Identification and Review of the Departmentís Major Information Technology Systems Inventory

Audit Report 07-37
June 2007
Office of the Inspector General


Executive Summary

This audit report responds to a directive contained in the fiscal year (FY) 2006 Department of Justice appropriations bill conference report that the Office of the Inspector General (OIG), among other things, provide an inventory of major Department of Justice (DOJ) information technology (IT) systems.1 In a prior report, the OIG developed a preliminary inventory of DOJ IT investments based on DOJ’s reporting to the Office of Management and Budget (OMB). In this report, the OIG has refined the inventory to identify 38 major DOJ IT systems and to provide cost and other information on the 38 systems. In addition, this OIG audit provides information on the way that DOJ collects cost information for its IT investments.

In this report, we provide information on DOJ’s IT inventory, including system names, descriptions, DOJ component owner, future funding requirements, and implementation status. This information is discussed throughout the report and is summarized in the report appendices.

We also attempted to provide cost data on each of the DOJ’s major systems. Because DOJ’s financial systems do not provide sufficiently detailed cost data on individual IT systems, we collected cost information from DOJ components’ IT system managers.

This report includes cost data provided by the components for the 38 major DOJ systems. In addition, we attempted to perform detailed testing on the costs of three IT systems from the components responsible for the majority of DOJ’s IT spending – the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), and Justice Management Division (JMD) – to verify the accuracy of the cost information.

We found that the DOJ’s approach to IT system cost reporting is fragmented and lacks the management controls necessary to ensure the accuracy and completeness of system cost data. Moreover, our detailed testing of the costs of the three sampled systems confirms that DOJ does not have complete cost data for any of these IT systems. We determined that the $327.9 million combined costs reported for these three systems was understated by at least $68 million.

We also found that the methods DOJ components use to track and report the actual costs of IT systems vary. Even within DOJ components, such as the FBI, differences in methods also exist for collecting cost information for different IT systems. We found that IT system managers are generally responsible for developing and maintaining the cost data they report, and neither the Chief Information Officers (CIO) at the component and DOJ levels nor the Department Investment Review Board (DIRB) evaluates and approves the methods used or test the validity of the cost data reported.2

Although our audit did not examine the components’ core financial systems in detail, we found that the cost data contained in these systems generally does not allow a determination of individual IT system costs.

Background

Since FY 2001, Congress has authorized more than $12 billion for DOJ IT equipment, software, and services – an average of over $2 billion annually. In FY 2007, DOJ spending authority represents approximately 4 percent of the $64 billion authorized for IT across the federal government and approximately 11 percent of DOJ’s annual budget.

DOJ IT decision-making and oversight involves Congress, OMB, the DIRB, and CIOs at the DOJ and component levels. DOJ and component CIOs are required to manage their respective Capital Planning and Investment Control processes in accordance with the Clinger-Cohen Act of 1996 and OMB directives.3 The Clinger-Cohen Act defines Capital Planning and Investment Control (CPIC) as the process for maximizing the value, and assessing and managing the risks, of executive agency IT acquisitions. As part of this audit, we reviewed documents that contain DOJ IT system cost data, including OMB Exhibits 300 (Business Case) and OMB Exhibit 53 (IT Investment Portfolio).

Congressional Request

The conference report for P.L. 109-108 directs the OIG to: (1) produce an inventory of all major DOJ IT systems and planned initiatives, and (2) report on the effectiveness of DOJ’s IT planning efforts. In a prior report, the OIG developed a preliminary inventory of investments based on DOJ’s reporting to OMB, which we have refined for this report to identify major DOJ IT systems.4

In this report, we provide a more detailed inventory that includes the following information for each major DOJ IT system:

In addition to reporting on the inventory of major DOJ IT systems, the OIG was asked to provide another report detailing all research, plans, studies, and evaluations that DOJ has produced, or is in the process of producing, concerning its IT systems, needs, plans, and initiatives. A separate OIG audit report will present this analysis.

Inventory of DOJ IT Systems and Projects

In developing an inventory of major DOJ systems, we identified 38 major IT systems operated by, or under development in, 7 DOJ components. The FBI has the largest number of IT systems in the inventory with 21, followed by the DEA with 7, and JMD with 6.5 Because these three components make up nearly 90 percent of the total inventory, we focused on these three components’ IT cost-reporting practices in this audit.

The following chart shows the distribution of all 38 major DOJ IT systems and projects by component, with a further breakout by major FBI entity.

Distribution of IT Inventory

FBI-STB:11, FBI-CIO:5, FBI-NSB:5, DEA:7, JMD:6, EOIR:1, OJP:1, ATF:1, BOP:1.

