems solution,
the Department will be able to promote overall efficiency and
effectiveness in its financial management.
Mr. Chairman, this concludes my prepared statement. Thank you for
this opportunity and I welcome any questions from you or Members of the
subcommittee.
Mr. Carney. Okay. Thank you for your testimony.
I now recognize Ms. Daly to summarize her statement for 5
minutes.
STATEMENT OF KAY L. DALY, DIRECTOR, FINANCIAL MANAGEMENT AND
ASSURANCE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Ms. Daly. Mr. Chairman and Ranking Member Bilirakis, thank
you very much for the opportunity to discuss the Department of
Homeland Security's current effort to implement a consolidated
Department-wide financial management system.
Since DHS began operations in March 2003, it has faced a
daunting task of trying to bring together 22 diverse agencies
and developing an integrated financial system. In June 2007 we
reported that the Department had made little progress in
integrating its existing financial management systems and made
six recommendations focused on the need for DHS to define a
Department-wide strategy and embrace disciplined processes to
reduce risk.
In June 2007 DHS officials announced its new financial
management systems strategy, called the TASC program. In
January 2009 DHS issued a request for proposal for an
integrated commercial off-the-shelf software system already in
use at a Federal agency. DHS is currently evaluating the
proposals it has received and expects to award a contract in
January 2010.
Today my testimony will focus on our preliminary
observations related to DHS's implementation of the six
recommendations that we made in June 2007 and two issues that
have surfaced during our recent review that pose challenges to
the TASC program.
Regarding the six recommendations we made in June 2007, our
preliminary analysis indicates that DHS has begun to take
action toward implementation of four of the recommendations,
but all six remain open. We do recognize that DHS cannot fully
implement all of our recommendations until a contract is
awarded because of its selected acquisition approach.
DHS has taken, but not completed, actions related to the
TASC strategy and plan, a concept of operations, disciplined
processes, and key human capital practices and plans for such a
systems implementation. DHS has not taken necessary actions on
two remaining recommendations to standardize business processes
across the Department and to develop detailed consolidation of
migration plans.
I would like to focus on DHS's strategy. The strategy being
taken by DHS does not appropriately consider whether the
acquired system will provide the needed functionality. For
example, the strategy does not require DHS to perform a gap
analysis before the system is selected and to assess the extent
to which COTS-based systems used at another agency have been
customized.
Studies have shown that when an effective gap analysis is
not performed, program officers and contractors have later
discovered that the selected system lacked essential
capabilities. Adding these capabilities later during
implementation required expensive custom development and
resulted in cost and schedule overruns that could have been
avoided.
While updating the status of the six prior recommendations,
we also identified two issues that pose unnecessary risk to the
success of the TASC program. The first issue is DHS's
significant reliance on contractors to define and implement the
program. The Department plans to have the selected contractor
prepare a number of key plans needed to carry out disciplined
processes and define additional business processes to be
standardized and propose a migration approach.
However, DHS has not developed the necessary contractor
oversight mechanism to ensure that a significant reliance on
contractors for TASC does not result in an unfavorable outcome.
Our work on other systems acquisition and implementation
efforts has shown that placing too much reliance on contractors
can result in systems efforts plagued with serious performance
and management problems.
The second issue we identified was that the contractor
hired to perform verification and validation functions for TASC
was not independent. DHS management has agreed, and they
indicated they have restructured the contract to address our
concerns.
In conclusion, Mr. Chairman and the other Members of the
subcommittee, 6 years after the Department was established, DHS
has yet to implement the Department-wide integrated financial
system. The open recommendations from our prior report continue
to be vital to the success of the TASC program.
Given the approach DHS has selected, it will be paramount
that DHS take steps to minimize risk associated with its
strategy in contractor oversight. Failure to do so could lead
to acquiring a system that does not meet cost, schedule, and
performance goals.
So, Mr. Chairman and the other Members of the subcommittee,
this completes my prepared statement, and I would be glad to
respond to any questions you may have at this time.
[The statement of Ms. Daly follows:]
Prepared Statement of Kay L. Daly (with Nabajyoti Barkakati)
October 29, 2009
Financial Management Systems: DHS Faces Challenges to Successfully
Consolidate Its Existing Disparate Systems
Mr. Chairman and Members of the subcommittee: Thank you for the
opportunity to discuss the Department of Homeland Security's (DHS)
current effort--the Transformation and Systems Consolidation (TASC)
program--to implement a consolidated Department-wide financial
management system. Since DHS began operations in March 2003, it has
faced the daunting task of bringing together 22 diverse agencies and
developing an integrated financial management system. DHS officials
have long recognized the need to integrate their financial management
systems, which are used to account for over $40 billion in annual
appropriated funds. The Department's prior effort, known as the
Electronically Managing Enterprise Resources for Government
Effectiveness and Efficiency (eMerge2) project,\1\ was expected to
integrate financial management systems Department-wide and address
existing financial management weaknesses. However, DHS officials
terminated the eMerge2 project in December 2005, acknowledging that
this project had not been successful. In June 2007, we reported \2\ the
Department had made little progress since December 2005 in integrating
its existing financial management systems, and that, from an overall
perspective, the decision to halt its eMerge2 project was prudent. We
made six recommendations focused on the need for DHS to define a
Department-wide strategy and embrace disciplined processes to reduce
risk to acceptable levels.\3\
---------------------------------------------------------------------------
\1\ The eMerge2 project was expected to establish the strategic
direction for migration, modernization, and integration of DHS'
financial, accounting, procurement, personnel, asset management, and
travel systems, processes, and policies.
\2\ GAO, Homeland Security: Departmentwide Integrated Financial
Management Systems Remain a Challenge, GAO-07-536 (Washington, DC: June
21, 2007); and GAO, Homeland Security: Transforming Department-wide
Financial Management Systems Remains a Challenge, GAO-07-1041T
(Washington, DC: June 28, 2007).
\3\ The use of the term ``acceptable levels'' acknowledges the fact
that any systems acquisition has risks and can suffer the adverse
consequences associated with defects.
---------------------------------------------------------------------------
In June 2007, DHS officials announced its new financial management
systems strategy, called the TASC program. At that time, the TASC
program was described as the migration of other DHS component systems
to two existing financial management systems already in use at several
components. After a bid protest was filed regarding the proposed
approach, the TASC request for proposal was revised to acquire an
integrated commercial off-the-shelf software (COTS) system to be
implemented Department-wide. In January 2009 DHS issued its TASC
request for proposal for the provision of an integrated financial,
acquisition, and asset management commercial off-the-shelf software
(COTS) system already in use at a Federal agency to be implemented
Department-wide. DHS is currently evaluating the proposals received and
expects to award a contract in January 2010.
Today, our testimony will focus on our preliminary observations
related to our audit of: (1) DHS' implementation of the six
recommendations we made in June 2007, and (2) two issues that have
surfaced that pose challenges to the TASC program. We have discussed
the preliminary observations included in this testimony with DHS
officials. To address these objectives, we reviewed the January 2009
request for proposal and its attachments, such as the Statement of
Objectives and Solution Process Overview, to understand DHS' plans for
implementing the TASC program. We also reviewed other available
planning documents, such as the Acquisition Plan and the draft concept
of operations, and determined the status of these plans and others to
see if DHS had fully implemented our recommendations. We interviewed
key officials from DHS' Office of the Chief Financial Officer and its
Resource Management Transformation Office (RMTO), including its
Director and Deputy Director for elaboration and to provide additional
perspectives to the information contained in these documents. We also
reviewed the Statement of Work for an independent verification and
validation (IV&V) contractor and confirmed key information about this
contract with the Director of RMTO.
We recently provided our draft report, including recommendations,
on the results of our audit to the Secretary of Homeland Security for
review and comment. We plan to incorporate DHS' comments as appropriate
and issue our final report as a follow-up to this testimony. We
conducted this performance audit from March through October 2009 in
accordance with generally accepted Government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Background
Bid protests and related litigation have resulted in changes to
DHS' approach for the TASC program and have contributed to a
significant delay in awarding a contract. The initial TASC approach was
to migrate its component systems to two financial management systems--
Oracle Federal Financials and SAP--that were already in use by several
DHS components.\4\ Figure 1 shows the key events that have occurred
affecting the TASC program. One of these key events was the filing of a
bid protest regarding DHS' initial TASC approach to migrate its
components to two financial management systems already in use. DHS
subsequently issued its January 2009 TASC request for proposal for the
provision of an integrated financial, acquisition, and asset management
COTS system already in use at a Federal agency to be implemented
Department-wide. A second bid protest was filed over this January 2009
request for proposal and the U.S. Court of Federal Claims dismissed the
protestor's complaint, allowing DHS to proceed with this request for
proposal. However, the protestor filed an appeal of this dismissal in
July 2009. DHS responded to the July 2009 appeal in September 2009 and
DHS officials indicated that the protestor responded to DHS' response
in October 2009.
---------------------------------------------------------------------------
\4\ Oracle Federal Financials was already in use within the U.S.
Coast Guard, the Transportation Security Administration, and the
Domestic Nuclear Detection Office. SAP was already in use within the
U.S. Customs and Border Protection.
---------------------------------------------------------------------------
[GRAPHIC(S)] [NOT AVAILABLE IN TIFF FORMAT]
DHS Has Made Limited Progress in Implementing Our Prior Recommendations
In June 2007, we made six recommendations \5\ to DHS to help the
Department reduce the risks associated with acquiring and implementing
a Department-wide financial management system. Our preliminary analysis
indicates that DHS has begun to take actions toward the implementation
of four of the recommendations, as shown in table 1. However, all six
recommendations remain open. We do recognize that DHS cannot fully
implement all of our recommendations until a contract is awarded
because of its selected acquisition approach.
---------------------------------------------------------------------------
\5\ GAO-07-536.
