PERFORMANCE AUDIT REPORT 100-Hour Audit

Similar documents
PERFORMANCE AUDIT REPORT

COMPLIANCE AND CONTROL AUDIT REPORT

LIMITED-SCOPE PERFORMANCE AUDIT REPORT

PERFORMANCE AUDIT R,EPORT Executive Summary

Report of the Joint Committee on Information Technology to the 2017 Kansas Legislature

MINUTES JOINT COMMITTEE ON INFORMATION TECHNOLOGY

Kansas Legislative Research Department December 13, 2005 MINUTES. November 16-17, 2005 Room 526-S Statehouse

Joint committee on agency rule review (JCARR) Procedure manual. Larry Wolpert Executive Director 77 S. High Street Columbus, Oh

rt One Contents Part One

CHAPTER House Bill No. 1123

Kitsap County Auditor Elections Division 2014 Voter Access Plan

<SHOW LIST OF FRAUDULENT CHECKS>

State of Illinois Internal Audit Advisory Board BYLAWS

O L A. Office of the Secretary of State January 1, 2005, through December 31, 2006 OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA

LA14-20 STATE OF NEVADA. Performance Audit. Judicial Branch of Government Supreme Court of Nevada. Legislative Auditor Carson City, Nevada

SENATE BILL No service, wireless telecommunications service, VoIP

Internal Controls and Compliance Audit. July 2013 through March 2015

Report of the Joint Committee on Information Technology to the 2016 Kansas Legislature

NORTHWEST FLORIDA WATER MANAGEMENT DISTRICT REQUEST FOR PROPOSALS ("RFP") DISTRICT INSPECTOR GENERAL/INTERNAL AUDIT SERVICES RFP #12-002

Office of Inspector General Florida Independent Living Council (FILC)

4.10. Office of the Chief Electoral Officer. Chapter 4 Section. Background. Follow-up to VFM Section 3.10, 2005 Annual Report

Peace Officer Standards and Training Board July 1, 1997, through June 30, 2000

SNOHOMISH COUNTY DEMOCRATIC CENTRAL COMMITTEE BYLAWS

Election Guide for Jurisdictions

O L A. Emergency Medical Services Regulatory Board July 1, 1997, through June 30, 2002 OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA

KANSAS SPECIAL EDUCATION ADVISORY COUNCIL. By-Laws

A Bill Regular Session, 2017 SENATE BILL 521

Public Purchasing and Contracting

Members Office Mail: Liberal Caucus January 1997 Province-wide Mailing

State of New York Office of the State Comptroller Division of Management Audit

KANSAS Internet Crimes Against Children Task Force

O L A. Campaign Finance and Public Disclosure Board OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA. Fiscal Years 2005, 2006, and 2007

Title VI Complaint Procedure

EXEMPT (Reprinted with amendments adopted on April 10, 2013) FIRST REPRINT A.B Referred to Committee on Government Affairs

Internal Controls and Compliance Audit. July 2012 through March 2015

O L A. Professional/Technical Services Contracts OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA. Financial Audit Division Report

NEW YORK STATE BOARD OF ELECTIONS ABSENTEE VOTING. Report 2007-S-65 OFFICE OF THE NEW YORK STATE COMPTROLLER

Integrity Oversight Monitor Training Session

Architectural Design Services for Project No African Hyena Housing Exhibit RFP# EN P File #095 Bid date 2:00 P.M.

Minnesota Campaign Finance and Public Disclosure Board cfb.mn.gov (651) (800)

BYLAWS OF ROTARY INTERNATIONAL DISTRICT 7450, INC. As amended November 9, 2012 A Pennsylvania Not-for-profit Corporation

APA Indiana Chapter Bylaws

53RD LEGISLATURE - STATE OF NEW MEXICO - SECOND SESSION, 2018

LBB Contract Reporting & Oversight

Addendum to Board Policy a Delegation of Board Authority

CHAPTER Senate Bill No. 1204

SUPPLEMENTAL NOTE ON HOUSE BILL NO. 2753

TESTIMONY OF SENATOR CURT BRAMBLE PRESIDENT PRO-TEMPORE UTAH STATE LEGISLATURE President-elect, National Conference of State Legislatures

Chairman Bill Goetz May 2010 through April 2012 X. Vice Chairman Tom Kriege May 2010 through April 2012 X

Information about City of Los Angeles Campaign Finance Laws

INTERNAL AUDIT. April 21, Audit Committee Members Mayor McMillan and City Council City of Clarksville Clarksville, Tennessee 37040

NEW YORK CITY HOUSING DEVELOPMENT CORPORATION BOARD GOVERNANCE. Report 2007-N-17 OFFICE OF THE NEW YORK STATE COMPTROLLER

Municipal Lobbying Ordinance

KANSAS STATE BOARD OF EDUCATION

Distribution Restriction Statement Approved for public release; distribution is unlimited.

