U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment
Quick Reaction Report
EPA Should Delay Deploying
Its New Acquisition System until
Testing Is Completed
Report No. 09-P-0197
July 20, 2009
-------�
Report Contributors: Rudolph M. Brevard
Charles M. Bade
Corey Costango
Wen-Tswan Chen
Sabrena Stewart
Abbreviations
EAS EPA Acquisition System
EPA U.S. Environmental Protection Agency
OAM Office of Acquisition Management
OIG Office of Inspector General
RTM Requirements Traceability Matrix
-------�
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
09-P-0197
July 20, 2009
Catalyst for Improving the Environment
Why We Did This Review
We sought to determine to
what extent the U.S.
Environmental Protection
Agency (EPA) has planned
and executed information
system testing to make
informed decisions about the
release of the EPA
Acquisition System.
Backgrounds
EPA acquires approximately
$1.3 billion in goods and
services annually. The Office
of Acquisition Management
(CAM), within the Office of
Administration and Resources
Management, is responsible
for managing the Agency's
procurement of products and
services. A strategic goal of
OAM is "optimizing business
processes." As a part of this
effort, OAM is developing a
new acquisition system, the
EPA Acquisition System.
For further information,
contact our Office of
Congressional, Public Affairs
and Management at
(202)566-2391.
To view the full report,
click on the following link:
www.epa.qov/oiq/reports/2009/
20090720-09-P-0197.pdf
EPA Should Delay Deploying Its New Acquisition
System until Testing Is Completed
What We Found
OAM did not comply with EPA's System Life Cycle Management policy and
procedure while developing the new EPA Acquisition System (EAS). OAM did not
fully develop the system's requirements documents during the requirements phase and
requirements were incomplete. Test scripts were not developed to prove that the
system fulfilled all requirements and ensure that the system would function as required.
Although the EAS Project Manager developed a Draft Master Test Plan that contained
testing procedures, OAM management never approved, implemented, and enforced this
plan.
OAM management did not provide the oversight, authority, and support necessary to
ensure the EAS development project complied with EPA's System Life Cycle
Management policy and procedure. Because OAM had not completed the steps needed
to reasonably ensure that EAS would meet EPA's business needs if implemented by
June 29, 2009, as planned, OAM does not have a sound basis for deploying EAS as
scheduled. More management emphasis is needed to ensure the system development
control environment achieves the desired results and the end product meets EPA's
needs.
What We Recommend
We recommend that the Assistant Administrator for Administration and Resources
Management:
• Identify and document all system requirements, including functional, technical,
security, and EPA-specific requirements, in the EAS Requirements
Document(s).
• Update, review, and implement formal testing policies and procedures.
• Delay implementing EAS until OAM has successfully tested all system
requirements.
• Update the EAS Project Schedule to communicate the current status of and
future plans for EAS project activities.
• Develop and implement oversight procedures to ensure that further EAS system
development activities and future projects adhere to all requirements.
During a meeting on May 27, 2009, OAM management agreed with our findings and
informed the audit team that OAM has delayed EAS deployment until after the fiscal
year end.
-------�
\ UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
0 S WASHINGTON, D.C. 20460
'"
OFFICE OF
INSPECTOR GENERAL
July 20, 2009
MEMORANDUM
SUBJECT: EPA Should Delay Deploying Its New Acquisition System
until Testing Is Completed
Report No. 09-P-0197
FROM: Rudolph M. Brevard
Director, Information Resources Management Assessments
TO: Craig H. Hooks
Acting Assistant Administrator for Administration and Resources Management
This is our Quick Reaction Report on the subject audit conducted by the Office of Inspector
General (OIG) of the U.S. Environmental Protection Agency (EPA). This report conveys
significant time-sensitive issues the OIG has identified and corrective actions the OIG
recommends. This report represents the opinion of the OIG and does not necessarily represent
the final EPA position. Final determinations on matters in this report will be made by EPA
managers in accordance with established audit resolution procedures.
The estimated cost of this report - calculated by multiplying the project's staff days by the
applicable daily full cost billing rates in effect at the time - is $249,019.
