GAO Issues Report on the ACE Expenditure Plan, Management of ACE (Part I - New Recommendations)

(According to the GAO, the ACE expenditure plan satisfies many - but not all - of the legislative conditions specified in the DHS Appropriations Act of 2007. The Act states that DHS cannot obligate $216.8 million of the $316.8 million appropriated for ACE until the House and Senate Appropriations Committees receive an expenditure plan that satisfies certain conditions, including being reviewed by GAO.)

This is Part I of a multi-part series of summaries on this GAO report and highlights the three new recommendations that GAO made for the expenditure plan and the management of ACE. See future issues of ITT for additional details of the report.

GAO Makes 3 New Observations About the Expenditure Plan, ACE Management

GAO is making three new observations about the expenditure plan and the management of ACE:

Redefined ACE releases likely to cause delays, increased costs. First, the program is taking needed steps to redefine requirements for several ACE releases because of limitations in the completeness of original requirements, but this redefinition is likely to introduce significant program schedule delays and cost increases.

In defining ACE requirements, the program office discovered that its original approach did not adequately engage all key legacy system stakeholders, such as software programmers and subject matter experts. To address this, key stakeholders are now collaborating and decomposing legacy code. However, this effort is expected to significantly delay some ACE system releases and drops.

Program officials have taken several actions that they say will minimize the impact of the delays, such as prioritizing shared functionality, dividing releases/drops into smaller increments, and changing release deployment strategies. However, these changes have yet to be approved, and the full extent of the cost and schedule implications is not yet known. Moreover, neither the FY 2007 expenditure plan nor the ACE quarterly reports have disclosed the requirements redefinition and its impact, and neither has addressed any changes to release deployment strategies.

Replacement of key off-the-shelf product may hurt user productivity. Second, the changes to ACE requirements have led to replacement of a key commercial off-the-shelf (COTS) product, but the new product carries the risk of negatively impacting user productivity.

The program office conducted several analyses to determine which COTS products would best meet ACE system requirements, including a general review of various packages in 2002 to select a provider and a more detailed analysis in 2004 to define and allocate ACE requirements and select a specific product-the Systems Applications Products (SAP) Enterprise Portal.

In December 2006, however, the ACE Chief System Architect determined through additional analysis that all planned SAP functionality could be provided by Internet Transaction Server (ITS) technology and recommended that ITS be adopted. The program office subsequently stopped work on SAP Enterprise Portal design and configuration efforts and reported that ITS would be used for the Entry Summary, Accounts, and Revenue (ESAR) A2 release/drop instead of the SAP Enterprise Portal.

This decision is expected to have some near-term schedule impacts because much of the completed work for A2 had been based on the planned use of SAP Enterprise Portal.

Further, use of ITS raises the risk of inadequate user response time, which would, in turn, negatively impact user productivity and introduce a high probability of significant cost and schedule impacts.

Program officials reported that actions are under way to mitigate the risk through performance modeling and test planning. However, neither the FY 2007 expenditure plan nor the quarterly reports to Congress disclose this COTS product change, its impact on release schedules and cost estimates, or the risk to future system performance.

Automated database used for managing ACE risks is incomplete. Third, the automated database used for managing ACE risks is incomplete and does not contain information needed to adequately inform program decisions.

The program office has developed a process guide and implemented an automated tool (database) for managing ACE risks in accordance with relevant guidance and best practices. Although the database contains fields to provide a description, level (high, medium, or low), and mitigation strategy (including start and end dates, exit criteria, and implementation status) for each risk, the completeness and quality of this information varies. Because of such database limitations, GAO could not determine the status of and mitigation progress on 17 risks.

Moreover, these database limitations were not reflected in the documentation used at key program events, indicating that the program does not have the risk-related information that it needs to inform its program decisions and to reduce the chances of potential problems becoming actual problems. Program officials stated that they are taking steps to improve risk management, including establishing a group to ensure the quality and completeness of the database, holding regular group meetings with contract staff and team leads to discuss risks and their impacts, and conducting risk management training. To date, however, program risks have not been communicated to oversight organizations through the 2007 expenditure plan or recent quarterly reports to the House and Senate Appropriations Committees.

DHS Agrees With GAO Findings

The GAO states that DHS agreed with GAO's findings and stated that it is committed to addressing them.

GAO contact- Randolph Hite (202) 512-3459

(See ITT's Online Archives or 11/20/06 news, 06112010, for Part I of BP's summary on the DHS Appropriations Act for FY 2007, which contains information on ACE.

See ITT's Online Archives or 08/29/07 news, 07082915, for BP summary of U.S. Customs and Border Protection (CBP) posting its FY 2007 second quarter ACE report to Congress. See future issues of ITT for summary of the FY 2007 third quarter ACE report to Congress.)

GAO report, "Information Technology: Improvements for Acquisition of Customs Trade Processing System Continue, but Further Efforts Needed to Avoid More Cost and Schedule Shortfalls" (dated October 2007) available at http://www.gao.gov/new.items/d0846.pdf

CBP's report to Congress on ACE for the third quarter of FY 2007 (dated June 30, 2007) available at http://www.cbp.gov/linkhandler/cgov/toolbox/about/modernization/ace/quarterly_reports/ace_report_to_congress_062007.ctt/ace_report_to_congress_062007.pdf.