This is the accessible text file for an audit report on the Design of Library-wide Internal Controls for Tracking Information Technology Investments, issued by the Office of the Inspector General in March 2015 FOR PUBLIC RELEASE, Report No. 2014-IT-101. This text file was formatted by the LOC-OIG to be accessible to users with visual impairments. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, photos & consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

Report for Design of Library-wide Internal Controls for Tracking Information Technology Investments
Library of Congress
Office of the Inspector General

Office of the Inspector General
Library of Congress
101 Independence Ave
Washington, D.C. 20540

March 13, 2015

MEMORANDUM FOR: James H. Billington
Librarian of Congress

FROM: Kurt W. Hyde
Inspector General

SUBJECT: Audit Report No. 2014-IT-101
Report on the Design of Library-wide Internal Controls for Tracking Information Technology Investments

This transmits the audit report summarizing the results of Hewlett Packard Company’s (HP) Report for Design of Library-wide Internal Controls for Tracking Information Technology Investments. The Executive Summary begins on page i, and the full text of HP’s findings and recommendations appears in Appendix A. Management’s responses to HP’s recommendations appear in Appendix B.

Based on management’s written responses to the draft report, we consider all of the recommendations resolved. Please provide, within 30 calendar days, an action plan addressing implementation of the resolved recommendations, including an implementation date, in accordance with LCR 2023-9, Rights and Responsibilities of Library Employees to the Inspector General, §6.A.

We appreciate the cooperation and courtesies extended by Information Technology Services, the Office of the Chief Financial Officer, and Members of the Information Technology Steering Committee during this audit.

cc:
Deputy Librarian of Congress
Chief of Staff
Chief Financial Officer
Acting Chief Information Officer

Executive Summary

As part of the Office of the Inspector General’s (OIG) continuing emphasis on the Library’s top management challenges of Information Technology (IT) infrastructure and building digital collections, we engaged the consulting firm Hewlett Packard Company (HP) to perform a review of the Library’s internal controls for tracking IT investments. footnote 1. HP conducted its fieldwork from October 2014 through January 2015.
The review objectives were to determine whether the Library’s system of internal controls over IT investments is adequately designed to:

• Identify all systems qualifying for Information Technology Steering Committee (ITSC) oversight under Library of Congress Regulation (LCR) 1600, Information Resource Management Policy and Responsibilities, beginning with the LCR’s required Pre-Select phase investment concept proposal;
• Link strategic planning, budgeting, and financial accounting to ensure that the ITSC effectively supports the IT investment management, enterprise architecture, and information resource management processes;
• Deliver an adequate audit trail between budgeting, the ITSC, and the Library’s general ledger for investments under ITSC oversight; and
• Initiate corrective action by the Office of the Chief Financial Officer, or other appropriate executives, when IT investment compliance breakdowns occur with ITSC policies and procedures.

The attached HP report provides seven detailed findings and related recommendations resulting from its engagement. HP’s report also provides an executive summary that describes its findings and recommendations; therefore, we believe it is not necessary to duplicate their efforts here. However, we would like to provide some perspective on their findings and conclusions by emphasizing certain key themes from HP’s report.

HP found management has made some progress in strengthening the Library’s IT investment oversight since prior OIG audits in 2009 and 2011 identified weaknesses in that area. Those improvements resulted primarily from the Library establishing the ITSC in 2010. However, many weaknesses continue to inhibit Library management’s ability to effectively manage its IT investments.

HP determined that a principal weakness was that the ITSC operated with little or no oversight from the Librarian, the then Deputy Librarian, the Executive Committee, or the Acting Chief Information Officer.
In this void, the members and leadership of the ITSC appeared to be operating as an independent entity with little guidance on Library priorities. HP concluded that the Library does not have a fiscal framework in place for managing its IT investments. Normally, a framework defines the internal controls as well as the linkages between the agency’s stakeholders, agency strategic plans, and budget planning for capital investments. Another necessary element in a fiscal framework that is missing is a capital planning and investment process that identifies the complete costs of projects and ensures an agency adequately plans, selects, manages, and evaluates its IT investments to maximize its return on investment and minimize risk. Library senior management must make developing a sufficient fiscal framework a priority. Many of the findings and recommendations have been made to Library senior management previously in audit and consulting reports. However, without comprehensive action the Library will lose ground in its control and oversight of IT investments. Some of this may result from the absence of the required IT investment planning and reporting imposed on executive branch agencies but not required of legislative branch agencies. The introduction of many, if not all, of those requirements in some fashion may serve the Library well in its efforts to improve its IT investment stewardship. Recognizing this, HP’s final finding and recommendation determined that Library management needed to emphasize its pursuit of IT best practices and continuous improvement, suggesting that both senior management as well as IT management will benefit from this approach. 
Management’s Response and Commitment to Action

In response to HP’s audit findings (see appendix B), Library senior management overwhelmingly agreed with the findings and recommendations, stating that it would take the recommended actions to improve IT governance and accountability while developing a fiscal framework to support those mechanisms. It also committed to establishing an IT culture guided by and committed to industry best practices.

During the course of our audit, OIG issued a memorandum to the Librarian and the then Deputy Librarian with preliminary recommendations to enable the leadership to take any immediate actions before this and another OIG audit report were issued. Although there was a significant change in senior management during the issuance of our draft report, the new senior leadership has taken critical action on the IT issues, and we commend the Library leadership for taking those steps.

While we await senior management’s formal plan of action for these improvements, the Interim Associate Librarian for Strategic Initiatives/Chief Information Officer (CIO) has advised OIG of the following Library actions that are occurring in response to the audit. These actions further demonstrate management’s commitment to addressing OIG’s recommendations. Senior leadership has:

• Begun the recruitment of a permanent CIO.
• Initiated a step by step analysis of all LOC information technology governance programs. Management’s goal is an integrated information technology governance program that incorporates the 1996 Clinger-Cohen Act as appropriate, where all information technology proposals are evaluated for consistency with strategic direction, reviewed by the appropriate governance structures, and tracked through to completion.
• Started developing an IT Capital plan covering both developmental projects and infrastructure. The capital plan will become a multi-year planning tool, similar to OMB’s requirements for Executive Branch agencies and will integrate LOC strategic and tactical planning along with the budget. The governance structure will ensure integration of all governance components.
• Appointed an interim CIO and Deputy CIO, with the CIO leading the ITSC.
• Identified legal requirements that require the LOC service units to operate independently to meet their mandates while seeking integration at key governance points and following specific standards to assure sufficient senior management oversight.
• Incorporated variance tracking as a Library-wide governance mechanism as well as pursuing other cost accounting and historical IT cost analysis.

Through their responses to the audit, Library management has conveyed to OIG a sense of urgency for improving Library IT governance.

TABLE OF CONTENTS

APPENDIX A: HEWLETT PACKARD COMPANY (HP) FINAL FINDINGS REPORT FOR DESIGN OF LIBRARY-WIDE INTERNAL CONTROLS FOR TRACKING INFORMATION TECHNOLOGY INVESTMENTS
APPENDIX B: MANAGEMENT RESPONSE

Appendix A: Hewlett Packard Company (HP) Final Findings Report for Design of Library-wide Internal Controls for Tracking Information Technology Investments

A report describing findings and recommendations related to the Library of Congress agency-wide internal controls for tracking technology investments by the Information Technology Steering Committee.

February 11, 2015

Contents

Executive Summary
Background
Objective, Scope, and Methodology
Objective
Scope
Methodology
Finding 1
Finding 2
Finding 3
Finding 4
Finding 5
Finding 6
Finding 7
Appendix List of Acronyms

Executive Summary

The purpose of this engagement was to conduct an evaluation of the Library of Congress (Library) design of agency-wide internal controls for tracking technology investments. The engagement focused on determining whether the agency’s system of internal controls provides assurance that the Information Technology Steering Committee (ITSC) oversight occurs for all qualifying information technology (IT) systems as prescribed by Library of Congress Regulation (LCR) 1600, Information Resource Management Policy and Responsibilities. Specifically, the engagement evaluated whether the Library’s system of internal control is adequately designed to:

• Identify all systems qualifying for ITSC oversight under LCR 1600 beginning with the LCR’s required Pre-Select Phase Investment Concept Proposal;
• Provide linkages between strategic planning, budgeting, and financial accounting to ensure that ITSC effectively supports the Information Technology Investment Management (ITIM), Enterprise Architecture (EA), and Information Resource Management (IRM) processes;
• Deliver an adequate audit trail between budgeting, the ITSC, and the Library’s general ledger for investments under ITSC oversight; and
• Initiate corrective action by the Office of the Chief Financial Officer (OCFO) or other appropriate executive, when information technology investment compliance breakdowns occur with ITSC policies and procedures.

There has been some progress in strengthening the Library’s IT investment oversight since two previous reviews: one in 2009, footnote 2, and a follow-up in 2011, footnote 3. Improvements are due in large part to the establishment of the ITSC in 2010 that was formed and charged with overseeing Library-wide ITIM processes, guiding information investments and making recommendations to the Executive Committee (EC) for prioritizing IT investments. footnote 4.
However, the engagement team found several weaknesses that continue to plague the Library’s IT oversight. As a result, we have identified opportunities for improvements and made recommendations based on the team’s findings summarized below.

1. IT LEADERSHIP NEEDS STRENGTHENING - Incomplete assignment of executive responsibility for the ITSC has the potential to negatively impact management of IT investments. Library policy documents for IT governance (LCR 1600 and ITSC Charter) do not fully clarify the roles and responsibilities of the Deputy Librarian, Chief of Staff, Chief Information Officer (CIO), Chief Financial Officer (CFO) and ITSC members. Executives who could provide leadership to the ITSC are uncertain of their current responsibilities and are not held accountable. This absence of executive leadership within the ITSC has led to problems with funding availability of technology investments, setting priorities, communicating issues, and coordination across Library Service Units (SU).