Action Required
In accordance with EPA Manual 2750, you are required to provide a written response to this
report within 90 calendar days. You should include a corrective actions plan for agreed upon
actions, including milestone dates. We would like to thank your staff for their cooperation. We
have no objections to the further release of this report to the public. This report will be available
at http://www.epa.gov/oig.
If you or your staff have any questions regarding this report, please contact me at (202) 566-0893
or brevard.rudy@epa.gov: or Charles M. Dade, Project Manager, at (202) 566-2575 or
dade.chuck@epa.gov.
-------�
EPA Should Delay Deploying Its New 09-P-0197
Acquisition System until Testing Is Completed
Table of Contents
Purpose 1
Background 1
Scope and Methodology 2
Findings 2
OAM Did Not Fully Develop System Requirements and Test Scripts 3
OAM Did Not Approve, Implement, and Enforce Testing Procedures 4
OAM Lacked Approval Documentation 5
Recommendations 6
Agency Comments and OIG Evaluation 6
Status of Recommendations and Potential Monetary Benefits 8
Appendix
A Distribution 9
-------�
09-P-0197
Purpose
We sought to determine to what extent the U.S. Environmental Protection Agency (EPA) has
planned and executed information system testing to make informed decisions about the release of
the EPA Acquisition System (EAS). Properly testing the system prior to deployment provides
management with the information needed to ensure that the system will meet all of EPA's
business needs and comply with federal and EPA requirements.
Background
EPA indicated it acquires approximately $1.3 billion in goods and services annually. These
acquisitions directly support EPA's mission to protect human health and safeguard the
environment. The Office of Acquisition Management (OAM), within the Office of
Administration and Resources Management, manages the Agency's procurement of goods and
services. A strategic goal of OAM is "optimizing business processes." As a part of this effort,
OAM is in the process of developing a new acquisition system - EAS.
According to OAM's EAS Update briefing provided at the Administrative Officers/Management
Analysts Forum on May 6, 2009, initial deployment of EAS was scheduled for June 29, 2009.
EPA indicated EAS would provide a commercial-off-the-shelf application that can be accessed
from any EPA or secure flexiplace site through the Intranet. Buyers, contract specialists, and
contracting officers throughout EPA Headquarters, regions, and laboratories will use the system
to create and manage contracts and purchases. EPA indicated EAS would provide improved
internal and external reporting, and permit performing acquisition and business functions in a
streamlined, secure, and modern manner. EPA disclosed it would integrate EAS with the
Agency's financial system. The Agency indicated EAS would be used from acquisition request
through contract close-out.
EPA's System Life Cycle Management Policy promotes effective and efficient solutions for
designing and operating information systems. Consistent with the policy, EPA's System Life
Cycle Management Procedure requires periodic, documented, management-level review of
projects by the sponsoring office. The procedure requires program managers to oversee System
Life Cycle Management activities and establishes key opportunities to review development as
the project progresses. Major decision points are called "control gates." At each control gate,
the system manager must present the required System Life Cycle Management documentation
corresponding to the phase being reviewed to receive appropriate management approval.
The EPA System Life Cycle Management Procedure dictates that the requirements phase be
successfully completed prior to starting the system acquisition/development phase.
Requirements must be documented and clearly define what the system must do to satisfy the
business need. Further, the test phase must be successfully completed prior to moving into the
implementation phase. The objective of the test phase, during which system tests are conducted
and evaluated, is to prove that the developed system satisfies all requirements.
The Federal Managers' Financial Integrity Act of 1982 requires Federal Agencies to establish
and maintain a reliable internal control structure and evaluate and report on implementation of
-------�
09-P-0197
internal controls. The report must include whether EPA financial management systems such as
EAS comply with federal requirements; the EPA Administrator reports instances where systems
do not conform.
The Federal Financial Management Improvement Act of 1996 requires the EPA Administrator to
determine whether EPA's financial management systems substantially comply with the Act's
requirements. If the Administrator determines that systems are not compliant, the Administrator
must establish a remediation plan. EPA must also determine whether these noncompliances
should be reported as nonconformances with Section 4 of the annual Federal Managers'
Financial Integrity Act statement.