---------------------------------------------------------------------------
TABLE 1.--DHS' PROGRESS TOWARD ADDRESSING GAO'S RECOMMENDATIONS
----------------------------------------------------------------------------------------------------------------
                                                                   Not Completed
Recommendation                            Completed    -------------------------------------
                                                       Some Actions Taken    No Action Taken
----------------------------------------------------------------------------------------------------------------
Clearly define and document a                                  X
  Department-wide financial management
  strategy and plan to move forward
  with its financial management system
  integration efforts.
Develop a comprehensive concept of                             X
  operations document.
Utilize and implement these specific                           X
  disciplined processes to minimize
  project risk: (1) Requirements
  management, (2) testing, (3) data
  conversion and system interfaces,
  (4) risk management, (5)
  configuration management, (6)
  project management, and (7) quality
  assurance.
Reengineer business processes and                                                   X
  standardize them across the
  department, including applicable
  internal control.
Develop a detailed plan for migrating                                               X
  and consolidating various DHS
  components to an internal shared
  services approach if this approach
  is sustained.
Carefully consider key human capital                           X
  practices as DHS moves forward with
  its financial management
  transformation efforts so that the
  right people with the right skills
  are in place at the right time.
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis of DHS information.
DHS Faces Significant Challenges To Implement Its Financial Management
Strategy and Plan
DHS has developed certain elements for its financial management
strategy and plan for moving forward with its financial system
integration efforts but it faces significant challenges in completing
and implementing its strategy. DHS has defined its vision for the TASC
program, which is to consolidate and integrate Department-wide mission-
essential financial, acquisition, and asset management systems, by
providing a seamless, real-time, web-based system to execute mission-
critical end-to-end integrated business processes. DHS has also
established several major program goals for TASC which include, but are
not limited to:
    creating and refining end-to-end standard business processes
      and a standard line of accounting;
    supporting timely, complete, and accurate financial
      management and reporting;
    enabling DHS to acquire goods and services of the best value
      that ensure that the Department's mission and program goals are
      met; and,
    enabling consolidated asset management across all
      components.
DHS officials stated that this system acquisition is expected to
take a COTS-based system already configured and being used at a Federal
agency as a starting point for its efforts. This approach is different
than other financial management system implementation efforts reviewed
by GAO where an agency acquired a COTS product and then performed the
actions necessary to configure the product to meet the agency's
specific requirements.\6\
---------------------------------------------------------------------------
\6\ GAO, Business Modernization: Improvements Needed in Management
of NASA's Integrated Financial Management Program, GAO-03-507
(Washington, DC: April 30, 2003); and GAO, DOD Business Systems
Modernization: Navy ERP Adherence to Best Business Practices Critical
to Avoid Past Failures, GAO-05-858 (Washington, DC: Sept. 29, 2005).
---------------------------------------------------------------------------
Our review found that the strategy being taken by DHS does not
contain the elements needed to evaluate whether the acquired system
will provide the needed functionality or meet users' needs. For
example, it does not require DHS to: (1) Perform an analysis of the
current processes to define the user requirements to be considered when
evaluating the various systems, (2) perform a gap analysis \7\ before
the system is selected,\8\ and (3) assess the extent to which the COTS-
based system used at another agency has been customized for the
respective Federal entities. Studies have shown that when an effective
gap analysis was not performed, program offices and contractors later
discovered that the selected system lacked essential capabilities.
Furthermore, adding these capabilities required expensive custom
development, and resulted in cost and schedule overruns that could have
been avoided.\9\ Without a comprehensive strategy and plan that
considers these issues, DHS risks implementing a financial management
system that will be unnecessarily costly to maintain.
---------------------------------------------------------------------------
\7\ A gap analysis is an evaluation performed to identify the gaps
between needs and system capabilities.
\8\ Software Engineering Institute, Rules of Thumb for the Use of
COTS Products, CMU/SEI-2002-TR-032 (Pittsburgh, PA: December 2002).
\9\ U.S. Department of Defense, Commercial Item Acquisition:
Considerations and Lessons Learned (Washington, DC: June 26, 2000).
---------------------------------------------------------------------------
DHS Has Recently Developed a Concept of Operations for the TASC Program
The January 2009 request for proposal states that the selected
contractor will be required to provide a concept of operations for
TASC. This concept of operations is expected to provide an operational
view of the new system from the end users' perspective and outline the
business processes as well as the functional and technical architecture
for their proposed systems. On October 21, 2009, DHS provided us with a
concept of operations for the TASC program that we have not had the
opportunity to fully evaluate to assess whether it comprehensively
describes the new system's operations and characteristics. According to
DHS officials, this concept of operations document was prepared in
accordance with the Institute of Electrical and Electronics Engineers
(IEEE) standards.\10\ However, it is unclear how the DHS-prepared
concept of operations document will relate to the selected contractor's
concept of operations document called for in the request for proposal.
---------------------------------------------------------------------------
\10\ IEEE Guide for Information Technology--System Definition--
Concept of Operations (ConOps) Document, Standard 1362-1998.
---------------------------------------------------------------------------
According to the IEEE standards, a concept of operations is a user-
oriented document that describes the characteristics of a proposed
system from the users' viewpoint. A concept of operations document also
describes the operations that must be performed, who must perform them,
and where and how the operations will be carried out. The concept of
operations for TASC should, among other things:
    define how DHS' day-to-day financial management operations
      are and will be carried out to meet mission needs;
    clarify which component and Department-wide systems are
      considered financial management systems;
    include a transition strategy that is useful for developing
      an understanding of how and when changes will occur;
    develop an approach for obtaining reliable information on
      the costs of its financial management systems investments; and
    link DHS' concept of operations for the TASC program to its
      enterprise architecture.
A completed concept of operations prior to issuance of the request
for proposal would have benefited the vendors in developing their
proposals so that they could identify and propose systems that more
closely align with DHS' vision and specific needs.
DHS Has Not Fully Incorporated Disciplined Processes into the TASC
Program
While DHS has draft risk management, project management, and
configuration management plans, DHS officials told us that other key
plans relating to disciplined processes generally considered to be best
practices will not be completed until after the TASC contract is
awarded. These other plans include the requirements management,\11\
data conversion and system interfaces,\12\ quality assurance, and
testing plans.\13\ Offerors were instructed in the latest request for
proposal to describe their testing, risk management, and quality
assurance approaches as well as component migration and training
approaches. The approaches proposed by the selected contractor will
become the basis for the preparation of these plans. While we recognize
that the actual development and implementation of these plans cannot be
completed until the TASC contractor and system have been selected, it
will be critical for DHS to ensure that these plans are completed and
effectively implemented prior to moving forward with the implementation
of the new system.
---------------------------------------------------------------------------
\11\ According to the Software Engineering Institute, requirements
management is a process that establishes a common understanding between
the customer and the software project manager regarding the customer's
business needs that will be addressed by a project. A critical part of
this process is to ensure that the requirements development portion of
the effort documents, at a sufficient level of detail, the problems
that need to be solved and the objectives that need to be achieved.
\12\ Data conversion is defined as the modification of existing
data to enable it to operate with similar functional capability in a
different environment.
\13\ Testing is the process of executing a program with the intent
of finding errors.
---------------------------------------------------------------------------
Disciplined processes represent best practices in systems
development and implementation efforts that have been shown to reduce
the risks associated with software development and acquisition efforts
to acceptable levels and are fundamental to successful system
implementations. The key to having a disciplined system development
effort is to have disciplined processes in multiple areas, including
project planning and management, requirements management, configuration
management, risk management, quality assurance, and testing. Effective
processes should be implemented in each of these areas throughout the
project life cycle because change is constant. Effectively implementing
the disciplined processes necessary to reduce project risks to
acceptable levels is hard to achieve because a project must effectively
implement several best practices, and inadequate implementation of any
one may significantly reduce or even eliminate the positive benefits of
the others.
DHS Has Not Yet Identified All Business Processes Needing Reengineering
and Standardization Across the Department
Although DHS has identified nine end-to-end business processes
\14\ that will be addressed as part of the TASC program, the Department
has not yet identified all of its existing business processes that will
be reengineered and standardized as part of the TASC program. It is
important for DHS to identify all of its business processes so that the
Department can analyze the offerors' proposed systems to assess how
closely each of these systems aligns with DHS' business processes. Such
an analysis would position DHS to determine whether a proposed system
would work well in its future environment or whether the Department
should consider modifying its business processes. Without this
analysis, DHS will find it challenging to assess the difficulties of
implementing the selected system to meet DHS' unique needs.
---------------------------------------------------------------------------
\14\ These nine processes are Request to Procure, Procure to Pay,
Acquire to Dispose, Bill to Collect, Record to Report, Budget
Formulation to Execution, Grants Management, Business Intelligence
Reporting, and Reimbursable Management.
---------------------------------------------------------------------------
For the nine processes identified, DHS has not yet begun the
process of reengineering and standardizing those processes. DHS has
asked offerors to describe their proposed approaches for the
standardization of these nine processes to be included in the TASC
system. According to an attachment to the TASC request for proposal,
there will be additional unique business processes or sub-processes,
beyond the nine standard business processes identified, within DHS and
its components that also need to be supported by the TASC system. For
DHS' implementation of the TASC program, reengineering and
standardizing these unique business processes and sub-processes will be
critical because the Department was created from 22 agencies with
disparate processes. A standardized process that addresses, for
example, the procurement processes at the U.S. Coast Guard, Federal
Emergency Management Agency (FEMA), and the Secret Service, as well as
the other DHS components, is essential when implementing the TASC
system and will be useful for training and the portability of staff.
DHS Has Not Yet Developed Plans for Migrating the New System to its DHS
Components
Although DHS officials have stated that they plan to migrate the
new system first to its smaller components and have recently provided a
high-level potential approach it might use, DHS has not outlined a
conceptual approach or plan for accomplishing this goal throughout the
Department. Instead, DHS has requested that TASC offerors describe
their migration approaches for each of the Department's components.
