Our review of the State's leadership and management of its information technology (IT) projects revealed the following:
RESULTS IN BRIEF
The State has a significant investment in information technology (IT)--more than an estimated $2 billion annually--and in the past has experienced several major failures in planned IT systems. When it passed legislation that resulted in the creation of the Department of Information Technology (DOIT) in 1996, the Legislature envisioned that DOIT would provide the leadership, guidance, and oversight needed to protect the State's investment in IT. Although DOIT is developing new processes to meet its responsibilities, it has not consistently delivered what it has been asked to do by the Legislature.
The State needs strong leadership from DOIT to ensure that departments develop IT systems effectively. However, DOIT is not consistently ensuring that departments plan their IT efforts carefully. Planning is crucial to the proper development of IT projects. State law requires DOIT to develop a statewide IT plan to outline the vision and direction of the State's IT efforts, but it has not updated its 1997 plan to address pressing issues and include current measurable objectives. Additionally, the statewide plan does not include priorities to ensure that the most important projects are considered first. Further, DOIT has not sufficiently reviewed the strategic plans of departments' IT projects. DOIT could increase the level of leadership and guidance it provides to increase the probability of success for the State's IT efforts.
DOIT is also responsible for the review and approval of the proposed IT projects of departments. However, DOIT cannot demonstrate that it has consistently and sufficiently performed project reviews or that it considers all risks before departments develop their projects. In its oversight role for IT projects in development, DOIT requires departments to report their progress and, in some cases, requires departments to hire independent consultants to oversee projects. However, we found that DOIT does not always use these reports effectively, nor does it request the detail necessary to properly monitor projects. DOIT has launched several programs for overseeing projects from planning through evaluation that may address these issues, but it has yet to fully implement these programs.
Although DOIT is responsible for overseeing departments' IT efforts, departments are primarily responsible for planning, developing, and ensuring the quality of their IT projects. When we reviewed four major IT projects recently under development, we found that two projects had significant management problems. The Department of Transportation (Caltrans) undertook a major project to redesign how it collects and accounts for toll bridge charges without first establishing a supportable justification for the redesign. This particular project, which started in 1993, is about five years behind schedule and is expected to cost $28 million more than originally estimated. The Department of Health Services (Health Services) has been enhancing a management system for cases involving children from low-income families and individuals who have certain genetic diseases but is currently rethinking the technical direction of this project. Meanwhile, the project is expected to cost more than $10 million, almost double the original estimated cost of $5.6 million. The projects at the Employment Development Department and Franchise Tax Board were generally better managed but still experienced some cost overruns and delays.
In addition, DOIT has not consistently fulfilled other responsibilities intended to improve the State's management of IT projects. One area of particular concern is that DOIT lacks a mechanism to consistently assist departments in identifying and coordinating similar IT projects. Further, state law requires DOIT to maintain an inventory of IT projects, which could improve coordination and oversight, but it has not continuously maintained such an inventory and has only recently surveyed departments to collect sufficient information. In addition, DOIT has only recently prepared drafts of several key standards that establish common rules for IT projects, and has not yet begun to develop other standards. Also, DOIT has not consistently used two state-mandated councils established to provide advice on its activities. DOIT's lack of progress on these requirements and on some past initiatives could lessen its credibility. Further, DOIT's lack of an internal strategic plan to prioritize its use of resources while facing the turnover of key managers and other challenges has contributed to DOIT not making more progress in meeting its statutory responsibilities.
To provide strategic guidance for IT activities, DOIT, in conjunction with others, should update the statewide plan to address pressing IT concerns, priorities, and measurable objectives. DOIT should then ensure that it reviews department-level strategic plans for appropriateness and consistency with the State's plan.
To improve its oversight of departments' IT efforts, DOIT should continue to reengineer its project review, approval, and monitoring processes and promptly implement new processes as needed. However, for any new oversight process, DOIT must include sufficient documentation of project analyses to demonstrate that it thoroughly evaluated the projects, require departments to report relevant information about the progress of their efforts, and ensure that DOIT staff receive and effectively use project progress and oversight reports.
To organize and focus its efforts, DOIT should adopt an internal strategic plan to identify key responsibilities and establish priorities. Further, DOIT should establish a formal mechanism to promote coordination of IT projects. To facilitate this coordination, DOIT should complete the IT project inventory based on its survey of departments, ensure that the reported data is accurate, update the inventory as it receives new data, and consider how departments and the Legislature can effectively access this information. In addition, to improve compatibility and help standardize IT processes, DOIT should expedite its efforts to implement standards by focusing on standards it determines are high priority. Further, it should work with departments to ensure that all necessary standards have been implemented. DOIT also should consistently use the two advisory councils as intended by state law.
Finally, to help ensure that IT projects are implemented effectively, departments need to better manage the development of their IT projects. In particular, Caltrans and Health Services should follow best practices when obtaining the services of vendors and follow sound project management practices.
DOIT believes that our recommendations are consistent with the new enterprise direction it is taking and has reported progress on each of the recommendations. DOIT raises some concerns with the audit work that established the basis for the recommendations; however, its response contains numerous incorrect or misleading statements. Our comments on DOIT's response begin on page 141.
Caltrans, Health Services, and the Employment Development Department all agree with the recommendations that we made to them. In its response, the Franchise Tax Board provided us additional information on its project that we reviewed.