Scope and Methodology
We performed this audit from February through May 2009 at EPA Headquarters in Washington,
DC. We conducted the audit in accordance with generally accepted government auditing
standards. These standards require that we plan and perform the audit to obtain sufficient and
appropriate evidence to provide a reasonable basis for our findings and conclusions based on the
audit objectives. We believe the evidence obtained provides a reasonable basis for our findings
and conclusions.
We assessed the EAS testing process, and considered relevant internal controls associated with
the scope of our review. We performed a limited review of relevant System Life Cycle
Management documentation, such as project management plans, system requirements
documents, system testing documents, requirements traceability matrices, and evidence of
management reviews and approvals, based on requirements in applicable EPA policies and
procedures and related federal regulations. We also conducted interviews with the EAS Project
Management Team and contracting staff overseeing contracts associated with this system
project.
We had not performed past audits of EAS. Thus, we performed no follow-up during this audit.
Findings
OAM did not comply with EPA's System Life Cycle Management policy and procedure while
developing the new EAS system. OAM did not fully develop the system's requirements
documents during the requirements phase. The requirements were incomplete and test scripts
were not developed to prove that the system fulfilled all requirements and ensure that the system
would function as required. Although the EAS Project Manager developed a Draft Master Test
Plan that contained testing procedures, OAM management never approved, implemented, and
enforced the plan. OAM management did not provide the oversight, authority, and support
needed to ensure EAS development complied with EPA's System Life Cycle Management
policy and procedure. Because EPA did not reasonably ensure that EAS would meet EPA's
business needs if it had been implemented by June 29, 2009, as planned, OAM does not have a
sound basis for deploying EAS as scheduled.
-------�
09-P-0197
EPA plans to interface EAS with the following four systems:
• EPA's Financial Replacement System (EPA's new core financial management system
being developed to replace EPA's Integrated Financial Management System; EAS would
interact with the Integrated Financial Management System until it is replaced)
• Contract Payment System
• Payroll System
• Financial Data Warehouse
Given the above noted weaknesses and the substantial role EAS plays in EPA's financial
reporting, more management emphasis is needed to ensure the system development control
environment achieves the desired results and the end product meets EPA's needs. We believe that
if EAS is deployed as planned, management would not have sufficient basis to determine whether
EAS "substantially complies" with the Federal Financial Management Improvement Act.
Consequently, EPA's Administrator may have to declare a substantial noncompliance in the
Fiscal Year 2009 Financial Statement audit report and declare a material weakness in conjunction
with EPA's 2009 Federal Managers' Financial Integrity Act annual assurance process.
OAM Did Not Fully Develop System Requirements and Test Scripts
The EAS Project Manager stated there is an unknown number of newly defined EAS
system requirements that OAM had not documented in the formal EAS requirements
documents. This occurred because the Program Management Office created more system
requirements during meetings with the EAS system developer and EPA stakeholders but
did not keep track of and update the requirements documents. In response to our request,
the EAS Project Manager tasked the support contractor with going through meeting
minutes and identifying and updating the requirements documents. As of May 6, 2009,
the Project Manager said the process was still taking place. As a result, EAS might be
developed without the missing requirements and system testing may not validate that the
system fulfills the missing requirements and functions as required.
In addition, about one-fourth of the documented EAS system requirements did not have
test scripts to ensure the system successfully meets EPA's needs. This occurred because
OAM did not properly maintain the requirements traceability matrix to ensure that each
requirement mapped to a test script. From July 2007 through April 2009, EAS functional
and technical system requirements grew from approximately 410 to 1,350. In response to
our request for a crosswalk of EAS system requirements and developed testing scripts,
EPA conducted an analysis and indicated approximately 350 requirements were not
mapped to a test script. The importance of capturing all requirements and developing
associated test scripts is noted in OAM's Draft Master Test Plan:
"The RTM [Requirements Traceability Matrix] serves as the basis for all
project requirements management activities, by providing a traceability of
each requirement and ensuring that tests map to all requirements. Every
item in the RTM must first be uniquely identified it is critical to
ensure that all requirements are captured and Test Scripts are developed
-------�
09-P-0197
for each requirement. If a requirement is missing from the list, then there
is a significant risk that the requirement will not be tested, resulting in
incomplete testing. As a result, the product risks the possibility of passing
testing without a thorough test of all requirements. "
By not maintaining the requirements traceability matrix, management did not have
reasonable assurance that each of the requirements was captured and tested to ensure the
system would function as required.
