In recent years, the Office of the Inspector General and the Government Accountability Office (GAO) have conducted several audits that are relevant to our review of DOJ IT systems. These audit reports resulted in many findings and recommendations to DOJ and component IT management, which focused on establishing and correcting existing IT investment management (ITIM) and Capital Planning and Investment Control (CPIC) structures. These reports did not audit the reliability of cost data for any specific projects.

Department of Justice, Office of the Inspector General

In December 2002, the OIG issued Audit Report 03-09, The Federal Bureau of Investigation's Management of Information Technology Investments, which reviewed the FBI’s IT management processes and IT-related strategic planning and performance measurement activities. The OIG reported that the FBI did not meet the fundamental elements of a sound ITIM. The OIG also reviewed the FBI’s management of Trilogy, the FBI’s largest and most critical IT project at the time. The OIG found that the lack of critical IT investment management processes contributed to missed milestones and led to uncertainties about cost, schedule, and technical goals.

Although the FBI took steps to improve IT management, the OIG report concluded that the FBI’s IT strategic planning and IT performance measurement were inadequate. Likewise, the FBI's strategic plan did not include goals for IT investment management, and the FBI’s strategic plan and performance plan was not consistent with DOJ’s annual performance plan.

In 2005, the OIG again looked at the FBI’s IT structure – specifically the Trilogy IT project. The OIG issued Audit Report 05-07, The Federal Bureau of Investigation’s Management of the Trilogy Information Technology Modernization Project, to assess FBI’s Trilogy project. In April 2004, the FBI had completed the infrastructure upgrade portion of the Trilogy project. However, at the time of the OIG audit the FBI was over budget and behind schedule for the Virtual Case File system of Trilogy. This report contained nine recommendations regarding the FBI’s management of the remaining aspects of the Trilogy project and its IT management in general, including one to ensure its financial systems could track Trilogy project costs accurately and completely.

The OIG has also reviewed enterprise architecture development and IT management at other DOJ components. In September 2004, the OIG issued Audit Report 04-36, The Drug Enforcement Administration's Management of Enterprises Architecture and Information Technology Investments. The OIG concluded that the DEA was effectively pursuing completion of both its enterprise architecture and ITIM. The OIG provided the DEA with seven recommendations for developing the enterprise architecture and ITIM.

In November 2005, the OIG issued Audit Report 06-02, The Status of Enterprise Architecture and Information Technology Investment Management in the Department of Justice. At the time of the OIG audit, DOJ had not yet established an Enterprise Architecture or ITIM processes and therefore was not in compliance with the Clinger-Cohen Act, OMB guidance, and DOJ regulations. However, DOJ was actively developing and implementing new frameworks aimed at establishing an Enterprise Architecture and ITIM processes. The OIG provided seven recommendations to JMD to improve DOJ’s IT management.

Government Accountability Office

The GAO has also reviewed the FBI Trilogy Project and other issues concerning management of IT at DOJ. In February 2006, GAO issued Federal Bureau of Investigation: Weak Controls over Trilogy Project Led to Payment of Questionable Contractor Costs and Missing Assets, which identified millions of dollars in questioned costs and missing assets.

In 2005 and 2006, the GAO reviewed government-wide IT and the Office of Management and Budget’s processes for overseeing these investments.³⁹ The GAO’s reports reviewed IT systems identified as high-risk projects and those listed on OMB’s Management Watch List. GAO concluded that OMB should develop single lists for both high risk and Management Watch List projects and their respective deficiencies, and direct agencies to consistently apply the criteria for designating projects at high risk.

In 2005, the GAO completed an update to Congress on government-wide high-risk areas.⁴⁰ The GAO identified 25 high risk areas, which included managing federal real property and protecting the federal government’s information system and the nation’s critical infrastructure. Similar to what the OIG found in the current audit, the GAO determined the actual cost data for IT systems at other agencies was unreliable. Further, the GAO found these agencies relied on ad-hoc costing processes rather than formal cost accounting systems with adequate controls.

39. Government Accountability Office. Information Technology: OMB Can Make More Effective Use of Its Investment Reviews, Report Number GAO-05-276, April 2005.

    Government Accountability Office. Information Technology: Agencies and OMB Should Strengthen Processes for Identifying and Overseeing High Risk Projects, Report Number GAO-06-647, June 2006.

40. Government Accountability Office. High-Risk Series: An Update