The GAO's report assessed processes put in place after an August 2005 directive in which the White House Office of Management and Budget ordered federal agencies to identify high-risk projects and provide quarterly reports on those failing to meet certain performance criteria.
Commissioned by the House Committee on Government Reform, the report summarized the progress that agencies have made in adhering to the directive but said they haven't always consistently identified high-risk projects. As a result, the GAO found several projects that appeared to meet the OMB's definition of high-risk, but the agencies didn't classify them as such.
The GAO also chastised the OMB for failing to fully assist the agencies in complying. For example, it cited a lack of clarity in the directive and said the OMB could have done much more to ensure its success. The budget office needs to streamline the procedures that agencies use to submit their quarterly reports, the GAO said, noting that inconsistencies could exist between OMB and agency records.
According to the GAO, the OMB hasn't defined procedures for agencies to provide updated information about high-risk projects. It also hasn't compiled a single, aggregated list of the identified projects, which limits OMB staffers' ability to analyze projects on a governmentwide basis and track the full set of IT investments requiring special oversight, the report said.
Big money is at stake, the report noted. Within the 24 agencies subject to the August 2005 directive, the GAO tallied 226 IT projects classified by their respective agencies as high-risk. The report said the total funding requested for the projects in fiscal 2007, which starts Oct. 1, is US$6.4 billion -- about 10 percent of the Bush administration's overall IT budget request.
Seventy-nine of the high-risk projects, totaling about $2.2 billion in planned outlays, were classified by agencies as suffering from performance shortfalls, the report said.
The GAO recommended that the OMB order agencies to consistently apply its criteria for designating projects as high risk and establish "a structured, consistent process" for updating project data. It also called on the OMB to create a unified list of high-risk projects and their deficiencies.
But Evans, whose official title is OMB administrator for e-government and IT, was adamant in her response that the GAO's suggestions were based on inaccurate assumptions and interpretations. Evans, who also is the director of the federal Chief Information Officers Council, added that the GAO's report contradicted itself on the need for the OMB to provide agencies with further guidance on identifying high-risk projects.
"The report incorrectly implies agencies will not be able to oversee their own projects without additional guidance on this narrowly focused process, when in fact the report itself suggests agencies are using this policy as an opportunity to improve their internal oversight," she said.
Evans also disputed the need for an aggregated list of high-risk projects, noting that the OMB uses the reports from agencies "in the larger context of [its] budget and program oversight processes."