Board Report: 2014-IT-B-003 February 26, 2014

Opportunities Exist to Achieve Operational Efficiencies in the Board's Management of Information Technology Services

Finding 2: The Board Has Not Implemented Consistent Processes for Applications Development and Help-Desk Services

We found that over half of Board divisions perform applications development and help-desk services, often using differing processes, procedures, and tools. For example, several Board divisions perform SharePoint development, Intranet and Internet site maintenance, and programming using SQL Server and SAS technologies. Several divisions also develop and maintain econometric applications to support research on monetary policy. We found that processes and tools used by Board divisions in support of applications development activities in these areas, such as for project risk assessment, change management, and ensuring section 508 compliance, vary across divisions. We attribute inconsistent application management processes to the absence of a common systems development life cycle (SDLC) policy and associated operating procedures for use across Board divisions. As a result, the Board is not realizing operational efficiencies in applications management that could result from the implementation of consistent processes and standardized tools.

An SDLC refers to the overall process of developing, implementing, maintaining, and retiring information systems. According to the National Institute of Standards and Technology, each agency should have a documented and repeatable SDLC policy and guideline that supports its business need and that complements its unique culture.[2] The Division of IT has established a systems development methodology (SDM) that provides a framework for development projects managed by the division. The SDM specifically applies to Division of IT projects that result in releases, phases, or versions, and it includes activities for risk assessment, change management, and compliance. However, the other Board divisions are not required to follow the SDM, and two Board divisions told us that they relied largely on best practices and not the SDM when they developed large-scale systems.

During our audit, the Board completed a review of help-desk and other IT services that identified similar concerns regarding differing processes and tools used across Board divisions. The Board has begun evaluating options to standardize help-desk services across Board divisions; thus, we are not providing specific recommendations related to achieving operational efficiencies for help-desk services. The Board also completed a survey of the scope of IT services performed by individual divisions that highlighted the variety of applications management activities being performed across Board divisions. This survey noted that approximately 40 percent of the Board's total IT services costs are for applications management activities. Given that applications management represents a significant portion of total IT services costs at the Board, we believe that consistent processes for applications development, operations, and maintenance could lead to operational efficiencies and cost savings.

Recommendation

We recommend that the Director of the Division of IT

  1. Implement across Board divisions a common SDLC policy and associated procedures.

Management's Response

The Director of the Division of IT agreed with our recommendation and noted that the division will work toward implementing best practices to be used by Board divisions that can promote the use of a common SDLC.

OIG Comment

In our opinion, the corrective actions described by the Director of the Division of IT are generally responsive to our recommendation. We plan to follow up on the planned corrective actions to ensure that our recommendation is fully addressed.

  [2] National Institute of Standards and Technology Special Publication 800-63, Revision 2, Security Considerations in the Systems Development Life Cycle, October 2008.