The Drug Enforcement Administration's Management of Enterprise Architecture and Information Technology Investments
Report Number 04-36
Office of the Inspector General
To properly manage its IT investments, the DEA is in the process of developing an Enterprise Architecture (EA) and an Information Technology Investment Management (ITIM) process. An EA establishes an agencywide roadmap to achieve an agency's mission through optimal performance of its core business processes within an efficient IT environment. ITIM involves implementing processes such as: identifying existing IT systems and projects, identifying the business needs for the projects, tracking and overseeing projects' costs and schedules, and selecting new projects rationally. Governmentwide reviews by the Government Accountability Office (GAO) and audits by the Office of the Inspector General (OIG) covering IT management in the DEA found weaknesses in aspects of EA, ITIM, and information security. Because of the importance of the DEA's management of its 38 IT systems, as listed in its current EA, we performed this audit to determine if the DEA is effectively managing its EA and its IT investments.
To perform the audit, we interviewed officials from the DEA, the DOJ, the GAO, and Bearing Point - the DEA contractor developing the EA. Additionally, we reviewed documents related to EA and IT management policies and procedures, project management guidance, strategic plans, IT project proposals, budgets, and organizational structures. To determine whether the DEA is effectively managing its EA, we requested that the DEA complete a survey originally developed by the GAO, to identify which core elements in the EA Management Framework have been implemented. We also used the GAO's ITIM Framework (Framework) and the associated assessment method to evaluate the management of the DEA's investments. As part of the Framework's assessment method, the DEA completed a self-assessment of its IT investment management activities.
The Information Technology Management Reform Act of 1996 (known as the Clinger-Cohen Act) requires the head of each federal agency to implement a process for maximizing the value of the agency's IT investments and for assessing and managing the risks of its acquisitions. A key goal of the Clinger-Cohen Act is for agencies to have processes in place to ensure that IT projects are being implemented at acceptable costs and within reasonable timeframes, and that the projects are contributing to tangible, observable improvements in mission performance. In addition, the Clinger-Cohen Act requires the head of each agency to develop, maintain, and facilitate the implementation of architectures as a means of integrating business processes and agency goals with IT. The Office of Management and Budget (OMB) Circular A-130 requires each federal agency to establish and maintain a capital planning and investment control process for IT.
The DEA is effectively pursuing completion of both its EA and ITIM. Although the EA is still being developed and the DEA has not established a target date for completing its ITIM processes, the DEA is using many sound practices from both. The DEA will be more fully effective in managing its EA and IT investments once its EA and ITIM processes are completed and mature.
Enterprise Architecture (EA)
If completed in September 2004 as scheduled, the DEA EA should provide a blueprint that will enable the DEA to more effectively and efficiently manage its current and future IT infrastructure and applications. The DEA has completed much of its EA, with the exception of developing a target architecture and a transition plan to accomplish the target architecture. To date, the DEA has established a foundation consistent with the EA Management Framework to build its EA program. The DEA has assigned roles and responsibilities for developing the EA, committed resources, and established plans for completing the remaining stages. In addition, the DEA has developed a general, high-level description of its existing, or "as is," architecture. However, without a completed EA, any organization assumes some degree of risk that it might invest in IT that is duplicative, not well-integrated, costly, or not supportive of the agency's mission. In continuing to develop its EA, the DEA is taking steps to mitigate such risks. By completing its EA, the DEA will minimize the risks even further and provide a realistic vision of its future IT requirements.
As of April 2004, the DEA had completed nearly 90 percent of the EA Management Framework criteria for meeting the second of five levels of maturity. The DEA estimates that it will cost approximately $2.7 million to complete the EA. In FY 2002, the DEA spent $667,000 from its base appropriations for EA development. In FY 2003 the DEA requested an additional $400,000 to continue development, but the funding was not approved. According to the DEA's EA Chief Architect, approval of the requested amount would have allowed the DEA to complete a detailed description of the existing architecture more quickly.
The DEA has allocated 4.25 full-time equivalent staff - but assigned 3.25 full-time equivalent staff (.5 managers, .5 staff members, and 2.25 contractors) - in support of EA efforts and completion of the current EA. The Deputy Assistant Administrator of the DEA's Office of Information Systems, which is the office tasked with developing the DEA's EA, is currently serving as the Chairman of the Department's EA Committee. The Chief Architect, who established the foundation for the DEA's EA, had transferred to the DEA from the Department's Justice Management Division where she had dealt with technology issues. The DEA's Program Office has two senior analysts and one junior analyst assigned to work on completing the EA. Additionally, the DEA hired a contractor in October 2003 to aid in the completion of the EA.