2004 School Facilities Planning, Construction and Financing Workshop

UNIVERSITY STUDENT UNION CALIFORNIA STATE UNIVERSITY, NORTHRIDGE BYLAWS

Office of the Chief Electoral Officer

ROTARY INTERNATIONAL DISTRICT 5440, INC. BYLAWS

REQUEST FOR PROPOSAL for the SINGLE AUDIT OF THE STATE OF NEVADA

Kansas NG9-1-1 Regular Council Meeting Minutes

D. Statement on Internal Control Structure E. Management Summary G. Detailed Audit Findings II. MANAGEMENT'S RESPONSE...

Department of State Protection of Citizens Rights Programs

DEPARTMENT OF CULTURE, RECREATION AND TOURISM STATE OF LOUISIANA

PROPOSED AMENDMENT 3349 TO ASSEMBLY BILL NO. 272

March 19, Department of Administration--Contracts for State Building Projects--Listing of Subcontractors

PROCUREMENT POLICIES AND PROCEDURES. BOARD OF DIRECTORS POLICY AND PROCEDURE No. BOD 014

Office of the Attorney General

REQUEST FOR PROPOSALS

Standard Operating Procedures Manual

McLain called the meeting to order at 7:45 AM in the Village of Beverly Hills Municipal Building at W. Thirteen Mile Road.

SENATE STAFF ANALYSIS AND ECONOMIC IMPACT STATEMENT

RFP Issued: Tuesday, November 10, Amended December 7, 2015 Pages 2, 10, and 11

Communicating With City Council Guide Letters, Public Meetings, Deputations, Presentations, Open Delegations at Reference Committees

COMPLIANCE AND CONTROL AUDIT REPORT

Transitional Jobs for Ex-Prisoners

JOINT RULES of the Florida Legislature

CONFERENCE COMMITTEE REPORT. MADAM PRESIDENT and MR. SPEAKER: Your committee on conference on. On page 2, by striking all in lines 8 through 43;

PURCHASING ORDINANCE

070 KA KA CONTRACT PROPOSAL. DOT Form No. 202 Rev. 02/19

CHAPTER 5.14 PUBLIC RECORDS

Telecommunications Complaint Handling Process

Section moves to amend H.F. No as follows: 1.2 Delete everything after the enacting clause and insert:

OFFICE OF THE LEGISLATIVE AUDITOR

MASTER AGREEMENT FOR COMPUTER ASSISTED LEGAL RESEARCH (CALR) PURSUANT TO RFO #

Board of Trustees Bylaws

Van Alstyne ISD Board Operating Procedures. Revised October, 2015

PROPOSED REVISION TO GOVERNING REGULATIONS: EXECUTIVE COMMITTEE

KBA Harold A. Stones Public Affairs Conference & Legislative Reception

Vacancy Announcement

Assembly Bill No. 45 Committee on Legislative Operations and Elections

Department of the Treasury Office of the Public Defender

Procedures for Development of State Aid Construction Projects for Cities

Session of HOUSE BILL No By Committee on Energy, Utilities and Telecommunications 1-24

OMGA Executive Committee Meeting 1 st Quarter, February 2, a.m. 4 p.m.

Kansas Board of Emergency Medical Services. Board Articles

Interstate Compact for Adult Offender Supervision Report to the Legislature

Guide to 2011 Redistricting

For County, Cities, Schools and Special Districts

O L A STATE OF MINNESOTA

Transcription:

PERFORMANCE AUDIT REPORT 100-Hour Audit Information Technology Projects: Determining Whether the Chief Information Technology Officer Has Followed All Applicable Approval and Notification Requirements A Report to the Legislative Post Audit Committee By the State of Kansas 04-21

Legislative Post Audit Committee THE LEGISLATIVE POST Audit Committee and its audit agency, the Legislative Division of Post Audit, are the audit arm of Kansas government. The programs and activities of State government now cost about $9 billion a year. As legislators and administrators try increasingly to allocate tax dollars effectively and make government work more efficiently, they need information to evaluate the work of governmental agencies. The audit work performed by Legislative Post Audit helps provide that information. We conduct our audit work in accordance with applicable government auditing standards set forth by the U.S. General Accounting Office. These standards pertain to the auditor s professional qualifications, the quality of the audit work, and the characteristics of professional and meaningful reports. The standards also have been endorsed by the American Institute of Certified Public Accountants and adopted by the Legislative Post Audit Committee. The Legislative Post Audit Committee is a bipartisan committee comprising five senators and five representatives. Of the Senate members, three are appointed by the President of the Senate and two are appointed by the Senate Minority Leader. Of the Representatives, three are appointed by the Speaker of the House and two are appointed by the Minority Leader. Audits are performed at the direction of the Legislative Post Audit Committee. Legislators or committees should make their requests for performance audits through the Chairman or any other member of the Committee. Copies of all completed performance audits are available from the Division s office. LEGISLATIVE POST AUDIT COMMITTEE Senator Derek Schmidt, Chair Senator Bill Bunten Senator Anthony Hensley Senator Dave Kerr Senator Chris Steineger Representative John Edmonds, Vice-Chair Representative Tom Burroughs Representative Bill McCreary Representative Frank Miller Representative Dan Thimesch LEGISLATIVE DIVISION OF POST AUDIT 800 SW Jackson Suite 1200 Topeka, Kansas 66612-2212 Telephone (785) 296-3792 FAX (785) 296-4482 E-mail: LPA@lpa.state.ks.us Website: http://kslegislature.org/postaudit Barbara J. Hinton, Legislative Post Auditor The supports full access to the services of State government for all citizens. Upon request, Legislative Post Audit can provide its audit reports in large print, audio, or other appropriate alternative format to accommodate persons with visual impairments. Persons with hearing or speech disabilities may reach us through the Kansas Relay Center at 1-800-766-3777. Our office hours are 8:00 a.m. to 5:00 p.m., Monday through Friday.