2. BUDGET AND INFORMATION TECHNOLOGY INVESTMENTS ARE DISCONNECTED – There is no formal fiscal framework or process at the Library that integrates strategic planning with the IT investment process. Because the Library is not required to have a Capital Planning and Investment Control (CPIC) process, mandated by the Clinger-Cohen Act of 1996 (CCA) footnote 5, IT budgeting is not integrated with the Library’s overall planning, budget, financial and programmatic decision-making. Without a CPIC process, there are weak linkages among budget, accounting, acquisition, and IT investment processes. In addition, there is a weak linkage or no relationship between the development of a budget for IT and the ITSC. This could result in poor planning, acquisition of assets not being fully justified, higher acquisition costs, cancellation of major investments, the loss of sunk costs, or inadequate funding to maintain and operate the assets.

3. NON-PERMANENT CIO IN SUBORDINATE POSITION WEAKENS IT LEADERSHIP – Currently, the CIO position is in a programmatic SU, and a Directorate level officer heads the ITSC. Lack of a permanent CIO leaves a void in Library-wide IT governance and effective leadership of the ITSC. A temporary CIO with dual roles leads to organizational confusion, impedes continuity of decisions, weakens executive IT planning, and makes it difficult to get Library-wide IT strategies in place.

4. DECENTRALIZATION CONTRIBUTES TO IT OVERSIGHT WEAKNESS – Decentralized planning and control of IT services have allowed some SUs to act independently, virtually bypassing the ITSC and related oversight and review processes intended to provide IT control. There is no formal process to ensure all appropriate IT projects undergo ITSC review; nor is there any enforcement role to ensure compliance by all Library components to IT governance policy. Overspending and duplication of IT investments or services could result. Furthermore, IT investments may not support the Library’s strategic plan and priorities.

5. INADEQUATE COST ACCOUNTING LEADS TO INEFFICIENCIES - Costs for IT investments and variances are not developed or tracked accurately in the Library’s central financial management system, the Momentum Financial System (Momentum). footnote 6. Practices are inconsistent with the U.S. Government Accountability Office’s (GAO) prescribed methods for tracking and reporting costs on IT expenditures and none of the Library’s financial systems, specifically Momentum and Clarity, footnote 7, effectively track, categorize and report costs on IT expenditures. In addition, costs developed for IT investments going through ITSC review do not appear to be derived from financial systems, nor are they reviewed by the CFO. Further, SUs are not required to notify the ITSC or CFO of cost overruns and variances. Instead costs are “absorbed” by cutting other expenditures in the SU’s budget. Without the implementation of adequate cost accounting protocols, it is difficult to measure progress and ensure there are sufficient funds to complete a project.

6. STRONGER LINK NEEDED BETWEEN IT STRATEGIC PLANNING PROCESS AND ITSC – By not having a synchronized planning cycle between the Library’s long range strategic plan (5-year), the ITSC annual plan (1-year) and data call, and the SU’s annual budget formulation process, opportunities may be missed to take advantage of common IT requirements and budgeting cycles. Without strategic alignment, it is difficult for the ITSC to prioritize IT investments across the Library. This misalignment also impacts EA’s future state because defined requirements are lacking.

7. ITSC LEADERSHIP NEEDS TO ADOPT IT GOVERNANCE BEST PRACTICES – The EC and ITSC need to systematically embrace or consistently implement best practices in the areas of IT management and program governance. Without an improvement program there are few opportunities to correct known IT issues or introduce new methods to optimize use of IT resources.

These findings appear to reflect a general lack of consensus about the importance of effective IT oversight at the highest levels to successfully carry out the Library’s mission and the need to integrate IT management with agency plans, budgets and acquisitions. We believe that the Library’s executives should continue to focus on effective IT management across the agency and lead the continued progress for IT oversight improvements.

This report makes seven recommendations to improve IT oversight. A discussion of these recommendations starts on page 10 of this report.

Background

Due to the current Federal Government environment of budget shortfalls, there is a greater need to do more with fewer resources. This translates into a requirement to increase productivity and obtain greater return on capital investments.
Virtually every aspect of industrial, commercial and governmental activity has exponentially increased over recent years through the growth of information, demand for online services, and greater reliance on computer technology. As a result, government and private industry look to their IT for solutions and recognize the importance of aligning business and IT strategies for long-term success. One of the most information-based agencies in the Federal Government is the Library of Congress. The Library, an agency of the Legislative Branch of the Federal Government, is the world’s largest and most comprehensive library, maintaining a collection of more than 158 million items – many of them unique and irreplaceable – in more than 470 languages. footnote 8. It directly serves not only the Congress, but also the entire nation. The Library’s mission is focused primarily on the acquisition, organization, analysis and dissemination of information to Congress, the public, the education community, researchers and other libraries. Consequently, the information resources of the Library must be managed in a manner that ensures alignment with mission priorities. Every major IT investment should be scrutinized to ensure it supports and accomplishes the strategic objectives of the Library in the most cost-effective manner. In 2009, the Office of the Inspector General engaged a consulting firm to conduct an audit of the Library’s information technology strategic planning. footnote 9. This report as well as a follow-up report in 2011, footnote 10, among other things, pointed to the weaknesses in the Library’s IT governance. There were improvements that resulted from these audits, namely the establishment of an Information Resources Management (IRM) plan to provide the foundation for an overall approach to IRM and to connect strategic planning, EA, and IT investment management. 
In addition, the ITSC was established to incorporate the Library’s strategic objectives into IT decision-making and to advise the EC on IT policy issues.

A significant determinant of the success of the Library’s IRM activities is the effectiveness by which they are governed. footnote 11. As such, the Library chartered the ITSC in 2010 to evaluate IT investments. The ITSC charter calls for membership to be comprised of dedicated business leaders, who also possess information technology knowledge, from service units across the Library and is to be chaired by the CIO. This group is responsible for overseeing the IT investment management processes and making recommendations to the EC for prioritizing investments. The ITSC is also responsible for monitoring the execution of the investments and providing direction for the Architecture Review Board’s EA oversight. footnote 12.

These two initiatives continue to evolve and have helped strengthen IT governance at the Library. However, based on information collected during our assessment, more progress is needed to provide effective, solid, and consistent IT governance.

Objective, Scope & Methodology

Objective

The principal objective of this review was to evaluate whether systems meeting LCR 1600, Information Resource Management Policy and Responsibilities thresholds are effectively managed through the existing processes and controls as described in the Library’s policy and guidance documents.
Scope

The engagement evaluated whether the Library’s system of internal control is adequately designed to:

• Identify all systems qualifying for ITSC oversight under LCR 1600 beginning with the LCR’s required Pre-Select Phase Investment Concept Proposal;
• Provide linkages between strategic planning, budgeting, and financial accounting to ensure that the ITSC effectively supports the ITIM, EA, and IRM processes;
• Deliver an adequate audit trail between budgeting, the ITSC, and the Library’s general ledger for investments under ITSC oversight; and
• Initiate corrective action by the Office of the Chief Financial Officer (OCFO), or other appropriate executive, when IT investment compliance breakdowns occur with ITSC policies and procedures.

Methodology

The engagement team collected and reviewed pertinent background information and documents. This included but was not limited to the LCR 1600, ITSC Charter (March 2010), the Web Governance Board Interim Project Approval Process, the Library’s strategic plans, pertinent laws, rules, regulations and ITSC reporting guidelines, Annual Report of the Librarian of Congress, budget and accounting information, previous, relevant audit reports, the Library’s EA, ITSC minutes and documentation of its decisions, Government-wide standards that provide guidance on IT investment management, GAO standards and cost estimating and assessment guides. A complete list of documents is provided in Appendix A.

The team developed questions for interviews with key Library officials. We conducted interviews with ITSC members and other officials to gain an understanding of the ITSC processes and adequacy of controls.
This included the Deputy Librarian, Acting Chief Financial Officer, Acting Chief Information Officer, Budget Officer, Strategic Planning Director, Financial Reporting Officer, Chairman of the ITSC, Acting Enterprise Architect, Chairman of the Architecture Review Board, IT Investment Manager Portfolio Officer, two of the seven ITSC voting members, and a system owner. The team also researched best practices, footnote 13, and as a benchmark, interviewed the CIO from the Nuclear Regulatory Commission, an agency similar in size and budget to the Library and a recognized leader in IT governance.

In addition, we analyzed the Financial Reporting Office methods for identifying IT investments at the initiation stage, and identified the procedures for budget system tracking of IT expenditures (e.g., activity codes, budget operating classes, budget calls). We looked at the documentation of the Library’s “as-is” architecture and the EA’s documentation for the Library’s “to-be” architecture. Lastly, we examined and documented the Library’s workflows and related controls for IT investments meeting the ITSC thresholds from the strategic planning phase, through the budget system, ITSC, and general ledger.

We conducted this review from October 2014 to January 2015. We planned and performed the review to obtain sufficient, appropriate evidence that we believe provides a reasonable basis for our findings and recommendations.

Finding 1

We found that at the Library, the assignment for executive responsibility over the Information Technology Steering Committee (ITSC) was lacking both in actual practice, and in written policy. This condition causes a negative impact on the management of IT investments. Specifically, we found that:

1. The ITSC is run by its members who operate without oversight and coordination from the Library’s executive staff, to include lack of oversight and input from the Deputy Librarian, Chief Financial Officer (CFO), and others such as Director of Budget.
2. There is little oversight of the ITSC from the EC, including a lack of communication such as briefings, reporting and direction between the EC and ITSC.
3. LCR 1600 states the Chief Information Officer (CIO) is to chair the ITSC, but currently the Acting CIO has delegated the Chairmanship of the ITSC to a director.

The Library policy documents (LCR 1600 and ITSC Charter) are incomplete regarding roles of members. The LCR 1600 does not assign appropriate ITSC responsibilities to the Deputy Librarian, CFO, CIO and others. The language describing these roles is vague. The Library of Congress Governance Structure found in the ITSC Charter speaks volumes about the true position of the ITSC at the Library. Although the Charter indicates the ITSC is to obtain mission and priorities from the Executive Committee (EC), we have found that in practice, the two committees seldom meet. The Charter does not mention interaction between the ITSC and any other Library executives. The lack of guidance regarding the roles and responsibilities of executives results in an absence of accountability at the executive level.

