CNIC Audit 2006

Published by Statesman Journal
Department of Administrative
Services: Computing and Networking
Infrastructure Consolidation (CNIC)
Risk Assessment

Published by: Statesman Journal on Apr 05, 2013
Copyright: Attribution Non-commercial


Department of Administrative Services: Computing and Networking Infrastructure Consolidation (CNIC) Risk Assessment
Secretary of State Audit Report
Bill Bradbury, Secretary of State
Charles A. Hibner, Director, Audits Division
The Department of Administrative Services (department) is responsible for providing centralized services to state agencies. In July 2004, the governor accepted the department’s proposal to consolidate 12 of the state’s major data processing centers. The majority of funding for the resulting Computing and Networking Infrastructure Consolidation (CNIC) project was authorized by the 2005 legislature. The total anticipated cost of the project was approximately $63.6 million.

The purpose of this audit was to provide an interim evaluation of the department’s CNIC project. Our primary audit objectives were to determine whether the department planned and managed the CNIC project to ensure its overall success.
During our review we identified several significant weaknesses in the department’s project planning and management processes that adversely affected the integrity and viability of the CNIC project, including the following:
Initial project planning weaknesses led to unrealistic project expectations, objectives and timelines, causing the department to duplicate its efforts to adopt a more feasible consolidation strategy. We concluded that these changes were justified and likely necessary to help mitigate significant project risks. However, the changes would delay promised savings by at least one biennium.
Revised project plans remained incomplete regarding how, when or to what degree consolidation of data center resources would occur or how some critical security and disaster recovery services would be provided.
Because of ineffective contract management, it was unclear what value the state received from at least $3.4 million of contract dollars spent. In addition, the department may have limited its ability to obtain remedy for those dollars spent.
The absence or ineffectiveness of independent quality assurance processes also likely impacted decision makers’ view of project risk, cost, and benefit.
Accounting and compliance issues may result in loss of federal support and/or misstatements in the financial records.
We recommend that the department:
Develop detailed plans necessary to achieve project objectives.
Reevaluate project management processes to ensure the viability of future major information technology projects.
Provide more robust reviews of contract deliverables.
Work with the contractor and legal counsel to ensure that the state receives fair value for all incomplete or insufficient contract deliverables.
Provide more effective quality assurance reviews.
Ensure all relevant costs are identified and capitalized in accordance with generally accepted accounting principles.
Ensure compliance with federal Office of Management and Budget requirements and make adjustments for inequitable cost recoveries that have already occurred.
The Department of Administrative Services generally agrees with the recommendations.
Report No. 2006-33 • September 5, 2006
Secretary of State
Audit Report No. 2006-33 • September 5, 2006
The Department of Administrative Services (department) is responsible for providing centralized services to state agencies, including centralized computer networks and processing infrastructure. State statute specifically directs the department to coordinate statewide planning and activities related to the acquisition, installation and use of all information and telecommunications technology for the state.

In March 2004, the department contracted with Accenture, LLP to develop a business case for consolidating the state’s major data processing centers. Shortly thereafter, the then acting director of the department formed a Computing and Network Infrastructure Consolidation (CNIC) Governing Board to provide high-level direction and resolve major project issues. The CNIC Governing Board reviewed Accenture’s analysis and recommended that the project proceed.

Following the board’s recommendation, the department amended its contract with Accenture to include work to solidify project scope and provide expertise during data center consolidation.

The department obtained conditional funding approval at the June 2004 Emergency Board meeting to plan for a facility to house the consolidated data center operations. In July 2004, those conditions were met as the governor accepted the department’s proposal to consolidate 12 of the state’s major data processing centers. The resulting State Data Center (SDC) building was essentially completed in the fall of 2005, and cost approximately $20 million.

In June 2005, the department presented the CNIC project with its State Data Center’s operations budget to the legislature for approval. The budgetary requests focused on providing cost savings to the state over a period of biennia, and were based on assumptions relating to a reduction of personnel and infrastructure, and streamlining of processes to provide efficiencies. After significant discussion, the 2005 legislature approved the majority of funding for CNIC development and implementation. The approved project scope included consolidation of 12 agency data centers with their respective mainframe computers, network servers, data storage, and operations. This brought the total anticipated cost of the project to approximately $43.6 million, excluding the cost of the building.

The department indicated that the mission of the CNIC project was “to reduce costs while maintaining or improving service levels through consolidation of the state’s computing and networking infrastructure.” The department estimated that these and other consolidation efforts would save the state an estimated $10 million per year and the project would pay for itself in approximately five years.
Audit Results
The primary objective of this audit was to determine whether the Department of Administrative Services (department) planned and managed the Computing and Network Infrastructure Consolidation (CNIC) project to provide reasonable assurance that the project could be completed as approved and that the state’s assets would be safeguarded.

