U.S. ENVIRONMENTAL PROTECTION AGENCY
        OFFICE OF INSPECTOR GENERAL

                          Catalyst for Improving the Environment
Quick Reaction Report
       EPA Should Delay Deploying
       Its New Acquisition  System until
       Testing Is Completed

       Report No. 09-P-0197
       July 20, 2009

-------
Report Contributors:                          Rudolph M. Brevard
                                             Charles M. Dade
                                             Corey Costango
                                             Wen-Tswan Chen
                                             Sabrena Stewart
Abbreviations

EAS         EPA Acquisition System
EPA         U.S. Environmental Protection Agency
OAM        Office of Acquisition Management
OIG         Office of Inspector General
RTM        Requirements Traceability Matrix

-------
At a Glance
Why We Did This Review

We sought to determine to what extent the U.S. Environmental Protection Agency (EPA) has
planned and executed information system testing to make informed decisions about the release
of the EPA Acquisition System.

Background

EPA acquires approximately $1.3 billion in goods and services annually. The Office of
Acquisition Management (OAM), within the Office of Administration and Resources Management,
is responsible for managing the Agency's procurement of products and services. A strategic
goal of OAM is "optimizing business processes." As a part of this effort, OAM is developing a
new acquisition system, the EPA Acquisition System.

For further information, contact our Office of Congressional, Public Affairs and Management
at (202) 566-2391.

To view the full report, click on the following link:
www.epa.gov/oig/reports/2009/20090720-09-P-0197.pdf
  What We Found
 OAM did not comply with EPA's System Life Cycle Management policy and
 procedure while developing the new EPA Acquisition System (EAS). OAM did not
 fully develop the system's requirements documents during the requirements phase and
 requirements were incomplete. Test scripts were not developed to prove that the
 system fulfilled all requirements and ensure that the system would function as required.
 Although the EAS Project Manager developed a Draft Master Test Plan that contained
 testing procedures, OAM management never approved, implemented, and enforced this
 plan.

 OAM management did not provide the oversight, authority, and support necessary to
 ensure the EAS development project complied with EPA's System Life Cycle
 Management policy and procedure.  Because OAM had not completed the steps needed
 to reasonably ensure that EAS would meet EPA's business needs if implemented by
 June 29, 2009, as planned, OAM does not have a sound basis for deploying EAS as
 scheduled. More management emphasis is needed to ensure the system development
 control environment achieves the desired results and the end product meets EPA's
 needs.
  What We Recommend
We recommend that the Assistant Administrator for Administration and Resources
Management:

   •   Identify and document all system requirements, including functional, technical,
       security, and EPA-specific requirements, in the EAS Requirements
       Document(s).
   •   Update, review, and implement formal testing policies and procedures.
   •   Delay implementing EAS until OAM has successfully tested all system
       requirements.
   •   Update the EAS Project Schedule to communicate the current status of and
       future plans for EAS project activities.
   •   Develop and implement oversight procedures to ensure that further EAS system
       development activities and future projects adhere to all requirements.

During a meeting on May 27, 2009, OAM management agreed with our findings and
informed the audit team that OAM has delayed EAS deployment until after the fiscal
year end.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

July 20, 2009

MEMORANDUM

SUBJECT:   EPA Should Delay Deploying Its New Acquisition System
             until Testing Is Completed
             Report No. 09-P-0197
FROM:      Rudolph M. Brevard
             Director, Information Resources Management Assessments

TO:         Craig H. Hooks
             Acting Assistant Administrator for Administration and Resources Management
This is our Quick Reaction Report on the subject audit conducted by the Office of Inspector
General (OIG) of the U.S. Environmental Protection Agency (EPA). This report conveys
significant time-sensitive issues the OIG has identified and corrective actions the OIG
recommends. This report represents the opinion of the OIG and does not necessarily represent
the final EPA position. Final determinations on matters in this report will be made by EPA
managers in accordance with established audit resolution procedures.