While the actual migration approach will depend on the selected
system and events that occur during the TASC program implementation,
critical activities include: (1) Developing specific criteria requiring
component agencies to migrate to the new system rather than attempting
to maintain legacy business; (2) defining and instilling new values,
norms, and behaviors within component agencies that support new ways of
doing work and overcoming resistance to change; (3) building consensus
among customers and stakeholders on specific changes designed to better
meet their needs; and (4) planning, testing, and implementing all
aspects of the migration of the new system. For example, a critical
part of a migration plan for the new system would describe how DHS will
ensure that the data currently in legacy systems is fully prepared to
be migrated to the new system.
An important element of a migration plan is the prioritizing of the
conversion of the old systems to the new systems. For example, a FEMA
official stated that the component has not replaced its outdated
financial management system because it is waiting for the
implementation of the TASC program. However, in the interim, FEMA's
auditors are repeatedly reporting weaknesses in its financial systems
and reporting, an important factor to be considered by DHS when
preparing its migration plan. Because of the known weaknesses at DHS
components, it will be important for DHS to prioritize its migration of
components to the new system and address known weaknesses prior to
migration where possible. Absent a comprehensive migration strategy,
components within DHS may seek other financial management systems to
address their existing weaknesses. This could result in additional
disparate financial management systems instead of the integrated
financial management system that DHS needs.
DHS Has Begun Hiring, But Has Not Developed a Human Capital Plan for
the TASC Program
While DHS' RMTO has begun recruiting and hiring employees and
contractors to help with the TASC program, the Department has not
identified the gaps in needed skills for the acquisition and
implementation of the new system. DHS officials have said that the
Department is unable to determine the adequate staff levels necessary
for the full implementation of the TASC program because the integrated
system is not yet known; however, as of May 2009, the Department had
budgeted 72 full-time equivalents (FTE) \15\ for fiscal year 2010. The
72 FTEs include 38 Government employees and 34 contract employees
(excluding an IV&V contractor). DHS officials told us that this level
of FTEs may be sufficient for the first deployments of the new system.
---------------------------------------------------------------------------
\15\ According to OMB guidance, an FTE or work year generally
includes 260 compensable days or 2,080 hours. These hours include
straight-time hours only and exclude overtime and holiday hours.
---------------------------------------------------------------------------
According to RMTO officials, as of August 2009, RMTO had 21
full-time Federal employees with expertise in project management, financial
business processes, change management, acquisition management, business
intelligence, accounting services, and systems engineering. In
addition, RMTO officials stated that there are seven contract workers
supporting various aspects of the TASC program. RMTO also utilizes the
services of the Office of the Chief Financial Officer and component
staff. According to RMTO officials, some of DHS' larger components,
such as Immigration and Customs Enforcement, have dedicated staff to
work on the TASC program.
Many of the Department's past and current difficulties in financial
management and reporting can be attributed to the original stand-up of
a large, new, and complex Executive branch agency without adequate
organizational expertise in financial management and accounting. Having
sufficient human resources with the requisite training and experience
to successfully implement a financial management system is a critical
success factor for the TASC program.
Planned TASC Implementation Efforts Pose Unnecessary Risks
While updating the status of the six prior recommendations, we
identified two issues that pose unnecessary risks to the success of the
TASC program. These risks are DHS' significant reliance on contractors
to define and implement the new system and the lack of independence of
DHS' V&V function \16\ for the TASC program.
---------------------------------------------------------------------------
\16\ Institute of Electrical and Electronics Engineers Standard
1012-2004--Standard for Software Verification and Validation (June 8,
2005) states that the verification and validation processes for
projects are used to determine whether: (1) The products of a given
activity conform to the requirements of that activity and (2) the
software satisfies its intended use and user needs. This determination
may include analyzing, evaluating, reviewing, inspecting, assessing,
and testing software products and processes. The verification and
validation processes should assess the software in the context of the
system, including the operational environment, hardware, interfacing
software, operators, and users.
---------------------------------------------------------------------------
Significant Reliance Placed on Contractors to Define and Implement the
TASC Program
The Department plans to have the selected contractor prepare a
number of key documents including plans needed to carry out disciplined
processes, define additional business processes to be standardized, and
propose a migration approach. However, DHS has not developed the
necessary contractor oversight mechanisms to ensure that its
significant reliance on contractors for the TASC program does not
result in an unfavorable outcome.
Work with other systems acquisition and implementation efforts has
shown that placing too much reliance on contractors can result in
systems efforts plagued with serious performance and management
problems. For example, DHS' Office of Inspector General (OIG) recently
reported \17\ that the U.S. Customs and Border Protection (CBP) had not
established adequate controls and effective oversight of contract
workers responsible for providing Secure Border Initiative (SBI)
program support services. Given the Department's aggressive SBI program
schedule and shortages of program managers and acquisition specialists,
CBP relied on contractors to fill the staffing needs and get the
program underway. However, CBP had not clearly distinguished between
roles and responsibilities that were appropriate for contractors and
those that must be performed by Government employees. CBP also had not
provided an adequate number of contracting officer's technical
representatives (COTR) to oversee support services contractors'
performance. As a result, according to the OIG report, contractors were
performing functions that should have been performed by Government
workers. According to the OIG, this heavy reliance on contractors
increased the risk of CBP relinquishing its responsibilities for SBI
program decisions to support contractors, while remaining responsible
and accountable for program outcomes.
---------------------------------------------------------------------------
\17\ Department of Homeland Security, Office of Inspector General,
Better Oversight Needed of Support Services Contractors in Secure
Border Initiative Programs, OIG-09-80 (Washington, DC: June 17, 2009).
---------------------------------------------------------------------------
Verification and Validation (V&V) Review Function for the TASC Program
Was Not Independent
DHS' V&V contractor was not an independent reviewer because RMTO
was responsible for overseeing the contractor's work and authorizing
payment of the V&V invoices. On October 21, 2009, DHS officials
indicated that they have restructured the V&V contract to address our
concerns by changing the reporting relationship and the organization
that is responsible for managing the V&V contract. Under the previous
arrangement, the V&V contractor was reporting on work of the RMTO, the
program manager for the TASC program, and the RMTO Director was serving
as the COTR \18\ for the V&V contract. As part of the COTR's
responsibilities, RMTO approved the V&V contractor's invoices for
payment. The independence of the V&V contractor is a key component to a
reliable verification and validation function.
---------------------------------------------------------------------------
\18\ COTRs are responsible for monitoring the contractor's progress
in fulfilling the technical requirements specified in the contract.
COTRs often approve invoices submitted by contractors for payment.
---------------------------------------------------------------------------
Use of the V&V function is a recognized best practice for large and
complex system development and acquisition projects, such as the TASC
program. The purpose of the V&V function is to provide management with
objective insight into the program's processes and associated work
products. For example, the V&V contractor would review system strategy
documents that provide the foundation for the system development and
operations. According to industry best practices, the V&V activity
should be independent of the project and report directly to senior
management to provide added assurance that reported results on the
project's status are unbiased.\19\ An effective V&V review process
should provide an objective assessment to DHS management of the overall
status of the project, including a discussion of any existing or
potential revisions to the project with respect to cost, schedule, and
performance. The V&V reports should identify to senior management the
issues or weaknesses that increase the risks associated with the
project or portfolio so that they can be promptly addressed. DHS
management has correctly recognized the importance of such a function
and advised us that they have taken prompt steps so that the V&V
function is now being overseen by officials in DHS' Office of the Chief
Information Officer. It is important that V&V is technically,
managerially, and financially independent of the organization in charge
of the system development and/or acquisition it is assessing.
---------------------------------------------------------------------------
\19\ To provide this objective evidence, V&V contractors analyze,
evaluate, review, inspect, assess, and test software products and
processes.
---------------------------------------------------------------------------
In conclusion, Mr. Chairman, 6 years after the Department was
established, DHS has yet to implement a Department-wide, integrated
financial management system. DHS has started, but not completed,
implementation of the six recommendations we made in June 2007, aimed
at helping the Department to reduce risk to acceptable levels, while
acquiring and implementing an integrated Department-wide financial
management system. The open recommendations from our prior report
continue to be vital to the success of the TASC program. In addition,
as DHS moves toward acquiring and implementing a Department-wide
financial management system, it has selected a path whereby it is
relying heavily on contractors to define and implement the TASC
program. Therefore, adequate DHS oversight of key elements of the
system acquisition and implementation will be critical to reducing
risk. Given the approach that DHS has selected, it will be paramount
that DHS develop oversight mechanisms to minimize risks associated with
contractor-developed documents such as the migration plans, and plans
associated with a disciplined development effort including requirements
management plans, quality assurance plans, and testing plans. DHS faces
a monumental challenge in consolidating and modernizing its financial
management systems. Failure to minimize the risks associated with this
challenge could lead to acquiring a system that does not meet cost,
schedule, and performance goals.
To that end, our draft report includes specific recommendations,
including a number of actions that, if effectively implemented, should
mitigate the risks associated with DHS' heavy reliance on contractors
for acquiring and implementing an integrated Department-wide financial
management system. In addition, we also recommended that DHS designate
a COTR for the IV&V contractor that is not in RMTO, but at a higher
level of Departmental management, in order to achieve the independence
needed for the V&V function. As discussed earlier, DHS officials
advised us that they have already taken steps to address this
recommendation and we look forward to DHS expeditiously addressing our
other recommendations too.
Mr. Chairman, this completes our prepared statement. We would be
happy to respond to any questions you or other Members of the
subcommittee may have at this time.
Mr. Carney. Thank you, Ms. Daly.
I now recognize Ms. Sherry for 5 minutes.
STATEMENT OF PEGGY SHERRY, ACTING CHIEF FINANCIAL OFFICER,
DEPARTMENT OF HOMELAND SECURITY
Ms. Sherry. Thank you. Again, I would like to apologize
again to the committee for getting my testimony in late. Thank
you for your indulgence in that.
Thank you, Chairman Carney, Ranking Member Bilirakis and
Members of the committee, for the opportunity to testify before
you on the Department of Homeland Security's progress and plans
to create One DHS by standardizing financial management.
The DHS mission is to lead a unified National effort to
secure America. This requires a unified Department and an
integrated approach across our various operations, including
financial management. As you know, one of the Secretary's top
priorities is to unify the Department and to create a common
culture: One DHS, one enterprise, a shared vision with
integrated results-based operations.
