Report 2014-602 Recommendation 1 Responses

Report 2014-602: High Risk Update—California Department of Technology: Lack of Guidance, Potentially Conflicting Roles, and Staffing Issues Continue to Make Oversight of State Information Technology Projects High Risk (Release Date: March 2015)

Recommendation #1 To: Technology, California Department of

By December 2015 CalTech should develop and adopt criteria to guide the type and degree of intervention it will take to prevent IT projects with significant problems from continuing without correction, including when and how IPO analysts should recommend corrective action and escalate issues to CalTech's management.

Annual Follow-Up Agency Response From November 2017

Reflected in SIMM 45, CDT developed and adopted criteria to guide the type and degree of intervention it will take to prevent IT projects with significant problems from continuing without correction.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

Annual Follow-Up Agency Response From October 2016

ITPOD has developed a draft escalation and correction action plan. The final version is expected to be completed in December 2016.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented

1-Year Agency Response

The Information Technology Project Oversight Division ITPOD has developed an escalation process which includes a reporting template and examples of conditions that warrant escalation (See attached). In the course of drafting the escalation process, ITPOD decided to also develop a "Corrective Action Plan" process which will formally notify departments that certain conditions or negative trends must be remediated, and if allowed to continue, could result in suspension or termination of the project. This process will become official State policy which necessitates allowing for consultation with Agency Information Officers and drafting State Administrative Manual updates. The additional time needed for this recommendation is due to the anticipated time needed to appropriately articulate and vet the conditions which warrant this action.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

6-Month Agency Response

Activity is progressing in developing the criteria for future use in determining project intervention.

California State Auditor's Assessment of 6-Month Status: Pending

60-Day Agency Response

- Communicate the criteria for suspending or terminating a project to ITPOD - complete

- Develop high level conditions which can be observed and documented - in process

- Document ITPOD's internal escalation process - in process

California State Auditor's Assessment of 60-Day Status: Pending

Although CalTech provided us documentation that it met with its staff to communicate its criteria for suspending or terminating a project, the criteria provided was the same as that included in its response to our report, which we indicated was not sufficient. Specifically, we noted that the criteria provided in its response was a good start; however, the criteria only speaks to circumstances where the need to intervene is apparent. We believe guidance is important in situations where professional judgment is needed—as we note on page 13 of our report—such as before IT projects reach the situations CalTech describes. Furthermore, CalTech's response does not address our concerns discussed on page 15 of our report that, beyond the description in state law, it has not defined the remedial measures, short of suspension or termination, that it may pursue, or the fact that CalTech lacks criteria to guide independent project oversight (IPO) analysts in recommending such measures. According to our IT expert, without such guidance, CalTech cannot meaningfully defend its decisions about whether and when to intervene in a troubled IT project.

All Recommendations in 2014-602

Agency responses received are posted verbatim.