PRESIDENT'S COUNCIL ON INTEGRITY AND EFFICIENCY REVIEW of APPLICATION SOFTWARE MAINTENANCE in FEDERAL AGENCIES
Background of the PCIE CSIP Completed Tasks
Task 1--Survey of Agency Implementation of Computer Systems Integrity Requirements
Task 1 focused on the compliance of eight agencies with mandated policies and other requirements dealing with computer security and controls. The participating IG offices evaluated their agencies' implementation of OMB Circulars A-123, A-127, and A-130 requirements relative to the following computer integrity functions: information resource management, internal controls, computer security, and quality assurance. Each IG office issued a report describing the implementation deficiencies found at their respective agencies.
The June 1988 consolidated PCIE report for Task 1 identified five common obstacles which limited the effectiveness of agency compliance activities. The obstacles involved (1) varying terminology and specificity of requirements; (2) lack of emphasis on systems quality; (3) delayed sharing of Triennial Information Resource Management Review results; (4) lack of a budget mechanism to identify and justify systems integrity requirements; and (5) nonstandardized computer systems integrity training. Accordingly, the report made five recommendations for overcoming these obstacles and strengthening agencies' implementation capabilities Governmentwide. Implementing these recommendations required action by OMB, General Services Administration (GSA), Office of Personnel Management (OPM), and NIST.
Task 2A--Review of General Controls in Federal Computer Systems
Task 2A was aimed at assessing management controls over system software(1) in MVS-based computer systems at ten Federal computer centers. Work on this task focused on two key system software controls subareas: (1) operating system software controls and (2) access (security) software controls. This Task also included an evaluation of management practices employed in the utilization of disk and tape storage resources, since the data pertaining to these resources was available as a byproduct of system software controls work. Each IG office issued one or more reports (a total of 20 in all) describing the system software internal control weaknesses and disk and tape management deficiencies found at their respective agencies.
The October 1988 Task 2A consolidated report described serious operating system and security software control deficiencies in all of the agency computer centers reviewed. By exploiting the operating system integrity exposures identified, a knowledgeable perpetrator would have been able to access, modify, and/or destroy an agency's computer data, programs, and other resources without leaving an audit trail. These exposures resulted from (1) inadequate controls over enhancements to the operating system; (2) inadequate administration of the Authorized Program Facility(2); (3) improper maintenance of operating system software; and (4) a lack of policies, standards, and procedures pertaining to system software management. In addition, improper technical implementation of security software features and inadequate administrative controls over security software further increased the risks to operational continuity as well as the integrity of critical applications which support agency missions. Finally, as described in the report, an estimated $17 million in inefficiently used disk storage resources could have been recovered and made available for reuse through the application of generally accepted disk storage management techniques--thereby reducing the need for future additional disk storage procurements. Agencies had a similar opportunity to save substantial computer resources when processing magnetic tape files by applying generally accepted tape storage management techniques. The report contained eight Governmentwide recommendations for strengthening computer center management of operating system and security software, and four Governmentwide recommendations for strengthening disk and tape storage at Federal computer centers. Implementing these recommendations required action by OMB, NIST, NSA, and GSA.
Task 2B--Review of Application Controls in Federal Contract Tracking Systems
Task 2B, Review of Application Controls, was aimed at assessing the data integrity of a common administrative application system (the centralized contract tracking system). Work on this task focused on identifying application controls which needed strengthening, and determining system development efforts at seven Federal computer centers. Each IG office issued a report describing the agency's assessment of the centralized contracting systems.
The April 1991 Task 2B consolidated report stated that the centralized contract tracking systems of three of the seven agencies reviewed had generally accurate data and relatively good application controls; however, the remaining four agencies had unreliable data. The identified data integrity deficiencies resulted from weaknesses in data preparation, data entry, computer processing, and management oversight controls (including quality assurance), which allowed erroneous or unreported contract amounts to remain undetected or uncorrected. Agencies with multiple local procurement management/contract systems experienced the greatest data integrity problems. Conversely, those agencies with a single, comprehensive agencywide procurement management system generally had better management and internal controls and more accurate data. The integration of procurement tracking and financial accounting/reporting systems was the most effective internal control identified. The report made eight recommendations to OMB and GSA to advocate better controls over centralized contract systems.