We have many initiatives under way to continue to build a
One DHS culture, including our commitment to strengthening
internal controls and realigning business processes for
improved efficiency and effectiveness.
To this end I would like to thank the Congress for enacting
the Department of Homeland Security's Financial Accountability
Act. With the passage of the act, we launched an ambitious
multi-year effort to improve financial management and reporting
and to build assurances that internal controls are in place and
working effectively.
The foundation for One DHS strategy is to bring together
the varying perspectives of DHS components to build a
consolidated best practice approach to financial management. As
an example, DHS financial reporting working groups were
established recently to uniformly address financial management
and business process challenges.
Financial managers from the components work together to
identify common areas of weakness, such as accounting for
property, plant, and equipment or undelivered orders. Instead
of components developing individual action plans to address
areas of common weaknesses across the Department, they now work
together to find the best solutions that can be used by all the
components.
We continue to implement initiatives aimed at increasing
financial management competencies. This past fall we released a
DHS Financial Management Policy Manual. This on-line manual
provides Department-wide guidance on budget formulation,
execution, financial management, accounting, and reporting, and
introduces standardization throughout DHS with a focus on
strong internal controls.
We issued the third edition of the Internal Control
Playbook, which outlines our strategy and processes to
eliminate internal control weaknesses and to build management
assurances.
To further unify DHS financial management practices, we are
adopting a Department-wide standard accounting classification
structure. A common accounting line will improve our ability to
capture and report financial information in a consistent and
timely manner across the Department.
DHS received a disclaimer of opinion in its fiscal year
2008 financial statement. However, for the third consecutive
year, audit results show we continue to make steadfast
progress. Auditors noted the Department's progress in
implementing corrective actions and improving the quality and
reliability of our reporting.
Our multi-year corrective action plan led to reducing the
number of material weaknesses from 10 to seven to six in the
past 3 years. We also reduced the number of disclaimer
conditions from 10 to six to three in the past 3 years. Audit
challenges remain, but in more focused areas.
This year we have partnered with the United States Coast
Guard, Transportation Security Administration, and the Federal
Emergency Management Agency to address audit disclaimer and
material weaknesses conditions. As they make improvements on
our financial reporting and strengthen the skills of our
workforce, we continue to move forward to consolidate our
financial system, bringing forward lessons learned from our
previous effort.
Currently, DHS has 13 separate financial management
systems. These systems support different business processes,
numerous accounting lines, and have varying levels of systems
integration, with many still relying on manual processes. This
often results in inconsistent and inaccurate financial data.
DHS's ability to efficiently and effectively manage and
oversee our day-to-day operations and programs relies heavily
on our ability to have financial management systems that
produce complete, reliable, timely, and consistent financial
information for use by DHS managers and leaders.
Although modernization is complex, it is a critical element
of instituting strong financial management as called for by the
CFO Act, SFMIA, the Financial Accountability Act, and other
financial management reform legislation. As we work to address
our financial management challenges in increased transparency
and reporting, the Transformation and Systems Consolidation, or
TASC initiative, it is critical.
The Department will acquire an integrated system solution
that's already operating in the Federal space. We are in the
midst of the TASC acquisition and are on track to select a
vendor by second quarter fiscal year 2010. This important
initiative will enhance mission support and improve our ability
to report financial data in a timely and accurate way.
Financial management has come a long way at DHS, and I am
inspired by the extraordinary efforts of our dedicated staff at
headquarters and in the components to becoming One DHS. I am
committed to pursuing financial management success in the
Department. As we continue our progress to building One DHS, I
look forward to working with the GAO and the IG. Our
relationship will be able to help us improve our efforts to
build a consolidated and integrated Department.
I appreciate the support we have received from our IG, from
the GAO, this committee and Congress. Thank you for your
leadership and your continued support of the Department of
Homeland Security.
[The statement of Ms. Sherry follows:]
Prepared Statement of Peggy Sherry
October 29, 2009
Thank you Chairman Carney, Ranking Member Bilirakis, and Members of
the committee for the opportunity to testify before you on the
Department of Homeland Security's (DHS) progress and plans to create
One DHS by standardizing financial management.
DHS leads a unified National effort to secure America--this
requires a unified Department and an integrated approach across our
varying operations. The Secretary continues to prioritize unifying the
Department and creating a common culture: One enterprise, a shared
vision, with integrated results-based operations. In March, Secretary
Napolitano launched a Department-wide efficiency review to trim costs,
streamline operations, eliminate duplication, and better manage
resources across the Department. This effort includes more than two
dozen initiatives that will increase efficiency, leverage economies of
scale, create a culture of responsibility and fiscal discipline, and
save taxpayers millions of dollars.
We have many initiatives underway to continue to build one DHS
culture, including our commitment to strengthening internal controls
and realigning business processes for improved efficiencies and
effectiveness. To this end, I would like to thank Congress for enacting
the Department of Homeland Security's Financial Accountability Act.
With the passage of the act, we launched an ambitious multi-year effort
to improve financial management and reporting and build assurances that
internal controls are in place and working effectively. We have worked
to standardize business practices as well as executed systematic plans
to correct weaknesses. I look forward to continuing to work
collaboratively with Congress, the Government Accountability Office,
the DHS Office of the Inspector General, the Office of Management and
Budget, and our independent auditor to further strengthen internal
controls and improve and standardize financial management practices
across the Department.
Strategies for Standardizing Financial Management
The financial management community is employing multiple strategies
to bring together the varying perspectives of DHS components to build a
consolidated best-practice approach to financial management at DHS.
As an example, DHS financial reporting working groups were
established to uniformly address financial management and business
process challenges. Financial managers meet regularly to identify
common areas of weakness and develop strategies usable by all
components. This approach allows components to share success strategies
with other components struggling in the same area. We also created a
``Component Requirements Guide'' that contains approximately 40
standard financial reporting processes. Implementing standard processes
across the components has resulted in providing ample, reliable, timely
data and meeting financial statement submission deadlines.
Last fall, we published the first-ever DHS Financial Management
Policy Manual, which provides a standard set of financial management
policies with a focus on strong internal controls. This manual,
developed with input from all DHS components, is an on-line repository
of Department-wide guidance for program and budget formulation, budget
execution, financial management, accounting, and financial reporting.
To further unify DHS financial management practices, we are
adopting a Department-wide standard accounting classification
structure. To do this, we are defining the standard fields for the DHS
accounting line using the Common Government-wide Accounting
Classification (CGAC) structure issued by the Financial Systems
Integration Office in cooperation with the Office of Management and
Budget (OMB). A common accounting line will allow DHS to capture and
report financial information in a consistent and timely manner across
the Department. Staff from across DHS financial, budget, acquisition,
asset management, and program management communities are working
together to implement the new standard.
DHS has more than 230,000 employees, and we have more than 2,000 in
the financial management community dispersed throughout the United
States. In order to help bridge our geographic separation, my office
hosts a training session for all new employees in the DHS financial
management community. This program welcomes new employees into DHS,
provides a comprehensive introduction to financial management at DHS,
and trains employees on a common set of core competencies, including
the responsibilities of all financial managers to support and reinforce
strong internal controls and the principles of fiscal law. It also
provides an opportunity for staff in different components to meet,
share ideas, and form a valuable network with other financial
management professionals at DHS. Over the past 2 years, we have hosted
five of these events with over 450 employees attending, nearly 30
percent of whom were from outside the Washington, DC area.
Strengthening Internal Controls to Standardize and Improve Financial
Management
DHS has been working diligently to correct its financial
weaknesses. When DHS was first stood up, there were an estimated 100
financial management systems across the 22 components. Further, we
inherited 30 significant financial reporting deficiencies, with 18
classified as material weaknesses. These conditions hampered the
Department's ability to produce timely, reliable financial data in
support of a clean audit. Over the last several years, however, the
annual financial statement audits have shown continued improvement
toward consistent and accurate financial reporting.
We have institutionalized a strong strategy, updated annually in
our Internal Control Playbook, across DHS to address the remaining
weaknesses. For each financial management weakness, we: Identify the
root cause(s); design strong, actionable plans to address the weakness;
and then track our progress against those plans. My office leads the
efforts, and I work closely with component CFOs to oversee and monitor
progress throughout the year. Our independent auditors report that the
Department continues to make good progress implementing corrective
actions and improving the quality and reliability of our financial
reporting. Consider the following accomplishments that offer validation
that our strategy is working:
DHS reduced the number of material weaknesses from 10 in
fiscal year 2006, to seven in fiscal year 2007, to six in
fiscal year 2008.
The Secretary's Financial Reporting Assurance Statement has
improved from a statement of no assurance in fiscal year 2005
to a statement that good internal controls are in place in
fiscal year 2008. For fiscal year 2009, the Department's goal
is to provide our first-ever assurance that internal controls
are working, with only a few exceptions.
The Department is on target to have five favorable opinions
on audits of individual component balance sheets in fiscal year
2009, and the goal is to have isolated the adverse conditions
that prevent completion of an audit area to one component which
has detailed multi-year plans to remedy these conditions.
Our remaining audit challenges are now contained to a few specific
areas. We continue to partner with and provide oversight of the U.S.
Coast Guard, Transportation Security Administration, and Federal
Emergency Management Agency to address the remaining audit disclaimer
and material weakness conditions. This joint effort has produced
significant improvements; for example, I expect the number of material
weaknesses at FEMA to be reduced for the second consecutive year.
Key to the Department's continued progress toward good financial
management is the ability of the components to produce consistent,
reliable financial data. An integrated, enterprise-wide financial
acquisition and asset management system will make it easier to
implement and maintain stronger internal controls and to ensure
consistent, accurate, and reliable financial information across DHS.
financial systems consolidation
DHS is moving forward with a financial system consolidation effort.
This will greatly improve the quality of and control over DHS financial
data, make the financial accounting process more efficient throughout
DHS, and reinforce standard business and financial management
practices. Currently, DHS has 13 separate financial management systems.
