
Agencies Excel at Fixing IT Problems Uncovered by GAO, Study Says

Viktor88/Shutterstock.com

Let’s start with the bad news: The Government Accountability Office last week added information technology acquisition to its watch-list of “high-risk” federal programs, reinforcing the perception that managing federal IT programs is inherently risky business.

Now for some good news: History shows federal agencies are actually pretty good about addressing GAO recommendations, especially when it comes to technology gaps identified by auditors.

A new analysis of more than 40,000 GAO recommendations spanning nearly 30 years finds agencies are more adept at implementing recommendations related to IT management and information security than any other category examined by auditors.

Now, back to the bad news: Generally, by the time enough recommendations go unaddressed that a program gets added to the High-Risk List, it indicates an intractable problem that’s much harder for agencies to overcome.

The new report from Deloitte Public Sector Research, “Accountability Quantified: What 26 years of GAO reports can teach us about government management,” used text analytics to scan 1.3 million pages of GAO reports issued between 1983 and 2008.

The analysis is clear: GAO recommendations have proven a force for good over the years at turning around wayward agency programs. During that time frame, about 81 percent of GAO recommendations were successfully implemented by agencies.

Recommendations specifically related to IT management and information security led the pack, with the highest completion rates.

Nearly all information security recommendations -- 94 percent -- were implemented by agencies, according to the report; agencies addressed 87 percent of recommendations related to IT.

Those near-perfect scores may seem at odds with the “frequent and high-profile information security and information technology failures in the U.S. federal government,” the study noted.

One reason for the high success rate is that most of the recommendations in those particular categories focused on very specific, “tactical” recommendations, rather than “large-scale system implementation changes,” the study found.

“This does not mean that GAO never issues large-scale directives, but it does point to the fact that its recommendations are generally within the reach of the agencies it evaluates,” the study said.

In fact, given the government’s successful track record implementing IT recommendations, the study suggested GAO might get more bang for its buck in pushing for “more aggressive” recommendations in the future.

Still, it’s also important to note the adoption of watchdog recommendations was measured over the long haul. Currently, agencies have let many of the recommendations related to IT management and acquisition pile up. That’s one of the reasons GAO decided to add the area to the High-Risk List.

Over the past five years, auditors have made a total of 747 recommendations related to IT acquisition. Yet as of January 2015, only about 23 percent of them have been “fully implemented” by agencies, GAO said in its latest high-risk update.

Now, for some even more bad news.

You might think that if GAO provides agencies repeated recommendations in a particular area -- say, IT acquisition -- then, you’d eventually see agencies successfully adopting more of these recommendations.

But that’s not necessarily the case.

“There is no meaningful relationship between how many recommendations an agency receives in a specific area and how often they succeed in that area,” the report concluded. “In other words, an agency seems no more likely to implement a recommendation in the ‘information systems’ category whether it receives 100 or 500 recommendations in that category.”

Despite persistent oversight by GAO and recommendations, some problems just seem beyond the reach of agencies to effectively fix on their own recognizance.

Congressional overseers who task GAO with looking into problems need to think of the watchdog’s recommendations “as an effective scalpel but not a panacea for the federal government’s longstanding problems,” the study concluded. “GAO may sometimes succeed in helping agencies make meaningful changes, but problems often exist that are beyond GAO’s reach.”

In fact, that’s borne out by the very existence of the High-Risk List, the high-profile biennial roster of the government’s most troubled programs.

Out of a total of 55 high-risk areas ever identified -- GAO published the first list in 1990 -- less than half have been successfully resolved by agencies and removed from the tally.

So what to make of IT acquisition’s entry on GAO’s naughty list? The study shows agencies have it in their power to make meaningful reforms. Still, it may be a while before managing federal IT isn’t considered quite so high-risk.
