Legislative Analyst's Office
Analysis of the 2002-03 Budget Bill
The Department of Information Technology (DOIT) is responsible for ensuring that appropriate plans, policies, and procedures are in place to guarantee successful implementation of state information technology (IT) projects. The budget proposes $9.5 million ($8.8 million from the General Fund and $750,000 from reimbursements) for support of the department's operations in 2002-03, a decrease of $1.5 million, or 15 percent, below estimated current-year expenditures. The budget proposes 64 personnel-years for the department in the budget year.
Authority for the Department of Information Technology (DOIT) sunsets on June 30, 2002. Reauthorization provides the Legislature the opportunity to evaluate DOIT's performance, and make adjustments, as necessary, to ensure DOIT meets legislative directions. To this end, we assess DOIT's overall performance, discuss the difficulties it has had in meeting some of its mandates, and provide recommendations to the Legislature on how to adjust DOIT's responsibilities in the future.
In 1995, the Legislature enacted Chapter 508, Statutes of 1995 (SB 1, Alquist) for the planning, implementation, and oversight of the state's IT activities. The Legislature determined that legislation was necessary in order to address multiple problems affecting the state's IT activities. Chapter 508 established DOIT with specific responsibilities intended to improve the state's ability to apply IT in a cost-effective manner and improve the Legislature's confidence in major IT initiatives. This legislation included a sunset date of July 1, 2000. Chapter 873, Statutes of 1999 (AB 1686, Dutra) subsequently extended the sunset date to July 1, 2002.
Reauthorization Provides Opportunity to Evaluate DOIT's Performance. Sunset dates are established in order to provide the Legislature an opportunity to evaluate performance when considering whether to reauthorize a department. In this review, we examine (1) each major area of DOIT's responsibilities, (2) the accomplishments and activities left undone by the department, and (3) the difficulties that DOIT has faced in meeting certain responsibilities.
We have identified four major categories of DOIT's responsibilities. For each of these categories, we review the specific mandated activities, DOIT's accomplishments, and activities not yet addressed, and we assess the extent to which DOIT has met legislative direction.
Based on our review, DOIT's overall performance of its legislative mandate has been one of limited success. In all of its major areas of responsibilities, DOIT has experienced some accomplishments and some misses. In its planning and policy role, DOIT has had the most success, with most of its accomplishments occurring in this area. In its procurement role, DOIT has issued some policies, but it has not issued all the policies directed by the Legislature. The DOIT has been unsuccessful in meeting a number of its mandates in the project review and oversight area. In the area of various miscellaneous IT activities, DOIT has had the least success, with most of its mandated activities not being met. We have summarized our findings in Figure 1 and discuss them in more detail below.
The DOIT's primary role is to provide planning and policy guidance on the state's IT through the issuance of state plans and policies. The DOIT's major accomplishment in this category was planning the state's Year 2000 (Y2K) remediation efforts by setting the state's overall Y2K remediation policy, and establishing standardized Y2K reporting and oversight processes.
Figure 1: DOIT’s Major Responsibilities, Accomplishments, and Activities Not Addressed

Planning and Policy Development
Accomplishments:
· Completed state’s Y2K remediation activities.
· Issued Statewide IT Plan.
· Began review of department IT plans.
· Completed a data center consolidation study.
· Assisted DGS in transitioning the state to the new telecommunications network.
· Drafted a policy on Operational Recovery Planning (ORP) and began reviewing department ORPs.
Activities Not Addressed:
· Has not updated the statewide IT plan in five years.
· Did not implement any initiatives identified in statewide IT plan.
· Did not provide 2001 annual report to the Legislature.
· Has not issued policies on system and information security, data confidentiality, and access to public records as directed by Legislature.

Project Review and Oversight
Accomplishments:
· Reviews and oversees most state IT projects.
· Issued five project-related policies.
· Began reviews of Post Implementation Evaluation Reports.
· Developed project and risk assessment tools.
Activities Not Addressed:
· Does not document its basis for approving IT projects, ensure departments assess project risk, consistently use departments' project reports as oversight tools, receive project updates from departments, and ensure that departments evaluate completed projects.
· Has not issued policies on risk mitigation plans, project summary, project sizing, independent project oversight, project delegations, maintenance and operations, and project transmittal letters as directed by Legislature.
· Provides limited information on its oversight activities.

Procurement
Accomplishments:
· Has issued three policies.
Activities Not Addressed:
· Has not issued policies on Letter of Credit and procurement alternatives.

Other IT Responsibilities
Accomplishments:
· Has been involved in the state’s IT staff recruitment and retention issues.
· Began development of an on-line project inventory system.
Activities Not Addressed:
· A wide range of miscellaneous activities have not been addressed.
· Has not issued policies on project management training and intellectual property as directed by Legislature.