While we have made significant progress standardizing various aspects
of financial management in DHS, the 13 systems support different
business processes, numerous accounting lines, and have varying levels
of system integration--with many still relying on manual processes.
This often results in inconsistent and inaccurate financial data.
Further, maintaining multiple systems across the Department means
duplicative operations and maintenance costs, and high overhead when
upgrades, support services, and system changes are necessary.
As we work to address our financial management challenges and
increase transparency, consistency, and accuracy, the Transformation
and System Consolidation (TASC) initiative is critical. The Department
will acquire a proven, integrated system solution that meets Federally
defined financial business processes requirements, as issued by the
Financial Systems Integration Office in cooperation with OMB. We are in
the midst of the TASC acquisition and will select a vendor by the
second quarter of fiscal year 2010. We have also developed a strong
program management office to provide full-time, day-to-day oversight of
the integration process to help ensure success. This important
initiative will enhance mission support and improve our ability to
report financial data in a timely and accurate way.
lessons learned from previous efforts
In September 2006, the Department ended the Electronically Managing
Enterprise Resources for Government Effectiveness and Efficiency
(eMerge2) systems initiative since it failed to build the necessary
integration between the various commercial off-the-shelf software
solutions. The effort was budgeted at $252 million but was halted after
$52 million was spent on the project.
We have learned from eMerge2 and have applied those lessons to the
TASC initiative. Rather than building a new system from scratch, as was
the eMerge2 strategy, DHS is acquiring an existing, already integrated
Federal system that follows established standard Federal financial
business processes with defined key internal control requirements.
Putting in place an integrated system with standard processes will
allow us to produce data that is consistent and incorporates strong
internal controls to ensure financial transactions are properly
processed, verified, and accurately recorded. In addition, TASC will
take a phased approach to implementation rather than having the entire
Department go live at once.
Another key lesson learned from eMerge2 is the importance of having
adequate Federal staffing and strong oversight of contractor
performance. To this end, we have put in place a robust team of full-
time Federal employees with expertise in project management, systems
accounting, change management, acquisition management, business
intelligence, accounting services, and systems engineering. We also
have an on-site Independent Verification and Validation team in place
to monitor and evaluate every aspect of the program as we move forward.
conclusion
We have demonstrated our commitment to developing and executing
strong, actionable plans that improve our financial management with
strong internal controls. Consolidating our financial, asset, and
acquisition systems will accelerate and sustain Department-wide
progress in our efforts for efficiency, effectiveness, transparency,
and accountability. As DHS undertakes its transformation and system
consolidation effort, the Department's financial management
infrastructure will become more stable and will significantly
contribute to achieving the intended goals of the DHS Financial
Accountability Act.
Financial management has come a long way at DHS. I continue to be
inspired by the extraordinary efforts of our dedicated staff both at
headquarters and in the components, and I am committed to pursuing
financial management success. I appreciate the support that we have
received from our Office of Inspector General, the GAO, this committee,
and Congress. Thank you for your leadership and your continued support
of the Department of Homeland Security. I would be happy to answer any
questions you may have.
Mr. Carney. Thanks, Ms. Sherry.
I want to thank each of the witnesses for their testimony.
I remind each Member that he or she will have 5 minutes to
question the panel. I now recognize myself for 5 minutes.
Ms. Daly, let us begin with you. The news we heard is not
good. It seems like it might be improving, but we are 6 years
down the line now, over 6 years, and we are at a place where
accountability, you know, is trying to be the watchword of the
day, especially accountability for taxpayers' dollars, and we
are having a tough time with that at DHS.
From your opinion, you know, is the news improving? What
needs to be done that hasn't been done yet? What sort of time
frame are we looking at for improvement, I mean for doing
things in a standardized way that we have transparency and
accountability of taxpayers' dollars?
Ms. Daly. Mr. Chairman, I think DHS faces a monumental task
in pulling together the information needed. I am not familiar
with the time frames that they have in place, but I can assure
you from our review of the TASC program that we have certain
concerns with the strategy they are taking related to TASC and
not doing a detailed, structured GAAP analysis of the proposed
system to what they want their future business processes to be.
Without taking that particular step, I think they are
increasing their risk related to that program.
Mr. Carney. Mr. Taylor, how do you respond to that?
Mr. Taylor. Well, sir, we haven't completed our report on
TASC itself. However, in viewing the prior attempts of the
Department to try to have an integrated financial system, it
included a lack of identified requirements, clear requirements.
It included a lack of adequate oversight capabilities, the
trained contractor specialists we talked about, and it
included, as is mentioned by the committee, the over-reliance
on contractors.
If those three things still exist, then the Department is
truly in a high-risk environment for being able to implement
anything successfully.
Mr. Carney. Are we on track to fix that, Ms. Sherry?
Ms. Sherry. Thank you, sir, and yes. I appreciate the
comments from both the GAO as well as the IG and do know that
the Department is absolutely committed to working with you and
to making sure that the recommendations are fully implemented.
I do believe that we are on track, sir, to be able to
address some of these recommendations. I look forward to
working with them as they further develop their report.
We did learn quite a bit from the initial eMerge effort.
The initial eMerge initiative basically failed on the idea that
we were developing the system. What we were doing was gathering
thousands and thousands of requirements, and ultimately the
submission failed on its inability to be able to integrate
everything.
That is not the strategy the Department is implementing
currently. Instead, what we are doing is we are acquiring a
solution that is----
Mr. Carney. No, I think it was unplugged. She is doing
something down front here.
Thank you.
Mr. Taylor, the Department decided that it was going to use
a commercial off-the-shelf, or COTS, system to do this. Is that
a good idea?
Mr. Taylor. That is usually required by OMB. I have been
involved with this in the past, and when you do your own
development, you add a level of risk that most agencies are
going to find unacceptable.
Mr. Carney. So that was not a good idea, then.
Mr. Taylor. To use COTS is a good idea.
Mr. Carney. Yes, it is.
Mr. Taylor. It is. I am sorry, sir. Yes, it is. To do your
own development, to do a custom software development is a bad
idea, because then you are introducing a higher level of risk.
The COTS has been tested in the Federal environment, and there
are a number of vendors out there who can provide it and that
there was success, and there is usually an implementation you
can look at and learn from in terms of best practice.
Mr. Carney. Okay. Well, kind of along those lines, what
agencies use integrated systems that can serve as a model for
the Department's efforts? I mean, you know, we got a big
Government out there. There are probably some cases we could
have that we could point to which are the best.
Mr. Taylor. Sure, absolutely. Yes, sir. Most agencies have
been through the kind of agony, I guess, that the Department of
Homeland Security is going through now.
In my experience at the Department of Commerce, we went
through this between 1997 and 2003, implementing from a
decentralized approach to a centralized system. The Department
of Transportation has been through the same thing. I believe
Agriculture has been through it. There are a number of agencies
that have gone through this that had, and there are a number of
best practices.
There also are vendors out there in the Federal sphere or
other departments and agencies who provide these services, so
instead of having to do your own implementation, you can
purchase the support from those organizations instead of having
to do this for yourself.
Mr. Carney. Okay. I think we have a problem with the timers
here. I imagine my time is about up. I will recognize the
Ranking Member from Florida, Mr. Bilirakis, for 5 minutes, and
I guess I will be the official timekeeper here with my 12-year-
old Swiss Army watch.
Mr. Bilirakis. I won't take the 5 minutes.
Mr. Carney. There you go.
Mr. Bilirakis. Ms. Sherry, much was said about the
importance of leadership from the top to the success of the
financial consolidation efforts. Have the Secretary and deputy
secretary been briefed on TASC, the TASC initiative? Are they
supportive of the current plan?
Ms. Sherry. Yes, sir, thank you very much. Yes, we have had
the opportunity. I have had the opportunity to brief the
Secretary and the deputy secretary on not just the TASC
initiative, but also on the state of financial management at
DHS. They understand the criticality of having a
system solution in order to be able to move the Department
forward.
Mr. Bilirakis. So they are supportive.
Ms. Sherry. It is in line and in keeping with the One DHS
initiative that is so important to the Secretary.
Mr. Bilirakis. Okay. What impact has the lack of a
permanent under secretary for management and a permanent CFO
had on the Department's ability to implement TASC?
Ms. Sherry. Other than just making me really busy, it
really has not had much of an impact, sir. The under secretary
for management has been very engaged, and I think, as you may
or may not be aware, we actually have a deputy under secretary
for management as well, so they have been very engaged as well
as very supportive with us.
When I go back to my full-time job, or my regular job--I am
the deputy CFO also--and this is clearly a very important
initiative, and one that I will be primarily responsible for
sure, sir.
Mr. Bilirakis. Okay. How, if at all, has the Department's
financial management oversight and consolidation efforts
changed under the new administration?
Ms. Sherry. I don't really think that we have had a chance,
sir. I think that management--you know, having strong
management with the Secretary having been a former Governor, I
think that she is a very strong executive leader, and I think
that she really understands and completely supports either the
objectives and goals of my offices, you know, to continue to
standardize processes throughout the Department and to really
make financial management, good financial management, just
basic, you know, part of every day, you know, what it is that
we do, rather than something that we have to continually come
up and, you know, explain the reason why we are not doing very
well. She is very supportive of it.
Mr. Bilirakis. Can you explain why TASC will cost so much
more than eMerge2?
Ms. Sherry. I am sorry, sir. Can--why TASC would cost----
Mr. Bilirakis. Why it would cost so much more than eMerge2?
Ms. Sherry. I can't really speak to the total cost of what
eMerge2 was, sir. I know that the Department had spent about
$52 million before they actually stopped the initiative, so I
can take that for the record and possibly get back to you on
that.
Mr. Bilirakis. What controls do you have in place to make
sure the contract doesn't--there are no overruns?
Ms. Sherry. There are several things that we have got in
place currently, and I completely agree with both the GAO as
well as the IG to be able to say strong contractor oversight is
paramount. It will be paramount to the success of this
initiative, and I do believe that that may have been one of the
failings also of eMerge was the inability of the Department to
necessarily be able to, you know, make sure I have that
oversight over the contractors.