The estimated cost of this report - calculated by multiplying the project's staff days by the
applicable daily full  cost billing rates in effect at the time - is $249,019.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this
report within 90 calendar days.  You should include a corrective actions plan for agreed upon
actions, including  milestone dates. We would like to thank your staff for their cooperation. We
have no objections to the further release of this report to the public.  This report will be available
at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893
or brevard.rudy@epa.gov; or Charles M. Dade, Project Manager, at (202) 566-2575 or
dade.chuck@epa.gov.

-------
                    Table of Contents
Purpose
Background
Scope and Methodology
Findings
      OAM Did Not Fully Develop System Requirements and Test Scripts
      OAM Did Not Approve, Implement, and Enforce Testing Procedures
      OAM Lacked Approval Documentation
Recommendations
Agency Comments and OIG Evaluation
Status of Recommendations and Potential Monetary Benefits

Appendix
  A    Distribution

-------
Purpose

We sought to determine to what extent the U.S. Environmental Protection Agency (EPA) has
planned and executed information system testing to make informed decisions about the release of
the EPA Acquisition System (EAS). Properly testing the system prior to deployment provides
management with the information needed to ensure that the system will meet all of EPA's
business needs and comply with federal and EPA requirements.

Background

EPA indicated it acquires approximately $1.3 billion in goods and services annually. These
acquisitions directly support EPA's mission to protect human health and safeguard the
environment. The Office of Acquisition Management (OAM), within the Office of
Administration and Resources Management, manages the Agency's procurement of goods and
services. A strategic goal of OAM is "optimizing business processes."  As a part of this effort,
OAM is in the process of developing a new acquisition system - EAS.

According to OAM's EAS Update briefing provided at the Administrative Officers/Management
Analysts Forum on May 6, 2009, initial deployment of EAS was scheduled for June 29, 2009.
EPA indicated EAS would provide a commercial-off-the-shelf application that can be accessed
from any EPA or secure flexiplace site through the Intranet.  Buyers, contract specialists, and
contracting officers throughout EPA Headquarters, regions, and laboratories will use the system
to create and manage  contracts and purchases. EPA indicated EAS would provide improved
internal and external reporting, and permit performing acquisition and business functions in a
streamlined, secure, and modern manner. EPA disclosed it would integrate EAS with the
Agency's financial system. The Agency indicated EAS would be used from acquisition request
through contract close-out.

EPA's System Life Cycle Management Policy promotes effective and efficient solutions for
designing and operating information systems.  Consistent with the policy, EPA's System Life
Cycle Management Procedure requires periodic, documented, management-level review of
projects by the sponsoring office.  The procedure requires program managers to oversee System
Life Cycle Management activities and establishes key  opportunities to review development as
the project progresses. Major decision points are called "control gates." At each control gate,
the system manager must present the required System Life Cycle Management documentation
corresponding to the phase being reviewed to receive appropriate management approval.

The EPA System Life Cycle Management Procedure dictates that the requirements phase be
successfully completed prior to starting the system acquisition/development phase.
Requirements must be documented and clearly define what the system must do to satisfy the
business need. Further, the test phase must be successfully completed prior to moving into the
implementation phase. The objective of the test phase, during which system tests are conducted
and evaluated, is to prove that the developed system satisfies all requirements.

The Federal Managers' Financial Integrity Act of 1982 requires Federal Agencies to establish
and maintain a reliable internal control structure and evaluate and report on implementation of
internal controls. The report must include whether EPA financial management systems such as
EAS comply with federal requirements; the EPA Administrator reports instances where systems
do not conform.

The Federal Financial Management Improvement Act of 1996 requires the EPA Administrator to
determine whether EPA's financial management systems substantially comply with the Act's
requirements. If the Administrator determines that systems are not compliant, the Administrator
must establish a remediation plan. EPA must also determine whether these noncompliances
should be reported as nonconformances with Section 4 of the annual Federal Managers'
Financial Integrity Act statement.

Scope  and  Methodology

We performed this audit from February through May 2009 at EPA Headquarters in Washington,
DC.  We  conducted the audit in accordance with generally  accepted government auditing
standards. These standards require that we plan and perform the audit to obtain sufficient and
appropriate evidence to provide a reasonable basis for our findings and conclusions based on the
audit objectives.  We believe the evidence obtained provides a reasonable basis for our findings
and conclusions.