LEGISLATURE OF KANSAS LEGISLATIVE DIVISION OF POST AUDIT 800 SOUTHWEST JACKSON STREET, SUITE 1200 TOPEKA, KANSAS 66612-2212 TELEPHONE (785) 296-3792 FAX (785) 296-4482 E-MAIL: lpa@lpa.state.ks.us June 9, 2004 To: Members, Legislative Post Audit Committee Senator Derek Schmidt, Chair Senator Bill Bunten Senator Anthony Hensley Senator Dave Kerr Senator Chris Steineger Representative John Edmonds, Vice-Chair Representative Tom Burroughs Representative Bill McCreary Representative Frank Miller Representative Dan Thimesch This report contains the findings, conclusions, and recommendations from our completed performance audit, Information Technology Projects: Determining Whether the Chief Information Technology Officer Has Followed All Applicable Approval and Notification Requirements (100-Hour Audit). The report includes a recommendation for the Joint Committee on Information Technology to amend K.S.A. 75-7201 et seq. to clarify that the project plan must be submitted to the CITO and approved before that project can be sent out for bids, and to clarify the procedures to be followed when the bidding process shows the project originally estimated to cost less than $250,000 will exceed that threshold. We would be happy to discuss these recommendations or any other items in the report with any legislative committees, individual legislators, or other State officials. Barbara J. Hinton Legislative Post Auditor

Get the Big Picture Read these Sections and Features: 1. Executive Summary - an overview of the questions we asked and the answers we found. 2. Conclusion and Recommendations - are referenced in the Executive Summary and appear in a box after each question in the report. READER S GUIDE 3. Agency Response - also referenced in the Executive Summary and is the last Appendix. Helpful Tools for Getting to the Detail In most cases, an At a Glance description of the agency or department appears within the first few pages of the main report. Side Headings point out key issues and findings. Charts/Tables may be found throughout the report, and help provide a picture of what we found. Narrative text boxes can highlight interesting information, or provide detailed examples of problems we found. Appendices may include additional supporting documentation, along with the audit Scope Statement and Agency Response(s). 800 SW Jackson Street, Suite 1200, Topeka, KS 66612-2212 Phone: 785-296-3792 E-Mail: lpa@lpa.state.ks.us Web: www.kslegislature.org/postaudit

EXECUTIVE SUMMARY LEGISLATIVE DIVISION OF POST AUDIT Has the Executive Branch Chief Information Technology Officer Followed All Applicable Project Approval and Notification Requirements? The 1998 Legislature passed a law requiring all information technology projects expected to cost $250,000 or more to be formally approved before they could be implemented. The law requires agencies to develop and document a project plan and submit it to the Chief Information Technology Officer (CITO) for their branch of government. It also requires the agency head and CITO to approve the plan before the project goes out for bids. The CITOs are required to provide all information technology budget estimates as well as any amendments and revisions to those plans to the Joint Committee on Information Technology. Lastly, agency heads must consult with the Joint Committee before approving any increase in the planned cost of an approved project that s either 10% or $1 million over the authorized cost estimate, whichever is less. A 2003 law established the need for a new computer system to help implement the streamlined sales tax project. The law requires retailers to charge sales taxes based on where the buyer lives, rather than where the purchase is made. As passed, the law was supposed to be effective July 1, 2003, which provided the Department with little time to implement this project. In late April, the Department estimated the cost to be $250,000 with annual maintenance of $20,000.... page 3... page 6 The normal approval requirements weren t followed for the streamlined sales tax project. The Department of Revenue didn t submit a project plan for the CITO s approval before sending the project out for bid. When asked for preliminary information, Department officials told the executive branch CITO that the project would cost less than $250,000, which was below the threshold needed for CITO approval. When bids were received in late September, the Division of Purchases notified the CITO that none of the bids for this project were below $1 million. Even after receiving this information, the CITO didn t require the Department to submit the required documentation for her review and approval. The executive branch CITO and Secretary of Revenue never signed a letter formally approving this project. In early November, the CITO s chief staff member told the Division of Purchases the contract for this project could be awarded without the CITO s approval, and indicated the CITO would approve the project plan after the contract was awarded. The contract was awarded 2 days later and the vendor began implementation on November 17 th.... page 7 EXECUTIVE SUMMARY i

We noted several problems with the general project approval process the executive branch CITO told us she has been following. The process isn t consistent with State law which requires approval before projects are sent out for bids. It allows agencies to avoid doing the rigorous due diligence needed to determine such things as scope, tasks, costs, and funding for the project. Also, this process could severely limit the CITO s ability to question or change the project plan, and can prevent the Joint Committee on Information Technology from seeing the real differences between the costs State officials estimated for a project and the amount of the contract award. Because the typical approval letter was never signed, the Legislature didn t receive the usual notifications about the project s status. Normally, a copy of the approval letter would have gone to members of the Joint Committee at the time the project was approved. When the bids came in higher than original cost estimates, the Joint Committee should have been formally notified. Neither of these things happened. Also, a quarterly report designed to show the status of information technology projects costing more than $250,000 provided to the Joint Committee in November 2003 didn t mention the streamlined sales tax project, even though the CITO knew early in October that bids for the project were significantly more than $250,000. Our review of other projects showed it was common for them to begin before the CITO formally approved them. Of the 4 projects we reviewed, 3 began before the CITO formally approved them. The CITO s own staff reviewed at all 26 projects active during our audit, and found that 17 projects had a planned start date before the CITO s approval date. Conclusion Recommendation APPENDIX A: Scope Statement APPENDIX B: Typical approval letter and October 27, 2003 letter... page 9... page 11... page 12... page 13... page13... page 15... page 16 ii EXECUTIVE SUMMARY