The absence of executive leadership within the ITSC has the following impact on IT governance:

• Potential negative impact to funding of technology investments, setting of priorities for investments, and communication of issues regarding investments.
• Impeded coordination across Library SUs.
• Misalignment of budgetary decisions, timing, and availability of funding for investments.

Lack of Oversight and Coordination from the Library’s Executive Staff.

We found that the members of the ITSC, as well as the Acting Chair, with assistance from the Information Technology Investment Management Portfolio Officer (ITIMPO), and Architecture Review Board (ARB) did make commendable efforts to follow existing guidance to run the ITSC.
However, there is still confusion and a lack of understanding among ITSC members regarding important areas such as alignment to Library strategy and funding. Unanswered questions arose regarding the timing of funding for approved investments, how to ensure that all investments are subject to ITSC review, and the tie in between strategic planning and the ITSC. Strong, cohesive management would ensure effective coordination and oversight of all Library service units; clarification of ITSC linkage to other Library divisions; and improved IT investment governance, Library-wide. For example, intervention by a CFO and Budget Officer would help ensure that investments are identified and funded. Participation from a Strategic Planning Officer (SPO) would ensure that investments are prioritized in the framework of overall Library strategic direction. Unlike Executive Branch agencies, Legislative Branch agencies are not subject to Office of Management and Budget (OMB) oversight, which forces close alignment between IT, budget, and planning. For example, OMB Exhibits 53 and 300 provide the budgetary and management information necessary for sound planning, management, and governance of IT investments. These artifacts help agencies explicitly align IT investments with strategic and performance goals, making investment and management of information more transparent. Without this strong alignment, the Library would require robust compensating governance structures in order to ensure adequate financial oversight of IT investments. Instead, interviews with Library executives revealed that key individuals were not engaged in the ITSC process. More importantly, these executives did not understand the need for ITSC executive direction and oversight to ensure that the ITSC process supports the future strategy of the Library, and that investment decisions are linked to the Library’s priorities. 
This was found across the board in every interview with Library executives, including the Deputy Librarian, the Acting CFO, the Acting CIO, the Budget Director, and the Strategic Planning Director.

At other Federal government agencies, the CFO has a strong role in the governance of IT steering committees. We interviewed the CIO of the U.S. Nuclear Regulatory Commission, and he confirmed that the CIO and CFO co-chair the IT governing group at the NRC. Review of processes at the Department of Commerce, footnote 14, and the Department of Homeland Security detailed responsibilities for the CFO in the technology investment process. footnote 15. Within DHS, each Component (i.e., US Customs Service and Border Patrol, US Coast Guard, etc.) is also responsible for preparing and submitting the Component IT Budget for review by DHS CFO and CIO. (This is analogous with having each of the Library’s SUs submit an IT budget to the CFO and CIO for review and scrutiny. Currently, the CFO and CIO have little authority or influence over SU IT budgets.)

Although normally there is no role for a SPO on an IT investment board, it is important to have close coordination and alignment of IT strategic plans across all areas of the Library, as with the financial process.

Minimal Oversight of the ITSC from the EC

We found little interaction between the EC and the ITSC, despite Library policy documenting a reporting chain from the ITSC to the EC. GAO looked at best practices in capital decision-making in their 1998 Executive Guide, footnote 16, and stated that, “Vision and leadership are crucial to the success of leading organizations—not only for capital planning and decision-making, but for all aspects of the organization’s activities. Leaders define the mission of the organization and identify new directions, strategies, and priorities. In leading organizations—including state governments—chief executives set goals and priorities for the organization or state as a whole based on the mission they have defined for the organization. They then determine which areas and, in some cases, which specific projects should receive increased emphasis and funding and which areas should remain stable or receive reduced emphasis.”

The lack of this type of leadership over the ITSC greatly impacts the operational success of the ITSC, and leads to problems with identification of IT investments, funding, and priorities. The members and leadership of the ITSC appear to be operating as an independent entity without the oversight of the Librarian, Deputy Librarian, the EC, or the CIO. footnote 17.

The following table shows the executive oversight responsibilities for the ITSC as documented in LCR 1600:

TABLE 1. EXECUTIVE RESPONSIBILITIES UNDER LCR 1600
LCR 1600 - Information Resource Management Policy and Responsibilities

Role: Librarian
Responsibilities: Responsible generally for oversight of the Library’s IRM plan and for all final determinations regarding the Library’s IRM policy and IT investments.

Role: EC
Responsibilities:
1. Appointing individuals to the ITSC and Architecture Review Board (ARB);
2. Providing strategic mission and priority guidance to the ITSC, including:
   a. Guidance on the ITIM portfolio evaluation criteria; and
   b. Ruling on issues escalated by the ITSC.
3. Monitoring and directing appropriate actions on results of key efforts and executive-level reports and recommendations for ITIM processes.
4. Reviewing Congressional Budget request recommendations for Library IT investments made by the ITSC.
5. Ensuring that the Library’s Enterprise Architect and ARB assume responsibility for EA processes and have access to appropriate information technology strategic and policy documents, as well as expertise for the purpose of developing EA content.
The executive responsibilities detailed under LCR 1600 are not as comprehensive as those that we found in looking at similar boards at a majority of other Federal agencies. Despite this, we found that the executives at the Library did not even follow their limited responsibilities under LCR 1600. We highlighted the areas that were not carried out by the Librarian or his deputy and EC (shaded in “yellow” in Table 1. Executive Responsibilities Under LCR 1600). Nor did we find any instance where the ITSC disapproved an IT project brought before the group.

We found that on one occasion, the ITSC requested the EC escalate an issue with one of the SUs. It was noted that the EC took prompt action. However, other than this incident, there was little or no evidence of any other involvement from the EC in ITSC matters. Our review of the ITSC minutes found no direct involvement by the Librarian or Deputy Librarian. Currently, the Acting CIO has delegated responsibility for chairing the ITSC to a director, further diluting the executive leadership.

The Acting CIO has delegated the Chairmanship of the ITSC to a subordinate director.

The Clinger-Cohen Act of 1996 clearly recognizes that CIOs should play a key leadership role in ensuring agencies manage their IT investments in a coordinated and integrated manner in order to improve efficiency and effectiveness of programs and organizations. LCR 1600 defines the role of the CIO regarding the ITSC. However, the documented responsibilities and authorities for the Library’s CIO are clearly lacking when compared to the prescribed roles of the CIO at other Federal government agencies (Table 2. CIO Responsibilities at Different Federal Agencies).

TABLE 2. CIO RESPONSIBILITIES AT DIFFERENT FEDERAL AGENCIES

Library CIO
1. Chair the ITSC;
2. Promote Library-wide understanding and buy-in of IRM policies and related benefits;
3. Appoint the Enterprise Architect;
4. Oversee the EA program;
5. Oversee the Information Technology Investment Management Portfolio Officer (ITIMPO);
6. Provide guidance for all information technology application and data stewards;
7. Issue IRM, ITIM, and EA directives, as needed, in coordination with the ITSC; and
8. Appoint the chair of the ARB, in collaboration with the ITSC.

HHS CIO
1. Ensure that all HHS IT Investments adhere to Federally mandated requirements and to the requirements stipulated in the HHS Policies for CPIC, EA, Security, and Records Management;
2. Establish, implement and maintain an effective HHS CPIC process;
3. Ensure that individuals assigned to manage HHS enterprise IT Investments and IT projects are trained, qualified, and, as appropriate, certified as IT Investment or IT Project Managers;
4. Implement a Portfolio Management suite of tools to enable effective and efficient cost, schedule, and performance data collection, reporting, and analysis;
5. Ensure that each OPDIV adopts CPIC policies and procedures that comply with this policy and legislation, regulations, and other guidance in Section 6 “Applicable Laws and Guidance”; and,
6. Identify IT Investments requiring Departmental CPIC oversight and review.

GSA CIO, footnote 18
The OCIO functions to:
1. Ensure the development of IT initiatives that support the GSA Strategic Plan and the missions, goals, strategies, and priorities of the Agency;
2. Ensure Agency and Government-wide guidance and training are provided to assist SSOs in their implementation and documentation of the IT CPIC processes;
3. Assist SSOs in carrying out the IT CPIC processes and conducting reviews of initiatives and processes;
4. Prepare and update the IT CPIC Policy Guide detailing guidelines and procedures for implementing IT capital planning;
5. Appoint analysts from the OCIO to participate in SSO ITRBs and assist each SSO in developing IT CPIC submissions and in monitoring and evaluating their initiatives;
6. Provide staff support to the ITC, the IT Planning Committee, and participate in the CIO Council’s Best Practices Committee;
7. Assist each SSO in developing submissions to the IT Capital Plan;
8. Review and analyze IT initiative selection documentation, including coordination of ITC and BSC initiative selection and control activities;
9. Provide assistance and training to help SSOs complete and document IT CPIC and lifecycle management processes and analyses;
10. Coordinate the development of OMB Circular A-11 Exhibit 53 (Agency Information Technology Investment Portfolio) and Part 3 (Planning, Budgeting, and Acquisition of Capital Assets) using the IT Capital Plan with the GSA Office of Budget;
11. Ensure compliance with appropriate GSA orders and handbooks;
12. Develop and publish IT plans, to include the GSA IT strategic, capital, and operational plans. Notify the SSOs and Regions when plans are published and make approved plans available electronically; and
13. Ensure that the IT CPIC process, EA, IT security, enterprise engineering and program management processes are properly synchronized and linked.

The current CIO has been appointed in an acting capacity. She has delegated her role on the ITSC to a subordinate director. The lack of definitive executive responsibilities in Library policy documentation has resulted in a situation where the role of the CIO within the ITSC is unclear and further results in a lack of accountability for the CIO.

RECOMMENDATIONS:

• Condition 1 - Library policy documents (LCR 1600 and ITSC Charter) need to be updated with clear direction on members, roles, and responsibilities. The ITSC responsibilities are undefined in the ITSC Charter, Section 3, page 2.