Source: OIG

The following table lists the 38 major IT systems in DOJ’s IT inventory, grouped by DOJ component.

DOJ Inventory of 38 IT Systems and Projects by Component

Component Systems and Projects
FBI 21 Systems and Projects
FBI STB Science and Technology Branch – 11 Systems and Projects
1 Integrated Automated Fingerprint Identification System
2 Next Generation Integrated Automated Fingerprint Identification System
3 National Instant Criminal Background Check System
4 National Crime Information Center
5 Law Enforcement Online Re-engineering/Relocate
6 Law Enforcement National Data Exchange Rev 9/7
7 Combined DNA Index System
8 Electronic Surveillance Data Management System
9 Digital Collection
10 Biometric Reciprocal Identification Gateway /Criminal Justice Information Sharing Interoperability Initiative
11 Computer Assisted Response Team Storage Area Network
FBI OCIO Chief Information Officer Branch –
5 Systems and Projects
1 Sentinel
2 Data Centers
3 Technical Refresh Program
4 Investigative Data Warehouse
5 Multi-Agency Information Sharing Initiative Regional Data Exchange
FBI NSB & Security Div National Security Branch and Security Division –
5 Systems and Projects
1 Terrorist Screening Center
2 Foreign Terrorist Tracking Task Force
3 Security Management Information System
4 Information Assurance Technology Infusion
5 Sensitive Compartmented Information Operational Network
DEA 7 Systems and Projects
1 Model 204 Corporate Systems
2 E-Commerce-Controlled Substances Ordering System
3 EPIC Information Systems
4 Concorde
5 FIREBIRD
6 Merlin
7 OCDETF Fusion Center System
JMD 6 Systems and Projects
1 Integrated Wireless Network
2 Unified Financial Management System
3 Litigation Case Management System
4 Classified Information Technology Program
5 Justice Consolidated Office Network
6 Public Key Infrastructure
ATF National Integrated Ballistics Information Network
BOP Inmate Telephone System-II
EOIR eWorld
OJP Grants Management System
Source: OIG analysis

Cost Data for DOJ’s Major IT Systems

One of our objectives was to determine the actual amounts DOJ has spent on the 38 IT systems identified in the inventory. To accomplish this, we first considered using data from the core financial systems used by the various DOJ components and their related IT systems. However, we found that the components’ financial systems are not required to organize data for CPIC cost reporting purposes and thus do not contain costs for individual IT systems.

We next considered any control procedures specific to reporting IT system costs. However, none of the three components whose individual system we tested in depth – the FBI, DEA, or JMD – had established control procedures to ensure that the actual costs reported for their IT systems were complete and accurate. We concluded that component CIOs lack the control procedures necessary to ensure accuracy and completeness in the CPIC cost reporting function and this likely contributed to incomplete costs reported for the DOJ IT systems we tested.

Because we lacked a source of cost data for individual IT systems within the DOJ, the OIG developed a questionnaire related to the 38 major systems in the inventory. Through the DOJ CIO, we distributed these questionnaires to the components’ IT system managers. The completed questionnaires included: (1) annual costs incurred since the system’s inception through FY 2005, (2) estimated funding requirements through FY 2012, and (3) a description of the cost tracking methods used by each IT system.

The following table shows the total costs of the 38 major DOJ IT systems through FY 2005 and the amounts estimated through FY 2012, as reported to us by the components’ system managers.

Costs Incurred and Estimated as Reported
for the 38 Major DOJ IT Systems

Component Actual Costs Incurred through FY 2005a Actual and Estimated Costs through FY 2012
FBI – 21 systems
$ 3,344,267,750
$ 8,629,480,672
DEA – 7 systems
$ 1,176,437,903
$ 2,276,009,456
JMD – 6 systems
$ 984,461,302
$ 3,771,279,876
ATF, BOP, EOIR, and OJP - 1 system each
$ 222,596,693
$ 394,855,788
Total DOJ
$ 5,727,763,649
$ 15,071,625,792
Source: OIG analysis of completed questionnaires

a Due to rounding, values do not sum.

Testing the Accuracy of Reported Costs

Next, we judgmentally selected 3 of the 38 questionnaires completed by the IT system managers in the 3 components with the most IT systems – the FBI, DEA, and JMD – to perform tests on the accuracy of the cost data for “Actual Costs Incurred through FY 2005.”

Due to the insufficient internal controls over the completeness of the costs reported, we assessed as “high” the risk that DOJ IT system costs may be understated. Accordingly, we focused our attention on determining whether the costs reported for the IT systems were complete.

Testing for the completeness of costs without a means of sampling transactions from the entire financial system is considerably more difficult than simply confirming that reported costs exist. Although we used components’ financial and budget system data to the extent possible in attempting to verify the costs reported to us, we cannot provide assurance that our audit has identified all the costs associated with the three selected IT systems.

