FDIC's Capital Investment Management Review Process for
Information Technology Investments

December 3, 2004
Supplement to Evaluation Report No. 04-039
Dated September 23, 2004

This supplement contains copies of correspondence between the Office of Inspector General (OIG) and the Chief Financial Officer and Chief Information Officer subsequent to the issuance of Evaluation Report No: 04-039, dated September 23, 2004. The intent of this supplement is to show progress made on the resolution of conditions identified at the time the OIG issued the final report.

Table of Contents

i. OIG Assessment of Management Response to Final Report
Memorandum dated December 3, 2004, from the Assistant Inspector General for Audits to the Deputy to the Chairman and Chief Financial Officer and the Chief Information Officer and Director, Division of Information Resources Management
ii. Management Response to the Final Report
Memorandum received October 15, 2004, from the Deputy to the Chairman and Chief Financial Officer and Chief Information Officer and Director, Division of Information Resources Management

i. OIG Assessment of Management Response to the Final Report

FDIC
Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: December 3, 2004

MEMORANDUM TO: Steven O. App, Deputy to the Chairman and
                                    Chief Financial Officer

                                    Michael E. Bartell, Chief Information Officer and Director,
                                    Division of Information Resources Management

FROM: Russell A. Rau [Electronically produced version; original signed by Stephen M. Beard for Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: Assessment of the Corporation's Response to Final Report Entitled FDIC's Capital Investment Management Review Process for Information Technology Investments (Report No. 04-039)

We received your memorandum on October 15, 2004, which responds to the subject final report. In that report, we requested that you reconsider recommendation 4 to update FDIC Capital Investment Policy requirements for the independent validation of quarterly project assessments.

In your response, you reiterated your position that current procedures provide for the adequate validation of quarterly project assessments. Specifically, the multi-level review that the quarterly assessments undergo is sufficiently documented in the FDIC Capital Investment Policy. Moreover, in determining your position, you considered the fact that the Division of Information Resources Management (DIRM) is in the midst of a major transformation effort. Finally, you indicated that reallocating resources to make additional modifications to a policy that you consider adequate is not consistent with your current mission priorities.

The intent of this recommendation was to ensure that existing control requirements for the review of quarterly assessment reports are clearly documented. The FDIC Capital Investment Policy is clear with respect to the following:

  • The project manager is required to submit a quarterly assessment report to the Capital Investment Review Committee (CIRC) and Board of Directors, outlining the project's current status.
  • Responsibility for assessing the performance of a project (i.e., reviewing the quarterly report) rests with its executive sponsor and executive steering committee, not the project manager.
  • The CIRC is the final authority for approving all project assessments.

Additional controls appear to exist based on our discussion with program officials, but these controls are not sufficiently documented. Specifically, as discussed in the report, DIRM's Investment Management Branch (IMB) and the CFO also have roles in reviewing the adequacy and consistency of quarterly assessment reports, but the roles and responsibility of the IMB and CFO are not adequately described in the FDIC Capital Investment Policy. Additionally, through discussions with program officials, we understand that Office of Enterprise Risk Management staff also participate on executive steering committees.

We recognize that DIRM is in the process of a major transformation effort and is facing substantial staffing reductions. DIRM has also recently adopted the Rational Unified Process (RUP) system development life-cycle model and is establishing a project management office. Both of these initiatives should result in additional oversight and control mechanisms for corporate projects. Given that the fundamental review requirements are addressed in the existing policy and that additional controls are being developed and are subject to change as a result of the DIRM transformation efforts, we agree that further action is not required at this time. Accordingly, we consider recommendation 4 resolved, dispositioned, and closed for reporting purposes. We intend, however, to evaluate this issue in future reviews.

Should you have any questions concerning the report, please contact me at (202) 416-2543 or Marshall Gentry, Director, Corporate Evaluations, Office of Audits, at (202) 416-2919.

ii. Management Response to the Final Report



Last updated 11/11/04