My office in particular has been staffing up very heavily
to have a very strong project management office. We have worked
with the other large acquisition efforts within the Department
to be able to really have lessons learned from them, to find
out how we should structure our PMO office.
We talked a little bit about some of the other departments
that have initiatives under way. We have done heavy outreach
with them to find out exactly what they--not only what the
lessons learned from the standpoint of what they have done
well, but also in particular what they haven't done well, so
that we can try to avoid those mistakes as well.
The other thing that we have within the Department which is
different, I think, than when the eMerge2 initiative was begun,
is a stronger oversight throughout DHS for large acquisition
projects.
We have the Management Directive 102, which really governs
the acquisition review process, where you have discipline
processes, including a--a con ops, as Ms. Daly referred to.
You have required documents that, you know, that the
project must be able to have completed, get reviewed, and to
have been accepted through the different keys throughout the
Department, as well as through the deputy secretary and in the
acquisition community within DHS, as well as having a systems
engineering lifecycle documentation and process that was really
intended to review the acquisition at every step of the
process.
So in other words, and before you are able to go to a next
particular gate, you have to go before the deputy secretary and
all the people that I just mentioned and to be able to
demonstrate why you are ready to do that.
Mr. Bilirakis. Okay. Thank you very much.
I hope I was under 5 minutes, Mr. Chairman.
Mr. Carney. Exactly 5 minutes, according to my watch.
The Chairman now recognizes my good friend from New Jersey,
Mr. Pascrell, for 5 minutes.
Mr. Pascrell. Mr. Chairman, let me start by saying this,
that if we do not address the bureaucratic questions at
Homeland Security by the next go-round, I want to commit to
you, Mr. Chairman, that I will not vote for one dime for the
Department. I want to make it very clear right now, and I want
to agree with your opening remarks about we have heard a lot of
this before. It is kind of redundant. We need a re-do here.
I don't think we need so much financial consolidation as
consolidation with a capital C. This is a bureaucracy that has
become cumbersome.
I am sorry, Mr. Taylor, we cannot make comparison to other
departments, because this Department that we are talking about
today has the responsibility, as you better than I know, to
secure the homeland. This is a different--you are comparing
apples and oranges, and I really want us to focus in on the
very nature and uniqueness of this Department.
The demands that we place on Homeland Security are
unproductive. I can remember Secretary Chertoff sitting out
there, telling us, enumerating how many committees his folks
have to answer questions for. It is ridiculous. We haven't
changed anything about that. We are wasting your time most of
the time, when we fail to see our main objective in securing
the homeland.
How many committees do you have to answer to, Mr. Taylor?
You are still counting, I am sure.
Mr. Taylor. Yes, sir, we are counting on our fingers and
toes right now. Ninety-one.
Mr. Pascrell. Ninety-one committees. Now, 91 committees.
Your request for the budget was $55 billion--correct me if I am
wrong--$55-plus billion.
Mr. Taylor. I will defer to Ms. Sherry on that.
Mr. Pascrell. Is that correct?
Ms. Sherry. Yes, sir. The net number is $42.8 billion.
Mr. Pascrell. Yes, we have a very serious problem here.
This is not going to go away with one committee hearing, but I
want to commend you for zeroing in on it and not accepting. We
don't even know the percentage of procurements in the last
administration--how many were bid. We don't even know that.
So, Mr. Chairman, I want to thank you for calling the
hearing. I really hope that people understand the importance of
this topic. Clearly, if we get a hearing on terror threats or
vulnerabilities to attack, we would probably get more attention
from the media in public and the public.
But I want to be clear when I say this. One of the greatest
threats to the Nation's security is the bureaucracy itself. We
are fighting an enemy that is not State-based. They don't have
a large bureaucratic infrastructure of multi-layered control.
Their greatest asset is the ability to operate in relative
silence and to change direction quickly in order to attack our
vulnerabilities. A bloated Homeland Security bureaucracy is
one, I believe, of our biggest vulnerabilities.
After the attacks of September 11, 2001, Members of the
Congress from both sides of the aisle pushed the Bush
administration to create this Department. I certainly think
that was the right decision, but if all we have done is to
throw over 100 Federal entities together and call it a day,
well, then I believe we have made our Nation less safe and not
more safe.
The whole point of creating a Department of Homeland
Security was not only to increase coordination, which I think
we may be getting better at, but also to streamline the process
by which a threat reported in the field can quickly and
effectively get to higher command to take action. This is what
they should be all about.
I am not convinced that we have cut down on these layers
from top to bottom. I am not convinced at all. Few things make
this point more clear than the fact that 6 1/2 years after its
creation, the Department of Homeland Security has yet to
implement a Department-wide integrated financial management
system--6 1/2 years later.
If we can't even keep track of all the billions of dollars
in taxpayers' funds, then how can we find the excess, how can
we find the ways, how can we possibly get rid of the bloat in
the democracy? How can we defend the republic?
I have a couple of more questions. I will come back after--
my time is up?
Mr. Carney. Very good. I don't want this to turn into a
colloquy, but I think Mr. Pascrell is exactly right. If this
was about a specific threat to the homeland, CNN would be here,
and we would have a lot more coverage. But this is actually
what Government does. This is the nuts and bolts stuff that no
one pays attention to, but is absolutely as important to
protecting the homeland as anything else that we do, so we
can't underestimate the importance of getting this right.
So, you know, we have often heard that when in the private
sector you would take organizations of the size that comprise
now DHS and put them together, it would be a 5- to 7-year
transition to get them into one sort of unit. We are at the
6 1/2-year mark now, and we sure see the seams and the
fissures that exist.
We got to do better, and we got to do it thoughtfully, but
holy cow, folks, you know, this is getting to a point where we
need to start asking the tough questions about are we secure,
more secure, than we have been? I think we probably are, but we
have got to solidify. We have got to have the foundations in
place.
So to that end, you know, hearings like this occur and
questions like these are asked. You know, folks like Mr.
Bilirakis and Mr. Pascrell and I come and, you know, we want to
make it better for everyone.
Ms. Sherry, according to the GAO's most recent audit, the
Department has taken very limited action toward implementation
of four of its recommendations and since, you know, they made
those recommendations in June 2007, about a year-and-a-half
ago, it has taken no action on the remaining two. Can you tell
me why?
Ms. Sherry. Yes, sir. Part of the reason is because we have
not selected a solution. What the Department has done is we
have taken to heart all of the recommendations and have
implemented those that we can, sir, and we will continue to
work with the GAO as well as the IG to make sure that we fully
implement all of the recommendations at the time that we have
selected the actual solution.
So, for instance, one of the recommendations was to develop
a con ops, a concept of operations, and we have done that. It
is in accordance with the IEEE standard within, you know, the
recognized standards, and what we will do is it is based on all
the information that we know currently without actually knowing
the actual solution. What we will do is we will work to update
all of them once we have actually awarded the contract.
Mr. Carney. Once again, can I ask a time frame question?
Ms. Sherry. Absolutely, sir. We are on target currently to
be able to award the contract in second quarter of 2010.
Mr. Carney. Second quarter of 2010.
Ms. Sherry. Yes, sir.
Mr. Carney. Okay. So we will certainly see you back here
roughly in that time frame and----
Ms. Sherry. I look forward to it.
Mr. Carney [continuing]. Get more accountability there.
Mr. Bilirakis, any questions?
Mr. Bilirakis. Thank you, Mr. Chairman.
Ms. Daly, your written testimony expresses concern about
the Department's reliance--I know you touched on this--on
contractors for the implementation of TASC and notes that the
Department has not developed necessary contract oversight
mechanisms. I would have hoped that the Department would have
learned from its problems with SBI.
My question is what actions would you recommend that the
Department take to enhance contract oversight?
Ms. Daly. I think the Department could take a number of
steps that are based in what the Software Engineering Institute
has recommended for these types of software implementations.
There are a number of tasks that they have planned to do in the
future, but that have not been formalized yet. A lot of these
are very important. I think what we have seen at other agencies
is that if these steps are not taken, what can happen is the
cost and schedule overruns that none of us want to occur.
One of the key examples I can give you are things such as
having a good testing plan in place. What you often see on a
system that gets rolled out is that the people that are for the
Government are relying on the contractors to develop a good
testing plan, and the Government officials need to understand
what are the right testing steps to take so that a good
comprehensive test is done that identifies all the defects so
those defects can be addressed before they are ruled out. Those
are the types of mechanisms we think would be important for the
Department to have in place.
Mr. Bilirakis. Can you comment on that, Ms. Sherry?
Ms. Sherry. Yes, sir. Thank you. We are in complete
agreement with that. I think that we have learned quite a bit
since the eMerge initiative, and we are in complete agreement
that we really do need to have strong contractor oversight.
You know, referring to some of the systems engineering
lifecycle steps, we are absolutely going to make sure that we
incorporate all of them. We will be working with the contractor
on the testing plans. We are not going to hand over simply to
the contractor to be able to do the work for us.
It is somewhat different than the SBInet initiative. Again,
absolutely we have learned from the things that we did not do
right in that initiative. But this is not a development effort,
you know, that what the Department is doing is we are acquiring
an already integrated, proven system that is working currently
in the Federal space, you know. So we will know a lot about the
system, and we will not actually be developing the system.
But we are absolutely committed to being able to use all of
those discipline processes, such as making sure that you have a
strong testing plan, working with our science and technology
group that has lots of expertise in this particular area, and
also as we come before our acquisition review board, having to
prove to them before we are able to go on to next step that we
in fact do have solid test plans.
Mr. Bilirakis. Thank you.
Mr. Taylor, the inspector general has done considerable
work in the area of Department financial management. In your
opinion does the Department have sufficient personnel in both
the financial offices and the procurement offices to provide
sufficient oversight over the systems migration in the contract
without any over reliance on contractors? That is my question.