Task 3--Followup Audit on the Implementation of the PCIE CSIP Task 1 and Task 2A Audit Report Recommendations
Task 3, Followup Audit on the Implementation of the PCIE CSIP Task 1 and Task 2A Audit Report Recommendations, was aimed at determining (1) what corrective actions were taken in response to the (a) recommendations made in the individual agency OIG reports issued under CSIP Task 1 and Task 2A; and (b) Governmentwide recommendations made to OMB, GSA, and NIST in the PCIE Task 1 and Task 2A summary reports; and (2) whether those actions adequately addressed the recommendations. In addition, task participants assessed how well their individual agencies complied with OMB's November 28, 1988 Directive M-89-06(3) to correct identified deficiencies, both in the specific systems reviewed in Task 2A and in other agency systems with similar system software.
In following up on their prior reports, the participating OIGs found that collectively, nearly half of their previous recommendations had not been fully implemented or the corrective actions taken did not fully satisfy the intent of the recommendations. Weaknesses identified in the prior tasks that continued to present integrity and security problems included (1) lack of emphasis on system quality; (2) inadequate administrative controls over security software; and (3) lack of policies, standards, and procedures pertaining to system software management. In addition, the participating OIGs found their agencies were either unaware of, or had not sufficiently complied with, OMB Directive M-89-06. The audit results at individual agencies were formally presented in 14 audit reports collectively containing 206 recommendations to those agencies.
The followup work on the Governmentwide recommendations, contained in the consolidated summary PCIE reports Task 1 and Task 2A, produced two groups of proposed new Governmentwide recommendations associated with Task 2A issues only. One group called for actions by OMB to spur Federal agencies to correct the continuing problems identified during the followup audit work. The correction of these problems was also the specific focus of the recommendations contained in the 14 audit reports issued to individual agencies. Accordingly, this group of proposed PCIE recommendations was aimed primarily at ensuring the specific corrective actions called for in the individual reports would be taken promptly. The other group of proposed Governmentwide recommendations called for the development and issuance of additional Governmentwide guidance. This thrust, however, was contrary to the decentralization and empowerment-related initiatives outlined in the Vice President's National Performance Review report. Finally, uncertainty existed regarding the appropriateness, applicability, and potential impact of the proposed recommendations in those Federal agencies where major changes in the technological environment had recently occurred or were in process. For these reasons, the Department of Transportation OIG (the task leader) concluded that issuance of a consolidated summary PCIE report for Task 3 would produce few benefits, and such a report was thus not issued.
Federal Software Maintenance Criteria and Guidance
P.L. 89-306, Automatic Data Processing Act. (October 30, 1965) This Act provides for the economic and efficient purchase, lease, maintenance, operation, and utilization of automatic data processing equipment by Federal departments and agencies.
P.L. 96-511, Paperwork Reduction Act of 1980. (December 11, 1980) This Act requires Departments and Agencies to ensure (1) ADP and communications technologies are acquired and used in a manner which improves service delivery and program management; and (2) the collection, maintenance, use and dissemination of information by the Federal Government is consistent with applicable laws relating to confidentiality, including the Privacy Act.
P.L. 99-591, Paperwork Reduction Reauthorization Act of 1986, which amended the 1980 Paperwork Reduction Act. (October 30, 1986) This Act requires that Federal agencies periodically evaluate and, as needed, improve the accuracy, completeness, and reliability of data and records contained in Federal information systems.
P.L. 103-62, Government Performance and Results Act of 1993. (August 3, 1993) The purpose of the Act is to improve the confidence of the American people in the Federal government; initiate program performance reform including measuring performance against program goals; improve Federal program effectiveness; help Federal managers improve service delivery; improve congressional decision making; and improve internal management of the Federal Government. Specifically, each agency must prepare an annual performance plan covering each program activity with objective, quantifiable, and measurable goals.
P.L. 103-355, Federal Acquisition Streamlining Act of 1994. (October 13, 1994) Section 5052 of the Act states that results-oriented acquisition process guidelines will be developed that include the identification of quantitative measures and standards. These standards will be used for determining the extent to which an acquisition of items, other than commercial items, by a Federal agency satisfies the needs for which the items are being acquired.
P.L. 104-106, Division E--Information Technology Management Reform Act. (February 10, 1996) This Act seeks to improve Federal information management, and to facilitate Federal Government acquisition of state-of-the-art information technology that is critical for improving the efficiency and effectiveness of Federal Government operations.
