Objectives

The objectives of the audit were to: 1) determine if the DEA was effectively managing its Enterprise Architecture; and 2) determine if the DEA was effectively managing its IT investments.

Scope and Methodology

The audit was performed in accordance with Government Auditing Standards, and included tests and procedures necessary to accomplish the audit objectives. We conducted work at the DEA Headquarters in Arlington, Virginia.

To perform our audit, we conducted approximately 17 interviews with 9 officials from the DEA, DOJ, GAO, and Bearing Point - the contractor being used to complete DEA EA. Additionally, we reviewed over 90 documents related to EA and IT management policies and procedures, project management guidance, strategic plans, IT project proposals, budget documentation, organizational structures, investment board minutes, and prior GAO reports.

To determine whether the DEA is effectively managing its EA, we used the GAO's EA Management Framework as criteria. As part of our assessment of the DEA's EA, the DEA completed a survey developed by the GAO to identify which of the core elements in the EA Management Framework were implemented. We reviewed the survey and obtained supporting documentation for the core elements that the DEA said were implemented. We did not test or review documentation for the core elements that the DEA considered not implemented or partially implemented. We did not perform an independent analysis of the DEA's current EA to determine if all business areas and IT systems were listed. We made an assumption that the DEA's current architecture represented the DEA's existing IT infrastructure.

To determine whether the DEA is effectively managing its IT investments, we applied the GAO's ITIM Framework and the associated assessment method. As part of the Framework's assessment method, the DEA completed a self-assessment of its IT investment management activities. In addition to the self-assessment, the DEA provided documentation; for example, polices and procedures, templates, program managers' presentations, meeting minutes, and training agenda and information, to support its claims within the self-assessment. We examined the documentation provided to determine if the DEA implemented the key practices within the critical processes. We did not review documentation for the key practices in the self-assessment that the DEA considered not implemented or partially implemented.