PRESIDENT'S COUNCIL ON INTEGRITY AND EFFICIENCY REVIEW of APPLICATION SOFTWARE MAINTENANCE in FEDERAL AGENCIES
EXECUTIVE SUMMARY
In September 1986, the President's Council on Integrity and Efficiency (PCIE) initiated the Computer Systems Integrity Project (CSIP). The project is a multi-task effort focusing on controls, security, and other integrity issues related to the entire data processing systems life cycle. The objectives of the overall project are to assess the integrity of Federal computer systems and develop recommendations for Governmentwide improvements in standards, procedures, documentation, and operations affecting computer systems integrity.
To date, four tasks have been completed. Task 1, Survey of Agency Implementation of Computer Systems Integrity Requirements, was completed with the June 1988 issuance of a summary PCIE report. Task 2A, Review of General Controls in Federal Computer Systems, was completed in October 1988 when a summary PCIE report was issued. Task 2B, Review of Application Controls in Federal Contract Tracking Systems, was completed with the April 1991 issuance of a summary PCIE report. The lead agency for Task 3, Followup Audit on the Implementation of the PCIE CSIP Task 1 and Task 2A Audit Report Recommendations, concluded that the issuance of a consolidated summary PCIE report would produce few benefits, and therefore such a report was not prepared. For a detailed description of these tasks see Appendix A, page 33.
In May 1992, the Committee approved sponsorship of CSIP Task 4, Review of Application Software Maintenance in Federal Agencies. Software maintenance was selected as an area for review for two primary reasons. First and foremost, controls over application software modifications are vital to maintaining the reliability and integrity of sensitive and mission-critical application systems of Federal agencies. Failure to adequately control application software maintenance exposes an organization to corruption of system information--which in turn can lead to erroneous management decisions and/or the inability to meet organizational missions. The rapidly growing inventory of Federal application software systems is increasing the need for a strong, disciplined, clearly defined software maintenance approach which will guarantee the usefulness and integrity of the data maintained by those systems. Second, Federal managers have historically undervalued the economic importance of a sound, comprehensive software maintenance program.
The primary objectives of Task 4 were to identify common software maintenance problems across Federal Agencies and to identify Governmentwide recommendations to oversight agencies. Specifically, agencies determined the (1) adequacy and completeness of agency software maintenance policies and procedures, (2) effectiveness of controls over software changes, (3) extent to which software maintenance is budgeted and tracked, and (4) effectiveness of agency management of software maintenance contractors. The Environmental Protection Agency Office of Inspector General had overall responsibility for coordinating this task. See Appendix E, page 51, for a description of the audit methodology.
Seven Inspectors General offices (listed in Appendix C, page 41) participated in this PCIE project task. The Inspectors General reviewed the management of the software maintenance process (e.g., policies and procedures, contract management, etc.) for major mission-support/administrative applications within their agencies. Based on the results of field work conducted from November 1992 through November 1995, six individual agency reports were prepared and issued (see Appendix D, page 49). The remaining participant, the Social Security Administration, made no recommendations and issued a close-out memorandum in lieu of a report.
This review identified three areas that need to be addressed Governmentwide in order to strengthen the management and implementation of agencies' software maintenance programs. These areas include: (1) improper identification and accounting for software maintenance costs; (2) ineffective controls and oversight over software maintenance contracts and contractors; and (3) inadequate management of the software change control processes. These issues are presented in the Software Maintenance Weaknesses section of this report, including comprehensive Governmentwide recommendations, and are summarized in the following paragraphs.
-- Federal Departments and Agencies do not properly identify and account for software maintenance costs. For example, agencies do not consistently include the costs of administrative and clerical salaries, materials, computer usage, telecommunications, overhead costs, and Federal employee salaries in software maintenance costs. In addition, agencies reported that cost-benefit analyses are not consistently prepared, updated, and/or maintained for application systems. As a result, agencies are not in a position to make informed budgeting and planning decisions regarding systems operations and maintenance. In addition, software maintenance expenses are being inaccurately reported to the Office of Management and Budget (OMB). These weaknesses occurred primarily because agencies are not defining software maintenance consistently, and Federal accounting requirements are not being followed.
-- The contracts used by agencies for software maintenance do not adequately protect the Government's interests. Agencies are not consistently awarding contracts that motivate contractors to perform at optimal levels. In addition, the monitoring of these contracts presents an unstructured, poorly controlled approach to the management of maintenance for critical Government applications. Consequently, agencies lack control over software maintenance activities and rely heavily on contractors. These weaknesses are primarily due to the use of non-performance-based contracting methods and agencies not specifying performance measures in software maintenance contracts. Furthermore, Federal employees lacked the technical expertise required to adequately oversee maintenance contractors.
-- Federal Departments and Agencies are not adequately managing the software change control and configuration management(1) processes. Specifically, Federal Departments and Agencies cited weaknesses with the change request process, change review and approval, and testing. As a result, agencies lack assurance that (1) applications will perform as intended and (2) management controls will adequately safeguard the integrity of the applications. These weaknesses resulted from agencies not following software maintenance policies, standards, and procedures for requesting, approving, and testing changes.
The actions prescribed for OMB, together with the agency-specific actions recommended by the respective Inspectors General, should substantially strengthen application software maintenance Governmentwide.
Footnotes
(1) Software configuration is defined as an arrangement of software parts, including all elements necessary for the software to work. Configuration management refers to the process of identifying and documenting the software configuration and then systematically controlling changes to it to maintain its integrity and to trace configuration changes.
Created February 2, 1997