However, DOIT has also experienced some shortcomings in this category. For example, DOIT has not updated the statewide IT plan since 1997 and has not implemented any initiatives from that plan. In addition, DOIT has not issued a number of policies that the Legislature directed it to issue.
Timeframes Not Specified. One of the reasons that DOIT has experienced shortcomings in its planning and policy development role is that DOIT's enabling legislation did not specify timeframes for implementing many of its responsibilities, thereby allowing each administration to establish its own priorities for DOIT. Without specific timeframes in which to implement its mandates, DOIT has been able to defer or not address many of its mandates.
Overlapping Policy Development Responsibilities. Another reason DOIT has had limited success is that its policy development and other areas of responsibilities often overlap with the responsibilities of several other departments. For example, DOIT's policy development responsibilities overlap with the Department of General Services (DGS), Department of Personnel Administration, Department of Consumer Affairs' Office of Privacy Protection, and Office of Emergency Services (OES). This overlap causes confusion as to which department is responsible for what activities. For example, the Government Code specifies OES is responsible for the state's disaster response and recovery, and DGS is responsible for business resumption planning, including the loss of electronic information. However, DOIT's enabling legislation states it is responsible for developing policies ensuring department business operations will continue to function in a disaster. The Government Code is unclear on how the roles of OES, DGS, and DOIT differ, or whether they may even be the same.
The second major area of responsibility is reviewing IT project proposals to ensure compliance with state policies and plans. The DOIT has the authority to approve or deny project proposals based on compliance with state policies and plans. In addition, DOIT is responsible for (1) monitoring on-going projects, (2) making recommendations for corrective actions, and (3) suspending or terminating those projects that are out of compliance with state policies. It reviews and oversees most state IT projects.
Since its establishment, DOIT has issued five policies related to project reviews and oversight. However, DOIT has not issued a number of policies that the Legislature directed it to issue. In addition, its project reviews and oversight activities are deficient according to the Bureau of State Audits (BSA) in its June 2001 audit of DOIT's mandated activities.
The DOIT Does Not Report Oversight Activities. The DOIT is ultimately responsible for approving, denying, or suspending all state IT projects. However, DOIT has never suspended or terminated a state IT project even though it has the authority to do so. According to DOIT, 14 percent of state IT projects require corrective action and 7 percent are at risk of failure. The DOIT states that it works with departments to correct project problems. However, the Legislature receives limited information on these corrective actions and their outcomes.
The DOIT is responsible for issuing policies that improve the acquisition of state IT projects and services. Specifically, the policies should share risks with vendors, improve the acquisition process, and ensure projects are funded and scheduled in phases. Since 1995, DOIT has issued three policies related to procurement. However, DOIT has not issued all the policies that the Legislature directed it to issue. For example, the Legislature has directed DOIT to issue policies on Letter of Credit and procurement alternatives, and yet these policies have not been issued.
Procurement Role Conflicts with DGS. We believe DOIT has had limited success in its procurement role because DOIT's role conflicts with DGS's role as the state's procurement officer. The DGS has the responsibility of developing procurement policies and enforcing state procurement laws. The DGS and DOIT have had difficulties separating their policy development roles because IT procurement policy is a subset of overall state procurement policy and practices. Evidence of this overlap occurred during recent legislative testimony in which the Director of DGS indicated that the Government Code was unclear as to whether DGS or DOIT was responsible for software procurement policies, practices, and contracting.
In addition to its three major areas of responsibilities, DOIT is also responsible for an assortment of miscellaneous tasks ranging from maintaining a project inventory system to promoting civil service reforms for the state's IT professionals. In this area, DOIT has been involved in the state's IT staff recruitment and retention efforts and is in the process of developing a project inventory system. However, DOIT has not implemented most of its responsibilities in this area. For example, DOIT was directed by the Legislature to issue policies on project manager training and qualifications and yet has not issued these policies.
Some Mandates Are Obsolete or Have Multiple Interpretations. We believe that one of the reasons for this lack of success is that many of these activities are either no longer relevant or the exact requirement is unclear. An example of an activity that is no longer relevant is establishing and maintaining criteria for advanced technology projects that were used in the 1980s to evaluate how well new technologies meet state program needs. Advanced technology projects are no longer used because state procurement methods changed, allowing vendors to propose IT solutions for solving the state's program problems.
An example of an activity in which the mandate has multiple interpretations is identifying available IT resources from the public and private sectors. The mandate may mean that DOIT is responsible for recruiting IT staff from the private sector or it could mean that DOIT is responsible for creating a master service agreement of IT firms that the state has authorized as IT business partners. Either interpretation appears to be consistent with DOIT's current statutory authority.
It is important to both the administration and the Legislature to have oversight of state information technology activities. Because of its importance, we recommend that the Legislature reauthorize the Department of Information Technology (DOIT) for two years. However, we recommend that the Legislature, through the reauthorization process, (1) clarify DOIT's responsibilities and (2) direct the Bureau of State Audits (BSA), prior to 2004, to assess the extent to which DOIT has addressed its mandated activities.
Clarify DOIT's Responsibilities. As noted earlier, many of DOIT's activities overlap other departments' responsibilities or are unclear as to legislative intent. The Legislature can strengthen DOIT's role by clarifying specifically what DOIT is expected to perform in its role, thereby reducing overlap and confusion between departments. The Legislature should also direct other departments to work with DOIT in meeting its mandates and set specific timeframes in which these tasks must be accomplished. The Legislature should clarify DOIT's mandates so there is no ambiguity about legislative intent. Finally, the Legislature should establish clear priorities, requirements, and timeframes in which DOIT must meet its mandated activities.
Extend DOIT for Two Years. We recommend that DOIT be reauthorized for two years. We further recommend that the Legislature direct BSA to conduct an audit evaluating DOIT's performance and the extent to which DOIT has met its mandated responsibilities by December 2003 to provide the Legislature with the information it will need when considering DOIT's 2004 reauthorization.