In addition to funding and human resources, the DEA has acquired tools and technology to support its EA activities. The DEA uses the Popkin System Architect (Popkin) as its automated EA tool. According to the Chief Architect, one reason the DEA chose Popkin is that the Department is also using Popkin, and the future integration of the DEA's EA with the Department's EA may be more easily achieved. Because the DEA has just recently begun using the Popkin tool, we did not assess its effectiveness in clearly and completely documenting the DEA's EA, but we agree that using the same tool as the Department should aid in the future integration of the agency's EA with the Department's EA.
The DEA has established three governing committees, or investment boards: 1) the Executive Review Board, 2) the Business Council, and 3) the Compliance Council. Together, the three governing committees are responsible for ensuring that the DEA's EA meets all federal and Departmental requirements.
The Executive Review Board is responsible for providing leadership to implement a managed IT capital planning and investment control process. The IT capital planning and investment control process includes the development and maintenance of an agencywide EA.
The Business Council's primary responsibility is to ensure that projects and investments recommended by program managers are consistent with the DEA's mission, strategic plan, capital planning goals, EA, and security policy. Business Council members function as the working level experts for the ITIM process by providing business expertise specific to their respective business unit.
The Compliance Council is responsible for evaluating IT investments and the DEA's EA to ensure compliance with legislative regulations and DEA policy. The Compliance Council consists of members whose day-to-day responsibilities involve a compliance area. The members work to ensure compliance with such areas as the Federal Enterprise Architecture, the Government Performance and Results Act, and the Government Information Security Reform Act. The Chief of the Strategic Business Management Section, Office of Information Systems, chairs this committee.
The EA Management Framework states that EA development and maintenance should be managed as a formal program. Accordingly, the DEA reorganized its Office of Information Systems to include a Strategic Business Analysis Section as the EA Program Office (Program Office). The Program Office is responsible for the development and maintenance of the DEA EA. To accomplish its responsibility, the Program Office coordinates with offices throughout the DEA as well as external IT organizations. The Program Office assists DEA customers in developing their concepts and plans for the application of IT to their business processes, and also assists customers with the ITIM process.
The DEA's methodology to develop its EA is a three-phase approach.
Phase 1. Includes documenting, at a high-level, what currently exists within the DEA in terms of business areas, applications, data, and technology.
Phase 2. Includes 1) providing more detail to the current architecture, 2) goals and objectives stated in the Department and the DEA strategic plans, 3) performance measures, 4) aligning the DEA's architecture with the Federal Enterprise Architecture reference models, and 5) aligning the architecture with the DEA's capital planning process.
Phase 3. Includes the establishment of the target architecture, including security compliance and the development of a transition plan.
The DEA completed Phase 1 of the EA development in September 2002. In February 2003, the DEA's CIO submitted the high-level description of the DEA's current EA to the three DEA IT governing boards for inclusion in the budget process. The DEA stated that its contractors completed Phase 2, and as of February 2004 the DEA was in the process of reviewing the contractor's work for compliance with the Federal Enterprise Architecture Framework requirements. The DEA has not yet begun Phase 3 of the EA project.
The DEA has not yet established measures of EA progress, quality, compliance, and return on investment, which are necessary to ensure that the EA meets the targeted milestones and complies with the necessary regulatory requirements. Measuring return on investment would tell the DEA what benefits are realized by the development of the EA in relation to the cost of the EA development.
The DEA did not establish a formal written and approved policy for developing the EA. However, the DEA did establish the required elements of the EA development policy in different ways:
Yet, consolidating the EA development information in the form of an organization policy allows any DEA staff member to consult one document for information concerning the development and implementation of the DEA EA.
The DEA has developed one EA product, the high-level current architecture. In September 2002, the DEA documented its high-level current EA using DEA personnel assisted by a contractor. The high-level current EA provided the DEA with descriptions of its business processes, applications used to carry out the business processes, data used in accomplishing the business processes, technology used in implementing the business processes, and stakeholders affected by the business processes. The 2002 high-level current EA lacked the detail necessary to progress to the target architecture, but in April 2004 the contractor added the necessary detail, and the DEA accepted the product.