Office of Management and Budget
OMB Circular A-11, Preparation and Submission of Budget Estimates. (June 6, 1995) This directive provides detailed instructions and guidance on the preparation and submission of annual budgets and associated materials. This Circular requires agencies that obligate more than $50 million in a year for information technology activities to submit a report on obligations for information technology for the agency as a whole. The report will provide information on workyears and obligations for information technology activities. It will include obligations for: planning, including requirements, feasibility, and benefit-cost studies; system design, development, and acquisition; and voice and data telecommunications requirements, regardless of whether or not they are associated with an information system's installation, operations, maintenance, and support.
OMB Circular A-76, Performance of Commercial Activities. (August 4, 1983) This directive establishes Federal policy regarding the performance of commercial activities. The supplement to the circular sets forth procedures for determining whether commercial activities should be performed under contract with commercial sources or in-house using Government facilities and personnel.
OMB Circular A-109, Major System Acquisition. (April 5, 1976) This directive establishes policies to be followed by executive branch agencies in the acquisition of major systems. Specifically, OMB Circular A-109 requires that each agency acquiring major systems maintain the capability to: (1) predict, review, assess, negotiate, and monitor lifecycle costs; (2) assess acquisition cost, schedule, and performance experience against predictions, and provide such assessments for consideration by the agency head at key decision points; (3) make new assessments where significant cost, schedule, or performance variances occur; (4) estimate lifecycle costs during system design, concept, evaluation, selection, full-scale development, facility conversion, and production, to ensure appropriate trade-offs among investment costs, ownership costs, schedules, and performance; and (5) use independent cost estimates, where feasible, for comparison purposes.
OMB Circular A-123, Internal Control Systems. (June 21, 1995) This directive requires agencies to establish and maintain a system of internal controls to provide reasonable assurance that Government resources, including information resources, are protected from fraud, waste, unauthorized use, and misappropriation.
OMB Circular A-130, Management of Federal Information Resources. (February 8, 1996) This Circular requires agency officials who administer a program supported by an information system to be responsible and accountable for the management of that information system throughout its lifecycle. Under Circular A-130, agencies are required to account for the full costs of operating information processing organizations. In addition, it requires agencies to prepare a cost-benefit analysis for each information system and update it as necessary throughout the information system lifecycle. The cost-benefit analysis must be (1) at a level of detail appropriate to the size of the investment, and (2) based on systematic measures of system performance which include: (a) effectiveness of program delivery; (b) efficiency of program administration; and (c) reduction in burden.
Office of Federal Procurement Policy Letter #91-2, Service Contracting. (April 9, 1991) This letter defines performance-based contracting as structuring all aspects of an acquisition around the purpose of the work to be performed, as opposed to either the manner by which the work is to be performed or a broad and imprecise statement of work. This approach provides the means to ensure the appropriate performance quality level is achieved, and payment is made only for services that meet contract standards. This policy emphasizes the use of performance requirements and quality standards in defining contract requirements, source selection, and quality assurance. It requires agencies to: (1) use performance-based methods when developing SOWs; (2) develop formal, measurable performance standards and surveillance plans for assessing contractor performance; and (3) use contract types that motivate contractors to perform at optimal levels.
Office of Federal Procurement Policy Pamphlet #4, A Guide for Writing and Administering Performance Statements of Work for Service Contracts. (October 1980) This pamphlet provides guidelines for writing and administering performance Statements of Work for service contracts. It describes a systematic means to develop Statements of Work and quality assurance surveillance plans in order for agencies to define and measure the quality of contractors' performance.
Federal Information Processing Standards Publications
FIPS PUB. 64, Guidelines for Documentation of Computer Programs and Automated Data Systems for the Initiation Phase. (August 1, 1977) This publication provides a basis for determining the content and extent of documentation for the initiation phase of the software lifecycle--including project request documentation, feasibility study, and cost-benefit analysis.
FIPS PUB. 101, Guideline for Lifecycle Validation, Verification, and Testing of Computer Software. (June 6, 1983) This publication presents an integrated approach to validation, verification, and testing (VV&T) that should be used throughout the software lifecycle. The Guideline presents information on selection and use of VV&T techniques to meet project requirements and explains how to develop a VV&T plan to fulfill a specific project's VV&T requirements. The Guideline is intended for use by software developers, managers, verifiers, maintainers, and end users.