The systems we selected for testing are:

The following table shows the costs each system manager provided us through FY 2005 and the cost amounts identified by the OIG for each of these systems.

Comparison of Components’ Reported Costs and Costs
Identified by the OIG for Three Sampled Systems

($ in millions)

IT System
Tested
Amount
Reported by
Component
Amount
Identified by
OIG
Amount of
Differencea
Percentage
Difference
LEO $ 115 $ 128 $ 13 11%
Concorde $ 19.8 $ 21.3 $ 1.5 8%
JCON $ 194 $ 246 $ 53 27%
Source: OIG analysis

a Due to rounding, not all values sum.

In the next sections, we describe our results for each of these three systems.

Law Enforcement Online

LEO is the FBI’s Internet-based communication system and information service for law enforcement agencies nationwide. Thousands of police officers and other employees of local, state, and federal law enforcement agencies are able to access LEO 24 hours a day, 7 days a week.

In its completed questionnaire, the FBI reported $115 million in total costs incurred for LEO through FY 2005. The two largest elements included $74 million related to a cooperative agreement with Louisiana State University (LSU) that developed the LEO system and $30 million for FBI salaries and benefits to maintain the system.

To test the completeness of the reported amounts associated with the FBI’s cooperative agreement with LSU, we obtained a listing of all payments the FBI made to LSU from the FBI financial system. Reconciling all the financial system payment information and the reported amounts would have taken an inordinate amount of time, but from a random review of some of the FBI financial system’s listed payments, we identified five requisitions related to LEO totaling $850,000 that were not included in the project management cost data. We also obtained directly from LSU amounts invoiced to the FBI since 1995 when LEO was created. When we compared the LSU and FBI amounts for LEO, the LSU amounts were more than $13 million greater than the amounts recorded by the FBI.

FBI officials told us it was likely the LEO cost data was missing LSU transactions from all FBI divisions. Because LEO’s costs are tracked by the FBI Criminal Justice Information System (CJIS) Division, LEO activity involving other divisions or offices of the FBI must be reported to the CJIS to be included in the LEO cost reports.

Finally, we verified that approximately 30 FBI employees are working on LEO-related activities, and we concluded that the reported costs averaging $3 million annually over the 10-year period are reasonable.

Concorde

Concorde is a DEA system designed to integrate DEA’s IT functions, improve business processes, and enable information sharing within the DEA. It is intended to allow DEA Special Agents, Intelligence Analysts, and other investigative professionals to manage investigative case files digitally. The central feature of the Concorde system is the Investigative Management Program and Case Tracking System (IMPACT), a web-based case management system.

In responding to our request for Concorde cost information, the DEA reported that the project began in 2000, with related costs through FY 2005 totaling $19.8 million. The DEA’s response to our questionnaire also stated government personnel costs amounted to $3.7 million, and that five contractors were individually paid at least $1.3 million over this same period.

The DEA’s financial system is not organized to easily and reliably identify all the costs associated with any particular IT system. However, in FY 2005 DEA finance staff created a unique code for Concorde funding. This code was established so the financial system could easily track funding specifically allocated for Concorde. DEA finance staff provided us with a financial system report that captured all activity associated with the Concorde funding code in FYs 2005 and 2006. To the extent possible, we tested the completeness of contract costs contained in this financial system report for FYs 2005 and 2006.

By comparing the financial system report to the Concorde project management cost data, we identified $702,555 in omitted software expenditures. DEA officials told us the incomplete project management cost data may have been related to the accounting treatment for Concorde’s software expenditures, which requires these costs to be reported as an asset in DEA’s financial statement throughout the development phase rather than as an expense. In addition, we determined that expenditures totaling approximately $770,000 during the first 2 years of the project were not included in DEA’s response to our request.

We also evaluated the $3.7 million in government personnel costs DEA reported for Concorde, or approximately $600,000 annually between FYs 2000 and 2005. Although our analysis suggests that these costs are reasonable, these amounts are not based on actual data. DEA officials told us they have no procedures for tracking the time its employees spend working on any particular project, and the personnel costs are estimates made at the beginning of the fiscal year.

Justice Consolidated Office Network

JCON is the common office automation platform administered by JMD that over 70,000 employees from 16 DOJ components use daily. JCON provides IT tools and services that allow these employees to perform their computer-based work duties.6 Specifically, JCON provides the basic IT computing framework for DOJ, which includes hardware such as networked workstations and printers, and applications such as e-mail and word processing. JCON also provides the infrastructure for components to access other IT systems, such as case management databases and DOJ’s Financial Management Information System.

