SALEM — Oregon has taken steps over the last year to prevent major information technology project failures such as Cover Oregon, but the effort remains understaffed and incomplete, according to an audit released Monday.
Auditors also concluded the new project management strategy would not prevent many of the common problems that arose with state IT projects over the last 10 years.
Auditors at the Secretary of State’s Office reviewed a new project management model developed by Oregon’s chief information officer in the wake of the Cover Oregon fiasco. Although the strategy is a positive step, auditors found the CIO’s office has taken more than a year to develop the model and still has not finished it. One reason is the agency where the CIO works, the Department of Administrative Services, does not have enough employees assigned to the project.
Michael Jordan, who was chief operating officer for the state and director of DAS until March 5, agreed with most of the findings. Jordan agreed the chief information officer’s office was understaffed, and pointed out in a Feb. 24 written response that the agency had asked for 12 more employees in the next two-year budget starting in July. Without additional employees, Jordan estimated his agency would finish developing the new project management strategy by summer 2017.
However, Jordan took issue with the auditors’ recommendation for clear consequences when IT projects fail to meet goals during the development process; Jordan wrote that it was also important to be “supportive and collaborative.”
The Governor’s Office initially asked for more time so that George Naughton could write “an enhanced response” to the audit after Jordan resigned March 5, said Secretary of State’s office spokesman Tony Green. Kristen Grainger, a spokeswoman for Gov. Kate Brown, wrote in an email that it was simply an “opportunity to consider that DAS has a new interim director, and whether or not the agency response letter needed to reflect that. Upon further consideration, it did not.” Naughton made only a few minor word changes before signing off on the response Jordan had written.
An independent IT services review that Brown called for last week will cover management issues in addition to security issues, Grainger wrote. Brown announced her plan for the review in a press release last week acknowledging a data breach at the DAS-managed state data center.
Despite the audit’s focus on IT project management, it did not examine what auditors described as “arguably the worst computer development failure in state history,” Cover Oregon. Oregon spent $300 million in federal money primarily to set up an online exchange for people to purchase health insurance, plus at least $26 million in state money for related projects, The Associated Press reported. The exchange website failed to launch as planned in October 2013. Meanwhile, the state and technology company Oracle American, Inc. have filed dueling lawsuits over the project.
Green wrote in an email that this audit largely followed up on problems identified in previous audits, and “We have not audited Cover Oregon because it is currently being looked at by Federal agencies and a host of other consultants for the state, including those hired by the Governor’s office.”
Jordan alluded to Cover Oregon in his response to the audit findings, writing that the new IT project management strategy was introduced in February 2014 “as a direct response to a major IT project that was ill-prepared to move to its execution phase ...”
There are plenty of other high-stakes state IT projects currently underway and planned for the future. The state is working on several that are each worth at least $20 million, and the total value of current and planned state computer system projects is nearly $1 billion, according to auditors. The projects include replacing many of the core applications at the Department of Revenue, and developing a new child support computer system for the Oregon Department of Justice.
The Department of Administrative Services directly manages some of these IT projects and assists different agencies on others. Auditors found DAS’ project management was “a significant step in the right direction,” but weaknesses remained across all state IT projects. For example, DAS did not assign enough staff to handle project management, and the consequences for failing to meet project management goals were unclear.
The problems have long been known. Auditors from the Secretary of State’s office found in 2001 that DAS had not written adequate guidelines for other agencies to develop computer systems, and in fact the agency had mishandled one of its own major IT projects.
State CIO Alex Pettit started to develop a new IT project management strategy in 2014, but it is still not complete. For example, auditors found DAS has not yet identified which state employees are responsible for oversight of various aspects of IT projects under this process. Auditors attributed the problem to a staffing shortage at DAS: the agency has three to four analysts available at any time to “evaluate multiple projects and provide needed guidance to agencies,” and they have little or no time to work on the project management strategy. In 2014, these analysts were responsible for oversight of 30 ongoing state IT projects and gave conditional approval to an additional 41 new state agency projects.
“Given this workload, this level of staffing is insufficient to effectively develop and fully implement the concepts associated with the (project management) model,” auditors wrote.
Matt Shelby, a spokesman for DAS, said the agency was aware it needed more employees to manage these projects and that is why it asked lawmakers for more money to hire additional staff. Shelby said Pettit also worked with lawmakers to draft House Bill 3099 to assign more authority to the chief information officer. The bill is currently scheduled for an April 2 hearing at the House Committee On Consumer Protection and Government Effectiveness.
The Capital Bureau is a collaboration between EO Media Group and Pamplin Media Group.