FIPS PUB. 106, Guideline on Software Maintenance. (June 15, 1984) This publication presents information on techniques, procedures, and methodologies to employ throughout the lifecycle of a software system to improve the maintainability of that system. The publication emphasizes the importance of the consideration of software maintenance throughout the lifecycle of a software system and stresses the need to plan, develop, use, and maintain a software system with future software maintenance in mind. It also presents guidance for controlling and improving the software maintenance process and includes suggested criteria for deciding whether continued maintenance of a software system is justified.
National Bureau of Standards Special Publications
NBS Special Publication 500-87, Management Guide for Software Documentation. (January 1982) This document assists in the establishment of policies and procedures for effective preparation, distribution, control, and maintenance of documentation which will aid in re-use, transfer, conversion, correction, and enhancement of computer programs. Such documentation, together with the computer programs themselves, will provide software product packages which can be transferred and used by people other than the originators of the programs.
NBS Special Publication 500-88, Software Development Tools. (March 1982) As part of the program to provide information to Federal agencies on the availability, capabilities, limitations, and applications of software development tools, a database of information about existing tools was collected over a three-year period. This document presents an analysis of the information contained in this database. In addition, abstracts of each tool are presented in an appendix.
NBS Special Publication 500-106, Guidance on Software Maintenance. (December 1983) This document addresses issues and problems of software maintenance and suggests actions and procedures which can help software maintenance organizations meet the growing demands of maintaining existing systems.
NBS Special Publication 500-129, Software Maintenance Management. (October 1985) This document focuses on the management and maintenance of software, and provides guidance to Federal government personnel to assist them in performing and controlling software maintenance. It presents an overview of the various aspects of software maintenance including the problems and issues identified during the Institute for Computer Sciences and Technology sponsored survey of Government and private industry maintenance organizations.
Profile of Agency Missions and Applications Reviewed
Department of Housing and Urban Development
HUD is the principal agency responsible for Federal housing programs, enforcing fair housing, and improving and developing the Nation's communities. The Department's major functions follow. HUD (1) insures mortgages for single family and multifamily dwellings and loans for home improvement and the purchase of manufactured homes; (2) makes capital grants for construction or rehabilitation of housing developments for the elderly and disabled; (3) channels funds from investors into the mortgage industry through the Government National Mortgage Association; (4) provides Federal housing subsidies for low and moderate income families; (5) provides grants to states and communities for community development activities; (6) promotes and enforces fair housing and equal housing opportunity; and (7) promotes empowerment of residents through Family Self Sufficiency and Homeownership for People Everywhere.
HUD examined seven application systems for this review. A brief description of each application system follows.
- Single Family Insurance System-Claims Subsystem, supports the Department's Single Family Insurance Claim payment processes. It provides on-line update and inquiry capability to Single Family Insurance and Claims databases and to cumulative history files.
- Subsidized Housing Accounting System, is an automated system of accounting and financial management related activities. This system assists lower income families in acquiring home ownership.
- Line of Credit Control System, is the Office of Finance and Accounting General and Program Accounting Group's primary vehicle for cash management.
- Program Accounting System, is an integrated budgetary accounting system for HUD's grant programs, including Community Development Block Grants. This system posts data for the automated project and general ledger accounts. In addition, it reports actual financial data for congressional budget reports.
- Computerized Homes Underwriting Management System, assists and supports Field staff in the processing of single family mortgage insurance applications from initial receipt through endorsement. In addition to tracking and processing assistance, this system provides automated assistance in appraisal and mortgage credit evaluation.
- Multifamily Insurance, provides automated on-line, interactive support in a data base environment for HUD's multifamily mortgage insurance programs. It maintains the inventory of multifamily insurance-in-force cases, and all pertinent and historical data.
- Title I Insurance and Claims, provides operational and management support for the execution of the Title I Property Improvement and Mobile Home Loan Program. It provides on-line inquiry and updating to support day-to-day operations. This includes loan inventory maintenance, billing, premium collection and reconciliation, claim processing, and Title I reserves maintenance and accounting.