The JCON system manager reported $193.6 million in total costs since FY 2001, including $50 million paid to BAE Systems, the single largest contractor that provides full life cycle support services for JCON. From an overall listing of payments DOJ made to this contractor – containing over 1,400 payments totaling more than $149 million – we identified 504 payments related to JCON made between FYs 2002 and 2005 totaling $49,537,777. The difference between the value we calculated and the value reported by JCON is $89,135 – less than 1 percent of the reported costs.

We also discussed financial issues with the JCON Project Management Office (PMO) and learned it would be possible to create a report from the financial system that could identify planning and acquisition-related costs to JCON. The PMO provided us with a report that matched the $193.6 million figure reported to us on our questionnaire. Officials told us this amount included the government full-time equivalent (FTE) costs incurred over the period.

In addition to comparing FY 2005 CPIC and budget data, we compared the $246 million total amount reported to OMB in the JCON Exhibit 300 for planning and acquisition to the $193.6 million total amount reported in the OIG questionnaire. JCON officials told us that total costs in the Exhibit 300 were $53 million more than total costs reported to the OIG because the Exhibit 300 includes expenditures from FYs 2000 and 2001 and are not considered part of the current version of JCON, which is called JCON IIA.

We researched government and industry sources for more information on JCON and JCON contracts. This search identified a $500 million JCON contract awarded in 1996, more than 5 years before the first costs reported in our questionnaire. Although the PMO response to our questionnaire made clear that the reported costs relate to JCON IIA, we consider the JCON initiative to have begun in 1996 when the decision was made to replace disparate office automation systems with a consolidated system.

The JCON PMO confirmed that this first attempt at replacing existing office automation systems, known as JCON I, began in 1996 and was ultimately terminated along with the contract in 1998 when it did not work. JCON II followed JCON I and evolved into JCON IIA by FY 2002. Because the earlier JCON efforts predate the current JCON Project Manager and other staff, they were not able to provide us with the complete costs for JCON prior to FY 2002.

In summary, by using financial system and budget data we were able to verify the costs the JCON Project Management Office reported to us. However, the Project Management Office said these costs only represent the current standard architecture, JCON IIA, and not previous versions of JCON. Although JMD views the various versions of JCON as separate systems, we believe the true cost of JCON should include all costs incurred since 1996 when the JCON project was initiated. Therefore, we conclude that JCON’s costs since 1996 should be at least $53 million more than the $193.6 million we verified. In addition, because complete cost data was not available for JCON prior to FY 2002, we were unable to determine what amounts, if any, were paid in connection with the 1996 $500 million contract.

Conclusions

We found that IT system cost reporting within the DOJ is fragmented and lacks the management control procedures necessary to ensure such cost tracking is accurate and complete.

Moreover, DOJ does not have complete cost data for the three IT systems we tested and, based on our testing and review of data produced by DOJ’s financial and budgeting systems, in general we lack confidence in the accuracy of the cost data reported for DOJ’s IT systems. In our opinion, the lack of complete cost data that is verifiable for DOJ’s IT systems compromises the effectiveness of DOJ’s IT oversight entities, including Congress, the OMB, the DIRB, and DOJ and component CIOs.

In this report, we make three recommendations to improve the accuracy and completeness of DOJ’s reporting of IT system costs. The recommendations involve: (1) ensuring that components develop methods of reporting of actual and verifiable IT system costs, (2) better integrating OMB Exhibits 53 with budget submissions, and (3) assessing the feasibility of using the planned Unified Financial Management System for consistent and accurate reporting of individual IT system costs.



Footnotes
  1. Conference Report for the Fiscal Year 2006 Science, State, Justice, Commerce, and Related Agencies Appropriations Act (P.L. 109-108).

  2. The DIRB is a group chaired by the Deputy Attorney General and vice-chaired by the DOJ CIO that is responsible for Department-level oversight of major DOJ IT investments and for ensuring that components’ IT investments are aligned with DOJ’s IT strategy. The DIRB also includes senior DOJ officials with IT and financial management expertise.

  3. The Clinger-Cohen Act is codified in 40 U.S.C. § 11312 (1996).

  4. Department of Justice, Office of the Inspector General. Inventory of Major Department of Justice Information Technology Investments as of FY 2006, Audit Report Number 06-25, March 2006.

  5. Although the Organized Crime Drug Enforcement (OCDETF) Fusion Center is located within the Office of the Deputy Attorney General, for purposes of this audit we included the Fusion Center IT system as part of the DEA. The DEA’s unobligated funds developed the Fusion Center.

  6. The amounts discussed below represent JCON Planning and Acquisition only. JCON maintenance is funded by the 16 participating DOJ components.



« Previous Table of Contents Next »