• Condition 1 - Assign financial responsibility to the CFO to strengthen accountability for enforcement of internal controls and linkage to the Library IT budget. Articulate the level and responsibilities of voting members from each SU in the ITSC Charter.
The Director of Strategic Planning should also be consulted to ensure that all IT capital investments have goals and appropriate metrics defined.

• Condition 2 - The ITSC should report directly to the Chief of Staff or higher position. Clarify the roles and responsibilities of the Deputy Librarian/Chief of Staff in the ITSC policy/charter to strengthen ITSC oversight of IT investments.

• Condition 3 - Document the role and responsibilities of the CIO in the ITSC Charter. Restrict or eliminate the delegation of CIO responsibilities with respect to ITSC activities.

MANAGEMENT RESPONSE: The Library substantially agrees with the above recommendations.

Finding 2

We found that the lack of a formalized fiscal framework at the Library causes a disconnect between the budget process and ITSC process. Specifically we found that:

1. Unlike other Federal agencies, the Library does not have a Capital Planning and Investment (CPIC) process, mandated by the Clinger-Cohen Act of 1996, to ensure that IT investments are planned, selected, managed, and evaluated to maximize the value and minimize the risks of those investments. The CPIC process is to be utilized to acquire, use, maintain, and dispose of IT. It is typically integrated with the agency’s overall planning, budgeting, financial and programmatic decision-making. Without a CPIC process, there are weak linkages among the budgeting, accounting, acquisition, and IT investment processes.

2. The ITSC process does not contain the tie-in between budget requests and investment packages that are included in the majority of technology investment processes at other agencies. footnote 19. Normally, the business case portion of the investment packages would be used for budget formulation and funding decisions. Instead, the Library budget decisions are made without this information.

3. The lack of a centralized fiscal framework for managing investments consisting of a coordinated and well-timed process, linking agency strategic needs and IT requirements, creates a condition where identifying IT investments that qualify for ITSC oversight is inconsistent. The fiscal framework defines internal controls and linkages between Library stakeholders, the long range IT Strategic Plan, and the budget calls by the budget office (identifying capital and commodity investments). The stakeholders in this process include the EC, ITSC, CFO, CIO, and Chief of Staff. The investment data calls must be coordinated to match up with long-range planning and annual updates, carrying over the prior year’s approved investments with development variances that required additional funding. (On an annual basis, the existing portfolio and baseline budget should be reviewed and updated for investments that should be retired, and new investments that should be added, as appropriate.)

Since there is no formal process at the Library that integrates strategic planning with the IT investment process, projects do not follow through the Library’s funding procedure in a consistent manner. The effect of this is a weak linkage or no relationship between the development of a budget for IT and the ITSC. This could result in poor planning, acquisition of assets not being fully justified, higher acquisition costs, cancellation of major investments, the loss of sunk costs, or inadequate funding to maintain and operate the assets.

Absence of a Capital Planning and Investment (CPIC) process.

The Library does not have a tie-in between their budget process and the ITSC. This lack of linkage was highlighted in all the interviews conducted for this engagement. It was only through “heroic” efforts of the members themselves that investments were found for ITSC review.
ITSC members reviewed budgetary information obtained from the Office of Technology Services (OTS), and looked at investments in SU budgets, and elsewhere. We found that projects arrived at the ITSC at different stages of funding. In one instance, an investment deemed of interest after ITSC review could not be approved because there were no more funds available. If there had been an investment process tightly integrated with a budget process, this particular project would have been evaluated and scored as a potential investment. If the investment was deemed viable, then a specific budget request would be made as a part of the Library’s budget planning process.

Rather than this ideal model, projects can arrive at the ITSC after the initial budget is formulated. Also, projects may come to the ITSC already funded through the realignment of a SU’s base budget. This creates a situation where projects worthy of funding may not obtain the funding they deserve, and where projects that should not be part of the Library’s IT portfolio are funded. This also questions the validity and accuracy of the Library’s IT budget. If funding is obtained before the ITSC process, it potentially undermines the decision process, including supporting design and technical reviews. ITSC should not be making any decisions involving availability of budgetary funding. Instead, their determination should be focused on confirming that the costs developed for the budget are accurate, and most importantly in developing a prioritized portfolio of IT investments that support the future strategy and EA of the Library.

The CPIC process is utilized to acquire, use, maintain, and dispose of IT. It is typically integrated with an agency’s overall planning, budget, financial and programmatic decision-making. Without a CPIC process, there are weak linkages at the Library among the budgeting, accounting, acquisition, and IT investment processes.
An OMB Circular A-130 Transmittal Memorandum, footnote 20, states that “Agencies must establish and maintain a capital planning and investment control process that links mission needs, information, and information technology in an effective and efficient manner. The process will guide both strategic and operational IRM, IT planning, and the Enterprise Architecture by integrating the agency's IRM plans, strategic and performance plans prepared pursuant to the Government Performance and Results Act of 1993, financial management plans prepared pursuant to the Chief Financial Officer Act of 1990 (31 U.S.C.902a5), acquisition under the Federal Acquisition Streamlining Act of 1994, and the agency's budget formulation and execution processes. The capital planning and investment control process includes all stages of capital programming, including planning, budgeting, procurement, management, and assessment.”

At DHS, the CPIC and Planning, Programming, Budgeting, and Execution (PPBE) process are tightly linked. The graphic below from the DHS CPIC directive shows this tight integration and timing.

FIGURE 1, DHS CPIC AND PPBE DIRECTIVE

It is this missing integration of the capital planning and investment process that leaves the Library and the ITSC without an effective funding process.

No Relationship Between IT Budget Requests and ITSC Investment Packages.

Normally, the business case portion of the IT investment packages would be used for budget formulation and funding decisions. Instead, Library budget decisions are made without this information. For Executive Branch agencies, “Exhibit 300A is designed to coordinate OMB’s collection of agency information for its reports to Congress, as required by the Federal Acquisition Streamlining Act of 1994 (FASA, Title V) and Clinger-Cohen Act of 1996.
The business case (OMB Exhibit 300A) for investment should demonstrate support for the mission statements, long-term goals and objectives, and annual performance plans developed pursuant to the Government Performance and Results Modernization Act (GPRAMA). footnote 21, OMB Exhibit 300B establishes reporting requirements through the Federal IT Dashboard footnote 22, to ensure the proper execution of those investments against the established performance plans. footnote 23. There is no similar relationship at the Library. Instead, we found that the budget request process is completely separate.

Lack of a Centralized Fiscal Framework for Managing IT Investments.

Ideally, a fiscal framework would define internal controls and linkages between Library stakeholders, the long-range IT Strategic Plan, and the budget calls by the budget office (identifying capital and commodity investments). The stakeholders in this process include the Service Units, Executive Committee, ITSC, CFO, CIO, and Chief of Staff. The investment data calls would be coordinated to match up with long range planning and annual updates carrying over prior year approved investments with development variances requiring additional funding. On an annual basis, the existing portfolio and baseline budget would be reviewed for investments that should be retired and updated with new investments as appropriate. At the Library, this framework is totally non-existent, as depicted in the Library’s ITIM Pre-Select Phase Swim lane diagram (Figure 2 - LOC ITIM Pre-Select Phase).

FIGURE 2, LOC ITIM PRE-SELECT PHASE, footnote 24

A number of ITSC members spoke about removing Pre-Select from the ITSC. This demonstrates a lack of understanding within the ITSC of the need to closely align investments with the Library’s mission and budget.
As stated in DHS’s investment process, “The program owner, in conjunction with the project manager, should assess the readiness of the investment proposal for submission to the budget process. At this point, the investment’s costs and benefits should be sufficiently developed to support the determination that 1) the project is worth doing and 2) the investment merits resources.” This is a vital step currently missing in the Library’s ITSC process.

RECOMMENDATIONS:

• Condition 1 - Implement a CPIC process, to include OMB Exhibit 300 data and information to enable IT investment alignment with the Library mission and support business needs while minimizing risks and maximizing returns throughout the investment’s life cycle.

• Condition 1 - Research cost effectiveness of using the GSA-managed eCPIC tools as a method for institutionalizing capital planning activities.

• Condition 2 - The ITSC should provide the CFO, Budget Officer, and Acquisition Officer with quarterly reports, to include summaries of costs and variances, so that there is internal assurance that all cost information on investments is captured.

• Condition 3 - Document roles for CFO, Budget Officer, Director of Grants and Contracts Management in the development of in the ITSC Charter and LCR 1600 (guidance documentation) in the Library’s technology investment process.

• Condition 3 - Improve internal budget/project communications and training on how to develop, capture, and report project costs uniformly across the SUs.

MANAGEMENT RESPONSE: Management substantially agrees with the above recommendations. The Library will follow the spirit of OMB Circular A-11 section 55 as recommended. They will also assess as recommended the GSA-managed eCPIC tools for use at the Library. For Condition 2 the Library agrees with the nature of recommendation but will use OCFO to provide the recommended data. Additionally the Library agrees with conditions of Recommendation 3.
Finding 3

We found that the continued lack of a permanent CIO and the low organizational position of the CIO creates a leadership void negatively impacting Library IT governance and the ITSC. Specifically we found that:

1. The CIO position has been vacant since 2012 and Acting CIOs have been appointed for 3-month rotations.

2. The CIO function at the Library is buried in an organizational unit that also has programmatic responsibilities.

The lack of a permanent CIO and the position of the CIO’s office lower within the Library’s structure has been an ongoing issue at the Library, and can be attributed as the direct cause of many problems facing the ITSC.

Prolonged Vacancy of CIO Position has led to IT Leadership Void.

According to Library guidance and policy, the CIO leads the ITSC as the appointed Chairman. This position has been vacant since 2012 and Acting CIOs have been appointed for 3-month rotations. Currently, the Acting CIO has appointed a Directorate level director (Director of Information Technology Services) to Chair the ITSC. Typically, CIOs need 3-5 years to implement their plan, so a short-term position is ineffective. footnote 25

In a 1996 audit of the Library, footnote 26, performed by Booz-Allen, a recommendation was made to “Establish a Chief Information Officer position to provide leadership in technology across the organization, which should help the Library function more effectively in the electronic information age.” The failure to fill the CIO position sends a negative message about the role of the CIO at the Library. When questioned concerning the vacancy, the Deputy Librarian stated that the position would be filled once the organizational structure was fixed and agency priorities were established. We found this explanation perplexing because the role has been vacant so long and the CIO typically plays a key role in developing agency IT strategy and priorities.
The CIO function at the Library is buried in an organizational unit that also has programmatic responsibilities.