Department of State
The Department is responsible for overall direction, coordination, and supervision of U.S. Government activities overseas, except for certain military activities. It provides interdepartmental direction and leadership to other U.S. Government Foreign Affairs agencies. Through the Secretary of State, the Department serves as the President's principal advisor in the determination and execution of U.S. foreign policy. The Department supports the Secretary of State in the fulfillment of these duties and takes the lead with respect to such matters as international educational and cultural affairs, information activities, foreign assistance, food for peace, arms control and disarmament, supervision of programs authorized by the Peace Corps Act, social science research, immigration, and refugee assistance.
The Department has other major missions that are heavily dependent on automated systems. These missions include consular services for U.S. citizens overseas and providing both administrative and financial support to over 50 other agencies representing U.S. interests abroad.
DOS selected three financial systems for review. A brief description follows:
- Consolidated American Payroll Processing System, provides payroll and personnel services to American employees of the Department of State and Peace Corps in the U.S. and abroad. This system also provides payroll services to the overseas American staff of approximately 30 other Federal agencies.
- Central Finance Management System, a tailored version of the commercial, off-the-shelf Federal Financial System, processes financial transactions under a single, standard accounting system using its decentralized processing capabilities. It permits consolidation of domestic accounts and aids in the Department's attempts to meet financial reporting requirements specified by the Chief Financial Officers Act.
- Serviced Post Financial Management System, permits individuals at a serviced post to create their own funding, obligating/committing, and vouchering files on a computer terminal. The data generated by a post is then forwarded to Regional Administrative Management Centers for further processing and/or disbursing. This system will permit the serviced posts to take advantage of the many features available via the Overseas Financial Management System.
Environmental Protection Agency
EPA was established in December 1970 as an independent agency to execute the Federal laws for protecting the environment. The agency currently administers nine comprehensive environmental protection laws, such as the Clean Air Act; the Clean Water Act; the Resource Conservation and Recovery Act; and the Comprehensive Environmental Response, Compensation, and Liability Act (or "Superfund"). EPA performs its mission by coordinating effective Government action in reducing and controlling pollution through integration of a variety of research, monitoring, standard setting, and enforcement activities. EPA also coordinates and supports research and pollution prevention activities by state and local governments, private groups, individuals, and educational institutions. In total, EPA is designed to serve as the public's advocate for a livable environment.
EPA reviewed ten application systems. A brief description of each is below:
- Aerometric Information Retrieval System, stores air quality, point source emissions, and area/mobile source data required by Federal regulations from the 50 States. Monitoring is required for the criteria pollutants based on population, pollutant sources, geographical area, etc.
- Comprehensive Environmental Response, Compensation, and Liability Information System, supports EPA Headquarters and regions for the management and oversight of the Superfund program. It has two purposes: (1) maintain an automated inventory of abandoned, inactive, or uncontrolled hazardous waste sites; and (2) act as a vehicle for Regions to report to Headquarters the status of major stages of site clean-up.
- Contract Payment System, provides a comprehensive financial database for the more than 3,200 Agency contracts. This system is a major sub-system to the Integrated Financial Management System, and provides detail and summary level information on contract award and invoice data.
- EPA Payroll System, provides a standardized nationwide data entry system for Time and Attendance, Payroll, and Personnel data. The system also contains a labor distribution function for Agency payroll accounting and a biweekly capability to distribute personnel management information to meet management and regulatory reporting requirements.
- Facility Index System, is a computerized inventory of facilities regulated or tracked by EPA.
- Grants Information and Control System, is the Agency's management information system for all grant programs. This national system is used by Headquarters, Regions, and States to administer and monitor grants.
- Integrated Financial Management System, performs funds control from commitments through payment; updates all ledgers and tables as transactions are processed; provides a standard means of data entry, edit, and inquiry; and provides a single set of reference and control files. The system was designed expressly for government financial accounting and supports GAO Title 2 requirements, OMB internal control requirements, and OMB's A-127 initiatives.
- Permit Compliance System, is a computerized management information system for tracking permit, compliance, and enforcement status for the National Pollution Discharge Elimination System program under the Clean Water Act. This system contains information on more than 63,000 active water discharge permits issued to facilities throughout the nation.
- Resource Conservation and Recovery Information System, is a national program management and inventory system of the Resource Conservation and Recovery Act Hazardous Waste handlers. This system captures identification and location data for all handlers and a wide range of information on Treatment, Storage, and Disposal Facilities regarding permits/closure status, compliance with Federal and State regulations, and cleanup activities.
- Storage and Retrieval of Water Quality Information, assists State and EPA officials in making pollution control decisions by providing a capability to store, retrieve, and analyze water quality information.
