The nation’s largest provider of federal grants for service and volunteering is working on a new information technology management system to replace its outdated one, but continued delays have hobbled not only its timeline but also the agency’s process for assessing risks associated with grants, according to a Government Accountability Office report.
The report looks at the Corporation for National and Community Service’s efforts to update its eGrants IT system, which manages the digital records for $783.9 million in grants for organizations like AmeriCorps and SeniorCorps.
The eGrants system — which was established in 1998 and documents numerous grant compliance policies — and other legacy systems cost the CNCS $11 million to maintain in fiscal 2016, officials said.
But CNCS’s 2013 IT modernization plan found that data recorded into the eGrants system was not standardized and featured few validation checks, which helped compromise data quality.
GAO noted that those data quality problems further undermined the CNCS inspector general’s abilities to track or predict the improper use of grant funding because investigators reported that they couldn’t compare reporting data across awarded grants or the grantee population to find spending aberrations.
“The OIG noted that, although the agency had collected data from its grantees to monitor their use of funds, its outdated systems did not provide the kind of data analytics capabilities needed to monitor early detection of fraud and mismanagement of grant funds,” the report said.
CNCS officials asked a contractor to develop a strategy for its modernization efforts in 2014, which resulted in an independent assessment of the eGrants system and what it would take to update it.
The contractor noted that while CNCS was attempting to migrate to a new system, it fell behind its development schedule, causing employees to develop workarounds to “manage critical information accessed from multiple disparate sources, such as spreadsheets, e-mail, local and shared files, and local databases.”
The service filed a task order to move its grants operations to the cloud in 2014. Investigators said the ongoing modernization projects meet the current needs of the grant monitoring process, but they are not defined for a future risk-based approach.
The GAO report said that in July 2015, during the first of a three-phase development process, CNCS officials documented 26 business requirements for the system, including program enhancements and replicated functionality from the old system.
But by October 2015, CNCS officials decided to defer 20 enhancement requirements in favor of “improving the outcomes of monitoring activities and to include them in the requirements definitions for the second version of the monitoring system,” because officials had yet to define what the business needs were for the new system beyond the existing needs.
The plan was to develop a version of the new system to handle existing business operations to roll out in 2016, followed by a second version of the system that would include the risk-based process.
The new enhancements were to be included in the second version of the new system, but by March 2017, CNCS had not evaluated its monitoring efforts and how they would mitigate risk in the new program.
“We recommended that CNCS, as part of its efforts to establish enterprise-wide risk-based management, develop a risk-based approach to grant monitoring and establish a policy to ensure that all grants expected to be active in a fiscal year are assessed for potential risk,” the report said.
“In addition, according to CNCS’s Chief Risk Officer and Chief Information Officer, as of April 2017, the agency had not defined a risk-based management approach and, therefore, had not defined business needs for monitoring grants based on risks.”
The first version of the new eGrants system was originally projected to be delivered in April 2016, but still hadn’t as of July 2017. CNCS officials said they expected the version to be delivered in October.
The OIG initially made five recommendations, but after receiving additional documentation from the agency, revised the report. The OIG offered three remaining recommendations:
- That the Chief Executive Officer should direct the Chief Information Officer to take steps needed to ensure that system requirements are defined to align with the business needs of CNCS’s future risk-based grants monitoring process
- That the CEO should direct the CIO that the project development schedule include both planned and actual dates for completing all project-level activities in its baseline, with progress monitoring.
- That the CEO direct the CIO ensure that test plans are defined and implemented to include the second version of the grant monitoring system in all stages of testing during development, and results of initial stages are approved before conducting subsequent test stages.
CNCS officials partially agreed with the first recommendation centering on ensuring the second version of the system align with a risk-based approach, but disagreed that the first version of the system didn’t meet the business needs of the process. After receiving additional documentation, the OIG modified the recommendation.
Officials also partially agreed with the second recommendation, saying that they supported developing actual start and finish dates and detailed system-level schedules. However, they didn’t agree with the OIG’s view that there should be schedules for the testing and development of individual Phase 1 systems because officials said they had already done them.
“Contrary to statements made by OIT officials throughout our review, the officials stated that the agency had, in fact, developed such schedules,” the report said.
“Subsequently, in June 2017, the agency provided us an integrated master schedule for the earlier phases of the project through the requirements definition phase, and that incorporated specific activities, interdependencies and resources required for the individual system-level projects, as we initially recommended.”
Because of the new disclosure, officials also partially agreed with the third recommendation, again citing that individual testing procedures had already been put in place. The OIG revised the report to reflect this new information.