According to the Library organizational chart, the CIO function is found in a programmatic SU, the Office of Strategic Initiatives (OSI). For a number of years, this placement has impeded leadership and the ability to effectively implement EA, IT strategy, and IT investment controls across the Library. The GAO 2004 survey stated, “The Library’s programmatic function under the CIO is unique among federal agencies. Generally, the CIO of the IT organization reports directly to the head of the organization. This establishes an identifiable line of accountability and recognizes the importance of CIOs being full participants in the executive team in order to successfully carry out their responsibilities.”

An OIG report on strategic planning, footnote 27, recommended that the Library “separate the IT support functions from OSI and establish the Office of the CIO from the ITS Directorate and other IT support functions of OSI. The CIO will report directly to the Librarian or Chief Operating Officer with duties, responsibilities and authority consistent with best practices.” This lack of action on the Library’s part has led to a continual void in IT leadership.

As all other government agencies move ahead, promoting the CIO to the highest level of the organization, the Library remains an anomaly. The recent passage of The Federal Information Technology Acquisition Reform Act (FITARA) will leave the Library further behind in IT governance. FITARA authorizes new planning, budgeting and execution authorities for CIOs, and requires use of PortfolioStat reviews. The PortfolioStat review process was first introduced by OMB in FY2012.
OMB defines PortfolioStat as follows, “PortfolioStat will be a new tool that agencies use to assess the current maturity of their IT portfolio management process, make decisions on eliminating duplication, augment current CIO led capital planning and investment control processes, and move to shared solutions in order to maximize the return on IT investments across the portfolio.” footnote 28.

RECOMMENDATIONS:

• Condition 1 - The permanent CIO should serve as the ITSC Chairman in order to strengthen the ITSC process.

• Condition 2 - Appoint a permanent CIO with overall responsibilities for IT investments, along with ensuring that OMB Exhibit 300 type information is included in budget requests for IT investments.

• Condition 2 - Adopt aspects of H.R.1232, the “Federal Information Technology Acquisition Reform Act,” a bill passed by the House of Representatives and currently under review within the Senate. The legislation, if enacted, would increase the power of existing Chief Information Officers (CIO) within federal agencies so that they could be more effective. Each agency would also be reduced to having only one CIO in the agency, who is then responsible for the success and failure of all IT projects in that agency. FITARA has been included as a part of the 2015 National Defense Authorization Act.

MANAGEMENT RESPONSE: The Library substantially agrees with the above recommendations.

Finding 4

We found that decentralization of IT functions at LOC allows some SUs to bypass the ITSC and related oversight and review processes. Specifically we found that:

1. It is possible for SUs and others to bypass the ITSC review process and to fund IT projects from internal budgets.

Current conditions have left the Library without an overall Portfolio management process, where investments across the Library were assessed and ranked according to priority.

It is possible for SUs and others to bypass the ITSC review process.
During interviews, the ITSC members expressed concern that it would be possible for SUs and others to bypass their process. Supporting members’ concerns, an audit conducted under the direction of the Library OIG found a specific investment that met three of the six criteria requiring ITSC oversight (a. the projected cost was estimated at $1.8M, b. the system was to be used by multiple SUs, and c. had high visibility) and was not tracked or managed in compliance with ITIM policy. footnote 29

One problem expressed by interviewees was that decentralized planning and control of IT Services has enabled SUs to act independently without regard to ITSC control structures. For instance, Library SUs provide strategic functions that are funded through appropriation, grants, and gifts (donations) that provide autonomy in planning and funding projects. Several projects and programs did not follow the ITIM process (pre-select and select phase) because the investments were associated with mandates or special funding status that may have precluded them from the normal selection process. This problem is not unique to the Library. However, this problem is resolved elsewhere through a strengthened CIO role, and clear guidance.

Some organizations within the Library, including the Copyright Office, have their own budget appropriations. This is not uncommon at other Federal agencies. However, because of the weak language in Library guidance, there is an added concern that an organization can bypass the ITSC process. This decentralized structure presents potential risk for over-spending on investments and duplication of existing IT portfolio investments or services. It also presents potential risk that IT investments may not support the Library’s overall strategic plan and priorities.

We found that there is no formal process to ensure that all appropriate IT projects undergo ITSC oversight. Instead, projects are self-nominated.
The ITSC guidance documentation did not outline the role of the SUs in the ITSC, and there are no authorities or responsibilities indicated for an enforcement role that would ensure compliance by all Library components.

GAO performed a study of technology governance in the private sector and commented on this issue, “When asked about how they share authority for decisions regarding the management of IT assets, several CIOs spoke of balancing between centralization and decentralization of authority and described their efforts to move between the two extremes to find the right balance. The appropriate balance often depended on other events occurring in the companies, such as major strategic realignments or acquisitions. For example, one CIO described his current evolution from a relatively decentralized structure—an artifact of a major effort to enable growth in the corporation—to a more centralized structure in order to reduce costs and drive profits.” footnote 30

OMB’s Capital Program Guidance states that, “Good budgeting requires that appropriations for the full costs of asset acquisition be enacted in advance to help ensure that all costs and benefits are fully taken into account at the time decisions are made to provide resources. Full funding with regular appropriations in the budget year also leads to tradeoffs within the budget year with spending for other capital assets and with spending for purposes other than capital assets.
Full funding increases the opportunity to use performance-based fixed price contracts, allows for more efficient work planning and management of the capital project (or investment), and increases the accountability for the achievement of the baseline goals…When full funding is not followed and capital projects (or investments) or useful segments are funded in increments, without certainty if or when future funding will be available, the result is sometimes poor planning, acquisition of assets not fully justified, higher acquisition costs, cancellation of major investments, the loss of sunk costs, or inadequate funding to maintain and operate the assets.” footnote 31

The language in the Library’s policy is weak in comparison with all other reviewed guidance at other agencies. The Library offered an “exception” policy and a “waiver” policy for ITSC review. Exceptions and waivers were not allowed elsewhere when reviewing policies at other Federal agencies. Allowing such language could create a greater likelihood of an investment bypassing ITSC scrutiny, and dilutes the authority of the ITSC. It allows for the ambiguity that caused the confusion experienced by ITSC regarding which investments needed review. To address situations where special funding creates compliance problems, as well as exceptions, the absence of an executive authority for enforcing ITIM compliance exposes the Library to greater financial risk.

RECOMMENDATIONS:

• Condition 1 - The CFO (or higher) should ensure that the ITIM process is followed by all SUs.

• Condition 1 - Provide training and awareness of the ITSC oversight process for mid- and senior-level managers across the Library (all SUs).

MANAGEMENT RESPONSE: The Library substantially agrees with the above recommendations.

Finding 5

We found that costs for IT investments at the Library and associated variances are not developed or tracked accurately. Specifically we found that:

1. Practices were identified that were inconsistent with GAO prescribed methods for tracking and reporting costs on IT expenditures, such as earned value.

2. The costs developed for the IT Investment costs did not appear to be derived from primary sources such as financial systems. Instead, SUs self-report costs.

In our interviews with those responsible for budget and financial operations at the Library, we found that IT investment costs are not clearly identifiable in Momentum and Clarity. SUs are not required to notify the ITSC or CFO of cost overruns and variances. There are no policies that define fiscal tolerances to trigger proactive notification or action on behalf of the SU or the CFO. In the event of a cost variance, SUs “absorb” costs by cutting budget items or seeking additional funding.

In 2004, the GAO reviewed the status of Federal Agencies’ strategic planning and investment management. They found that many of the agencies surveyed for this report were in a condition similar to the current state of the Library. The agencies had large gaps in the financial control portion of their IT investment process. The GAO commented that, “IT investment management provides a systematic method for minimizing risks while maximizing the return on investments and involves a process for selecting, controlling, and evaluating investments. These processes, too, are interdependent. For example, the investment management process is a principal mechanism to ensure the effective execution of an agency’s IT strategic plan.” footnote 32

Practices were identified that were inconsistent with GAO prescribed methods for tracking and reporting costs on IT expenditures, such as earned value.

The Library does not have a mature process for developing costs for projects. When asked about cost variances, for instance, interviewees did not know whether projects exceeded their cost estimates or not. Costs for projects were developed by project sponsors.
We found that there was no real process for estimating cost and ensuring consistency across SUs. When the Library’s process is compared to the cost estimating model in the Capital Programming Guide there is much in the Library’s process to be improved. The Capital Programming Guide, Version 3, is a supplement to OMB Circular No. A–11 (FY2014). (See Figure 3, Flow Chart Cost Estimating Model)

FIGURE 3, FLOW CHART COST ESTIMATING MODEL

Since IT costs are self-reported by SUs, there is no efficient or existing process to validate actual costs incurred for the investments. Therefore, in the absence of reliable data, generated from official financial systems, that can be easily verified, there is the potential for underreporting of costs and running out of funds before an IT project is completed. One cannot track IT costs through the Library’s Budget and Accounting Systems. Costs are self-reported by SUs independent of official records.

• Cost variances are not adequately tracked, which could lead to cost overruns.

• Without using costing methods such as earned value, see below, it is difficult to measure costs versus progress to ensure that there is adequate funding available to complete the project.

The Defense Contract Management Agency (DCMA) defines Earned Value as, “an objective measurement of how much work has been accomplished on a project.” Using the earned value process, members of management can readily compare how much work has actually been completed against the amount of work planned to be accomplished. Earned Value requires the project manager to plan, budget and schedule the authorized work scope in a time-phased plan. The time-phased plan is the incremental "planned value" culminating into a performance measurement baseline. As work is accomplished, it is "earned" using the same selected budget term. Earned Value compared with planned value provides a work accomplished (percentage of completion) against plan.
A variance to the plan is noted as a schedule or cost deviation.