- Toxic Chemical Release Inventory System, contains all non-trade secret data submitted to EPA for chemicals and chemical categories listed by the Agency. Data include chemical identity, amount of on-site users, releases and off-site transfers, on-site treatment, and minimization and prevention actions.
National Aeronautics and Space Administration
NASA's mission is to (1) explore, use, and enable the development of space for human enterprises; (2) advance scientific knowledge and understanding of the Earth, Solar System, and the Universe, and use the environment of space for research; and (3) research, develop, verify, and transfer advanced aeronautics, space, and related technologies. NASA administers programs of a research and development nature that are designed to contribute to a number of national goals, including preeminence of the nation in the science and technology of aeronautics and space.
NASA selected three NASA-wide administrative application systems for review. A brief description follows:
- Acquisition Management Subsystem of the Procurement Management Technology Program, is a procurement tracking and management information system which automates many of the major procurement functions. It is a mainframe-based subsystem installed at each center in a decentralized mode.
- NASA Equipment Management System, maintains a general inventory of government-owned equipment. It is a mainframe-based system that operates independently at all centers and has a centralized data base.
- NASA Supply Management System, performs supply management functions including catalogue maintenance, inventory control, and commodity management. The system is mainframe-based and operates independently at all participating centers.
National Science Foundation
NSF is an independent agency in the government's executive branch and is governed by a presidentially appointed 24-member Board and a Director. NSF provides financial and other support for research, education, and related activities in science, mathematics, and engineering. NSF does not conduct research itself, but provides grants to academic institutions, private research firms, industrial labs, and major research facilities and centers.
NSF was established by the National Science Foundation Act of 1950, which gave NSF its original standards and policies. NSF derives its current direction from changes to this Act and the standards established by government monitoring organizations and agencies, combined with internal NSF policies and procedures. NSF developed internal issuances (i.e., bulletins, manuals, etc.) to further define how it will conduct its information management and technology activities.
NSF reviewed eight systems as part of this audit. A brief description follows.
- Awards Management System, maintains information on grants, contracts, cooperative and interagency agreements, and other instruments, and stores data on grantees, institutions, and budgets. The system provides on-line information about pending awards, and produces the official award letter.
- Budget Line Item Project, supports on-line entry and tracking of budgetary line item data for NSF awards.
- Electronic Time and Attendance System, automates the sign-in/sign-out function and replaces the daily flextime record.
- Financial and Accounting System, provides transaction processing and tracking for all NSF financial transactions.
- Principal Investigator System, provides detailed information about personal attributes of individuals who submit proposals to NSF, and supplies information to the Proposal and Reviewer systems.
- Program Officer's Information System, provides program officers with easy, on-line retrieval of summary and detailed proposal workload information.
- Proposal Management System, provides users with the tools to process, monitor, and report on various phases of proposal processing from the time of receipt until final action.
- Reviewer System, assists program officers in selecting reviewers for their proposals and tracks the reviews for each proposal.
The primary mission of the RRB is to administer the Railroad Retirement and Railroad Unemployment Insurance Acts, and to assist in the administration of the Social Security Act and the Internal Revenue Code. In carrying out this mission, the RRB will pay benefits to the right people, in the right amounts, in a timely manner; treat every person who comes into contact with the agency with courtesy and concern; and respond to all inquiries promptly and clearly.
The RRB reviewed seven application systems. A brief description of the systems reviewed follows:
- Daily Activity Input System Checkwriting Integrated Computer Operation, processes benefit payments under the Railroad Retirement Act.
- Medicare Information Recorded, Transmitted, Edited, and Logged, processes payments of Medicare health insurance benefits.
- Railroad Unemployment Insurance Act Daily Processing System, processes payment of unemployment and sickness benefits under the Railroad Unemployment Insurance Act.
- Federal Financial System, maintains the RRB's financial and accounting information.
- Program Accounts Receivable System, is a part of the Federal Financial System, but operated as a separate system.
- Payroll System, maintains RRB's payroll information.
- Personnel System, maintains RRB's personnel information.
Social Security Administration
On March 31, 1995, SSA became an independent agency under section 101 of the Social Security Independence and Program Improvements Act of 1994. The Agency's record-keeping activities cover everyone issued a Social Security Number, as well as the thousands of employers who report the earnings of these individuals.
