Internal Audit Report. Information Management Division Contract Management - Transformation TxDOT Internal Audit Division

Transcription

1 Internal Audit Report Information Management Division Contract Management - Transformation TxDOT Internal Audit Division

2 Objective To evaluate the contract management for Information Technology (IT) transformation projects including managing the timeliness of the projects. Opinion Based on the audit scope areas reviewed, control mechanisms are effective and sustainable and substantially address risk factors and exposures considered significant relative to impacting reporting reliability, operational execution, and compliance. The organization's system of internal controls provides reasonable assurance that key goals and objectives will be achieved despite improvement opportunities identified. Improvement opportunities identified include minor enhancements that would improve achievement of control objectives but are not currently resulting in negative impacts to the organization. Overall Engagement Assessment Satisfactory Finding 1 Title Project Change Control and Closeout Documentation Findings Control Design Operating Effectiveness Rating x x Satisfactory Management concurs with the above findings and prepared management action plans to address deficiencies. Control Environment Information Management Division (IMD) Vendor Management has the overall responsibility to manage the contractual obligation ( the Agreement ) between TxDOT and its third party IT service provider. IMD has established processes and procedures to help monitor and ensure transformation projects meet established goals and improve the overall IT infrastructure. Some of these processes include developing an annual Transformation Plan. The annual Transformation Plan outlines the transformation projects that will be completed during the year, and it is reviewed and approved annually by the Information Technology Governance Council, which is made up of four members of Administration. Once the transformation projects are established on the plan, IMD monitors these projects through standardized reporting and various meetings with the third-party vendor to review project status, milestones, and deliverables, as well as review of requested changes and the monthly invoice for project charges. August

3 Summary Results Finding Scope Area Evidence 1 Project Deliverable Review and Closeout Change Control Review and Approval Auditors evaluated fifteen IT projects, which included 36 supplemental work orders, and identified the following: Project Closeout Documentation (7 closed projects) 3 of 7 (43%) closed projects reviewed were not supported with sufficient closure documentation or required approvals Supplemental Work Orders (8 active and 7 closed projects) 3 of 36 (8%) supplemental work orders approved by IMD, did were not supported with documentation of the required project change request and/or approved contract change forms Audit Scope Audit scope included reviewing Information Technology (IT) transformation projects that were initiated between July 31, 2013 and March 11, Projects were selected to evaluate TxDOT s review of project deliverables compared to 1) scope of work, 2) weekly project reporting and communications, 3) review and approval of changes to the established milestones (i.e., supplemental work orders), and 4) project closing procedures. Auditor s selected 15 IT projects to test, including 8 active and 7 closed. The audit was performed by Jessica Esqueda, Jehryca Rayford, Rita Ruiz, and Cynthia Scheick (Engagement Lead). The audit was conducted during the period from March 14, 2016 to April 29, Methodology The following methodology used to complete the objectives of this audit: Reviewed TxDOT internal documents including policy and procedure manuals, IMD and the third-party vendor organizational charts and administrative memos Reviewed the Master Services Agreement (the Agreement) relating to Transformation projects Reviewed the current TxDOT Transformation Plan dated November 11, 2015 Interviewed key personal including the IMD Interim Director, IMD Vendor Management Director, the third-party vendor Project Manager, and staff involved in monitoring IT projects Interviewed two members of the IT Governance Council to determine level of communication regarding IT projects and involvement in establishing the annual Transformation Plan Evaluated transformation project process maps for the third-party vendor Deliverable Review, Data Change Control Process, and Data Work Order/Project Closeout Review Process Reviewed sixty-six Deliverable Review Summary Forms (DRSF) to determine if acceptance or rejection was completed within the fifteen day deadline for automatic acceptance per the Agreement August

4 Sampled fifteen IT projects to determine if project files contained key project documents including Statement of Work (i.e., Scope of Work), weekly status reports, meeting minutes, DRSFs, and change review forms Evaluated the closing process for seven of the sample IT projects to determine if project files had complete records and approval to close Reviewed all 36 supplemental work orders for the fifteen projects to assess the reasonableness of the work order change Evaluated both the project change and contract change request forms for the fifteen projects to validate TxDOT s review and approval, as well as, the corresponding supplemental work order approval by the IMD Director Background This report is prepared for the Texas Transportation Commission and for the Administration and Management of TxDOT. The report presents the results of the Information Management Division Contract Management Transformation audit which was conducted as part of the Fiscal Year 2016 Audit Plan. In 2013, TxDOT outsourced key areas of Information Technology (IT) in an effort to provide technology advancements, new and improved services, and operational efficiencies. Areas that were outsourced included the ongoing service delivery (e.g., IT service desk), and transformation services that improve the overall IT infrastructure. Transformation services can include consolidation activities, implementation of new technologies (e.g., new applications), and process changes. The IMD Vendor Management Section is responsible for the management of the Agreement, including processes for monitoring the IT transformation projects. Per the Agreement, a detailed Service Management Manual was created that outlines responsibilities for the third-party vendor and TxDOT relating to management of IT transformation projects. TxDOT has assigned responsibility for overseeing the technical aspects of projects to their IMD Transformation Management section. IMD Transformation Management staff includes transformation managers (TMs) that work closely with the thirdparty vendor project managers to monitor the status of projects, requests for changes that result in supplemental work orders, review of deliverables, and general project management. TMs also hold weekly meetings with the assigned project managers to review any issues with the project status or the deliverable. In addition, IMD leadership holds a weekly Project Review Committee meeting with the third-party vendor to discuss potential project issues identified. IT transformation project files, including closeout and supplemental work order documentation, are maintained electronically on a secure site where all related project information is to be retained. We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Recommendations to mitigate risks identified August