We assessed the EAS testing process, and considered relevant internal controls associated with
the scope of our review. We performed a limited review of relevant System Life Cycle
Management documentation, such as project management plans, system requirements
documents, system testing documents, requirements traceability matrices, and evidence of
management reviews and approvals, based on requirements in applicable EPA policies and
procedures and related federal regulations. We also conducted interviews with the EAS Project
Management Team and contracting  staff overseeing contracts associated with this system
project.

We had not performed past audits of EAS. Thus, we performed no follow-up during this audit.

Findings

OAM did not comply with EPA's System Life Cycle Management policy and procedure while
developing the new EAS system.  OAM did not fully develop the system's requirements
documents during the requirements phase. The requirements were incomplete and test scripts
were not developed to prove that the system fulfilled all requirements and ensure that the system
would function as required. Although the EAS Project Manager developed a Draft Master Test
Plan that  contained testing procedures, OAM management never approved, implemented, and
enforced the  plan. OAM management did not provide the oversight, authority, and support
needed to ensure EAS development complied with EPA's System Life Cycle Management
policy and procedure.  Because EPA did not reasonably ensure that EAS would meet EPA's
business needs if it had been implemented by June 29, 2009, as planned,  OAM does not have a
sound basis for deploying EAS as scheduled.

EPA plans to interface EAS with the following four systems:

   •   EPA's Financial Replacement System (EPA's new core financial management system
       being developed to replace EPA's Integrated Financial Management System; EAS would
       interact with the Integrated Financial Management System until it is replaced)
   •   Contract Payment System
   •   Payroll System
   •   Financial Data Warehouse

Given the above noted weaknesses and the substantial role EAS plays in EPA's financial
reporting, more management emphasis is needed to ensure the system development control
environment achieves the desired results and the end product meets EPA's needs.  We believe that
if EAS is deployed as planned, management would not have sufficient basis to determine whether
EAS "substantially complies" with the Federal Financial Management Improvement Act.
Consequently, EPA's Administrator may have to declare a substantial noncompliance in the
Fiscal Year 2009 Financial Statement audit report and declare a material weakness in conjunction
with EPA's 2009 Federal Managers' Financial Integrity Act annual assurance process.

       OAM Did Not Fully Develop System Requirements and Test Scripts

       The EAS Project Manager stated there is an unknown number of newly defined EAS
       system requirements that OAM had not documented in the formal EAS requirements
       documents. This occurred because the Program Management Office created more system
       requirements during meetings with the EAS system developer and EPA stakeholders but
       did not keep track of and update the requirements documents.  In response to our request,
       the EAS Project Manager tasked the support contractor with going through meeting
       minutes and identifying and updating the requirements documents. As of May 6, 2009,
       the Project Manager said the process was still taking place. As a result, EAS might be
       developed without the missing requirements and system  testing may not validate that the
       system fulfills the missing requirements  and functions as required.

       In addition, about one-fourth of the documented EAS system requirements did not have
       test scripts to ensure the system successfully meets EPA's needs. This occurred because
       OAM did not properly maintain the requirements traceability matrix to ensure that each
       requirement mapped to a test script. From July 2007 through April 2009, EAS functional
       and technical system requirements grew from approximately 410 to 1,350. In response to
       our request for a crosswalk of EAS system requirements and developed testing scripts,
       EPA conducted an analysis and indicated approximately 350 requirements were not
       mapped to  a test script. The importance of capturing all  requirements and developing
       associated test scripts is noted in OAM's Draft Master Test Plan:

              "The RTM [Requirements Traceability Matrix] serves as the basis for all
              project requirements management activities, by providing a traceability of
              each requirement and ensuring that tests map to all requirements. Every
              item in the RTM must first be uniquely identified ... it is critical to
              ensure that all requirements are captured and Test Scripts are developed
              for each requirement. If a requirement is missing from the list, then there
              is a significant risk that the requirement will not be tested, resulting in
              incomplete testing. As a result, the product risks the possibility of passing
              testing without a thorough test of all requirements."

By not maintaining the requirements traceability matrix, management did not have
reasonable assurance that each of the requirements was captured and tested to ensure the
system would function as required.