In their best practices guide, the GAO noted that, “because a reasonable and supportable budget is essential to a program’s efficient and timely execution, a competent estimate is the key foundation of a good budget. For a government agency, accurate estimates help in assessing the reasonableness of a contractor’s proposals and program budgets. Credible cost estimates also help program offices justify budgets to the Congress, OMB, department secretaries, and others. Moreover, cost estimates are often used to help determine how budget cuts may hinder a program’s progress or effectiveness.” footnote 33

RECOMMENDATIONS:

• Condition 1 – Align current cost development processes for IT investments to coincide with requirements for OMB reporting, such as the use of an earned value management system to track costs on high risk projects, as discussed in Capital Programming Guide, V 3.0, Supplement To Office Of Management And Budget Circular A–11: Planning, Budgeting, And Acquisition Of Capital Assets.

• Condition 1 - Implementation of these practices may require procedural changes used by the SUs for reporting expenditures and systemic modifications to the Library’s financial system (Momentum) and budget system (Clarity) used for tracking IT costs.

• Condition 1 - Establish a formal process to reconcile cost variance reported by SUs to the ITIMPO.

• Condition 2 - Use primary source documentation throughout the ITSC process. Part of the ITSC package should include financial system information, budgetary information, acquisition system information, as well as performance monitoring information.

• Condition 2 - Include CFO review of costs (in summary form) before approval of a new project, and at major checkpoints (milestones) throughout a project lifecycle.

• Condition 2 - Institute better tracking of IT investments through changes in Momentum and Clarity financial systems.
MANAGEMENT RESPONSE: Management substantially agrees with the above recommendations. In response to Comment 1, the Library will consider the OMB reporting elements when developing costs and variance reports. Also in response to Comment 1, the Library will use OCFO to collect and generate costs and related data for reporting. Finding 6 We found that the IT Strategic Planning Process at the Library is not strongly linked to the ITSC investment process. Specifically we found that: 1. Findings from previous audits have not been adequately addressed in the area of IT planning and Investment process. 2. SUs are engaged in long-range planning (5 fiscal years) and annual planning cycles that do not align with the ITSC annual planning cycle. By not having a synchronized planning cycle the Library and ITSC may miss opportunities to take advantage of common IT requirements and budgeting cycles. 3. The lack of linkage impacts the development of a comprehensive IT portfolio. The objective of the IT portfolio process is to develop a system for prioritization of investments across the Library. This will allow for the optimal selection and funding of the most needed investments. Findings from previous audits have not been adequately addressed in the area of IT planning and Investment process. A lack of linkage between the strategic plan at the Library and subordinate Library plans, the budget process, and EA was highlighted in previous audit reports. This continues to be a condition of concern at the Library. A 2009 audit of strategic planning at the Library found that “the strategic planning process is not a unifying force at the Library of Congress and not incorporated into the organization’s culture.” footnote 34. We found that this condition continues and hampers the ability of the Library to invest in technology in a strategic coordinated manner. 
A 2011 follow-up to the 2009 audit found that, “An Updated OSI Strategic Plan is Needed–The Office of Strategic Initiatives (OSI) should update its strategic plan and ensure that it is in line with the Library’s Fiscal Year 2011 ‐ 2016 strategic plan. Additionally, the Library should continue developing its EA, with the goal of creating a transformational guide designed to move Library organizations strategically and technologically forward in unison.” footnote 35. As in the previous audit, strategic planning had not evolved to the point where it is the roadmap needed to determine the Library’s future path. We found that the Library’s strategic planning is still under development, and as in the past, existing strategic plans are not synchronized. Strategic Plans are not Synchronized. We found that SUs are engaged in long-range planning (5 fiscal years) and annual planning cycles that do not align with the ITSC annual planning cycle. By not having a synchronized planning cycle the Library and ITSC may miss opportunities to take advantage of common IT requirements and budgeting cycles. The plans also need updating for relevancy and currency. Interviews with the SPO did not demonstrate an awareness or linkage to the Library or SU investment process. In addition, review of ITSC policy does not speak to responsibilities for alignment with the Library’s Strategic Plan, although this alignment with the Strategic Plan is self-reported by ITSC applicants. In our review of the Library’s EA, the “To Be” (future state of the Library’s IT architecture) is lacking defined requirements for future technology. Without a solid strategic plan in place, developing a future architecture is much harder and would certainly lack validity. Current OMB guidance directs that: “Each IT investment must clearly demonstrate that the investment is needed to help meet the agency's strategic goals and mission. 
The agency must demonstrate how the investment supports a business line or enterprise service performance goal as documented in the agency’s EA and annual Enterprise Roadmap submission to OMB. Agency IT investment business cases (and other documents), the IT Capital Asset Summary (OMB Exhibit 300A), and Agency IT Investment Portfolio (Exhibit 53A) must demonstrate the agency’s management of IT investments and how governance processes are used to plan, select, develop, implement, and operate IT investments.” footnote 36. Without this basic synchronization, it is difficult to prioritize investments between the ITSC and Library SUs. The lack of linkage between strategic planning and IT investments impacts the development of a comprehensive IT Portfolio. At the Library, we found that the missing linkage between strategic planning and portfolio management complicates the ability to make effective decisions on Library investments and prevents the selection of the optimal investments to support the Library’s mission. Although projects are “scored” by project sponsors and the scoring is considered by the ITSC, there is no indication that the Library’s investments are prioritized collectively from an enterprise level, and closely tied to the Library’s strategic plan. Such a prioritization, based on strategic planning, would ensure that only the projects clearly meeting the business needs of the Library are selected. The Program Management Institute defines a portfolio as, “a collection of [IT projects], programs, sub-portfolios, and operations managed as a group to achieve strategic objectives”, and “they are linked to the organization’s strategic plan by means of the organization’s portfolio.” footnote 37. We found that the Library does not have an effective IT portfolio management process. An optimal process requires sound metrics (performance and fiscal) and inputs from an agency strategic plan. footnote 38. 
The portfolio management process recommended by OMB is structured around five discrete phases: (1) Baseline Data Gathering; (2) Analysis and Proposed Action Plan; (3) PortfolioStat Session; (4) Final Action Plan Implementation; and (5) Lessons Learned. In order to maximize the return on investments in IT, agency leadership must engage in proactive performance management using high-quality, targeted data on the maturity of agency portfolios, as well as architectural and asset inventory information. The Library’s IT strategic plan, a key input to the portfolio management process, is not fully developed or absent. Without these plans in place and relevant, the foundation for a portfolio process is lost. (Portfolio management is a recurring issue within the Library. See Finding 3, for discussion of PortfolioStat, and Finding 4, for discussion on portfolio challenges.) The lack of an IT portfolio process greatly undermines the ability of the Library to manage their IT investment as a whole. Without this process, there are constant struggles with funding and priorities. RECOMMENDATIONS: • Condition 1 - Update the Library’s strategic plans as appropriate to show linkage between strategy and investments, and focus on strongly defining the strategies and activities that will connect the 5 year strategic plan to the SUs’ annual plans. • Condition 2 - Document the role of the SPO in the ITSC process to ensure a synchronized planning cycle. Develop a process for proper timing of strategic planning for investments (early) and direct tie in between the strategic plans and ITSC process. • Condition 3 - Document a needed linkage between the ITSC and Strategic Planning Officer; including roles and responsibilities throughout the ITSC lifecycle. • Condition 3 - Implement a portfolio process, similar to OMB Exhibit 53. MANAGEMENT RESPONSE: Management substantially agrees with the above recommendations. 
Finding 7 We found that ITSC leadership has not systematically embraced or consistently implemented best practices in the areas of IT management and program governance. Specifically we found that: 1. The EC and ITSC have not uniformly adopted implementation of best practices in the charter or internal controls implemented by the ITSC. 2. There are few meaningful metrics and methodologies used to measure the effectiveness of the ITSC and the investments they review. The EC and ITSC have not uniformly adopted implementation of best practices in the charter or internal controls implemented by the ITSC. A review of the ITSC charter of policies and ITSC procedures confirmed that they did not reference best practices for technology investment oversight, such as IT Infrastructure Library (ITIL), Information Systems Audit and Control Association (ISACA) COBIT, Project Management Institute (PMI), Software Engineering Institute (SEI), National Institutes for Standards and Technology (NIST), and Government Accountability Office (GAO). Figure 4, Elements of COBIT 4.1 for IT Governance, shows some of the elements of COBIT 4.1 for governance of IT projects. The information below is contained in COBIT and provides questions that can be used to assess the viability of an investment board. A best practice such as this could be used for improvements to the ITSC process.
FIGURE 4, ELEMENTS OF COBIT 4.1 FOR IT GOVERNANCE
• Does your enterprise’s IT support the business?
• Is it aligned with the business?
• Is your IT performing to its optimal capability?
• Is your IT adding value to the business?
• Are IT risks being effectively mitigated?
• Are your IT investments being effectively managed throughout their life cycle?
• Is the importance of governance understood at all levels of your enterprise?
• Are the benefits of your IT being maximized?
If you did not answer yes to all of the above questions, your enterprise does not have an effective IT governance framework in place. 
Most, if not all, business activities are affected by IT, with an increasingly visible impact to end users. Successful enterprises recognize the need to maximize the value of IT-related investments and that the need for the governance of IT is greater now than ever before. The best way to ensure this is to implement an IT governance framework. Although some of the ITSC members had reviewed practices of similar technology boards at other Federal agencies, we found that many interviewees could not identify a current process and practice within the ITSC that was exemplary of an industry or government best practice. All interview sessions included one question on best practices or improvements in the area of IT management and performance management. Of the 19 interviewees, four respondents (21%) were able to identify a best practice that the ITSC or functional area had implemented over the past year. One of the causes of this condition is that there are no roles within the EC or ITSC to sponsor awareness and adoption of best practices for IT governance. We found that there was no evidence of a continuous improvement program within the ITSC that would lead to opportunities to correct known issues or introduce new methods to optimize the ITSC governance process. At other Federal agencies, the CIO is generally tasked with development and implementation of IT best practices across an agency. Since there is no permanent CIO, it is unlikely that the Library will have continuity of effort to define or implement best practices. Lack of Methodologies and Metrics. We found that there was a lack of metrics and methodologies used to measure the effectiveness of the ITSC and the investments it reviews. The EC and ITSC governing bodies do not conduct planning within a framework or discipline that provides consistent outcomes of performance and governance of Library IT investments. 
The IT Steering Committee Threshold Policy and Process memo (Dated Oct 15 2010) has elements that are desirable for defining a framework for good governance. At the time of this engagement, it was inconclusive if all the changes had been implemented and used in the management of investments. Missing from the list of recommended changes are benchmarks for the ITSC. Defining benchmarks for ITSC management processes against appropriate public and private sector organizations and/or processes in terms of costs, speed, productivity, and quality of outputs and outcomes would be another measure of steering committee effectiveness. Instituting a process such as MoP, footnote 39, (a process for Portfolio Management that is similar to ITIL), which defines portfolio management as: “A coordinated collection of strategic processes and decisions that together enable the most effective balance of organizational change and business as usual.” MoP goes on to describe optimal portfolio management, “Rather than representing a new discipline, portfolio management seeks to build on, and better coordinate, existing processes such as strategic planning, investment appraisal and project and program management. Portfolio management is not concerned with the detailed management of these projects and programs; rather, it approaches the management of change projects and programs from a strategic viewpoint, focusing on the key issues outlined above.” Leveraging existing best practices would enable the Library to implement a comprehensive ITSC process. RECOMMENDATIONS: • Condition 1 - The Chief of Staff should implement a continuous improvement program within the EC and ITSC to identify opportunities for process improvement in the areas of cost accounting, performance management, and all areas of the ITSC. • Condition 1 - The Chief of Staff should take steps to update its existing IRM, ITIM and EA policies and practices. 
These existing standards need to be updated with lessons learned or improvements that are in alignment with the Library’s evolving strategic plan and leading or best practices. • Condition 2 - The CIO should champion a best practices governance methodology to build awareness and understanding of best practices in the areas of IT management and program governance. • Condition 2 - Define benchmarks for ITSC management processes against appropriate public and private sector standards, organizations and/or processes in terms of costs, speed, productivity, and quality of outputs and outcomes to measure steering committee effectiveness. MANAGEMENT RESPONSE: Management substantially agrees with all recommendations.