In its Strategic Plan, Information Systems Plan, and other documents, SSA defines its role with the following statement: "It is the mission of the Social Security Administration to administer national Social Security programs as prescribed by legislation, in an equitable, efficient, and caring manner."
The SSA's data processing operations are highly centralized and integrated. Application software at SSA is either programmatic or administrative(4). The programmatic functions supported by application software are: (1) Enumeration; (2) Earnings; (3) Retirement, Survivors' and Disability Insurance; and (4) Supplemental Security Income. Each of these programmatic systems involves hundreds of software programs. These systems are all mainframe-based, batch processing operations with some modernized, on-line input capability. The major systems comprising the administrative structure are: (1) The Financial Accounting System; (2) The Human Resources Management Information System; (3) The Time and Attendance Processing System; (4) Retirement, Survivors' and Disability Insurance and Supplemental Security Income Quality Assurance System; (5) Security and Audit Trail System; (6) Control and Audit Test Facility; (7) The Commissioner's Correspondence Control System; (8) The Processor for the Analysis of Statistical Surveys; (9) Management Information Systems; (10) Debt Management System; and (11) Earnings Modernization. These administrative systems vary from small, localized, microcomputer-based programs to large, widely used mainframe-based applications.
Because it is difficult, or in some cases impossible, to divide the agency's operations into discrete information systems, SSA treated the systems supporting each of the four major programmatic areas, together with the administrative area, as the units selected for this review. The application systems for this review are:
- Enumeration, establishes and maintains the data base of potential users of the Agency's services (i.e., all those issued a Social Security Number);
- Earnings, collects and maintains wage and salary data on all Social Security Number holders and employers to be used in administering the Agency's programs, as defined by the Social Security Act;
- Retirement, Survivors' and Disability Insurance, supports this major program mandated by the Social Security Act;
- Supplemental Security Income, supports this major program mandated by the Social Security Act; and
- Management Information Systems, supports various administrative functions within the Agency.
Individual Agency Reports Issued for Task 4
| Agency and Product Title | Report Type and Number | Date Issued |
|---|---|---|
| Department of Housing and Urban Development | | |
| Controls Over Software Maintenance Must Be Significantly Strengthened | Audit Report 96-DP-166-0001 | March 1996 |
| Department of State | | |
| Management of Software Maintenance | Audit Report 6-IM-003 | October 1995 |
| Environmental Protection Agency | | |
| Management of Application Software Maintenance at EPA | Audit Report E1NMF3-15-0072-5100240 | March 1995 |
| National Aeronautics and Space Administration | | |
| Computer Systems Integrity Project Management of Software Maintenance (PCIE Task 4) | Audit Report HQ-95-004 | June 1995 |
| National Science Foundation | | |
| Review of NSF's Management of Application Software Maintenance | Audit Report OIG 94-2109 | September 1994 |
| Railroad Retirement Board | | |
| Review of the Agency's Management of the Software Maintenance Process | Audit Report 94-24 | September 1994 |
| Social Security Administration | | |
| Close-Out of Our Review on the PCIE--Computer Security and Integrity Task 4A-Management of Application Software Maintenance | Close-Out Memorandum A-13-93-00423 | June 1995 |
Audit Methodology
The PCIE Task 4 review of software maintenance management at Federal agencies was divided into six areas: (1) policies, procedures, and standards; (2) application software maintenance lifecycle management; (3) contract management; (4) cost management; (5) IRM staff qualifications; and (6) internal control issues regarding the management of application software maintenance.
Policies, Procedures, and Standards
Agencies should have well-established policies, procedures, and standards for efficiently and effectively maintaining agency software. Policies, procedures, and standards serve as a basis for management actions, and provide criteria upon which to evaluate the activities resulting from those actions. This set of audit steps involved determining whether agencies have (1) incorporated the software maintenance standards promulgated by higher monitoring authorities into their own policies, procedures, and standards; (2) established policies, promulgated by agency senior management, that define the relationship between those standards and agency implementation; and (3) developed procedures for implementing software maintenance policies.
Application Software Maintenance Lifecycle Management
Software maintenance is a critical element of an application system's lifecycle. Management of the system's lifecycle must not conclude with the introduction of the system into the production environment. The audit steps to evaluate the lifecycle management of an application system in production included a review of (1) the IRM strategic planning process; (2) the software maintenance initiation request process; (3) change control methodology; (4) the process by which changes are tested and accepted; (5) quality assurance controls; and (6) general controls affecting maintenance projects (e.g., separation of duties during maintenance).