Generally accepted controls for information technologies indicate that organizations responsible for major projects like CNIC should establish and maintain a project management framework and approach that is commensurate with the size, complexity, and requirements of the project.

Based on the results of our audit work, we concluded that the department’s initial planning and management of the CNIC project were inadequate, placing the viability of the project, as approved by the legislature, in question. The most significant project planning and management issues that we identified included the following:
CNIC project planning was inadequate.
Project managers did not effectively manage third-party contract work.
The department did not provide for effective independent quality assurance reviews.
The department did not properly account for all project or transition costs.
CNIC Project Planning Was Inadequate
An effective project management framework should ensure the scope and objectives of an Information Technology (IT) project are clearly defined and an integrated project plan is formulated to guide team members through implementation phases. The approved scope and project plans should effectively provide boundaries and a roadmap leading to successful project completion and closure.

Project planning should also provide clear direction regarding how major objectives will be achieved. In that regard, project plans and decisions should be based on reliable information regarding:
The beginning state of IT resources, systems and services to be consolidated;
Needs of end-users, including anticipated costs and benefits of alternatives;
The desired end-state of combined assets and services; and
The feasibility of transitioning to the proposed end-configuration.

The 2005 legislature authorized funding for the CNIC project based on the department’s assurance that it would achieve operational efficiencies and cost savings. Specific project milestones included incrementally consolidating and moving data center operations into the State Data Center (SDC) beginning in November 2005, with a project end date scheduled for June 2007. During this process, the department committed to reduce data center staffing levels from 155 positions to 93. This represented a source of significant recurring savings necessary to achieve overall project cost-saving objectives.

Shortly after the 2005 legislative budget hearings, the department hired a State Data Center Administrator. In addition, the department’s Chief Information Officer and Deputy Chief Information Officer, both key project leaders, left state service. In the fall of 2005, the new project management team began questioning and reassessing the feasibility of the consolidation strategies and plans originally presented to the legislature. For example, the team questioned the level of consolidation that the department could initially provide and the timing of agency movement into the SDC. The team also questioned the feasibility of staffing commitments as approved in the project plan and agency budgets.

Based on the results of the team’s assessments, department management initiated substantial changes to its CNIC consolidation plans and strategies. Those changes reflected a much more conservative approach and timeline.

The department’s new plans provided for some immediate hardware consolidation, such as reductions in the number of mainframe devices. The new plans also called for transferring agencies’ data center operations to the SDC in their current state and configuration, then consolidating those services at a later time. However, the plans were incomplete regarding how, when, or to what degree consolidation of servers, system tools, mainframe operations, or operating system platforms would occur. In addition, the new plans did not adequately address how and when some critical security and disaster recovery services would be provided at the SDC.

The revised project plans also specified a more conservative timeline. The new schedule called for the largest agencies to occupy the SDC by June 2006 rather than incrementally transitioning into the facility beginning in November 2005. At the time of this report, the department indicated it had transferred the majority of computing infrastructure for these agencies to the SDC.

The department’s revised plans also significantly changed proposed SDC staffing. To carry out those plans, the department obtained Emergency Board authorization for an additional 49 positions, and transferred seven positions from another unit of the department, increasing SDC staffing totals to 149. That change represented a 60 percent increase from the previous total, postponing or negating much of the promised project savings.

After reviewing numerous project plans and contract deliverables, we concluded that department management’s decision to revise the nature, timing, and extent of the project was justified, and likely necessary to help mitigate significant project risks. We also concluded that the need for such changes was likely avoidable through better project planning processes and practices.

The most significant planning problems were the result of the poor quality of information the department and Accenture used to develop project plans and objectives. For example, initial milestones and objectives, including how much money the project could save, were formulated using high-level metrics. We noted that some of the key assumptions and data used in those calculations were inaccurate or incomplete. When the department presented its project to the legislature, it had not determined the beginning state of IT resources, the desired ending state, or the feasibility of transitioning resources to achieve proposed objectives.

These same issues continued to hinder the project as it entered implementation stages. At that time, the project team continued to lack critical information regarding the beginning state of IT resources necessary for carrying out specific planning and project objectives. For example, the project team did not have a complete inventory or understanding of agency applications, the environment on which they operated, and their dependencies. This lack of detail made it infeasible to carry out planned server consolidation.

Inadequate planning also affected the department’s ability to obtain full use of contracted resources. As described in the contract management section below, many key project planning and implementation steps that Accenture was supposed to perform could not be done because the department could not provide vital information relating to the