OAM Did Not Approve, Implement, and Enforce Testing Procedures

EPA management did not have a reasonable basis to rely upon the current EAS testing
process because OAM had not approved, implemented, and enforced testing procedures.
Further, OAM provided the vendor with too much control over developing the system
testing scripts without independent verification.

The vendor developing EAS also developed the test scripts used by EPA for the
Government Acceptance Testing and User Acceptance Testing. We found no
compensating controls in place to independently validate the completeness and adequacy
of test scripts prior to testing. The Government Acceptance Testing took place between
December 2008 and April 2009, but the test scripts did not go through a formal review
until April 2009 in response to our request for a complete listing of system requirements
and a crosswalk showing each requirement mapped to a test script.  Had EPA followed its
Draft EAS Master Test Plan, all of the EAS requirements and test scripts would have
been reviewed and approved at least 2 weeks before the start of testing.

Although OAM hired a second contractor to help with EAS project management, OAM
did not fully use the second contractor to track and reconcile system requirements and
test scripts. OAM had not:

   •   Implemented a change management procedure to ensure EAS project changes are
       vetted with all parties, approved by  EPA management,  and incorporated into the
       EAS system development process.

   •   Verified that testing scripts provided by the system developer were correctly
       designed to test the prescribed system requirements.

   •   Followed the steps outlined in the Draft EAS Master Test plan that requires EPA
       management to verify the test results once they complete a system test.

   •   Defined specific criteria in the Draft EAS Master Test Plan to indicate what
       constitutes a successful system test.

The EAS Project Manager could not provide any documented evidence to show that
anyone reviewed system requirements for accuracy and completeness before executing
the Government Acceptance Testing.  The Project Manager also could not provide
documented evidence of formal review and approval of test results. Even though some
test results reports were generated, there was no evidence that those reports were
reviewed and approved because there was no formal signoff on those reports. If the Draft
EAS Master Test Plan were approved, implemented, and enforced, all of the EAS
requirements and test scripts would have been reviewed and signed off on by the
Functional Lead and Technical Lead before the start of the Government Acceptance
Testing. Further, key reports would have been used to summarize the testing results and
provide insight on the system's success at meeting requirements. In  addition, each round
of testing would not have been successfully completed until all requirements passed
testing or were marked for a future release by EPA and the results were formally
approved by EPA.

Without independently verifying the accuracy and completeness of system requirements
and test scripts prior to testing, OAM cannot properly plan and execute its testing.
Without reliable test scripts and documented independent reviews of test results, OAM
will not have the reasonable assurance that the system satisfies defined requirements and
mission needs. Further, inconsistencies in interpreting test results could result from not
having criteria for defining a successful test. As a result, OAM would not have had a
reasonable basis for concluding that EAS was ready for deployment by the June 29, 2009,
planned deployment date.

OAM Lacked Approval Documentation

OAM lacked approval documentation to support that the EAS Project Team completed
all the required system development activities outlined in EPA's System Life Cycle
Management policy and procedure.

Our review focused on EAS testing processes; as such, we did not perform detailed
reviews of all EAS  project management documents. However, in several instances,
management could  not provide documentation that it met prescribed Agency
requirements. For example, OAM proceeded to the Acquisition/Development Phase,
where it issued the Request for Proposal and made a vendor selection prior to completing
all of the required documents for the requirements phase. OAM had only identified about
30 percent (410 of 1,350) of the requirements as of the time of the Request for Proposal.
In addition, the EAS Project Management Team could not provide evidence that OAM:

   •   Performed a feasibility study during the EAS system planning phase.

   •   Approved and implemented the Configuration Management Plan during  the
       system planning phase.

   •   Completed and approved the Requirements Documents during the requirements
       phase.

   •   Obtained the Chief Architect's certification on the EAS Solution Architecture
       before the EAS project moved into the development phase.

       The absence of key EAS documentation is an indicator that the management control
       structure for EAS development requires more emphasis. Project reviews and subsequent
       approvals provide management with a reasonable basis to evaluate whether the EAS
       Project Management team took the necessary steps to manage the project's risks and
       ensure the developed application meets EPA's needs.

