(Oct. 8, 2021) Four recommendations to improve NCUA’s information technology investment management program are laid out in a report from the agency’s office of inspector general (OIG), made public this week.
The recommendations made to agency management, in a report of an audit initiated by the OIG, are:
- Document and publish information technology investment management policies and procedures to include definitions, roles, responsibilities, and processes associated with information technology governance and selecting, controlling, and evaluating information technology investments.
- Finalize and publish an updated agency IT oversight council charter that more comprehensively addresses and delineates the council’s information technology investment management authority, responsibilities, and functions.
- Keep the language from the April 2019 charter, or include similar language in its new charter, requiring the council to provide a rated and ranked listing of all office of primary interest-proposed projects to the NCUA Board, highlighting those that are statutorily or legally required.
- Include language in the council’s charter requiring NCUA officials to provide the group’s meeting minutes to the NCUA Board.
According to the report, the audit covered the period of Jan. 1, 2016, through Dec. 31, 2019. NCUA Inspector General (IG) James Hagen wrote that, although the audit found that the agency overall had an effective process for managing IT initiatives across the agency, “we also determined the agency could make some improvements in its IT Investment Management program related to its policies and procedures and transparency, as well as ensuring certain functions of the Information Technology Oversight Council (ITOC) are clearer.”
The IG found that the agency needs to document its IT investment management policies and procedures; needs to make the scope of the Information Technology Prioritization Council’s (ITPC) authority, responsibilities, and functions clearer; and needs more transparency in the IT Investment Management process.
Hagen wrote that the audit also considered the Office of the Chief Information Officer’s (OCIO) concerns regarding the funding of IT projects that fall outside of operations and maintenance support and below the threshold of capital projects. The report made no recommendations regarding funding, Hagen wrote, since the agency CIO is already addressing that.
Audit of the NCUA’s Governance of Information Technology Initiatives, Sept. 28, 2021 (Report #OIG-21-06)