5 were provided to management during the engagement to assist in the formulation of the management action plans included in this report. The Internal Audit Division uses the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework version A defined set of control objectives was utilized to focus on reporting, operational, and compliance goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against reporting misstatement and reliability, operational sub-optimization, or non-compliance, particularly in areas not included in the scope of this audit. August

6 Detailed Findings and Management Action Plans (MAP) Finding No. 1: Project Change Control and Closeout Documentation Condition The change control and project closeout process for Information Technology (IT) transformation projects does not always ensure that required documentation and approvals are completed and retained. Effect/Potential Impact Without sufficient support for project costs incurred, changes made, or end results for transformation projects, the ability to determine project value and return on investment is limited. Three closeout projects totaling $1.7 million and three projects with changes to original statement of work (consisting of an overall increase in costs of $99,000) were not supported with sufficient documentation, as required. Criteria The Service Management Manual outlines procedures for document retention of project closure and project changes. The manual procedures include documenting TxDOT review and approval of project completion, documenting change requests for assessment and approval, and storing all project documents for reference and future process improvement. Cause TxDOT Information Management Division (IMD) has not clearly defined a quality assurance process that would formally review the project file prior to the closeout meeting with stakeholders and their third-party provider of IT services. In addition, exceptions to the change order process (e.g., when all required forms are not needed) were not covered in the current procedures, specifically when the change is initiated by IMD or when the complete statement of work should be replaced. Evidence Auditors evaluated 15 IT transformation projects, which included 7 closeout projects and 36 supplemental work orders used to support the change control process for projects. The following was noted: Project Closeout Documentation (7 closed Projects) 3 of 7 (43%) closed project files did not include closure documentation (close-out report, issue log, closure meeting minutes) or approvals, as required: o 1 project totaling $292,000, for hardware provisioning, did not include closure documentation in the project file o 1 project totaling $1,223,000, to broaden the current enterprise level communications, did not include documentation confirming TxDOT and stakeholder approval of the project prior to closing out o 1 project totaling $215,000, developing the Fleet Navigator system, did not include required stakeholders from Fleet Division in the closure meeting which is the venue to obtain their approval of the project work and closure August

7 Supplemental Work Orders (8 active and 7 closed projects) 3 of 36 (8%) supplemental work orders approved by IMD, did not include the required project change request and/or approved contract change forms: o 1 supplemental work order that increased the project cost by $133,000 on a $1.3 million transformation project did not include a corresponding contract change request form o 1 supplemental work order that credited $14,000 of the $1.0 million contract amount did not include a corresponding project change request form o 1 supplemental work order that credited $21,000 of the $315,000 contract amount did not include IMD approval signatures on the contract change request form Management Action Plan (MAP): MAP Owner: Anne Hotze, IT Business Analyst, Information Management Division (IMD) MAP 1.1: Closeout Documentation - update existing project closeout process to require TxDOT verification of project documentation prior to close-out approval Change Controls - update existing contract change process flow to indicate acceptable process exceptions including the change being initiated by IMD Completion Date: August 15, 2016 August

8 Observations and Recommendations Audit Observation (a): Timeliness of Project Deliverable Review Deliverable reviews were not completed within the acceptance review period as noted in local procedures. Auditors tested 66 project deliverables reviewed between December 2013 and April 2016 by appropriate Information Management Division (IMD) employees and identified 10 of 66 (15%) project reviews that were not accepted or rejected within the required 15 day acceptance review period. The ten exceptions identified were in calendar year 2014 and no exceptions were identified in calendar year 2015 and 2016, indicating process improvement. Effect/Potential Impact Project deliverables that were not reviewed within the 15 day acceptance review period increases the risk that TxDOT waives its rights and remedies for any noncompliance for that deliverable as noted in the contract with their third-party service provider. If adjustments or corrections were needed with that deliverable, additional cost may be incurred. Recommendation IMD implemented a paperless process for routing the deliverable review forms for approval which improved compliance with the acceptance review period. IMD should continue to emphasize the importance of meeting the acceptance review period for deliverables and provide monitoring of this review period to prevent any timeliness issues from occurring in the future. August

9 Summary Results Based on Enterprise Risk Management Framework Closing Comments The results of this audit were discussed with Information Management Division (IMD) Interim Director, IMD Vendor Management Director, and IMD Transformation Management Director on June 10, We appreciate the assistance and cooperation received from employees of the Information Management Division and its third-party service provider contacted during this audit. August