Information Technology Projects: Determining Whether the Chief Information Technology Officer Has Followed All Applicable Approval and Notification Requirements Before an information technology project with an estimated cumulative cost of $250,000 or more can be implemented, that project must be approved by the head of the agency proposing the project and by Chief Information Technology Officer (CITO) for the branch of government the agency is part of. The executive and judicial branch CITOs also are required to notify the legislative branch CITO regarding progress in implementing IT projects and all proposed expenditures for such projects for the current and ensuing years. That information also is reviewed with the Joint Committee on Information Technology (JCIT), which advises the House Appropriations and Senate Ways and Means Committees on funding for those projects. Legislative concerns have been raised that the executive branch CITO may not have handled the Department of Revenue s streamlined sales tax information technology project in accordance with these approval and notification requirements. Reportedly, this project proceeded without formal approval or formal plans being submitted, and without notification to or review by the Legislature. This 100-hour performance audit answers the following question. Has the executive branch Chief Information Technology Officer followed all applicable project approval and notification requirements? To answer this question, we reviewed State laws and policies developed by the Information Technology Executive Council, the entity responsible for establishing policies and procedures for State agencies to follow when developing and implementing large information technology projects. We also interviewed the executive branch s CITO and officials from the Kansas Information Technology Office, the Department of Revenue, and the Division of Purchases. We also reviewed documentation on file for the streamlined sales tax project. In addition, we reviewed limited documentation for 4 other projects to determine whether they started before the CITO had approved them. Finally we talked to staff in the agencies responsible for implementing these projects to determine why they started before the official approval. PERFORMANCE AUDIT REPORT 1

A copy of the scope statement the Legislative Post Audit Committee approved for this audit is included in Appendix A. In conducting this audit, we followed all applicable government auditing standards. 2 PERFORMANCE AUDIT REPORT

Were All Laws and Policies Related to Approval and Notification of Information Technology Projects Followed for the Department of Revenue s Streamlined Sales Tax Project? State laws and policies outline an approval and notification process for information technology projects expected to cost $250,000 or more. Agencies are required to put together a detailed project plan, which should be approved by the agency head and chief information technology officer (CITO) before being sent out for bids. The Joint Committee on Information Technology (JCIT) also is to be kept informed about such projects and consulted if they significantly exceed authorized costs or schedules. These requirements weren t followed for the streamlined sales tax project. The Department didn t submit a project plan for the executive branch CITO s approval because it estimated the project would cost less than $250,000. After learning the bids had come in at more than $1 million, the CITO didn t require the Department to submit the required documentation for her review and approval. The CITO and agency head never formally approved the project; a letter the CITO sent to the Department on October 27 did not constitute approval. Finally, the JCIT wasn t notified and kept informed about this project in the manner contemplated by the law. We also noted other projects that started before they got their respective CITO s approval. These and related findings are discussed in the sections that follow. The 1998 Legislature Passed a Law Requiring All Information Technology Projects Expected To Cost $250,000 or More To Be Formally Approved Before They Could Be Implemented In response to legislators frustration with State information technology projects taking much longer and costing a lot more than expected, the 1998 Legislature passed a law that changed the way such projects were to be approved. The law created a new oversight structure to approve and monitor these projects. The players involved in that process are shown in Graphic I-1 on the next page. Various people we talked to during the audit told us they thought the law was unclear regarding exactly at what stage a project needed to be approved by the CITO. However, we interpreted the law as discussed in the following section. The law requires a sequence of events to take place before agencies can begin to implement information technology projects costing a total of $250,000 or more. Here s what s outlined in the law: The agency must develop and document a project plan and submit it to the appropriate CITO. As shown in the box on page 5, this plan is a fairly comprehensive description of the project s scope, tasks, schedules, costs, and funding sources. Agencies may develop this PERFORMANCE AUDIT REPORT 3

Graphic I-1 The Various Players Involved in Kansas Information Technology Governance Joint Committee on Information Technology A standing committee of the Kansas Legislature. The committee provides oversight on information technology issues for State government. The 3 Chief Information Technology Officers report to the Committee. Information Technology Executive Council A 17-member group including the heads of 8 State agencies, representatives of local units of government and the private sector, and the Chief Information Technology Officers from each branch of government. The Council is charged with enforcing the Information Technology laws of the State and meets quarterly to adopt:! IT Policies and procedures, and project management methodologies! The Kansas Statewide Technology Architecture! Standards for data management for all State agencies! Strategic Information Technology Management Plan Chief Information Technology Architect The Chief Information Technology Architect is responsible for developing and maintaining a strategic information management plan, the overall technical architecture, project management standards and policies. The Information Architect works with the 3 CITOs and is a non-voting member of the Executive Council. Executive CITO Judicial CITO Kansas Information Technology Office Legislative CITO The 3 Chief Information Technology Officers (CITOs) review and consult with agencies regarding information technology plans in their respective branches of government. By law, the CITOs must monitor compliance with all information technology policies established by the Executive Council, incuding the approval of technology projects costing over $250,000, and coordinate implementation of new information technology. This is a division within the Department of Administration that supports the statutory responsibilities of the Chief Information Technology Architect and the 3 CITOs. The Office s 8 staff coordinate the preparation of plans, policies, reports and other information technology related documents and carry out tasks in support of information technology activities. Source: LPA summary from State law and Kansas Information Technology Office website 4 PERFORMANCE AUDIT REPORT