OAM Did Not Approve, Implement, and Enforce Testing Procedures
EPA management did not have a reasonable basis to rely upon the current EAS testing
process because OAM had not approved, implemented, and enforced testing procedures.
Further, OAM provided the vendor with too much control over developing the system
testing scripts without independent verification.
The vendor developing EAS also developed the test scripts used by EPA for the
Government Acceptance Testing and User Acceptance Testing. We found no
compensating controls in place to independently validate the completeness and adequacy
of test scripts prior to testing. The Government Acceptance Testing took place between
December 2008 and April 2009, but the test scripts did not go through a formal review
until April 2009 in response to our request for a complete listing of system requirements
and a crosswalk showing each requirement mapped to a test script. Had EPA followed its
Draft EAS Master Test Plan, all of the EAS requirements and test scripts would have
been reviewed and approved at least 2 weeks before the start of testing.
Although OAM hired a second contractor to help with EAS project management, OAM
did not fully use the second contractor to track and reconcile system requirements and
test scripts. OAM had not:
• Implemented a change management procedure to ensure EAS project changes are
vetted with all parties, approved by EPA management, and incorporated into the
EAS system development process.
• Verified that testing scripts provided by the system developer were correctly
designed to test the prescribed system requirements.
• Followed the steps outlined in the Draft EAS Master Test plan that requires EPA
management to verify the test results once they complete a system test.
• Defined specific criteria in the Draft EAS Master Test Plan to indicate what
constitutes a successful system test.
The EAS Project Manager could not provide any documented evidence to show that
anyone reviewed system requirements for accuracy and completeness before executing
-------�
09-P-0197
the Government Acceptance Testing. The Project Manager also could not provide
documented evidence of formal review and approval of test results. Even though some
test results reports were generated, there was no evidence that those reports were
reviewed and approved because there was no formal signoff on those reports. If the Draft
EAS Master Test Plan were approved, implemented, and enforced, all of the EAS
requirements and test scripts would have been reviewed and signed off on by the
Functional Lead and Technical Lead before the start of the Government Acceptance
Testing. Further, key reports would have been used to summarize the testing results and
provide insight on the system's success at meeting requirements. In addition, each round
of testing would not have been successfully completed until all requirements passed
testing or were marked for a future release by EPA and the results were formally
approved by EPA.
Without independently verifying the accuracy and completeness of system requirements
and test scripts prior to testing, OAM cannot properly plan and execute its testing.
Without reliable test scripts and documented independent reviews of test results, OAM
will not have the reasonable assurance that the system satisfies defined requirements and
mission needs. Further, inconsistencies in interpreting test results could result from not
having criteria for defining a successful test. As a result, OAM would not have had a
reasonable basis for concluding that EAS was ready for deployment by the June 29, 2009,
planned deployment date.
OAM Lacked Approval Documentation
OAM lacked approval documentation to support that the EAS Project Team completed
all the required system development activities outlined in EPA's System Life Cycle
Management policy and procedure.
Our review focused on EAS testing processes; as such, we did not perform detailed
reviews of all EAS project management documents. However, in several instances,
management could not provide documentation that it met prescribed Agency
requirements. For example, OAM proceeded to the Acquisition/Development Phase,
where it issued the Request for Proposal and made a vendor selection prior to completing
all of the required documents for the requirements phase. OAM had only identified about
30 percent (410 of 1,350) of the requirements as of the time of the Request for Proposal.
In addition, the EAS Project Management Team could not provide evidence that OAM:
• Performed a feasibility study during the EAS system planning phase.
• Approved and implemented the Configuration Management Plan during the
system planning phase.
• Completed and approved the Requirements Documents during the requirements
phase.
-------�
09-P-0197
• Obtained the Chief Architect's certification on the EAS Solution Architecture
before the EAS project moved into the development phase.
