
Compliance Follow-Up Audit of the Department of State Process To Select and Approve IT Investments

AUD-IT-21-34
    Unclassified

    What OIG Audited
    In March 2016, the Office of Inspector General (OIG) reported that the Department of State (Department) generally did not select IT investments following the defined process or in accordance with Office of Management and Budget (OMB) requirements. This occurred, in part, because the Bureau of Information Resource Management (IRM) did not have sufficient, centralized oversight; have controls to avoid duplicative IT investments; or fully use the IT portfolio management system. OIG conducted this audit to determine whether (1) IRM took actions sufficient to warrant the closure of seven specific recommendations from the Audit of the Department of State Process To Select and Approve Information Technology Investments or (2) additional actions are needed to improve the IT investment selection and approval process.

    What OIG Recommends
    With the issuance of this report, OIG is closing five of seven selected recommendations from its 2016 report, offering four new recommendations, and leaving two open, pending further action. On the basis of management’s response to a draft of this report and related discussions, OIG considers all recommendations resolved, pending further action. A synopsis of management’s response to the recommendations offered and OIG’s reply follow each recommendation in the Audit Results section of this report. The Bureau of Administration’s response to a draft of this report is reprinted in its entirety in Appendix B.

    What OIG Found
    IRM completed corrective actions to close one recommendation that related to developing and implementing policy and additional guidance for recording details of IT investments in the Department’s IT portfolio management system. Specifically, OIG found that IRM adopted relevant OMB guidance and updated internal policies and procedures, as needed, to reflect the OMB guidance for IT investment tracking.

    OIG also found that IRM took some actions to address four open recommendations, but further improvements are needed to fully address the 2016 audit findings. Specifically, IRM considered but has not developed and implemented policies and procedures related to reviewing IT portfolio reorganizations. In addition, although IRM had developed and implemented a process to compare requests for new IT investments to the existing IT portfolio to help identify duplicative systems, it has not performed a benchmark assessment, as previously recommended, of the entire IT portfolio to identify existing duplicative systems. Furthermore, although IRM designed and implemented a process to review and approve bureau funded IT contracts, OIG found that not all IT procurements were appropriately routed to the Chief Information Officer for review and approval. Until additional actions are taken, IRM will not be able to fully identify duplicative systems and related cost-saving opportunities, optimize its IT investments, or promote shared services. OIG is therefore closing the previous four recommendations and issuing new recommendations to address the current situation.

    Finally, OIG found that IRM had not taken sufficient corrective action related to two open recommendations. Specifically, IRM did not take action to develop and implement a process to identify and review bureau-specific IT investment methodologies. In addition, IRM has not developed and implemented policies and procedures to oversee and enforce requirements for bureaus and offices to avoid duplicative IT investments. These actions are needed to improve accountability and to further identify and avoid duplicative IT investments.

    Recommendation Number
    1
    Closed Implemented

    OIG recommends that the Bureau of Information Resource Management develop and implement policies and procedures related to reviewing IT investment reorganizations conducted by all bureaus and offices to ensure that the resulting investments comply with Office of Management and Budget, Circular A-130, requirements.

    Recommendation Number
    2
    Open Resolved

    OIG recommends that the Bureau of Information Resource Management conduct an in-depth review of the entire agency IT portfolio to identify potential duplicative systems.

    Recommendation Number
    3
    Open Resolved

    OIG recommends that the Bureau of Information Resource Management develop and implement, to the extent practicable, a strategy to combine, eliminate, or replace the duplicative systems identified during its review of the entire agency IT portfolio (Recommendation 2).

    Recommendation Number
    4
    Closed Implemented Significant

    OIG recommends that the Bureau of Administration develop and implement a methodology for identifying requisitions of or exceeding $10,000 that have not been properly identified as IT-related acquisitions.