The agency is doing better about reporting through its internal system but six of seven outstanding issues remain a concern for the inspector general.
The State Department has made some progress improving the management of its IT portfolio but continues to struggle with five-year-old recommendations from its inspector general’s office, according to a new report.
The new audit follows up on a March 2016 report that found State, and specifically the Bureau of Information Resource Management, or IRM, wasn’t following Office of Management and Budget process for selecting IT investments.
“This occurred, in part, because the Bureau of Information Resource Management did not have sufficient, centralized oversight; have controls to avoid duplicative IT investments; or fully use the IT portfolio management system,” the new report states.
The 2016 report made 30 recommendations, seven of which remained open but were considered resolved as State officials offered plans and timelines for correcting the issues. The latest report follows up on those seven, which included improving oversight from the chief information officer and making better use of the agency’s internal IT portfolio management system, the Integrated Management Analytics and Technology Resource for Information Exchange, or iMatrix.
“Because of these issues, stakeholders lacked visibility into the department IT portfolio, the department made duplicative IT investments, and the department was not well positioned to implement new mandates related to IT investments,” the 2016 report found.
State has made significant progress since 2016, according to the new report. And while the IG left two previous recommendations open and issued four new ones, the responses to those from State officials were solid enough for auditors to classify all open recommendations as resolved pending further action.
“Specifically, OIG found that IRM adopted relevant OMB guidance and updated internal policies and procedures, as needed, to reflect the OMB guidance for IT investment tracking,” the IG wrote, closing one of the more prominent open recommendations surrounding the use of iMatrix.
State officials “took some actions to address” four other recommendations but ultimately did not meet the intent of what the IG had previously suggested.
“Specifically, IRM considered but has not developed and implemented policies and procedures related to reviewing IT portfolio reorganizations,” the report states. “In addition, although IRM had developed and implemented a process to compare requests for new IT investments to the existing IT portfolio to help identify duplicative systems, it has not performed a benchmark assessment, as previously recommended, of the entire IT portfolio to identify existing duplicative systems. Furthermore, although IRM designed and implemented a process to review and approve bureau-funded IT contracts, OIG found that not all IT procurements were appropriately routed to the chief information officer for review and approval.”
The movement in the right direction but lack of follow-through prompted the IG to close those four recommendations and reissue them “to address the current situation.”
The IG is now recommending that IRM:
- Develop and implement policies and procedures related to reviewing IT investment reorganizations conducted by all bureaus and offices to ensure that the resulting investments comply with OMB requirements.
- Conduct an in-depth review of the entire agency IT portfolio to identify potential duplicative systems.
- Develop and implement, to the extent practicable, a strategy to combine, eliminate or replace the duplicative systems identified during its review of the entire agency IT portfolio as part of the second recommendation.
- Develop and implement a methodology for identifying requisitions of or exceeding $10,000 that have not been properly identified as IT-related acquisitions.
After conversations with State IT officials, the IG deemed these recommendations open but resolved, as the agency has plans to address each of them.
Two other hold-over recommendations—reviewing IT investment methodologies and rules for avoiding duplicative investments—saw little to no actions taken over the last five years. Those recommendations were carried forward and are only now considered resolved with the understanding that IRM is taking corrective actions.