Recommendations

We recommend that the Assistant Administrator for Administration and Resources Management:

    1.   Identify and document all system requirements, including functional, technical, security,
       and EPA-specific requirements, in the EAS Requirements Document(s).

    2.   Update, review, and implement formal testing policies and procedures that would
       enforce:

          a.  the review and approval of all system requirements prior to testing,
          b.  the completion of Requirement Traceability Matrices mapping each system
             requirement to a test script,
          c.  the independent validation of vendor-supplied test scripts prior to testing, and
          d.  the review and approval of testing results at the end of each round of testing.

    3.   Delay EAS implementation until OAM has successfully tested all of the system
       requirements.

    4.   Update the EAS Project Schedule to communicate the current status of and future plans
       for EAS project activities.

    5.   Develop and implement oversight procedures to ensure that further EAS  system life cycle
       activities, as well as any future System Development/Acquisition projects, adhere to all
       requirements outlined in EPA's System Life Cycle Management policy and procedure.

Agency Comments and OIG Evaluation

On May 27, 2009, the audit team met with OAM management to discuss the finding outline for
our report. OAM management agreed with our findings, acknowledged our concerns regarding
prematurely deploying the system, and informed the audit team that OAM has delayed EAS
deployment until some time after the fiscal year end. OAM management contended that using
vendor-supplied testing scripts does not automatically mean the testing process is fundamentally
flawed.  OAM management also stated that they have documentation to support test script
review activities.

We changed the report, where appropriate, to address OAM management's concerns. We agree
that using vendor-supplied testing scripts does not automatically mean the testing process is
fundamentally flawed. However, performing thorough, independent reviews of those vendor-
supplied testing scripts will provide a compensating control for the lack of independence and
significantly improve the process. After our meeting with OAM management, the audit team
received an Excel spreadsheet that contained a list of test scripts and comments.  However, based
on the spreadsheet alone, we could not determine who performed the test script review nor
ascertain that OAM management reviewed and approved the entire listing of test scripts.
Therefore, the audit team did not consider it as acceptable evidence of test script review and
approval. We consider all of the recommendations open with agreed-to actions pending.

-------
Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS columns: Rec. No.; Page No.; Subject; Status¹; Action Official;
Planned Completion Date
POTENTIAL MONETARY BENEFITS (in $000s) columns: Claimed Amount; Agreed To Amount

Subject: Identify and document all system requirements, including functional, technical,
security, and EPA-specific requirements, in the EAS Requirements Document(s).
Action Official: Assistant Administrator for Administration and Resources Management

Subject: Update, review, and implement formal testing policies and procedures that would
enforce:
   a. the review and approval of all system requirements prior to testing,
   b. the completion of Requirement Traceability Matrices mapping each system requirement
      to a test script,
   c. the independent validation of vendor-supplied test scripts prior to testing, and
   d. the review and approval of testing results at the end of each round of testing.
Action Official: Assistant Administrator for Administration and Resources Management

Subject: Delay EAS implementation until OAM has successfully tested all of the system
requirements.
Action Official: Assistant Administrator for Administration and Resources Management

Subject: Update the EAS Project Schedule to communicate the current status of and future
plans for EAS project activities.
Action Official: Assistant Administrator for Administration and Resources Management

Subject: Develop and implement oversight procedures to ensure that further EAS system life
cycle activities, as well as any future System Development/Acquisition projects, adhere to
all requirements outlined in EPA's System Life Cycle Management policy and procedure.
Action Official: Assistant Administrator for Administration and Resources Management

¹ O = recommendation is open with agreed-to corrective actions pending
  C = recommendation is closed with all agreed-to actions completed
  U = recommendation is undecided with resolution efforts in progress

-------
                                                                        Appendix A

                                 Distribution
Office of the Administrator
Acting Assistant Administrator for Administration and Resources Management
Acting Assistant Administrator for Environmental Information and Chief Information Officer
Acting Chief Financial Officer
Acting Director, Office of Technology Operations and Planning
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
Acting General Counsel
Acting Associate Administrator for Congressional and Intergovernmental Relations
Acting Associate Administrator for Public Affairs
Audit Follow-up Coordinator, Office of Administration and Resources Management
Acting Inspector General

-------