Statutorily Required Information Agencies Need To Compile For Information Technology Projects Costing $250,000 or More K.S.A. 75-7209 requires agencies to prepare and submit the following information to the Chief Information Technology Officer of their branch of government: Project scope statement showing a detailed description of and justification for the project Analysis of the program, activities, and other needs and planned uses for the new or improved information technology Description of the scope of the project, and a description of the tasks and schedule for each phase of the project Analysis of other ways to accomplish what the planned information technology project would accomplish Project budget estimate Financial plan showing the proposed sources of funding and cost estimates for such things as a needs analysis, professional services, major repairs, or improvements to buildings Cost-benefit statement showing qualitative and financial benefits Architectural statement to help ensure that agencies implement information technology that s consistent with computer systems and applications used by the State The Information Technology Executive Council has established policies to implement the law, and imposed some requirements on State agencies for additional information. The executive CITO and staff developed information technology project planning instructions as well as a checklist to guide agencies in preparing a project plan. These documents are available on the Internet. information on their own, or they may issue requests for information from vendors to help develop it. For very large or complex projects, they also may contract with vendors for help in the project planning phase before they can develop a project plan showing schedule and cost estimates for subsequent phases of the project. The agency head and CITO must approve the project plan before it goes out for bids. The law states that, before the agency can begin to implement a technology project, the agency head and the respective CITO must approve the project plan. The law also states that all specifications for bids or proposals related to an approved information technology project...shall be reviewed by the respective CITO. In other words, the agency head and CITO must approve the project plan before the project is sent out for bids. PERFORMANCE AUDIT REPORT The 3 CITOs are required to provide all information technology project budget estimates as well as any amendments and revisions to those plans to the Joint Committee of Information Technology (JCIT) and to the Legislative Research Department by October of each year. To implement this requirement, the Information Technology Executive Council adopted a policy of providing quarterly reports summarizing the status of all active (approved) projects, as well as a section showing planned (not yet approved) projects. The judicial and executive branch CITOs also are required to periodically report to the 5

legislative CITO regarding agencies progress in implementing IT projects, as well as all proposed and revised expenditures for such projects. The legislative branch CITO reviews that information and makes recommendations to the Joint Committee regarding the merit of the projects and appropriations for them. Agency heads must consult with the JCIT before approving any increase in the planned cost of an approved project that s either 10% or $1 million over the authorized cost estimate, whichever is less. In other words, if the bids submitted for a project (or other factors) raise the estimated cost of that project, agency heads can authorize that change as long as the increase doesn t exceed these thresholds. The agency head can t authorize cost over-runs above these limits without notifying and consulting the JCIT. According to the current legislative CITO, who in the past also served as the executive branch CITO, the intent of the new approval and monitoring structure was for agencies to exercise due diligence in planning for a project, and to provide more external oversight over such projects to prevent projects from being significantly over budget. A 2003 Law Established the Need for a New Computer System To Help Implement The Streamlined Sales Tax Project The 2003 Legislature passed a law requiring retailers to charge sales taxes based on where the buyer lived, rather than on where the purchase was being made. The law was intended to bring Kansas into compliance with the multi-state Streamlined Sales and Use Tax Agreement it entered into in 2002. Among other things, the law would let Kansas begin collecting sales taxes on Internet purchases once Congress provided that authority. The law required the Department of Revenue to create a computer system that would allow retailers to determine the correct amount of sales tax to charge. At the time the Legislature was considering the project, the costs were unknown. Department officials told us that there was no software on the market that could perform the functions needed for the streamlined sales tax, and only 2 states (Washington and South Dakota) had tried to implement such a system. In a March 21, 2003, letter to the chair of the Senate Assessment and Taxation Committee, the Budget Director passed along information from the Department of Revenue indicating $28,580 would be needed for revisions to sales tax publications and for notices to be sent to retailers. According to the letter, Department officials had indicated the required programming would be performed by existing staff, unless the combined effect of implementing this project and other legislation exceeded the Department s programming resources, or unless the time for implementing the changes was too short. In that case, outside contract programming services would be required. 6 PERFORMANCE AUDIT REPORT

In an April 30, 2003 letter, the Department sent to the Budget Director, it indicated the cost of the software would be $250,000 for the development of the local sales tax rate, and boundary and address databases required under the agreement, with an annual maintenance fee of $20,000. Because the final version of the bill made this requirement effective July 1, 2003, the Department initially had just a few months after the legislation was passed to implement the streamlined sales tax project. However, after an uproar from the Kansas business community, the Governor allowed enforcement of the law between July 2003 and January 2004 to be relaxed. Nonetheless, the timeframe for implementing this information technology project still was tight. The Normal Approval Requirements Weren t Followed for the Streamlined Sales Tax Project It appeared to us that neither the Department nor the executive branch CITO followed all the requirements related to the approval process, as described below. The Department of Revenue did not submit a project plan for the CITO s approval before sending the project out for bid. During the spring and summer months of 2003, the Department did preparatory work on the project and prepared bid specifications. Although the fiscal note estimate for the project was $250,000, the Department did not submit a project plan and the other information required by law to the CITO during that time. The Department s chief information officer told us he gave the CITO a preliminary copy of the draft request for proposals on August 28. The Department went out for bids on August 29. In early September, the CITO asked the chief information officer to submit a summary of the planned project. In his response, the chief information officer reported the project would cost less than $250,000, which was below the threshold needed for CITO approval. The chief information officer also maintained this was not a project that needed CITO approval because it only involved the purchase of software. However, the law defines information technology projects to include those with proposed expenditures for new or replacement equipment or software, or data, consulting, or other professional services. After learning the project would cost more than $250,000, the CITO didn t require the Department to submit the required documentation for her review and approval. On October 1, shortly after the bid process closed, the Division of Purchases notified the executive branch CITO that all the bids for this project exceeded $1 million. Within the scope of this 100-hour audit, we couldn t pursue why the bids were so much higher than the Department s projections. PERFORMANCE AUDIT REPORT 7

The JCIT has adopted a number of criteria for reviewing projects and has outlined actions that should be taken in certain situations. Among those criteria is one that says, serious consideration should be given to stopping IT projects that deviate from their financial plan by 30% or more and recommending that an independent 3 rd party...conduct a project review and make recommendations to the agency head and the Committee. Although the bids in this case were significantly higher than the amount the Department had estimated, it probably wasn t feasible to stop this project because of its tight deadline. But now that the project s cost was clearly over $250,000, the Department should have requested CITO approval and the CITO should have required the Department to submit the documentation required for her review and approval. In a letter dated October 27, the CITO asked the chief information officer to file an entire project plan with her office if the work for the project was going to be done in-house, and to submit only the vendor s work plan and a risk-management assessment if the work was going to be outsourced. The letter did not mention the need to get the CITO s approval. The project ultimately was outsourced. The CITO told us she didn t ask for all the documents required in this case because they normally would have been turned in early in the project s planning phase, and the project already had progressed beyond that phase. She also told us she was in touch with the Department about this project, and everyone felt confident this wasn t a project that was going to fail. The executive branch CITO and Secretary of Revenue never signed a letter formally approving this project. Typically, when an IT project is approved, the agency head and executive branch CITO both sign a letter stating this letter constitutes approval of the project under provisions of KSA 75-7209. That approval letter then is sent to officials of the Division of Accounts and Reports, the Division of Purchases, the Legislative Research Department, and members of the Joint Committee on Information Technology. (Appendix B shows a typical approval letter, and the October 27 letter the CITO sent to the Department.) For this project, no such approval letter was written. The CITO told us she never received a letter from the Department requesting that the project be approved. The Secretary of Revenue told us that this project had her full support and approval from the beginning, and she wasn t aware that anything further needed to be done. Our review of correspondence related to this project showed the following: 8 PERFORMANCE AUDIT REPORT

The Department s Chief Information Officer apparently thought the CITO s October 27 letter constituted project approval, but the CITO s correpondence makes it clear that letter did not constitute approval of the streamlined sales tax project. On November 5, Division of Purchases staff (who were getting ready to award the bid) asked the CITO to clarify whether her October 27 letter constituted approval, as the Department s chief information officer was claiming. The CITO replied that, once the Department decided whether to go with a vendor or proceed using Department staff, KDOR would need to obtain CITO approval and adhere to reporting requirements as outlined in my letter of 10/27/03. In other words, the October 27 letter clearly did not constitute CITO approval. Her e-mail did say she was in concurrence with the direction the Department was going on the project. The CITO s chief staff member told the Division of Purchases the contract for this project could be awarded without the CITO s approval, and indicated the CITO would approve the project plan after the contract was awarded. On November 12, Division of Purchases staff asked the Director of the Kansas Information Technology Office to confirm in writing what he had told her over the phone: that specific written approval from KITO/ CITO is not required prior to contract award. He agreed, and said the CITO s approval would be given later. That interpretation appears to us to be contrary to the law, and was contrary to the understanding the Department of Revenue s own purchasing manager had at the time. The CITO never did approve the project plan. The Division of Purchases awarded the contract on November 14. The vendor began implementing it on November 17 th, and essentially completed the work on January 27, 2004. The Department of Revenue provided the first status report on the streamlined sales tax project to the CITO in January 2004. The status report indicated the project would cost a total of $560,000, with a 4- year maintenance cost of $150,000 per year. The project cost was significantly greater than the Department s original cost estimates. On May 4, 2004, the CITO issued a letter approving an extension of the project deadline from January 2004 to May 2004. She indicated the letter didn t constitute approval of the project. We noted several problems with the general project approval process the executive branch CITO described to us during this audit. The current CITO started in June 2003, and in October 2003 prepared a flowchart that she said documented the process used by the previous CITO. PERFORMANCE AUDIT REPORT 9