To complete its EA, the DEA must finish two additional products: 1) the target architecture, and 2) a transition plan from the current to the target architecture.
The DEA's target architecture will define the vision of the DEA's future business operations and supporting technology and will also describe the desired capability and structure of the business processes, information needs, and IT infrastructure at some point in the future. Just as the current architecture captured the existing business practices, functionality, and information flows, the target architecture will reflect what the DEA needs to evolve its information resources.
The DEA's transition plan will provide a step-by-step process for moving from a current architecture to a target architecture. Such a plan is the primary tool used for program management and investment decisions because the plan represents the current environment as well as any development programs that are planned or underway. To remain current and to support continued coordinated improvements across the DEA, the transition plan should be maintained and updated as time and circumstances dictate. In addition, the DEA must ensure that all EA products when completed undergo configuration management - a process of managing changes to IT systems or hardware - and that the target architecture addresses security as outlined in the EA program plan.
Information Technology Investment Management
The DEA manages its IT investments through agencywide replicable processes rather than through a single office. To illustrate the processes, the DEA created a graphic illustration called "The House" (see Appendix 5) showing how strategic planning, budgeting, procurement, ITIM, quality management, IT security, System-Development-Life-Cycle program management, and EA work together to accomplish the DEA's mission.
Most DEA divisions (Operations, Intelligence, Financial Management, Operational Support, and Inspection) manage major IT systems and initiatives. The Office of Information Systems is responsible for ensuring that the procedures and applications developed by DEA divisions and their offices are in compliance with the DEA-wide programs for IT strategic planning, IT capital planning and investment control, and the EA. The divisions are responsible for specific networks and applications supporting their respective missions.
In December 2001, in an effort to improve its IT investment management practices and comply with the Department's and other statutory regulations, the DEA developed the "ITIM Process Guide and Transition Plan." The purpose of the plan is to better ensure that technological resources are linked to the DEA mission and IT Strategic Plan while providing a solid return on investment. According to the plan, the DEA would introduce ITIM over three years, in three phases. Each phase would correspond to one fiscal year: Phase 1 would focus on the business and budget side of ITIM, while Phases 2 and 3 would focus on the technical side. Also, in Phase 2, ITIM would integrate security activities, and in Phase 3 ITIM would integrate EA activities.
The DEA has attained a basic ITIM capability (Stage-2 maturity) to establish the foundation for effective and replicable IT project-level investment selection and control processes. Selection processes ensure that the DEA has an effective methodology for approving only those IT projects that are consistent with its needs and goals. Effective control processes ensure that deviations from cost and schedule baselines can be identified quickly.
To ensure that the select and control processes were carried out, the DEA chartered three investment boards: the Executive Review Board, Business Council, and Compliance Council. The DEA created a hierarchical approach to the operation of the investment boards to ensure that no overlaps or gaps existed within the scope of the boards' authorities and responsibilities.
Before the boards become involved in the ITIM process, the Management Group works closely with the project and program managers to ensure the completeness of the IT investment proposals and monitor the performance of the investments after funding. The proposals are first forwarded to the Business Council for review and scoring based on the DEA mission and goals. Based on the results of its review, the Business Council makes recommendations to the Executive Review Board on the IT projects for which funding has been requested. The Executive Review Board evaluates the recommendations to ensure that the DEA's mission and goals are being met through the investments and then makes final recommendations to the DEA Administrator. The Compliance Council ensures that IT investments comply with legislative regulations and DEA policy.
The DEA has completed one selection cycle within the ITIM process and as of March 2004 was in the process of completing a second cycle for the 2006 budget year. We reviewed the minutes of the Business Council meeting to determine if the DEA was actually using its prescribed selection process. According to the minutes, the program managers made presentations to the Business Council, which were ranked and prioritized based on how the projects met mission goals and objectives. The Business Council's decision was forwarded to the Executive Review Board for further evaluation and a funding recommendation.
To meet the requirement of the ITIM Framework, the DEA has required each project to have a Project Management Plan (PMP). The PMP documents the purpose, scope, and background of the project, the project organization, and the management and technical approach. The PMP also contains the project schedule and funding information. A number of supplemental exhibits are included with the PMP, for example: project sizing and documentation requirements, project questionnaires, staff roles and responsibilities, the work breakdown schedule, primary points of contacts, and a system risk matrix.