Appendix A: List of Acronyms

Acronym: Meaning
ARB: Architecture Review Board
CAO: Chief Acquisition Officer
CFO: Chief Financial Officer
CHCO: Chief Human Capital Officer
CIO: Chief Information Officer
CLARITY: Library’s Budget System
CPIC: Capital Planning and Investment Control
COBIT: Control Objectives for Information and Related Technology
COO: Chief Operating Officer
COS: Chief of Staff
CRS: Congressional Research Service
DCMA: Defense Contract Management Agency
DHS: Department of Homeland Security
DITS: Director of Information Technology Services
DL: Deputy Librarian
EA: Enterprise Architecture
EC: Executive Committee
FASA: Federal Acquisition Streamlining Act of 1994
FITARA: The Federal Information Technology Acquisition Reform Act
GAO: U.S. Government Accountability Office
GPRA: Government Performance and Results Act
GSA: General Services Administration
HHS: Health and Human Services
IRB: Investment Review Board
IRM: Information Resources Management
ISACA: Information Systems Audit and Control Association
IT: Information Technology
ITIL: Information Technology Infrastructure Library
ITS: Information Technology Services
ITSC: Information Technology Steering Committee
ITIM: Information Technology Infrastructure Management
ITIMPO: Information Technology Investment Management Portfolio Officer
LCR: Library of Congress Regulation
Library or LOC: Library of Congress
MOMENTUM: Library’s Finance System
MoP: Management of Portfolios (MoP®)
NIST: National Institutes for Standards and Technology
OCFO: Office of the Chief Financial Officer
OCIO: Office of the Chief Information Officer
OIG: Office of the Inspector General
OMB: Office of Management and Budget
OSI: Office of Strategic Initiatives
OTS: Office of Technology Services
PIO: Performance Improvement Officer
PMI: Project Management Institute
PPBE: Planning, Programming, Budgeting, and Execution
SEI: Software Engineering Institute
SPO: Strategic Planning Officer or Office
SU: Service Unit

Appendix B: Management Response

LIBRARY OF CONGRESS
OFFICE OF THE LIBRARIAN
February 10, 2015
Kurt W. Hyde, Inspector General
David S. Mao, Deputy Librarian of Congress
Audit No. 2014-IT-101 - ITSC and Internal Controls - Management Comments on Draft Report

Thank you for the opportunity to comment on the draft report for Audit No. 2014-IT-101, Report on the Design of Library-Wide Internal Controls for Tracking Information Technology Investments. Below please find management comments on the report findings and recommendations. Findings and Recommendations 1 • Lack of Oversight and Coordination from the Library Executive Staff. • Minimal Oversight of the ITSC from the EC. • The Acting CIO has delegated the Chairmanship of the ITSC to a Subordinate Director. 
Condition 1: Library policy documents (LCR 1600 and ITSC Charter) need to be updated with clear direction on members, roles, and responsibilities. The ITSC responsibilities are undefined in the ITSC Charter, Section 3, and page 2. Management Comment: The Library agrees with this recommendation. Condition 1: Assign financial responsibility to the CFO to strengthen accountability for enforcement of internal controls and linkage to the Library IT budget. Articulate the level and responsibilities of voting members from each service unit in the ITSC Charter. The Director of Strategic Planning should also be consulted to ensure that all IT capital investments have goals and appropriate metrics defined. Management Comment: The Library agrees that CFO-established internal controls and linkages to the Library's IT budget will strengthen accountability for service units. The Library agrees that the ITSC charter should reflect the level of responsibilities of the committee's members. The OCFO/SPO will be consulted to ensure appropriate goals and metrics are in place for IT capital investments. Condition 2: The ITSC should report directly to the Chief of Staff or higher position. Clarify the roles and responsibilities of the Deputy Librarian/Chief of Staff in the ITSC policy/charter to strengthen ITSC oversight of IT investments. Management Comment: The Library agrees that the ITSC should directly report to senior management. The CIO will chair the ITSC. The CIO will be a member of the Executive Committee. Condition 3: Document the role and responsibilities of the CIO in the ITSC Charter. Management Comment: The Library agrees with this recommendation. Findings and Recommendations 2 • Absence of a Capital Planning and Investment (CPIC) process. • No Relationship Between IT Budget Requests and ITSC Investment Packages. • Lack of a Centralized Fiscal Framework for Managing IT Investments. 
Condition 1: Implement a CPIC process, to include OMB Exhibit 300 data and information to enable IT investment alignment with the Library mission and support business needs while minimizing risks and maximizing returns throughout the investment's life cycle. Management Comment: The Library agrees that the Agency IT Portfolio Summary, Agency Cloud Spending Summary, and Major IT Business Case data that Executive agencies are required to capture by OMB Circular A-11 section 55 (formerly Exhibits 53 and 300 data) would provide useful information for the Library's IT planning, evaluation and portfolio management efforts. We will therefore follow the spirit of the OMB circular in capturing this data. Condition 1: Research cost effectiveness of using the GSA-managed eCPIC tools as a method for institutionalizing capital planning activities. Management Comment: The Library will assess whether using the GSA-managed eCPIC tools is an efficient way to capture and report on IT costs (without automatically reporting this data to the executive branch). Condition 2: The ITSC should provide the CFO, Budget Officer, and Acquisition Officer with quarterly reports, to include summaries of costs and variances, so that there is internal assurance that all cost information on investments is captured. Management Comment: The Library does not agree that the ITSC should provide the data. Rather than have ITSC develop and maintain its own system, OCFO is currently developing a system (with input from the ITSC and Inspector General) that will be able to provide appropriate cost and variance reporting for the ITSC and Library management. Condition 3: Document roles for CFO, Budget Officer, Director of Contracts and Grants Management in the development of in the ITSC Charter and LCR 1600 (guidance documentation) in the Library's technology investment process. 
Management Comment: The Library agrees with this recommendation, and both LCR 1600 and the ITSC Charter will reflect roles for the CFO (and Budget Officer) and the Director of Contracts and Grants Management. Condition 3: Improve internal budget/project communications and training on how to develop, capture, and report project costs uniformly across the SUs. Management Comment: The Library agrees with this recommendation. Findings and Recommendations 3 • Prolonged Vacancy of CIO Position has led to IT Leadership Void. • The CIO function at the Library is buried in an organizational unit that also has programmatic responsibilities. Condition 1: The permanent CIO should serve as the ITSC Chairman in order to strengthen the ITSC process. Management Comment: The Library agrees with this recommendation. Condition 2: Appoint a permanent CIO with overall responsibilities for IT investments, along with ensuring that OMB Exhibit 300 type-information is included in budget requests for IT investments. Management Comment: The Library agrees with this recommendation. Condition 2: Adopt aspects of H.R.1232 "Federal Information Technology Acquisition Reform Act"; a bill, passed by the House of Representatives and currently under review within the Senate. The legislation, if enacted, would increase the power of existing Chief Information Officers (CIO) within federal agencies so that they could be more effective. Each agency would also be reduced to having only one CIO in the agency, who is then responsible for the success and failure of all IT projects in that agency. FITARA has been included as a part of the 2015 National Defense Authorization Act. Management Comment: The Library agrees that the CIO will have a significant role in all planning, budgeting and reporting requirements and in the management, governance and oversight of IT. In addition, the Library's CIO will be responsible for commodity IT and planning efforts Library-wide. 
The Library will also establish clear relationships between the Library's CIO and any CIOs in component units. Finding and Recommendations 4 • It is possible for SUs and others to bypass the ITSC review process. Condition 1: The CFO (or higher) should ensure that the ITIM process is followed by all service units. Management Comment: The Library agrees with this recommendation. Condition 1: Provide training and awareness of the ITSC oversight process for mid- and senior-level managers across the Library (all service units). Management Comment: The Library agrees with this recommendation. Findings and Recommendations 5 • Practices were identified that were inconsistent with GAO prescribed methods for tracking and reporting costs on IT expenditures, such as earned value. • One cannot track IT costs through the Library's Budget and Accounting Systems. Costs are self-reported by SUs independent of official records. Condition 1: Align current cost development processes for IT investments to coincide with requirements for OMB reporting, such as the use of an earned value management system to track costs on high risk projects, as discussed in Capital Programming Guide, V 3.0, Supplement To Office Of Management And Budget Circular A-11: Planning, Budgeting, And Acquisition Of Capital Assets. Management Comment: Library management will consider the OMB reporting elements when developing our cost and variance reports. Condition 1: Implementation of these practices may require procedural changes used by the service units for reporting expenditures and systemic modifications to the Library's financial system (Momentum) and budget system (Clarity) used for tracking IT costs. Management Comment: The Library agrees with this observation. Condition 1: Establish a formal process to reconcile cost variance reported by service units to the ITIMPO. Management Comment: The Library does not agree with this recommendation as an appropriate assignment of duties. 
OCFO should manage financial reporting and the PMO should manage PM portfolio reporting. Under the proposed information technology reporting systems envisioned by the Inspector General, SU actual costs will be collected by OCFO, and then can be used to generate reports that can identify cost variances. Cost variance metrics provided by OCFO will inform the ITSC agenda and drive ITIM discussions as appropriate. Condition 2: Use primary source documentation throughout the ITSC process. Part of the ITSC package should include financial system information, budgetary information, acquisition system information, as well as performance monitoring information. Management Comment: The Library agrees with this recommendation. Condition 2: Include CFO review of costs (in summary form) before approval of a new project, and at major checkpoints (milestones) throughout a project lifecycle. Management Comment: The Library agrees that the CFO or another appropriate office will review costs before new projects are approved and at milestones throughout project lifecycles. Condition 2: Institute better tracking of IT investments through changes in Momentum and Clarity financial systems. Management Comment: The Library agrees that both changes in Momentum and Clarity and changes in service unit procedures will be necessary to track IT investments and expenditures. Findings and Recommendations 6 • Findings from previous audits have not been adequately addressed in the area of IT planning and Investment process. • Strategic Plans are not synchronized. • The lack of linkage between strategic planning and IT investments impacts the development of a comprehensive IT Portfolio. Condition 1: Update the Library's strategic plans as appropriate to show linkage between strategy and investments, and focus on strongly defining the strategies and activities that will connect the 5 year strategic plan to the service units' annual plans. 
Management Comment: The Library agrees with this recommendation. Condition 2: Document the role of the Strategic Planning Office (SPO) in the ITSC process to ensure a synchronized planning cycle. Develop a process for proper timing of strategic planning for investments (early) and direct tie in between the strategic plans and ITSC process. Management Comment: The Library agrees with this recommendation. Condition 3: Document a needed linkage between the ITSC and Strategic Planning Officer; including roles and responsibilities throughout the ITSC lifecycle. Management Comment: The Library agrees with this recommendation. Condition 3: Implement a portfolio process, similar to OMB Exhibit 53. Management Comment: As noted in our response to Finding 2, Condition 1, the Library agrees that the data envisioned by OMB Circular A-11 section 55 and its exhibit 53A provide useful information for IT planning, evaluation and portfolio management efforts. We will follow the spirit of this section of OMB Circular A-11. Findings and Recommendations 7 • The EC and ITSC have not uniformly adopted implementation of best practices in the charter or internal controls implemented by the ITSC. • Lack of Methodologies and Metrics. Condition 1: The Chief of Staff should implement a continuous improvement program within the EC and ITSC to identify opportunities for process improvement in the areas of cost accounting, performance management, and all areas of the ITSC. Management Comment: The Library agrees with this recommendation. If directed by the Chief of Staff, the CIO will be responsible for this effort. Condition 1: The Chief of Staff should take steps to update its existing IRM, ITIM and EA policies and practices. These existing standards need to be updated with lessons learned or improvements that are in alignment with the Library's evolving strategic plan and leading or best practices. Management Comment: The Library agrees with this recommendation. 
The CIO will be responsible for this effort. Condition 2: The CIO should champion a best practices governance methodology to build awareness and understanding of best practices in the areas of IT management and program governance. Management Comment: The Library agrees with this recommendation. Condition 2: Define benchmarks for ITSC management processes against appropriate public and private sector standards, organizations and/or processes in terms of costs, speed, productivity, and quality of outputs and outcomes to measure steering committee effectiveness. Management Comment: The Library agrees with this recommendation. Please let me know if you have any questions or would like to discuss this report.