Mr. Taylor. Without speaking directly to TASC, because we
are working on that right now, based on the work we have done
previously, we have a lot of concern about that, concerns
because the component organizations have skills deficiencies in
both procurement as well as financial management. So to layer a
very comprehensive integration effort on top of that would be
posing even more risk. So we are very concerned about that,
sir.
Mr. Bilirakis. Thank you very much. Appreciate it.
I yield back, Mr. Chairman.
Mr. Carney. Thank you.
The Chair now recognizes Mr. Green for 5 minutes.
Mr. Green. Thank you, Mr. Chairman. I thank you for--and
you, the Ranking Member, as well--for hosting this important
meeting.
I am honored to have an opportunity to speak to the
witnesses, and I thank you for being here today.
My concerns probably have been addressed, and I apologize,
because we have a Financial Services hearing that is taking
place, and we have Mr. Geithner, and we have a host of others,
and we are obviously having to deal with some of the great
issues of our time. But this does not in any way excuse me from
the issues that we have to contend with at Homeland Security.
They, too, are among the great issues of our time.
I am concerned about the means by which we can do some of
the small things. For example, we had the TWIC card issued, but
we did not have a card reader. It seems to me that that was
something that did not necessitate a real study to know that if
you are going to have the card and the reader, it would
probably be prudent--judicious, if you will--to have both the
card and the reader presented, make a debut, be put to use at
the same time.
Last time I checked, we still didn't have a reader that
would work with the cards and we are still exploring the
possibility of acquiring a reader for cards that we have
issued.
I remember when we had the former Secretary here, whom I do
not in any way intend to demean, but I do remember commitments
being made about the cards and the readers, and we never
actually got that done. So little things like that leave an
indelible memory such that it becomes difficult to get a grip
on how we can do some of these very complicated things if we
don't do these little things.
So let me ask, for fear that I may have missed something,
have we deployed the reader for the TWIC cards?
Ms. Sherry. I can find out for you, sir. I apologize. I
don't know that right off the top of my head. I will find out
and get back to you.
Mr. Green. Does the representative from GAO know?
Ms. Daly. Congressman Green, I am sorry. I am not aware of
the status of that.
Mr. Green. Okay. All right. That is one example.
Let us move to another one: P28. I had the good fortune to
be here while we had much said about P28. Most of what was said
by way of witnesses was good in the sense that P28 was supposed
to provide us with a model, a prototype that was to at some
point be replicated such that we would have this system that
allowed us to have a merging of various security devices as
well as something as simple as a fence such that we would be
able to monitor our border effectively.
The P28 didn't quite work out at build after we were billed
a lot of money. We spent a lot on P28, and it is a little bit
disappointing for us not to get the product that we paid for.
Taxpayers are demanding people, and when we spend their money,
they would like to see the results that are promised.
I am not going to ask you to give me an update on P28. I am
merely mentioning these things such that I can provide you
examples of how we clearly can do better with better
management, better oversight.
It is my hope--excuse me--it is my hope, my sincere desire
that we find a means by which we can have GAO, which plays an
important role in this process--GAO provide us with some of the
acid tests that we ultimately will have to confront at the
genesis of these operations, as opposed to what appears, from
my perch, to be an understanding that manifests itself after we
get into revelations.
Revelation is a bad time to know what is expected of you.
You ought to know what is expected of you somewhere at genesis
or shortly thereafter, so that you can perform and maybe you
will get some sort of heavenly blessing as a result of good
performance.
Unfortunately, we don't get, it seems to me, the marriage
between what GAO is going to monitor and what the contractors
are going to do by way of performance. We don't get that early
enough in the process. So my hope is that we will get that
done.
Mr. Chairman, I am 17 seconds over. I thank you, and I
yield back the balance of my time.
Mr. Carney. Thank you, Mr. Green.
Mr. Pascrell, for 5 minutes.
Mr. Pascrell. Thank you, Mr. Chairman.
Most of the bipartisan 9/11 Commission recommendations have
been addressed sooner or later in the past couple of years
except for one glaring oversight. That is what we are talking
about today: The bureaucracy in Homeland Security has not been
addressed.
I would suggest, Mr. Chairman, that the leadership of both
parties must be confronted on this particular issue. I just
gave one example before about how many committees they have to
come before and how many divisions and the total lack of
coordination, which does not help our intelligence apparatus
one iota. So I think they need to be confronted.
Ms. Sherry, I know in your testimony you talked about
Secretary Napolitano's efforts towards efficiency and effective
financial management. Can you talk specifically towards my
point and address how the new initiatives towards financial
management will lend themselves to streamlining operations in
the Department of Homeland Security?
Ms. Sherry. Yes, sir. Thanks for the question. I am happy
to address that. This initiative really does speak to the One
DHS issues that I think that you are addressing as far as the
bureaucracy. I think that we recognize that that is something
of an issue that can potentially hold us back from operating
efficiently and effectively. That is something, clearly, that
Secretary Napolitano is aware of.
Several of the things that we are going to be able to do in
this IT initiative that are outside of the actual financial
management initiatives that we have going on that I have
mentioned, such as the Financial Management Policy Manual, you
know, us having working groups where we are trying to come up
with collective solutions to common problems, some of the
things that this IT solution will do in addition to that will
be to standardize business processes throughout DHS.
There are requirements. There are FSIO standards, what are
called FSIO standards, which is done by OMB and the GSA with
input from the various agencies that basically talk about best
practices on how you do standard business processes throughout
the Government.
One of the objectives of the FMLoB initiative of the OMB is
to be able to make more standardization in some of those
processes that you can standardize that the Government, such as
paying a bill. The idea that you are going to be paying a
bill--you really shouldn't be doing it in a bunch of different
ways.
What we currently have at DHS are, you know, the different
components who pay bills differently, and the reason they have
to do that is because they maybe have different types of
systems. Some of them have legacy issues that come along with
them.
They have different integration so that in one instance you
have full integration, so once you put in a procurement or you
put in an award contract, it neatly populates your financial
system. In other components we don't have that. Well, you know,
what you do is you actually put something into the procurement
system and then you rely on a manual transfer over into your
financial system.
So the idea that we can have the integration, which will
really bring about more of that One DHS and the standardization
of the processes, and what comes along with that are internal
controls, the idea that you should have strong key internal
controls as outlined in FSIO and as has been validated through
our A123 process, which is the Federal Government's equivalent
to, like, Sarbanes-Oxley, where we go out there, where
management goes out there and we identify how are we doing
business currently, such as paying a bill and identifying
within each component what should we be doing differently, such
as having segregation of duties and, you know, so that the
person who puts in the contract and approves the contract is
not the same person who actually ends up paying the bill, so
that we can minimize the risk of fraud.
So things of that nature, sir, and IT solution in addition
to these other initiatives that we have on-going will help
bring about standardization at the Department.
Mr. Pascrell. Thank you.
Mr. Taylor, the GAO has had the management study of
Homeland Security, made recommendations. A couple of them have
not been done. We know, and I think you would agree with me,
that we are not talking about bureaucracy in the Transportation
Department. We are talking about bureaucracy in defending the
country, which is a heck of a lot more serious, it would seem
to me.
Let me ask you this. Is this Department manageable?
Mr. Taylor. Sir, I believe it is.
Mr. Pascrell. You believe it is.
Mr. Taylor. That is my personal opinion. I don't have a
report to show you from the IG's office that that concludes
this is a manageable office. We have done work on the
organization of the Department, particularly before the second
stage review that was conducted 3 years ago. We concluded there
were inefficiencies, some of which were addressed in the second
stage review. We think the Congress addressed some of the
concerns when they mandated a reorganization of FEMA and the
grants program within the Department.
Is the Department perfectly constructed in terms of
inefficiencies? Absolutely not. But there has been progress
since 6 1/2 years ago towards making it more manageable.
Mr. Pascrell. So at this point you would say, and what you
have seen and what you have done and what your GAO has
concluded, that the Department itself could be organized
differently, perhaps, which is a problem with results that we
have gotten. Or would you say that?
Like, you know, George Kennan used to talk about democracy
in that sense. It was like a huge dinosaur that needed its tail
whacked once in a while. I think of dinosaurs when I think of
the Homeland Security Department, having been in this effort
since 9/12.
This is in my bone marrow. This is important to protecting
our neighborhoods. I am not sure that we have created the right
Erector set. I am not so sure. So I am listening and reading
what you have to put out every time you do it.
Thank you, Mr. Chairman.
Mr. Carney. Thank you, Mr. Pascrell.
Let us for a moment talk about kind of specific numbers, as
long as we have the opportunity here.
Ms. Sherry, how much do you think it is going to cost to
actually implement TASC?
Ms. Sherry. Sir, the independent Government cost estimate
is at $450 million.
Mr. Carney. Okay.
Ms. Daly, would you care to comment on that?
Ms. Daly. Our work has not examined the dollars that are
associated with this effort yet, but we plan to look into that
more in our future work for the committee.
Mr. Carney. Mr. Taylor.
Mr. Taylor. In my testimony, sir, I mentioned $1 billion.
That was the figure that was provided in testimony 3 weeks ago
by the under secretary for management. I think that includes--
being from the CFO side originally, it depends on how you
measure things. You know, is it the core financial system we
are talking about? Is it everything, including all the
components efforts?
Depending on how you measure this, the under secretary for
management saying it is a billion-dollar effort, so we are
assuming it is a billion-dollar effort.
Mr. Carney. So more than twice what Ms. Sherry thinks the
price is.
Mr. Taylor. Depending on how you measure it, yes, sir.
Mr. Carney. So are you telling me we can't even come up
with a consistent definition or consistent measures of what we
are trying to accomplish here?
Mr. Taylor. I contend that the IG's office has not been
provided with an estimate and the definition of what that
estimate includes.
Mr. Carney. Can the IG's office tell me who is in charge of
defining what it is we are trying to do here?
Mr. Taylor. Our understanding is it is CFO.
Mr. Carney. Ms. Sherry, so we are somewhere between $450
million and $1 billion to implement that. You know, from my
chair and from practically everybody in this room, how do you
get a delta that large?