In addition, the OMB requires all major IT investment plans to be summarized and reported in the Exhibit 300. The Exhibit 300 captures cost, schedule, and performance data along with earned-value, project assumptions, and risks. Further, the DEA Investment Guide states that after a project's concept proposal is approved, a business case must be developed for each project for further consideration. A business case consists of a project plan, feasibility study, cost-benefit analysis, and concept of operations. These documents are all part of the PMP.
Our review of the DEA PMP determined that the DEA includes a change control page to track all changes made to the project. We also found that the DEA Investment Guide requires that, during the control phase, investments are subject to periodic progress reviews to assess cost management, schedule variance, and the realization of planned benefits. According to the DEA, the investment boards' activities are evolving and will include more activities during the Control Phase in 2004. In addition, the DEA investment repository is to be updated to reflect all changes and the results of the reviews. The EA, including the investment repository, is made available to the investment boards as part of the budgetary process to aid in making funding decisions.
The development of the IT investment portfolio is an ongoing process that includes decision-making, prioritization, review, realignment, and reprioritization of projects that are competing for resources and funding. The process for creating the portfolio should ensure that each IT investment board manages investments according to an organizational, strategic-planning perspective. The boards should collectively analyze and compare all investments and proposals to select those that best fit with the strategic business direction, needs, and priorities of the entire organization.
The DEA has documented the processes for selecting an investment portfolio in its ITIM Process Guide. The ITIM Process Guide provides policies and procedures that supplement and support guidance from DOJ Order 2880.1A and OMB Circular A-11 regarding investment analysis. The ITIM Process Guide contains detailed processes for analyzing, selecting and maintaining the investment portfolio. In addition, the DEA requires program managers to develop an Exhibit 300, as explained in OMB Circular A-11, for all projects to be submitted for final funding approval.
We also found that the DEA has taken steps to ensure that information used to select, control, and evaluate the portfolio is captured and maintained for future reference. The DEA is maintaining the minutes and action items electronically from investment boards' meetings for retrieval at a later date. The DEA also uses an Information Technology Investment Portfolio System (ITIPS), which tracks the planning, acquisition, and operations of Automated Information Systems and IT investments. The ITIPS also complies with federal requirements such as the Government Performance and Results Act, the Paperwork Reduction Act, and the Clinger-Cohen Act. The DEA is assessing other tools to better capture the required information about IT investments. The DEA's ability to effectively capture investment information on past and present IT decisions in one system can translate into better decisions on IT investments during control phase activities, as well as during the evaluation and selection processes. The ITIM Framework states that IT information systems that deliver information that is up-to-date, encompassing, and presented in a useful format will enhance the decision process.
In an effort to streamline the Business Council's and the Executive Review Board's access to current information on the status of DEA IT investments, the DEA is working to adopt a Departmental database that would provide the Department's CIO, component CIOs, and project managers with current status information on major and other highly visible IT systems in the Department's portfolio. Once implemented, the Business Council, Executive Review Board members, and project managers may use the database to gain a quick reference to determine the cost, schedule, and risks for investments contained in the DEA IT portfolio.
The DEA has made progress toward obtaining a mature ITIM process. However, the DEA has not established a schedule for completing the remaining stages of the ITIM process. Also, the DEA has not provided formal training for investment board members to ensure that they are familiar with portfolio evaluation and improvement procedures. However, at the beginning of the meeting, the DEA ITIM Management Group outlines for the Business Council the process to be used for IT investment review. A formal training session would enable board members to become more familiar with the ranking categories and to understand what each category entails and how each category is important to the evaluation of each IT investment.
For the DEA to attain a mature ITIM process as described by the ITIM Framework, the DEA must: 1) evaluate the performance of the portfolio and use the information gained from the evaluation to improve both current IT investment processes and the future performance of the investment portfolio, 2) manage the succession of information systems by replacing low-value systems with higher-value systems, 3) optimize the investment process by ensuring that best practices of other organizations are captured and incorporated within the DEA's IT investment process, and 4) use IT to strategically transform work processes, while exploring new and more effective ways of executing the DEA's mission.
The recommendations we made to the DEA are to: