Information Technology
Update on VA Actions to Implement Critical Reforms
Statement of Joel C. Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division

Mr. Chairman and Members of the Subcommittee:
We appreciate the opportunity to
participate in today’s hearing on the Department of Veterans Affairs’
(VA) proposed $1.4-billion information technology (IT) program, and
how VA is using IT to better serve our nation’s veterans. In July
1998 we reported that VA had not fully implemented critical provisions
of the Clinger-Cohen Act and related legislative IT reforms. We also
made several recommendations for improving VA’s IT program.
We will begin today by discussing VA’s
efforts to address our 1998 recommendations, especially those calling
for institutionalizing a disciplined IT investment decision-making
process, developing an overall business process improvement strategy
to accomplish reengineering, and completing an integrated IT
architecture. Next, as requested, we will discuss the status of VA’s
actions to develop and implement a Master Veteran Record; the Veterans
Benefits Administration’s (VBA) actions to modernize its information
systems, also known as the Veterans Service Network, or VETSNET; and
the Veterans Health Administration’s (VHA) actions to implement its
Decision Support System. Finally, we will discuss VA’s steps to
improve computer security across the department.
In brief, VA has made progress in
addressing our 1998 recommendations. For example, compared with its
fiscal year 1999 IT investment review process, VA’s fiscal year 2001
process provided decisionmakers with more detailed information on
proposed projects. However, the department has yet to fill the
position of assistant secretary for information and technology,
created in June 1998 and intended to serve as VA’s chief information
officer (CIO). It also has not developed an overall strategy for
reengineering its business processes to effectively function as
"One VA," a vision the department has articulated, nor has
it defined the integrated IT architecture needed to efficiently
acquire and utilize information systems across VA.
VA Information Technology:
Improvements Needed to Implement Legislative Reforms
(GAO/AIMD-98-154, July 7, 1998).
The Clinger-Cohen Act and related
legislative reforms—the Paperwork Reduction Act of 1995 and the
Federal Acquisition Streamlining Act of 1994—provide direction on
how federal agencies should plan, manage, and acquire IT.
An integrated IT architecture is a
blueprint consisting of logical and technical components to guide and
constrain the development and evolution of a collection of related
systems. At the logical level, the architecture provides a high-level
description of an organization’s mission, the business functions
being performed and the relationships among the functions, the
information needed to perform the functions, and the flow of
information among functions. At the technical level, the architecture
provides the rules and standards needed to ensure that the
interrelated systems are built to be interoperable and maintainable.
These include specifications of critical aspects of component systems’
hardware, software, communications, data, security, and performance
characteristics.
VA likewise faces challenges in
developing and implementing a Master Veteran Record, VETSNET, and the
Decision Support System. Its Master Veteran Record project has not
been implemented by VBA’s compensation and pension service line,
although this project could help reduce overpayments through faster
receipt of death notices. VBA’s VETSNET project has experienced many
schedule delays, and the agency has not yet established a completion
date for it. Finally, VHA’s Decision Support System, while
completed, is not being fully used by the agency for the purposes
intended, including budget formulation and resource allocation.
Regarding computer security, VA has
begun to address weaknesses identified by us and by its Office of the
Inspector General (OIG). Nevertheless, it still needs to complete
guidance on assessing the department’s security risks and must
develop appropriate policies and controls for accessing its computer
systems.
Background
The department’s vision of "One
VA" was articulated to assist it in carrying out its mission of
providing benefits and other services to veterans and dependents. This
vision stems from the recognition that veterans think of VA as a
single entity, but often encounter a confusing, bureaucratic maze of
uncoordinated programs—such as those handling benefits, health care,
and burials—that puts them through repetitive and frustrating
administrative procedures and delays. According to the department, the
"One VA" vision describes how it will use information
technology in versatile new ways to improve services and enable VA
employees to help customers more quickly and effectively.
To implement this vision and carry out
other activities, VA plans to spend about $1.4 billion of its proposed
fiscal year 2001 budget of about $48 billion on various IT
initiatives. Of this $1.4 billion, about $763 million, $80 million,
and $400,000, are intended for VHA, VBA, and the National Cemetery
Administration (NCA), respectively. The remaining $589 million is for
VA-wide IT initiatives in the financial management, human resources,
infrastructure, security, architecture, and planning areas.
VA Has Made Progress in
Institutionalizing the IT Investment Process
The Clinger-Cohen Act and other related
legislative reforms provide guidance on how agencies should plan,
manage, and acquire IT as part of their overall information resources
management responsibilities. These reforms require agencies to appoint
CIOs responsible for providing leadership in acquiring and managing IT
resources. They also require agencies to perform business process
reengineering prior to acquiring new IT and to complete an integrated
architecture to guide and constrain future investments.
The Clinger-Cohen Act requires
agency heads to implement an approach for maximizing the value and
assessing and managing the risks of IT investments. It stipulates that
this approach should be integrated with the agency’s budget,
financial, and program management processes. As detailed in our
investment guide, an IT investment process is an integrated approach
that provides for disciplined, data-driven identification, selection,
control, life-cycle management, and evaluation of IT investments.
As shown in table 1, VA’s
decision-making process for IT investments varies depending upon the
proposed project’s cost, risk, and visibility. An IT project starts
with a VA administration or office developing a project to address
business needs and preparing a formal proposal for review and
approval. Then, projects with high cost, risk, or visibility are
assessed as part of VA’s capital investment planning process,
including review by its Capital Investment Board (CIB). This board is
composed of the deputy secretary, the assistant secretary for
congressional affairs, the assistant secretary for information and
technology, the general counsel, the assistant secretary for financial
management, the assistant secretary for planning and analysis, and the
undersecretaries for health, benefits, and memorial affairs. It
reviews projects that exceed specific dollar thresholds or that are
seen as high risk or high visibility. The dollar thresholds for VHA,
VBA, NCA, and staff offices are acquisition costs of $10 million,
$2 million, $1 million, and $1 million, respectively, and/or
life-cycle costs of $30 million, $6 million, $3 million, and $3
million, respectively. Lower cost projects are not reviewed by the CIB.
Instead, they are decided upon and overseen by VA
administrations/offices. Those projects over $250,000 are also
monitored by VA’s Office of Information and Technology (OI&T).
Assessing Risks and Returns: A Guide
for Evaluating Federal Agencies’ IT Investment Decision-making (GAO/AIMD-10.1.13,
February 1997).
Table 1: Summary of VA Decision-making and Oversight by Type of IT Project
| | Type of VA decision/oversight | | | |
| Type of IT project | Select | Approve | Control | Evaluate |
| High cost/risk/visibility: Projects that meet dollar thresholds for review by CIB or are high risk or high visibility | Administration/office | VA CIB | VA OI&T approval; VA in-process reviews; Execution reviews; Internal reviews and OIG reports | VA post-implementation reviews; VA internal reviews and OIG reviews |
| Medium cost: Projects greater than $250,000 but less than the thresholds for review by CIB | Administration/office | VA OI&T approval (a) of procurements | VA OI&T follow-up on approval (a) of procurements | VA internal reviews and OIG reviews |
| Low cost: Projects less than $250,000 | Administration/office | Administration/office | Administration/office | Administration/office |
(a) Exceptions to the requirement for approval include items purchased under VA’s
departmentwide procurement computer hardware and software contract and
purchases of picture archiving and retrieval systems.
Source: VA.
As shown in figure 1, projects that
require approval by the CIB are submitted by the applicable
administration/office to the department’s CIO Council Investment
Panel. This panel evaluates and ranks IT proposals for the CIO
Council. The council then reviews the proposals and forwards selected
ones to the Capital Investment Panel. This panel ranks and scores both
IT and non-IT projects and makes recommendations to the CIB, which
then makes recommendations to the Secretary for inclusion in the
department’s capital plan and annual budget request.
Figure 1: VA’s Investment
Decision-making Process

Although VA had established a detailed
process for selecting, controlling, and evaluating IT investments,
discipline within the process was previously lacking. Specifically, we
reported in July 1998 that VA decisionmakers did not have current
and/or complete information—such as cost, benefit, schedule, risk,
and performance data at the project level—with which to make sound
investment decisions. In addition, VA’s process for controlling and
evaluating its investment portfolio was incomplete and, as a result,
decisionmakers did not have the information needed to detect or avoid
problems early or to improve the VA investment process for the future.
Accordingly, we made several
recommendations to VA to improve its selection, control, and
evaluation of IT investments. As discussed below, the department
agreed to implement them.
GAO/AIMD-98-154, July 7, 1998.
VA Has Improved Its Process for
Selecting CIB-Level Projects
In response to our recommendation that
it implement a disciplined process for selecting IT investments in
which decisions are based on complete and current project data, VA now
requires its administrations/offices to meet a more comprehensive and
specific set of criteria. The selection criteria used during the
fiscal years 2000 and 2001 capital investment planning processes
covered areas such as the proposed projects’ (1) impact on
"One-VA" customer service, (2) return on taxpayer
investment, (3) contribution to a high-performing workforce, (4)
risks, and (5) comparison with alternatives. VA investment review
panels then screened proposals to ensure that they had adequate
information.
The proposals submitted for the fiscal
years 2000 and 2001 reviews were much more complete than those
submitted for the fiscal year 1999 investment planning process. In
fiscal year 1999, none of the seven proposals that we reviewed
contained all the required information, yet all were passed by the CIB.
In fiscal year 2000, by contrast, all seven of the proposals that
passed VA’s review had the required information, including
cost-benefit analysis, risk analysis, and alternatives analysis.
Similarly, in the fiscal year 2001 review, all five proposals that
passed VA’s review generally met the criteria.
VA Has Improved Its Process for
Monitoring and Managing CIB-Level Investments
In our July 1998 report we stated that
VA’s process for monitoring and managing its investment portfolio
was not timely and provided decisionmakers with little information. We
recommended that VA conduct formal in-process reviews at key
milestones in a project’s life cycle and provide these results,
along with results of periodic project status reviews, to those
responsible for deciding whether to continue, accelerate, or terminate
IT projects.
VA agreed with this recommendation and
has taken steps to implement it. For example, in response to our
recommendation that in-process reviews be conducted at key milestones
of a project’s life, VA recently changed its method for identifying
projects for such reviews. In the past, in-process reviews were
conducted in an ad hoc manner, such as when it became apparent that a
project was behind schedule, over budget, or not performing as
planned, or when oversight agencies raised questions. Now, the CIO
Council plans to identify projects for review by VA OI&T based on
the council’s assessment of the project. This assessment will take
into consideration the results of execution reviews and input from
project managers. These reviews focus on whether the project meets
cost, schedule, and performance goals.
VA’s CIO Council Investment Panel and
Capital Investment Panel.
Additionally, VA has made progress in
responding to our recommendation that the results of in-process
reviews be provided to decisionmakers. Specifically, the results of
formal in-process reviews are given to decisionmakers along with the
results of post-implementation reviews and audits of IT issues
conducted by VA’s OIG.
However, the in-process reviews may
still not be timely. As of April 28, 2000, VA OI&T has only
completed five of the eight in-process reviews scheduled for fiscal
year 1999. Without timely reviews, VA is limited in its ability to
control approved projects. Accordingly, it is important that VA
establishes and monitors deadlines for completing in-process reviews.
VA Has Improved Its
Post-Implementation Reviews
As we have reported, VA’s
post-implementation reviews had not contained an assessment of whether
the implemented project achieved the estimated cost, schedule, or
mission-related benefits. Further, VA had not identified lessons
learned that could be used to improve its investment process for
selecting, controlling, and evaluating IT initiatives. We recommended
that VA initiate post-implementation reviews for IT projects within 12
months of implementation, to compare completed project cost, schedule,
performance, and mission improvement outcomes with original estimates,
and provide the results of these reviews to decisionmakers so that
improvements can be made to VA’s IT process.
VA concurred with our recommendation
and has taken steps to improve its process. For example, in three of
the four post-implementation reviews conducted in fiscal year 1999,
actual and estimated costs, schedules, and mission-related benefits
were compared. The remaining review did not include a comparison
between actual and estimated costs.
VA also now identifies lessons learned
from its evaluation of completed projects, and documents them in the
post-implementation review report. For example, among the lessons
learned were the need to ensure that (1) a variety of users
participate in the decision-making process on systems enhancements
and/or user modifications and (2) user documentation is readily
available and updated regularly to reflect the latest systems changes.
These reviews are conducted by the CIO
Council Investment Panel and Capital Investment Panel to monitor and
manage projects approved by the CIB.
GAO/AIMD-98-154, July 7, 1998.
However, the lessons learned are
provided only to the sponsoring VA organizations, and not to
decisionmakers, such as the investment panel members, who could also
benefit from them. Decisionmakers receive only a summary of the audit
findings in post-implementation reviews; lessons learned are not part
of that summary. To improve the department’s process for selecting,
controlling, and evaluating IT investments, decisionmakers should be
provided with such lessons learned information so they can use it in
making better-informed judgments about projects.
IT Investment Process for
Projects Below CIB-Level Is Not as Structured
As previously discussed, IT
procurements that are $250,000 and greater, but less than the
thresholds for review by the CIB, must be approved by VA OI&T;
procurements and IT projects that are less than $250,000 are reviewed
at the administration/office level. The capital investment process
used for these projects is less structured than the high-cost,
high-visibility projects reviewed by the CIB.
To implement the approval process for
projects above $250,000 and beneath the CIB thresholds, VA OI&T
has issued guidance—IRM Planning and Acquisitions Handbook—to
project sponsors. Sponsors requesting approval must submit a package
containing key information, such as a requirements analysis,
benefit/cost analysis, and a minimum 10 percent return on investment.
VA OI&T has not yet issued written guidance for
(1) monitoring and managing approved procurements or (2) evaluating
completed projects. VA OI&T is now in the process of revising its
handbook to address these areas.
Guidance for IT projects costing up to
$250,000 is partially complete. VBA has issued selection process
guidance entitled Information Technology: Investment Board and
Investment Evaluation Process that covers all IT projects,
including those under $250,000. It requires each project
sponsor to submit a package containing information such as the names
of the team members, cost-effectiveness analysis, alternatives
analysis, risk analysis, and performance measures. This information is
reviewed by VBA’s Information Technology Investment Board. The board
reviews the proposal for (1) consistency with and support of the
VA/VBA mission, goals, and objectives, along with technical and
organizational feasibility, and (2) completeness of project plan,
cost-effectiveness analysis, and risk analysis. It then ranks the
proposal in terms of risk and return. VBA’s guidance also requires
its Information Technology Investment Board to review ongoing
projects. VBA has not issued written guidance for evaluating completed
projects, but a VBA official told us that the agency is in the process
of developing such guidance.
According to VA, about $814 million of
its $1.2 billion fiscal year 1999 IT investments were not subject to
review by the CIB; these were the most recently available data.
Lastly, VHA issued written guidance
this past January for selecting IT investments for its Office of
Information, which manages VHA-wide projects. This guidance requires
project sponsors to submit cost-benefit analyses, alternatives
analyses, project schedules, and a discussion of funding sources. VHA
offices in headquarters and the field have typically relied on group
meetings and discussions to select IT initiatives. According to a
director in the Office of Information, VHA is currently drafting
guidance for selecting IT investments at its field offices. VHA does
not have written guidance for monitoring and managing IT procurements
nor does it have guidance for evaluating completed projects. VHA plans
to develop such guidance, but it has not established a date for when
this will be completed.
VA’s Progress in Addressing
Other Clinger-Cohen Act Provisions Has Been Limited
VA has made only limited progress in
addressing other key issues, such as appointing full-time CIOs,
developing a business process reengineering strategy, and developing
an integrated IT architecture. These need to be addressed if the
department is to effectively use IT to achieve its "One VA"
vision.
Limited Progress Made in
Appointing Full-time CIOs
The Clinger-Cohen Act and the Paperwork
Reduction Act direct the heads of federal agencies to appoint CIOs to
(1) promote improvements in work processes used by the agencies to
carry out their programs, (2) implement integrated, agencywide systems
or technology architectures, and (3) help establish sound investment
review processes to select, control, and evaluate IT spending. To help
ensure that these responsibilities are effectively executed, the act
requires that the CIO’s primary responsibility be related to
information management.
As we reported in July 1998, however,
the responsibilities of VA’s CIO were not limited to information
management. Specifically, the CIO served the department in a variety
of top management positions, including assistant secretary for
management, chief financial officer, and deputy assistant secretary
for budget. We noted that in an agency as decentralized as VA, the CIO
was faced with many significant information management
responsibilities, which constitute a full-time job for any CIO.
Accordingly, we recommended that the Secretary of Veterans Affairs
appoint a CIO with full-time responsibility for information resources
management alone.
VA concurred with this recommendation
and established the position of assistant secretary for information
and technology to serve as its CIO. However, this executive branch
position has been unfilled since its creation in June 1998.
Accordingly, the Secretary created the position of principal deputy
assistant secretary for information and technology and designated that
person as VA’s acting CIO until an assistant secretary could be
appointed. The Secretary also realigned information resources
management functions within VA under this position.
The principal deputy assistant
secretary for information and technology has reported directly to the
Secretary and is involved in IT planning issues across the department.
He said that his responsibilities have included advising the Secretary
on IT issues, serving as chair of the department’s CIO Council and a
member of VA’s CIB, and working with the CIOs in VBA and VHA. He
sees his role as one of helping them use IT to support their
administrations. According to this official, one of his priorities has
been to ensure that IT activities in VBA and VHA are in concert with
VA’s departmentwide efforts.
VA’s acting CIO recently announced,
however, that he will be retiring from VA at the end of this month. As
a result, VA will again be left without IT leadership, and the CIO
position will have been vacant for almost 2 years. It is critical that
this position be filled to provide the leadership to achieve the
"One VA" vision through effective IT.
GAO/AIMD-98-154, July 7, 1998.
At the time, these responsibilities
included ensuring that (1) VA’s systems development projects would
not be handicapped by incomplete architectures and (2) a sound
information management investment review process providing systematic,
data-driven means of selecting, controlling, and evaluating IT
projects would be institutionalized.
In a separate yet somewhat similar
situation, VHA has a CIO vacancy that was created when its previous
CIO left the agency in October 1999. To address this situation, in
November 1999 the acting undersecretary for health designated VHA’s
chief facilities management officer as VHA’s acting CIO. This
individual currently carries both responsibilities—for facilities
and IT management.
According to VHA’s acting CIO, he
devotes approximately 60 to 75 percent of his time to information
management activities. He acknowledged that he has no background in IT
and relies on staff to provide expertise and guidance in this area. He
said, however, that he does not think the allocation of his time or
lack of background is cause for concern, especially given his
background in and knowledge of VHA. His immediate focus, he said, is
to bring about general management improvements in VHA’s Office of
Information for such areas as the fiscal process, communications, and
project management.
We believe this dual responsibility is
contrary to good management practices, and that the VHA CIO should
have information management as his primary focus. We have stressed the
importance of this principle in testimony and in our February 1997
high-risk report, in which we emphasized that the CIO’s duties
should be centered on strategic information management issues and not
include other major responsibilities. VHA is no exception: it needs a
CIO focused on information management.
VA No Longer Plans to Develop a
Departmentwide Business Process Improvement Strategy
The Clinger-Cohen Act requires agency
heads to analyze the missions of their agencies and, on the basis of
this analysis, revise and improve the agency’s mission-related and
administrative processes before making significant investments in
supporting IT. As our business process reengineering guide makes
clear, an agency should have an overall business process improvement
strategy that provides a means to coordinate and integrate the various
reengineering and improvement projects, set priorities, and make
appropriate budget decisions.
Government Reform:
Legislation Would Strengthen Federal Management of Information and
Technology (GAO/T-AIMD-95-205, July 25, 1995), Managing
Technology: Best Practices Can Improve Performance and Produce Results
(GAO/T-AIMD-97-38, January 31, 1997), High-Risk Series: Information
Management and Technology (GAO/HR-97-9, February 1997), and Chief
Information Officers: Ensuring Strong Leadership and an Effective
Council (GAO/T-AIMD-98-22, October 27, 1997).
Business Process Reengineering
Assessment Guide (GAO/AIMD-10.1.15, April 1997).
Our 1998 report noted that VA had not
analyzed its business processes in terms of implementing its "One
VA" vision. We also pointed out that VA did not have a
departmentwide business process improvement strategy specifying what
reengineering and improvement projects were needed, how they were
related, and how they were prioritized. At the time, VA concurred with
our recommendation to develop such a strategy.
VA’s assistant secretary for policy
and planning and principal deputy assistant secretary for information
and technology have now, however, informed us that VA no longer plans
to develop a unified, departmentwide business process improvement
strategy. According to the assistant secretary, the department will,
instead, rely on each of its administrations—VBA, VHA, and NCA—to
reengineer its own business process.
As we reported in 1998, an overall
business process improvement strategy can provide the means to
coordinate and integrate various reengineering and improvement
projects, set priorities, and make appropriate budget decisions. Given
the department’s approach of delegating to its three major
components reengineering of their own business processes, it is
unclear how VA will be able to provide veterans with a unified view of
VA services. Accordingly, VA should either reassess its "One
VA" vision or, if it is committed to that vision, reassess its
strategy given the inconsistency in its approach.
VA Lacks an Integrated IT
Architecture
The Clinger-Cohen Act and Office of
Management and Budget guidelines require agency CIOs to implement an
architecture to provide a framework for evolving or maintaining
existing IT and for acquiring new IT to achieve the agency’s
strategic and IT goals. Leading organizations both in the private
sector and in government use systems architectures to guide
mission-critical systems development and to ensure the appropriate
integration of information systems through common standards.
A VA architecture team consisting of
representatives from VA administrations and offices issued a report to
the VA CIO Council in May 1997 adopting the National Institute of
Standards and Technology (NIST) five-layer model for its
departmentwide IT architecture. The five layers—business processes,
information flows and relationships, applications processing, data
descriptions, and technology—provide a framework for defining an IT
architecture.
Executive Guide: Improving Mission
Performance Through Strategic Information Management and Technology—Learning
From Leading Organizations (GAO/AIMD-94-115, May 1994).
However, as discussed in our 1998
report, VA and its components had yet to define a departmentwide,
integrated architecture. Accordingly, we recommended that VA develop a
detailed implementation plan with milestones for completing such an IT
architecture.
Although VA concurred with our
recommendation, it did not develop a detailed implementation plan with
milestones for completing the architecture. Instead, VA published a
departmentwide technical architecture, which includes a technical
reference model and standards profile. This document describes only
one element—the technology layer—of the full NIST model. VA has
not yet documented the logical architecture showing the business
processes, information flows and relationships, applications
processing, and data description layers for the entire department.
VA’s principal deputy assistant
secretary for information technology said that in order to develop the
logical architecture, the business owners would have to be involved.
However, he has no plans to bring them together to begin this process.
He believes, instead, that their individual business process
reengineering initiatives will eventually result in development of
these areas, although he did not explain how this would happen without
guidance from VA. We believe that it is important for VA’s CIO or
designee to take the leadership role and work with the business owners
to develop the logical architecture so that the department can produce
an integrated IT architecture.
At the component agency level, neither
VBA nor VHA has fully defined and documented their current IT
architectures. VBA’s new CIO recently stated that plans to hire a
contractor to document the architecture are now on hold until
completion of a new information systems strategic plan. This
individual stated that the IT architecture would be made part of the
plan. Regarding VHA’s architecture, our analysis of its most recent
document, IT Architecture—Fiscal Year 1999 Plan, shows that
it also lacks key layers of the NIST model. It contains information on
VHA’s business processes and the technology infrastructure, but
details on the information flows and relationships, applications
processing, and data description layers are missing. VHA’s IT
architect said that VHA recognizes that it needs to complete these
other layers of the architecture but does not have an estimate of when
this will happen.
VA Technical Architecture: Technical
Reference Model and Standards Profile, May 1999.
VA Faces Challenges on Three IT
Projects
As you requested, we will now discuss
the status of VA’s efforts to develop and implement three IT
projects—VA’s Master Veteran Record (MVR); VBA’s actions to
modernize its information systems, also known as VETSNET; and VHA’s
Decision Support System. Each of these projects is at a different
stage of development and implementation, but they all face challenges
ahead.
MVR Has Not Been Completely
Implemented Within VBA
MVR—master veteran record—is a
messaging system that notifies VA components and offices of changes in
common veteran data, such as name and address. Its development began
in 1994 and was scheduled to be implemented across VA by 1998, at a
cost of about $8 million. MVR was expected to unify VA services
through information-sharing among its administrations/offices,
improved data integrity and customer service through access to the
most current information, and reduced overpayments through more
current death notifications. VA further hoped that as veterans
received quicker responses and more complete service, their confidence
in VA would increase.
According to VA’s principal deputy
assistant secretary for information and technology, the MVR project
was completed in 1999. The project director told us that MVR’s
life-cycle cost was about $4 million. MVR has enabled the transmission
of messages across VHA, NCA, and VA staff offices. As anticipated,
these messages include veteran status changes such as addresses and
death notifications, which can be reported to any VA office with the
expectation that all benefits programs operations will be informed of
the new information. According to VA, MVR has begun to produce some of
the benefits expected. For example, VHA medical centers can now be
notified more quickly of changes in veterans’ benefits status that
affect hospital eligibility. However, VA is unable to quantify the
benefits attributable to MVR.
Although VA considers MVR to be
completed, one VA administration—VBA—is not yet fully linked to
the system. In particular, VBA’s largest service line, compensation
and pension, does not yet have a gateway to receive MVR information,
such as address changes and death notifications, from other systems.
VBA initially stated that funding and policy issues had to be resolved
before MVR could be implemented, yet it planned to develop the gateway
needed for its compensation and pension benefits payments system to
become fully linked to MVR by December 1999. VBA did not, however,
meet this deadline due to a departmental request that it study the
feasibility of using an existing interface between VBA and NCA to
access MVR. As of April 28, 2000, VBA still had not awarded a contract
to complete this study and develop the MVR gateway.
According to VA’s MVR director, the
delay in VBA’s compensation and pension service line fully linking
to MVR has not significantly affected the department’s ability to
realize benefits. While unable to quantify benefits for the program,
he said that MVR is paying for itself today as VHA uses the system for
its enrollment program, specifically to determine veterans’
eligibility for medical care benefits.
Notwithstanding these enrollment-related
benefits, the potential additional benefits of MVR could be
significant if VBA’s compensation and pension service line were
linked to it. In particular, early death notifications via MVR could
help minimize compensation and pension overpayments to veterans who
had died. According to a December 1996 report by VA’s OIG on
compensation and pension overpayments, 20 percent of overpayments went
to veterans who had already died. These overpayments increase the
amount of debt or accounts receivable that VBA must subsequently
attempt to collect. Full linkage to MVR could provide compensation and
pension personnel with notices of death sooner, and thereby help
minimize such overpayments.
VETSNET Has Experienced Schedule
Delays
The second project that we were asked
to address is VETSNET. This project refers to a strategy VBA initiated
to replace its existing old, high-maintenance payments systems with
newer, lower maintenance systems that would provide a rich data source
for answering questions about veterans’ benefits. VBA also expected
VETSNET to provide faster processing of benefits.
Two major projects initiated under
VETSNET were compensation and pension (C&P) replacement and
education redesign. The C&P project was intended to replace VBA’s
existing legacy compensation and pension payment systems with one new,
state-of-the-art system. This project, which began in April 1996, had
an estimated cost of $8 million and was scheduled for completion in
May 1998. The education redesign project was intended to replace each
of VBA’s four education payment systems. This project, which began
in January 1997, had an estimated cost of $9 million and was scheduled
for completion in December 1998.
The OIG sampled 324 overpayments and
found that of these, 65 overpayments totaling $180,261 were issued to
veterans who had already died.
From fiscal year 1986 through fiscal
year 1995, VBA reportedly spent at least $284 million modernizing its
systems, including replacing its old computer terminals with personal
computers and developing software applications to assist staff in
claims processing.
VBA’s four education payment systems
are chapter 30, chapter 32, chapter 35, and chapter 1606. Each of
these is named for the statute that provides the specific education
benefit. For example, chapter 30 provides benefits to active duty
servicemen, and chapter 1606 is for reservists.
Neither of these two major projects has
yet been completed. The C&P replacement project missed several key
milestones, including its May 1998 completion date and a revised
completion date of December 1998. VBA currently has no expected
completion date for this project. The education redesign project was
terminated without a product in November 1997, and VBA has not
established a date for when this project will be restarted. To date,
at least $11.5 million has reportedly been spent on the VETSNET
C&P replacement project and about $3 million on the education
redesign project, with no measurable improvement in service to
veterans.
We and others have previously reported
on problems that VBA has had in completing the VETSNET C&P and
education redesign projects. One key reason for these problems is the
lack of an integrated architecture defining the business processes,
information flows and relationships, business requirements, and data
descriptions. For example, the C&P project was begun before VBA
had fully developed and validated its business requirements on what
the new system was supposed to do. Project delays subsequently
resulted because of confusion over the specific requirements to be
developed. At the same time, the contractor for the education redesign
project cited problems with the constant redefining of the computer
hardware and software to be used.
Another key reason for its problems
with the VETSNET projects is VBA’s immature software development
capability. In 1996 we reported and testified that VBA’s software
development capability was ad hoc and chaotic—the lowest level of
software development capability. More specifically, at this level, VBA
could not reliably develop and maintain high-quality software on any
major project within cost and schedule constraints. Reviews by us and
VA illustrated that these projects had difficulties meeting deadlines
and that not all critical systems development areas were adequately
addressed. For example, in our May 1997 report, we noted that both the
C&P replacement and education redesign projects had missed
deadlines and had schedule delays.
Since 1996, VBA has reportedly spent at
least $100 million on VETSNET and other related projects, such as the
Loan Services and Claims, Expended Lender Index, Loan Processing, and
the Automated Appraisal Assignment (renamed VA Assignment System)
systems.
Veterans Benefits Modernization:
Management and Technical Weaknesses Must Be Overcome if Modernization
Is to Succeed (GAO/T-AIMD-96-103, June 19, 1996), Veterans
Benefits Computer Systems: Risks of VBA’s Year 2000 Program
(GAO/AIMD-97-79, May 30, 1997), and VETSNET Quarterly Review,
Office of Information Resources Management, Department of Veterans
Affairs, March 1998.
Software Capability Evaluation: VA’s
Software Development Process Is Immature (GAO/AIMD-96-90, June 19,
1996) and GAO/T-AIMD-96-103, June 19, 1996.
VBA officials acknowledge these
problems and have informed us that efforts are underway to address
them. As we have previously recommended, it is critical that VBA
establish a complete, integrated systems architecture and improve its
software development capability if it is to avoid problems like these
in the future.
VHA’s DSS Has Been
Implemented, but System Usage Varies
VHA’s decision support system—DSS—is
an executive information system that can provide VHA managers and
clinicians with data on patterns of patient care and patient health
outcomes, as well as the capability to analyze resource utilization
and the cost of providing health care services. VHA intends to use DSS
to (1) prepare budgets for its medical centers,
(2) allocate resources based on performance and workload, (3) generate
productivity analyses and patient-specific costs, (4) support
continual quality improvement initiatives, (5) measure outcomes-based
performance and effectiveness of health care delivery processes, and
(6) improve efficiency of care processes through the use of clinical
practice guidelines.
VHA planned to implement DSS at all of
its medical centers—currently 143—from 1994 through 1997 at an
estimated cost of $132 million. Beginning in May 1994, VHA implemented
DSS in its medical centers in six separate implementation efforts. It
had been implemented at all VA medical centers by the end of October
1998. The total estimated cost through fiscal year 1999 to develop and
operate DSS was reportedly at least $213 million. VHA expects to spend
about $48 million to operate DSS this year.
Although VHA could not quantify the
benefits derived from the use of DSS, to date at least 44 VHA medical
centers and selected Veterans Integrated Service Networks (VISN) have
cited benefits attributable to DSS, including cost reductions and
improved clinical processes. For example, VISN 9 determined that
integrating services between its Nashville and Murfreesboro
(Tennessee) medical centers could result in projected savings of $5.8
million. In another example, the clinical practice of routinely
ordering two units of pre-surgery autologous blood for total knee
replacement was changed, at the Portland (Oregon) VA medical center,
resulting in estimated savings of $600+ per case.
GAO/AIMD-97-79, May 30, 1997.
This amount includes the cost of
studying, developing, and implementing DSS. It covers the period from
fiscal years 1992 through 1999.
VHA is composed of 22 VISNs, which are
regional organizations encompassing medical centers, nursing homes,
and domiciliaries.
However, none of the medical centers
and VISNs we contacted use DSS for all of the purposes for which VHA
intended. For example, of the 20 VISNs we contacted—representing 126
medical centers—only 3 VISNs—representing 14 medical centers—use
DSS for budget formulation and resource allocation, according to DSS
staff. Instead, they tend to use the cost distribution report for
budget formulation and the Veterans Equitable Resource Allocation
model for resource allocation. Only one VISN has begun to use DSS to
measure outcomes-based performance and effectiveness of health care
delivery processes.
A variety of reasons were given for why
more medical centers and VISNs have not made greater use of DSS.
First, some medical centers have been reluctant to use DSS because of
concerns about the accuracy and completeness of its data. Work
performed by us, VA’s OIG, and the DSS Steering Committee has raised
similar concerns. Second, VHA fiscal officials that we interviewed
told us that medical centers need about 2 years of DSS data before the
system can be used for budget formulation and resource allocation. It
was not until last October that the 52 medical centers in the final
round of DSS implementation had accumulated 2 years of data.
VISN 9 has medical centers in
Huntington, West Virginia; Lexington and Louisville, Kentucky; and
Memphis, Mountain Home, Murfreesboro, and Nashville, Tennessee.
Autologous (a patient’s own) blood is
provided by the patient in advance of surgery.
The cost distribution report is limited
to information on where the cost is expended; for example, a medical
bed for an in-patient and a clinical stop grouping for an outpatient.
In contrast, DSS provides cost information that shows where the
services were provided and actual resources consumed by patient and by
care encounter.
This model was adopted to ensure an
equitable distribution of funds to VISNs rather than simply being
based on historic funding patterns. It provides VISNs with national
workload prices for three types of patients. In fiscal year 1999,
VISNs received $66 for a basic single outpatient visit, $2,857 for
basic vested care patients (those with routine health care needs), and
$36,955 for complex care patients (those with complex/chronic health
care needs).
VA Health Care Delivery: Top
Management Leadership Critical to Success of Decision Support System
(GAO/AIMD-95-182, September 29, 1995), Audit of Veterans Health
Administration Decision Support System Standardization (Report No.
9R4-A19-075, March 31, 1999), DSS Steering Committee Report, May 14,
1999.
Third, DSS usage may have been hampered
by insufficient staff, staff with inadequate skills, and staff
turnover. For example, according to a post-implementation review
performed by VA’s IRM Policy and Standards Service, over 70 percent
of the medical centers had not followed staffing guidelines
recommended by VHA’s Implementation and Training Service. The review
further stated that in some of these medical centers, the DSS teams
were understaffed by as much as 50 percent. VHA’s previous deputy
director for technical implementation also told us that some medical
center directors assigned personnel with inadequate skills.
Additionally, several VISN DSS coordinators said that they have had
difficulty retaining well-trained DSS personnel.
We have discussed these concerns with
VHA officials and they generally concur with them. According to these
officials, efforts are underway to address these problems and
corrective actions are expected to be completed by 2002. It is
critical that VHA follow through in addressing these problems if it is
to achieve the benefits intended from the hundreds of millions of
dollars spent to date on DSS.
VA Has Begun to Address Computer
Security Challenges
The last area we were asked to discuss
is computer security—critical to VA’s ability to safeguard its
assets, maintain the confidentiality of sensitive information, and
ensure the reliability of its financial data. If effective computer
security practices are not in place, sensitive information contained
in VA’s systems is at risk of inadvertent or deliberate misuse,
fraud, improper disclosure, or destruction—possibly occurring
without detection.
In September 1998 we reported that VA’s
lack of effective information system controls placed critical
department operations—such as financial management, health care
delivery, benefits payments, and other operations—at risk of misuse
and disruption. A key reason for these continuing information systems
control problems was that the department did not have a comprehensive
computer security planning and management program. Accordingly, we
recommended that the Secretary develop and implement such a
departmentwide program, and work with the VBA and VHA CIOs and
facility directors to implement appropriate security measures and
controls in agency facilities. VA recognized the significance of these
problems and reported information systems security as a material
weakness in its Federal Managers’ Financial Integrity Act reports
for 1998 and 1999.
Information Systems: VA Computer
Control Weaknesses Increase Risk of Fraud, Misuse, and Improper
Disclosure (GAO/AIMD-98-175, September 23, 1998).
To address our recommendation to
develop a comprehensive computer security planning and management
program, VA established a centrally managed security group in February
1999 and an information security working group in March 1999. Since
then, VA has (1) developed a departmentwide plan to improve
information systems security throughout the department, (2)
established a departmentwide computer security planning and management
program, and (3) initiated a program to increase computer security
awareness across its administrations and offices. VA is now developing
a risk-based framework for addressing information security issues.
In addition, VA organizations have
independently initiated actions to improve certain aspects of their
computer security programs. For example, as we reported in October
1999, the Austin Automation Center corrected most of the computer
security issues we identified in 1998. Specifically, the center
reduced the number of users with access to the computer room;
restricted access to certain sensitive libraries, audit information,
and utilities; improved identification and password management
controls; developed a formal software change control process; and
expanded tests of its disaster recovery plan.
In contrast, the VBA benefits delivery
centers are still in the process of correcting most of the weaknesses
we reported in 1998. For example, information security reviews
performed by VA’s OIG in 1999 found that only one of seven
weaknesses we found had been corrected at the Philadelphia benefits
delivery center and that five of seven weaknesses had not been fully
addressed by the Hines, Illinois, benefits delivery center.
In addition, audits by us as well as by
VA’s OIG continue to find serious problems related to the department’s
control and oversight of access to its computer systems at VA
facilities such as the Philadelphia Insurance Center, and the Hines
(Illinois) and Philadelphia benefits delivery centers. For example, VA
still has not adequately limited the access granted to authorized
users, appropriately segregated incompatible duties among computer
personnel, adequately managed user identifications and passwords, or
routinely monitored access activity. We made several recommendations
to address these problems.
Information Systems: The
Status of Computer Security at the Department of Veterans Affairs
(GAO/AIMD-00-5, October 4, 1999).
GAO/AIMD-00-5, October 4, 1999.
In summary, VA has improved its
process for selecting, controlling, and evaluating IT investments for
CIB-level projects since 1998. However, VA has yet to fill the
full-time department CIO position, which was created almost 2 years
ago. Further, VA may encounter serious problems achieving its
"One VA" vision until it develops an overall business
process improvement strategy and a departmentwide, integrated IT
architecture. Full implementation of our recommendations in these
areas is essential to VA’s achieving its "One VA" vision.
In addition, top management support and commitment are essential to
addressing the challenges VA faces in (1) completing implementation of
MVR, (2) addressing technical problems in developing VETSNET, and (3)
making greater use of DSS. Improving VA’s computer security will
also take sustained leadership and commitment to develop and implement
a comprehensive security planning and management program over the next
few years.
We performed this assignment in
accordance with generally accepted government auditing standards, from
July 1999 through April 2000. In carrying out this assignment, we
reviewed and analyzed VA’s IT investment process policies and
compared these with applicable guidance in this area. We also analyzed
the results of IT investments conducted by the CIB, VA OI&T, and
VA components/offices. In particular, we reviewed 17 IT proposals
submitted as part of the department’s fiscal year 2000 investment
planning process and 12 IT proposals submitted as part of the fiscal
year 2001 process. We reviewed VA’s directives regarding the
responsibilities of the CIO and reviewed and analyzed VA, VBA, and VHA
IT architecture documents, comparing these to NIST’s five-layer
standard, the guidance used by VA. For the MVR, VETSNET, and DSS
projects, we reviewed and analyzed costs, schedules, and status
updates. In the area of computer security, we reviewed our recent
reports and VA updates on actions taken to address our
recommendations.
Mr. Chairman, this concludes my
statement. I would be pleased to respond to any questions that you or
other members of the Subcommittee may have at this time.
Contact and Acknowledgments
For information about this testimony,
please contact Joel C. Willemssen at (202) 512-6253 or by e-mail at willemssenj.aimd@gao.gov.
Individuals making key contributions to this testimony included
Nabajyoti Barkakati, Amanda Gill, Tonia Johnson, Robert Kershaw, Helen
Lew, Barbara Oliver, J. Michael Resser, John Riley, and Henry Sutanto.