The absence of key EAS documentation is an indicator that the management control
structure for EAS development requires more emphasis. Project reviews and subsequent
approvals provide management with a reasonable basis to evaluate whether the EAS
Project Management team took the necessary steps to manage the project's risks and
ensure the developed application meets EPA's needs.
Recommendations
We recommend that the Assistant Administrator for Administration and Resources Management:
1. Identify and document all system requirements, including functional, technical, security,
and EPA-specific requirements, in the EAS Requirements Document(s).
2. Update, review, and implement formal testing policies and procedures that would
enforce:
a. the review and approval of all system requirements prior to testing,
b. the completion of Requirement Traceability Matrices mapping each system
requirement to a test script,
c. the independent validation of vendor-supplied test scripts prior to testing, and
d. the review and approval of testing results at the end of each round of testing.
3. Delay EAS implementation until OAM has successfully tested all of the system
requirements.
4. Update the EAS Project Schedule to communicate the current status of and future plans
for EAS project activities.
5. Develop and implement oversight procedures to ensure that further EAS system life cycle
activities, as well as any future System Development/Acquisition projects, adhere to all
requirements outlined in EPA's System Life Cycle Management policy and procedure.
Agency Comments and OIG Evaluation
On May 27, 2009, the audit team met with OAM management to discuss the finding outline for
our report. OAM management agreed with our findings, acknowledged our concerns regarding
prematurely deploying the system, and informed the audit team that OAM has delayed EAS
deployment until some time after the fiscal year end. OAM management contended that using
vendor-supplied testing scripts does not automatically mean the testing process is fundamentally
flawed. OAM management also stated that they have documentation to support test script
review activities.
-------�
09-P-0197
We changed the report, where appropriate, to address OAM management's concerns. We agree
that using vendor-supplied testing scripts does not automatically mean the testing process is
fundamentally flawed. However, performing thorough, independent reviews of those vendor-
supplied testing scripts will provide a compensating control for the lack of independence and
significantly improve the process. After our meeting with OAM management, the audit team
received an Excel spreadsheet that contained a list of test scripts and comments. However, based
on the spreadsheet alone, we could not determine who performed the test script review nor
ascertain that OAM management reviewed and approved the entire listing of test scripts.
Therefore, the audit team did not consider it as acceptable evidence of test script review and
approval. We consider all of the recommendations open with agreed-to actions pending.
-------�
09-P-0197
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
Rec. Page
No. No.
Subject
Status1
Action Official
Planned
Completion
Date
POTENTIAL MONETARY
BENEFITS (in $OOOs)
Claimed Agreed To
Amount Amount
Identify and document all system requirements,
including functional, technical, security, and EPA-
specific requirements, in the EAS Requirements
Document(s).
Update, review, and implement formal testing
policies and procedures that would enforce:
a. the review and approval of all system
requirements prior to testing,
b. the completion of Requirement Traceability
Matrices mapping each system requirement
to a test script,
c. the independent validation of vendor-supplied
test scripts prior to testing, and
d. the review and approval of testing results at
the end of each round of testing.
Delay EAS implementation until 0AM has
successfully tested all of the system requirements.
Update the EAS Project Schedule to communicate
the current status of and future plans for EAS
project activities.
Develop and implement oversight procedures to
ensure that further EAS system life cycle activities,
as well as any future System Development/
Acquisition projects, adhere to all requirements
outlined in EPA's System Life Cycle Management
policy and procedure.
Assistant Administrator for
Administration and
Resources Management
Assistant Administrator for
Administration and
Resources Management
Assistant Administrator for
Administration and
Resources Management
Assistant Administrator for
Administration and
Resources Management
Assistant Administrator for
Administration and
Resources Management
0 = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is undecided with resolution efforts in progress
-------�
09-P-0197
Appendix A
Distribution
Office of the Administrator
Acting Assistant Administrator for Administration and Resources Management
Acting Assistant Administrator for Environmental Information and Chief Information Officer
Acting Chief Financial Officer
Acting Director, Office of Technology Operations and Planning
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
Acting General Counsel
Acting Associate Administrator for Congressional and Intergovernmental Relations
Acting Associate Administrator for Public Affairs
Audit Follow-up Coordinator, Office of Administration and Resources Management
Acting Inspector General
-------� |