The CITO s general policy is to review and concur with bid specifications before they are sent out, but not to review and approve the project plan until after the agency has awarded the contract. The problems we identified with this process are as follows: the process is not consistent with State law. The law would require the CITO to review and approve agencies IT project plans before those projects are sent out for bids. That gives the CITO the opportunity to question the agency s proposal and suggest changes that can make the project more feasible and the estimates more accurate. the process allows agencies to avoid doing the rigorous due diligence needed to determine the purpose, scope, tasks, schedules, costs, and funding for their projects before they send those projects out for bid or award the vendor contracts. As a result, the Legislature may authorize funding for a project based on agency estimates that are not well researched and may be significantly understated. In addition, if agencies go out for bids before developing their own firm estimates, there s no yardstick to measure the bid proposals against to determine whether those proposals are reasonable, and they could end up paying more than they need to. the process could severely limit the CITO s ability to question or change the project plan. If the agency sends the project out for bid and awards the contract to a vendor before the CITO has reviewed and approved the project plan, there may be little the CITO could do to question or change the project plan after-the-fact. the process can prevent the JCIT from seeing the real differences between the amount State officials estimated the project would cost, and the amount of the contract award. When the CITO waits until after the contract is awarded before approving the project plan, the planned project cost reported to the JCIT is the contracted amount, not the estimate the agency developed in its project plan. Yet those agency estimates may have been the basis for the Legislature s funding decisions. For example, the 4th-quarter status report the CITO submitted to the JCIT listed the planned cost of the streamlined sales tax project as $560,000 (excluding annual maintenance costs). The report categorized the project as meeting targeted goals. There s no mention that the initial project cost the Department estimated was $250,000 for software (plus $20,000 a year for maintenance), but that the final contract price for the project was $560,000 for 10 PERFORMANCE AUDIT REPORT

software (plus $150,000 a year for maintenance). That comparison would have earned this project the status of significantly outside of targeted goals (by more than 20 percent). The CITO told us she had talked with the legislative CITO about this process, and was considering possible changes to that process. Because the Typical Approval Letter Was Never Signed, The Legislature Didn t Receive the Usual Notifications About the Project s Status There are several stages at which the Joint Committee on Information Technology (JCIT) and others normally would have been notified about various aspects of this project, but weren t in this case. Because the typical approval letter wasn t signed, the JCIT and others didn t receive a project approval notification. As noted earlier, when the agency head and CITO approve an information technology project, a copy of the approval letter is sent to the Legislative Research Department, the Divisions of Purchasing and Accounts and Reports, and the Joint Committee on Information Technology. Because no formal approval letter was issued for this project, these parties never received that notification. The JCIT wasn t informed of a major increase in planned costs. Under State law, an agency head has to consult with the JCIT before approving any changes to a project s planned cost that increases the total authorized costs by either 10% or $1 million, whichever is less. In this case, the project cost increased from an estimate of $250,000 to $560,000, significantly more than the Department had initially estimated. The Joint Committee wasn t formally notified about this increase. The quarterly status report the JCIT received in November 2003 didn t mention the streamlined sales tax project. This status report, which is a compilation of reports individual agencies provide to the Kansas Information Technology Office, is subsequently sent to the Joint Committee, each CITO, the Legislative Research Department and others. The 3 rd quarter status report was for projects that were under way or planned in July-September 2003. Although the streamlined sales tax project was under way by then, it wasn t included in the status report because the Department had reported it would cost less than $250,000. It appeared to us the streamlined sales tax project should have been mentioned in this status report under the category called updated key information occurring after this report period. The report wasn t issued until November, and by October 1 the CITO and her staff were aware that the bids for this project had come in significantly over $250,000. The project was mentioned in the 4 th quarter report, which was issued in February 2004, and in the 1 st quarter report, issued in May 2004. PERFORMANCE AUDIT REPORT 11

Our Review of Other Projects Showed It Was Common for Them To Begin Before the CITO Formally Approved Them We reviewed 4 additional information technology projects during this audit to determine whether they had been started before the CITO had formally approved them. Table I-1 shows the details. In all, 3 of those 4 projects started before the CITO approved them. For one project, we also noted that required documents weren t in the file, and that the agency head didn t sign the approval letter for the project. Because of our inquiries, the CITO s staff looked at all 26 projects active during our audit. They found that 17 projects had a planned start date before the CITO s approval date. (Agencies aren t currently required to report when they actually started the project). The executive branch CITO and officials from the Technology Office told us that, although the law mandates CITOs to monitor agencies compliance with the policies and procedures adopted by the Information Technology Executive Council, it doesn t include a mechanism for CITOs to enforce this mandate. Table I-1 Did the Respective CITO Approve the Project Before Implementation Began? Project Date of CITO Approval Date Work Began Was requirement followed? If not, why not Siebel Upgrade Department of Human Resources $425,000 Computer Assisted Mass Appraisal Project Department of Revenue 12/17/03 11/10/03 No Department officials said the agency was remiss in getting approvals and reporting projects to the CITO before the new chief information officer was hired. After he came on board, he retroactively submitted it to the CITO. Agency officials also point out that this project was originally estimated to cost between $150,000 to $170,000. It was only after the bid proposals came in that it became clear the project would surpass the $250,000 threshold. 12/17/03 11/03/03 No Our review of the project documents submitted by the agency showed that Phase 2 of this project (installation of the computer hardware and software) began November 3, before the CITO had approved the project plan. $3.8 million Harrison Center Infrastructure Department of Transportation $840,000 District Court Accounting & Case Mgmt. System Office of Judicial Administration 11/14/03 7/1/03 No The CITO s approval came after the project was under way because there initially was uncertainty about whether this was even an IT project, and who would prepare the project plan (the project dealt with installing switches and wiring to prepare the Harrison building to house KDOT staff). KDOT officials told us they used July as the project start date because they were aware of on-going activities that had occurred around that time. Can t tell 7/31/01 Can t tell Agency officials couldn t find an official record showing that the judicial CITO had approved this project. However, they told us the project had been approved by the former CITO, and we did see an e- mail that made a reference to the previous CITO approving the project. That e-mail didn t indicate the date the approval occurred. $5.7 million 12 PERFORMANCE AUDIT REPORT