Contract Management
A significant percentage of Governmentwide software maintenance work is performed by contractors. Inadequate contract management practices increase an agency's vulnerability to waste, fraud, and abuse. The audit steps for this section included reviewing a sample of software maintenance-related procurement documents (e.g., contracts, interagency agreements, cooperative agreements, cost-sharing, etc.) to determine whether (1) maintenance services were clearly specified in the scope of work; (2) adequate performance standards or criteria for acceptance or rejection of deliverables from the maintenance services were specified; and (3) test plans and test results were required as deliverables. In addition, participants determined whether maintenance work was performed in accordance with the contract and whether user needs were met.
Cost Management
Software maintenance cost represents a significant percentage of the total cost of IRM in the Federal Government (estimates range from 20 to 70 percent). In order for IRM resources to be properly utilized, software maintenance costs must be properly accumulated and accurately reported. Both labor and computer costs should be maintained for each type of maintenance effort. The audit steps for cost management included determining (1) how agencies are tracking and maintaining software maintenance costs; (2) what types of costs are being maintained; and (3) whether software maintenance costs are being capitalized or expensed.
IRM Staff Qualifications
Cost-effective software maintenance of application systems depends heavily on having adequately qualified personnel. Accountability should also be established to ensure the tasks are effectively performed. To ensure that personnel are adequately qualified and can be held accountable, position descriptions should accurately reflect software maintenance responsibilities. In addition, performance standards must include specific criteria for evaluating employees' performance in the software maintenance process. The audit steps for this section involved reviewing the position descriptions and performance requirements of employees responsible for performing software maintenance to determine whether these documents reflected this aspect of their jobs.
Internal Control Issues
In providing for implementation of the Federal Managers' Financial Integrity Act of 1982, OMB Circular A-123 requires agencies to establish and maintain a cost-effective system of internal controls to provide management with reasonable assurance that assets are safeguarded against waste, loss, and unauthorized use. This set of audit steps included reviewing agencies' Federal Managers' Financial Integrity Act reports to the President and Congress in order to determine whether any material internal control weaknesses related to software maintenance were reported. In addition, agencies were to determine whether software maintenance was categorized as a separate assessable unit and whether any software maintenance weaknesses identified during this review met OMB's materiality criteria.
Acronyms
| ADP | Automatic Data Processing |
| AQLs | Acceptable Quality Levels |
| CO | Contracting Officer |
| COR | Contracting Officer Representative |
| CPFF | Cost-Plus-Fixed Fee |
| CSIP | Computer Systems Integrity Project |
| DOS | Department of State |
| EPA | Environmental Protection Agency |
| FIPS | Federal Information Processing Standards |
| GAO | General Accounting Office |
| GSA | General Services Administration |
| HHS | Department of Health and Human Services |
| HUD | Department of Housing and Urban Development |
| IRM | Information Resources Management |
| IT | Information Technology |
| NASA | National Aeronautics and Space Administration |
| NBS | National Bureau of Standards |
| NIST | National Institute of Standards and Technology |
| NSF | National Science Foundation |
| OFPP | Office of Federal Procurement Policy |
| OIG | Office of Inspector General |
| OMB | Office of Management and Budget |
| OPM | Office of Personnel Management |
| PCIE | President's Council on Integrity and Efficiency |
| PRS | Performance Requirement Summary |
| QASP | Quality Assurance Surveillance Plan |
| RRB | Railroad Retirement Board |
| SOW | Statement of Work |
| SSA | Social Security Administration |
| VV&T | Verification and Validation Testing |
Footnotes
1. System software refers to the computer programs that manage the processing workload and control user access to the various resources of the computer system.
2. A Multiple Virtual Storage operating system mechanism for identifying and specifically authorizing programs which are to process in an unrestricted or privileged instruction mode.
3. This Directive instructed Federal departments and agencies to take immediate action to address the deficiencies identified in both the specific systems reviewed in Task 2A and in other agency systems with similar system software. In addition, agencies were urged to pay special attention to the requirements of the Computer Security Act.
4. Applications are programmatic if they directly support workload functions involving client services dictated by law or regulation; they are considered administrative if they do not.
Created February 2, 1997