In March 2016, the Office of Inspector General (OIG) reported that the Department of State generally did not select IT investments following the defined process or in accordance with Office of Management and Budget (OMB) requirements. This occurred, in part, because the Bureau of Information Resource Management (IRM) did not have sufficient, centralized oversight; have controls to avoid duplicative IT investments; or fully use the IT portfolio management system.
In its compliance follow-up audit, OIG found that IRM completed corrective actions to close one recommendation that related to developing and implementing policy and additional guidance for recording details of IT investments in the Department’s IT portfolio management system. Specifically, OIG found that IRM adopted relevant OMB guidance and updated internal policies and procedures, as needed, to reflect the OMB guidance for IT investment tracking.
OIG also found that IRM took some actions to address four open recommendations, but further improvements are needed to fully address the 2016 audit findings. Specifically, IRM considered but has not developed and implemented policies and procedures related to reviewing IT portfolio reorganizations. In addition, although IRM had developed and implemented a process to compare requests for new IT investments to the existing IT portfolio to help identify duplicative systems, it has not performed a benchmark assessment, as previously recommended, of the entire IT portfolio to identify existing duplicative systems. Furthermore, although IRM designed and implemented a process to review and approve bureau-funded IT contracts, OIG found that not all IT procurements were appropriately routed to the Chief Information Officer for review and approval. Until additional actions are taken, IRM will not be able to fully identify duplicative systems and related cost-saving opportunities, optimize its IT investments, or promote shared services. OIG is therefore closing the previous four recommendations and issuing new recommendations to address the current situation.
Finally, OIG found that IRM had not taken sufficient corrective action related to two open recommendations. Specifically, IRM did not take action to develop and implement a process to identify and review bureau-specific IT investment methodologies. In addition, IRM has not developed and implemented policies and procedures to oversee and enforce requirements for bureaus and offices to avoid duplicative IT investments. These actions are needed to improve accountability and to further identify and avoid duplicative IT investments.