Footnotes in OIG Executive Summary

1. HP is responsible for the attached report dated February 11, 2015 and the conclusions expressed in the report. We performed limited oversight of HP’s work including defining deliverables in the contract’s statement of work, reviewing HP’s project plan, attending the entrance and exit conferences, and conducting regular engagement status meetings. We also facilitated communications between Library management and HP.

Footnotes in HP Report

2. Library of Congress (LOC) Office of Inspector General (OIG) Report on Information Technology Strategic Planning, Report No. 2008-PA-105, March 2009.
3. Follow‐up Review: Information Technology Strategic Planning, Report No. 2011‐IT‐103, December 2011.
4. As of November 2014, there have been few instances of documented recommendations made by the ITSC to the EC.
5. The Clinger-Cohen Act of 1996 requires that executive agencies submit information on their respective information technology (IT) investment portfolios. The reporting artifacts submitted by each agency were known as Major IT Business Case (Exhibit 300) and Agency IT Portfolio Summary (Exhibit 53).
6. Momentum is the Library’s central financial management system that tracks all budgetary and financial transactions, included in the agency’s general ledger and subsidiary accounting systems.
7. Clarity is the Library’s subsidiary budget module that interfaces with Momentum.
8. About the Library: General Information. LOC. Web. 5 Jan 2015, http://loc.gov/about/general-information/
9. Information Technology Strategic Planning: A Well-Developed Framework is Essential to Support the Library’s Current and Future IT Needs, Report No. 2008-PA-105, March 2009.
10. Follow-up Review: Information Technology Strategic Planning, Report No. 2011-IT-103, December 2011.
11. LC ITSC Charter, March 24, 2010, Pg. 1, Section 1
12. LC ITSC Charter, March 24, 2010, Pg. 1, Section 1
13. Best Practices as defined by Government Accountability Office (GAO), General Services Administration (GSA), Health and Human Services (HHS), and the Department of Homeland Security (DHS).
14. http://ocio.os.doc.gov/ITPolicyandPrograms/Policy_Standards/DEV01_002676
15. “The CFO is responsible for establishing policies for, and overseeing the integration of, the Planning, Programming, Budgeting, and Execution (PPBE) system of DHS. The CFO is responsible for reporting to the Acquisition Review Board on the status, authorization, appropriation, obligation, and expenditure of funding in a manner that is consistent with the approved structure of the acquisition.”
16. EXECUTIVE GUIDE, “Leading Practices in Capital Decision Making,” December 1998
17. LCR 1600 Information Resource Management Policy and Responsibilities Section
18. Source Link: http://www.gsa.gov/graphics/staffoffices/capplan.doc
19. The Clinger-Cohen Act of 1996 requires that executive agencies submit information on their respective information technology (IT) investment portfolios. The reporting artifacts submitted by each agency were known as Major IT Business Case (Exhibit 300) and Agency IT Portfolio Summary (Exhibit 53).
20. OMB Circular A-130, Transmittal Memorandum #4, “Management of Federal Information Resources” (11/28/2000)
21. PUBLIC LAW 111–352—JAN. 4, 2011, GPRA MODERNIZATION ACT OF 2010
22. The Federal IT Dashboard is an OMB website enabling federal agencies, industry, the general public and other stakeholders to view details of federal information technology investments.
23. 2014 Guidance on Exhibits 53 and 300 – Information Technology and E-Government
24. ITSC Swim Lane Diagram – ITIM Pre-Select Process Phase
25. Federal Chief Information Officers – Responsibilities, Reporting Relationships, Tenure, and Challenges. GAO-04-823
26. “Library of Congress: Opportunities to Improve General and Financial Management,” T-GGD/AIMD-96-115: Published May 7, 1996
27. Information Technology Strategic Planning, Report No. 2008-PA-105, March 2009
28. OMB Memorandum M-12-10, Implementing PortfolioStat, March 2012
29. Report on Maturity of the Library’s System Development Lifecycle Processes and Procedures, Report No. 2013-IT-105, January 2015.
30. CHIEF INFORMATION OFFICERS Responsibilities and Information and Technology Governance at Leading Private-Sector Companies, September 2005
31. Capital Programming Guide, V 3.0, Supplement to Office of Management and Budget Circular A–11: Planning, Budgeting, and Acquisition of Capital Assets.
32. GAO Guidance: Government-wide Strategic Planning, Performance Measurement, and Investment Management Can Be Further Improved (GAO-04-49/2004)
33. GAO Cost Estimating and Assessment Guide Best Practices for Developing and Managing Capital Program Costs, US GAO, GAO Applied Research and Methods, GAO-09-3SP, March 2009.
34. Library of Congress, OIG, Information Technology Strategic Planning: A Well Developed Framework Is Essential to Support the Library’s Current and Future IT Needs, Report No. 2008-PA-105 March 2009.
35. Library of Congress, OIG, Follow‐up Review: Information Technology Strategic Planning Report No. 2011‐IT‐103, December 2011.
36. OMB FY2015 Guidance on Exhibits 53 and 300 – Information Technology and E-Government.
37. "The Relationships Among Portfolios, Programs, and Projects", A Guide to the Project Management Body of Knowledge (PMBOK Guide). v5. ed. Newtown Square, PA: Project Management Institute, 2013. Pg. 4
38. OMB M-12-10, Implementing PortfolioStat, March 30, 2012
39. https://www.axelos.com/mop