Ms. Sherry. Right, sir. What I can do is I can go back see
what the $1 billion is referring to, but I think Mr. Taylor is
exactly right as far as the question that I answered, and
possibly I didn't answer the question correctly, was the
independent Government cost estimate as it relates to migration
and operation and maintenance, which is really within the
purview of this particular contract.
Things such as the hardware and the software are not
included in that number. In addition, we have developed a life
cycle cost estimate. Again, we are standing up the data center.
It will be done in our data center down in Stennis so that the
costs that are associated with that data center is not included
in this number as well.
We do have a life cycle cost estimate that we are working
on and we are going to be sharing with Ms. Daly as well as Mr.
Taylor, which I believe--and again, without knowing what was in
the billion, and I promise I will go back and look at that, I
would imagine would include some of the things that Mr. Taylor
talked about, which are not in the $450 million that I referred
to, sir.
Mr. Carney. Okay. So the $450 million does not include the
hardware, the software, the data center or the lifecycle costs.
Ms. Sherry. It includes the implementation, and it includes
operation and maintenance for the implemented solution.
Mr. Pascrell. [Inaudible.]
Mr. Carney. Boy.
Mr. Taylor, is $450 million a reasonable price for what we
are getting?
Mr. Taylor. Well, sir, I am not sure. I am still not sure
what that includes, and so we would have to look at what
exactly is included in that cost estimate, which, of course, we
haven't had a chance to review.
I will say that what you are experiencing is the problem
with these kinds of initiatives.
Mr. Carney. Yes.
Mr. Taylor. What happens is that the core financial system
itself is just a small part of the activity and a part of the
cost.
When Mr. Bilirakis asked me about the financial management
and the components, do they have the kind of resources
necessary to carry this out, we are concerned because in my
personal experience the vast majority of the effort isn't in
hooking up a new box with new software.
The vast majority of the effort is involved in changing the
business processes at the feeder level, at the component level,
so that the information coming in makes sense, not so that you
are just having a really fancy way of computing bad data.
That is where the costs are. So any estimate of cost needs
to include all those kinds of activities and the plan has to
account for the weaknesses that we have identified in our
financial statement audits in the component organizations where
this is going to fall on.
Mr. Carney. So just kind of a back of the envelope figuring
here, it may be more than $1 billion in this transition. But
once again, we don't know, because we can't define what it is
we are trying to do.
Ms. Sherry. But I mean we can define what it is that we are
trying to do, and I would absolutely agree with Mr. Taylor that
the change of management piece of it is critical and having
that governance structure in place is critical.
So these are things that are outside of that $450 million
that I am talking about, because this is stuff that the Federal
workforce will be responsible for ensuring that we do stay on
track so that when we are doing the migrations, when we are
doing the analysis to be able to determine what are our
requirements, and we do know what our requirements are relative
to what the solution is, that we make sure that we have got
strong oversight of that.
We have stood up a program management office in my office.
It has all the different disciplines in it that are required,
such as change management. You know, we have CPAs, we have
project managers, we have systems engineers, we have data
warehouse specialists, business intelligence specialists. So we
have got those. You know, we have staffed up to be able to have
those people within my office.
We are working with the larger components to set up their
own project management offices. To the idea, to the
competencies, it will be critical for them to be able to have,
you know, their ability to be able to understand what it is
that the contractor is bringing in and to be able to have that
oversight and to be able to guide the actual implementation.
Mr. Carney. Ms. Sherry, you have signed up for an
exceptionally difficult job, and I applaud your courage for
doing that. We need people of goodwill and brains to take on
this kind of thing, and I really applaud you for that.
That said, this subcommittee is going to watch very closely
where we are in the cost for TASC. That is our task to watch
the cost of TASC, to put it indelicately here. We will come
back to this.
Mr. Bilirakis.
Mr. Bilirakis. Thank you, Mr. Chairman.
Ms. Sherry, the TASC award, which you have plans to be
awarded in early 2010, is for an indefinite delivery indefinite
quantity contract. Did you consider using a firm fixed-price
contract, which would limit the risk to the Department in the
event of cost overruns? If so, why would you ultimately decide
on the IDIQ?
Ms. Sherry. Yes, sir. Thank you very much for the question.
I appreciate the opportunity to add one other point, which I
think I have not talked about, and I believe that your question
here kind of leads into the idea that the Department is
absolutely undertaking a phased approach here.
So what we are not doing, what they had done initially with
the eMerge, where they tried to bring up the entire Department
all at once with all these, you know, 8,000-plus requirements
that they had gathered, we are doing this in a very phased
approach. So with this IDIQ contract, we will allow us to be
able to do that, sir, is to be able to issue specific task
orders so that we can do this within phased approach.
We have done an awful lot of outreach to other agencies to,
like I said, to learn the things that they have done well, but
also things that they wish that they could have changed.
One of the things that we heard is that if you go right out
of the box with a firm fixed-priced contract, there is a high
likelihood, sir, that as they get in there and they start
really understanding it and doing that analysis between what is
it that you want versus what is it that the solution has and
the things that you need to change, that basically you end up
with a lot of the items that are simply out of scope.
So what you thought that you were getting with your firm
fixed price, ultimately you end up just getting an awful lot of
out of scope issues.
The way that this contract is structured allows us to be
able to work with the contractor in phased approach starting
with maybe one of the smaller entities, and we learn. Not only
does the contractor learn, but the agency learns.
My PMO will be with them every step of the way, and what we
would do is we will learn. As we build on our knowledge and our
learning curve and our competencies, it will move us, sir, into
the ability to be able to do a firm fixed-price contract. So
that is within the realm of our ability to be able to issue a
firm fixed-price task order as well, sir.
Mr. Bilirakis. Customs and Border Protection has been doing
well on its current platform. Are you concerned that moving
them onto the new TASC system will impact their performance?
Mr. Taylor. I think the CBP has clean audit opinions and
has probably one of the better installations in DHS in terms of
financial systems. However, they aren't without their own
issues. Moving even a large organization like them in a phased
approach to a centralized system would probably still in the
long run be in the best interest of that organization.
That said, depending on how you plan this, how you carry it
out, there are a lot of risks involved in it, absolutely.
Mr. Bilirakis. Also, in your written testimony you note a
number of IT control weaknesses at the component level. How
many of these weaknesses will be resolved by the migration to
TASC?
Mr. Taylor. I think it is premature to answer the question,
sir, to be honest. I mean because some of the findings are
redundant, by definition if you have three organizations with
the same three material weaknesses, then you only have the
consolidated three, so you drop it from that standpoint.
But what we do is we take the component material weaknesses
and roll them up into a consolidated, so assuming that the
system had the proper internal controls and that the internal
processing, the way that they are identified and the way
planned, then they would reduce a lot of the material weakness
findings we had.
Mr. Bilirakis. Anyone else want to comment on that?
Okay. Thank you very much.
I yield back, Mr. Chairman.
Mr. Carney. Thank you, Mr. Bilirakis.
We have time for a few more questions.
Mr. Pascrell, 5 minutes.
Mr. Pascrell. Mr. Chairman, I hope you will follow up on
the two points that we need an immediate reduction of how many
committees these folks have to report to--I just think it
doesn't make any sense--that point, with leadership. We need to
do what we have been talking about, you know, around the edge
about it.
The other thing is that bureaucracy within the Department
itself. We need to do something about it. To establish, maybe
even take another look at how our committee system sets up
within the Homeland Security Committee's subcommittees, whether
we are feeding the bureaucracy.
We started out by wanting to look into the various
financial management systems throughout Homeland Security. You
need people in the Department that are hired within the
Department, have a lot to do about implementing the mission,
and your background before you come to the Department.
This is unlike HHS and Transportation and Labor and all of
those different departments, because we are talking about a
paramilitary. We are talking about the security of the Nation.
The people we attract to the Department are going to implement
these financial mechanisms and systems, but it would seem to me
that we should spend a lot more time attracting people who have
background in security, be it in the police, be it in the
military, because this is the kind of operation that we need to
defend the country.
We are going to debate numbers. We are going to debate
words, which are most of the time meaningless unless we have
results. How can we best defend the homeland? It would mean to
me that the people we hire in the Department should have some
background, some knowledge of how military or civilian police
operate.
I hope you would take that message back to the Secretary,
because I have not had any indication so far in the last 6
months that that is at the centerpiece of the people we are
attracting into the Department.
When I hear all of this stuff, Mr. Chairman, about quotas
and make sure everybody is represented in the Department--and I
put my record up against anybody--but if they don't know
anything about security, how in God's name can they be part of
this Department?
I would like to know who they are hiring, which is just as
significant to me as the different financial mechanisms in all
of these subdivisions of this Department. I don't want to
minimize, but I want to prioritize. To me the priority is who
is operating.
So I want to thank these three folks for your service to
your country. You did a great job of answering the questions,
all of you.
I think dearly of GAO. I really do. You have made a big
difference in the Congress and how we look at things.
I hope Ms. Daly and Ms. Sherry take back to the Secretary,
who I have a great respect for, but we are not playing
tiddlywinks here. We are not playing in the sandbox. This is
serious stuff. I know it is serious for you. It is serious for
us. Thank you.
Thank you, Mr. Chairman.
Mr. Carney. Thank you, Mr. Pascrell.
We will adjourn momentarily here. We have votes, and I
think we are at the end of the string as far as the questions
go.
We have seen the theme here. We started to talk about TASC
and financial management of the Department and moving and
migrating to a different system, but it doesn't take too many
scrapes of the trowel to really expose a lot of underlying
problems here.
We are trying to get to an organization that is efficient
and agile. We have one that is very inefficient and very
cumbersome. You know, we take a lot on ourselves here in
Congress to try to get that. Certainly, in this subcommittee we
try to do that. I think you have been able to determine the
passion that many of us have for this task at hand.
But, you know, we need good people focused on the right
questions, and please, I admonish every one of you, please let
common sense prevail. Please.
I want to thank the witnesses for their testimony. I
imagine we will see you back again before too long. With that,
we are adjourned.
[Whereupon, at 11:20 a.m., the subcommittee was adjourned.]