Conclusion The Legislature has made agency officials responsible for doing a better job of planning large information technology projects, and has created more oversight to ensure that such projects are properly carried out. For this process to work effectively, agencies need to rigorously plan such projects and follow the required approval and notification requirements, and CITOs need to make it clear to agencies what s required and by when. Both the Department of Revenue and the executive branch CITO share responsibility for those requirements not being followed for this project. The Department significantly underestimated the project s cost, which kept it outside the approval and notification loop for months. For a variety of reasons, the CITO allowed the project to continue and the contract to be awarded without her formal approval. Neither kept the JCIT adequately informed about the status and cost over-runs of this project. The issues that arose with this project and the fact that other projects are starting without CITO approval seem to point out that the executive branch CITO and the agencies are confused about what is required and when. Also, it seems to us that it would be impossible to comply with the law for projects that are originally estimated to cost less than $250,000 and end up costing more. That s because those projects wouldn t have been required to go through the approval process, and therefore wouldn t have been approved before being sent out for bid. The Legislature may need to clarify the law to correct some of these issues. In other cases the CITOs will need to agree on some uniform procedures and make sure agency officials understand and conform to them. Recommendations 1. To help ensure that the approval process for information technology projects conforms to the law, the executive branch CITO should, in consultation with the legislative and judicial branch CITOs, review and revise the approval process currently being followed. All 3 CITOs should ensure that the agreed-upon process is implemented uniformly across all agencies. The Information Technology Executive Council should incorporate any resulting changes into State policies, and the Kansas Information Technology Office should alert agencies regarding the changes. 2. To ensure that the planning, approval, and notification requirements for information technology projects are being carried out as intended, the Joint Committee on Information Technology should amend K.S.A. 75-7201 et seq. to do the following: PERFORMANCE AUDIT REPORT 13

a. for information technology projects initially estimated to cost $250,000 or more: clarify that the project plan must be submitted to the CITO and approved before that project can be sent out for bids. b. for information technology projects initially estimated to cost less than $250,000 (which don t go through the approval and notification process before going out for bids): clarify the procedures to be followed when the bidding process shows the project will cost more than $250,000. The JCIT should require that such projects be reviewed and approved by the CITO before the contract can be awarded. It also should consider what approval and notification requirements should be followed for such projects that are completed in-house by agency staff. If the JCIT decides that the procedures called for in this recommendation should be developed by the CITOs instead, with the advice and consent of the JCIT, it should direct the CITOs to develop those procedures and have them incorporated into State policy. 14 PERFORMANCE AUDIT REPORT

APPENDIX A This appendix contains the scope statement that was authorized by the Chair of the Legislative Post Audit Committee on March 24, 2004. The requesting legislator was Representative McLeland. PERFORMANCE AUDIT REPORT 15

SCOPE STATEMENT Information Technology Projects: Determining Whether the Chief Information Technology Officer Has Followed All Applicable Approval and Notification Requirements Before an information technology project with an estimated cumulative cost of $250,000 or more can be implemented or any moneys spent on it, that project must be approved by the appropriate executive, judicial, or legislative branch Chief Information Technology Officer (CITO) and the agency head. The executive and judicial branch CITOs also are required to notify the legislative branch CITO regarding progress in implementing IT projects, and all proposed expenditures for such projects for the current and ensuing years. That information is also reviewed with the Joint Committee on Information Technology (JCIT), which advises the House Appropriations and Senate Ways and Means Committees on funding for those projects. Legislative concerns have been raised that the executive branch CITO may not have handled the Department of Revenue s streamlined sales tax information technology project in accordance with these approval and notification requirements. Reportedly, this $560,000 project proceeded without formal approval or formal plans being submitted, and without notification to or review by the Legislature. A performance audit in this area would address the following question: 1. Has the executive branch Chief Information Technology Officer followed all applicable project approval and notification requirements? To answer this question, we would review applicable laws, regulations, policies, and practices to determine what requirements the CITO is supposed to follow, and how those requirements are normally carried out. We also would review recent status reports prepared by the Kansas Information Technology Office and other documents as needed to identify information technology projects with an estimated cumulative cost of $250,000 or more. For a small sample of those projects including the streamlined sales tax project we would review correspondence, memos, payment records, JCIT agendas and minutes, and other relevant records to determine whether all applicable approval and notification requirements were followed. For any instances where requirements weren t followed, we would interview officials to determine the reasons why. Estimated completion time: 100 hours 16 PERFORMANCE AUDIT REPORT

APPENDIX B This appendix shows a typical technology project approval letter, alongside the October 27 letter the executive CITO sent to the Department of Revenue regarding the streamlined sales tax project. PERFORMANCE AUDIT REPORT 17

18 PERFORMANCE AUDIT REPORT

PERFORMANCE AUDIT REPORT 19

APPENDIX C On May 26, 2004, we provided a draft copy of the audit report to the executive-branch Chief Information Technology Officer and to the Department of Revenue. Their responses are included in this Appendix. After carefully reviewing the responses, we made some minor clarifications to the draft audit that didn t affect any of our findings or conclusions. 20 PERFORMANCE AUDIT REPORT

PERFORMANCE AUDIT REPORT 21

22 PERFORMANCE AUDIT REPORT

PERFORMANCE AUDIT REPORT 23

24 PERFORMANCE AUDIT REPORT

PERFORMANCE AUDIT REPORT 25

26 PERFORMANCE AUDIT REPORT

PERFORMANCE AUDIT REPORT 27

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback