Veterans Affairs banner with U.S. FlagVeterans Affairs banner with U.S. Flag

Office of Budget

Fiscal Year 2005 Performance and Accountability Report
Published November 15, 2005

Back to Table of Contents

GAO5. DEVELOPING SOUND DEPARTMENTWIDE MANAGEMENT STRATEGIES TO BUILD A HIGH-PERFORMING ORGANIZATION

VA continues to face challenges in developing departmentwide management strategies to build a high-performing organization.

5A. Financial Management Weaknesses: Information Systems Security and Financial Management System Integration

VA continues to address two long-standing financial management weaknesses in the areas of information systems security and financial management system integration. Inadequate information security controls continue to place VA's sensitive financial and veteran medical information at risk of inadvertent or deliberate misuse or fraudulent use. The lack of an integrated financial management system continues to impede VA's ability to prepare, process, and analyze financial information to support the timely preparation of its financial statements. These material internal control weaknesses also contribute to VA's lack of substantial compliance with federal financial management systems requirements under the Federal Financial Management Improvement Act of 1996. While VA is making progress in improving its security posture, significant actions are still needed, including certifying and accrediting more than half of its 871 systems, improving configuration management, and implementing an intrusion detection system. Additionally, after unsuccessfully piloting a new integrated financial system, VA is reevaluating its current plans for the new system. In the interim, task groups will investigate the feasibility of developing tools to support the effective and efficient preparation of financial statements. GAO made recommendations to improve VA's internal controls over selected operational areas, and VA is planning to implement most of these recommendations.

VA's Program Response to GAO5A:

Substantial progress was made in improving the Department's information security posture in 2005. Significant actions that have been taken or are planned to remediate Department information security weaknesses include the following:

  • Certification and Accreditation (C&A). As of August 31, 2005, the Department reported completing C&A activities for 585 systems and major applications, representing all VA systems currently in operation. The Administrations, staff offices, and the VA Office of Cyber and Information Security will continue to work collaboratively on continuous monitoring efforts, which occur between tri-annual certification activities, to ensure that facilities are in compliance with VA and federal policies and standards and that security controls are implemented and tested for effectiveness to ensure the confidentiality, integrity, and availability of data and adequate protection of VA systems.

  • Intrusion Detection. Intrusion detection system installation has been completed. The Critical Infrastructure Protection Service is in the final stages of obtaining contractor support (award of this contract is anticipated to occur before the end of the current fiscal year) that will provide management and monitoring of security devices (intrusion detection systems) VA-wide. The services provided will include both host and network intrusion protection.

  • Configuration Management. Progress has been made regarding configuration management of VA systems. The VHA Office of Information has developed a detailed configuration management plan, change control process, and maintenance procedures that support the system development life cycle for its VistA application and local area networks. In addition, configuration guidelines have been published on the VA Intranet to help protect the confidentiality, integrity, and availability of sensitive VA data.

The Office of Finance has developed and is implementing a remediation plan that creates a dual path to substantially reduce the material audit weaknesses associated with the lack of an integrated financial management system. The first path focuses on improving the quality and timeliness of VA's financial data by developing a single and centralized Web-based data repository of information that is currently maintained in several different legacy systems. We will provide the user with a commercial off-the-shelf financial statement reporting system tool that will improve the accessibility of financial data, provide ad-hoc reports, and secure access to our customers within an integrated computer environment.

The second path will reduce the significant manual compilation and labor-intensive processes for the preparation of VA's consolidated financial statements and other standardized automated accounting reports. Under the new system, VA's consolidated financial statements, Treasury's Governmentwide Financial Reporting System and Federal Agency's Centralized Trial-Balance System II budgetary reports, and intra-governmental reporting will be produced from a single database using standardized formats. The new system decreases the risk of materially misstating financial information, strengthens reporting controls, automates the collection and consolidation of accounting data, and reduces the reporting lead time required to produce reports. Scheduled for implementation in 2006, the remediation plan should reduce the material weaknesses and make the Financial Management System substantially compliant with the Federal Financial Management Improvement Act.

5B. Enterprise Architecture Documentation

VA's commitment to addressing critical information technology (IT) management weaknesses has been evident, although challenges to improving key areas of IT performance remain. The Department continues to define products and processes essential to the development of an integrated, Departmentwide enterprise architecture-a blueprint for systematically and completely defining its current and desired IT environment-and is taking steps to improve effective management of its IT investments. However, key documentation critical to effectively implementing and managing the architecture needs to be finalized, and policies and guidance for ensuring sound management of VA's investment portfolio need to be completed.

VA's Program Response to GAO5B:

VA has completed development of Enterprise Architecture (EA) version 4.0. The final draft was submitted to OMB on May 31, 2005. This is the first EA release to incorporate graphic representation of VA business processes, as well as implementation of both sharable service components and technical "pattern" solutions as prescribed within the OMB System Reference Model and Technical Reference Model.

VA has also completed OMB's EA "Completion and Use Plan" and a self-assessment of OMB's EA Capability Maturity Model (CMM). VA submitted these plans to OMB in May 2005. They detail VA's recent EA accomplishments and planned EA improvements through May 2007. Following the submissions, VA was awarded a score of 3.0, a substantial improvement in its OMB CMM score for EA.

Within EA version 4.0, substantial progress has been made toward EA influencing VA's capital investment process and project milestone review process. The full EA version 4.0 Web portal was provided to GAO on July 12, 2005. With EA version 4.0, VA has addressed GAO's recommendations for EA improvement that were originally issued in 2003. Within the next EA release, VA will focus on the following:

  • The retirement of obsolete systems.
  • The reuse of existing data and sharable services.
  • The use of "patterned" technical solutions.
  • The use of federal e-Gov initiatives to avoid creating redundant facilities across Government.

5C. Performance Measures

VA also faces the challenge of establishing performance measures that show how well its IT initiatives support veterans' benefits programs.

VA's Program Response to GAO5C:

Information technology (IT) is critical to VA's success. Fundamentally, IT determines how quickly and efficiently VA delivers services to veterans.

In health care, for example, VA received national recognition as a result of groundbreaking achievements in the areas of technology-dependent bar coding, computerized records, and telemedicine.

VA is working with DoD to improve information sharing and to ensure a seamless transition to civilian life for our newest veterans from Operation Iraqi Freedom and Operation Enduring Freedom. Automated information systems, an integral part of this effort, significantly expedite the transfer of medical records and other information to VA.

VA has put more than 3 million interment records, dating back to the Civil War, on its National Cemetery Administration Web site. Through the use of information technology, the Nationwide Gravesite Locator allows a user to find a veteran's gravesite quickly and easily using only the name of the deceased veteran.

In sum, IT is an integral part of VA's success. The above-cited examples illustrate the central role of IT in delivering services to our Nation's veterans.

5D. VA/DoD Information Sharing

Additionally, VA in conjunction with DoD, is proceeding with efforts to share electronic health information for veterans and active-duty servicemembers, but faces the challenge of clearly defining its strategy and technological approach to realize this exchange of information. GAO made recommendations to help ensure progress in achieving the health information exchange, which the two departments agreed with and have planned or undertaken actions to address.

VA's Program Response to GAO5D:

VA and DoD have made significant progress toward implementing a strategy to achieve interoperability of health information. This strategy is known as the VA/DoD Joint Electronic Health Records Interoperability plan. The Departments are working to achieve interoperability between data repositories. The first release of Phase II of the Clinical Health Data Repository for outpatient pharmacy, medication allergies, and patient demographic data is expected in February 2006. Since May 2002, DoD has transmitted military health record data on over 3 million unique and separated servicemembers. The data are stored in a secure shared repository and are available for viewing by VA clinicians. As of the third quarter of 2005, over 1 million of those patients had presented to VA for care. In addition, in October 2004, VA and DoD first implemented the Bidirectional Health Information Exchange (BHIE). BHIE now supports the bidirectional exchange of outpatient pharmacy, laboratory results, text-based radiology results, and allergy information. BHIE is presently installed at all VA facilities; VA is working closely with DoD to conduct additional installations at locations where shared patients present for care. To support this exchange of information, VA and DoD have also entered into a memorandum of understanding (sponsored by both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the privacy programs of both of the departments) that outlines the specific authorities to share information under applicable privacy regulatory requirements.

VA and DoD play key complementary roles as lead partners in the Consolidated Health Informatics (CHI) initiative. The goal of CHI is to establish federal health information interoperability standards as the basis for electronic health data transfer in all activities and projects among all agencies and departments. In May 2004, the Departments of Defense, Veterans Affairs, and Health and Human Services announced their adoption of 15 additional standards recommended from the CHI initiative. Some of the key standards adopted include:

  • Health Level 7 (HL7) vocabulary standards for demographic information, units of measure, immunizations, and clinical encounters and the HL7 Clinical Document Architecture standard for text-based reports.

  • College of American Pathologists Systematized Nomenclature of Medicine Clinical Terms for laboratory result contents, non-laboratory interventions and procedures, anatomy, diagnosis and problems, and nursing.

  • Logical Observation Identifier Name Codes for electronic exchange of laboratory test orders.

  • Health Insurance Portability and Accountability Act transactions and code sets for the electronic exchange of health-related information to perform billing or administrative functions.

  • The Environmental Protection Agency's Substance Registry System for non-medicinal chemicals of importance to health care.

VA's enterprise architecture links the business mission, strategy, and processes of the Department to its health technology strategy. VA's Office of Enterprise Architecture Management maintains an Exhibit 300 entitled Registration and Eligibility, which supports the VA/DoD data sharing effort. The project also supports VA/DoD joint initiatives for the seamless transition of service personnel returning from Iraq and Afghanistan. It will leverage the One VA wide area network, various cyber security centralization projects, data from the Defense Enrollment Eligibility Reporting System, and data from the Defense Integrated Military Human Resources System. On July 1, 2004, the VA Office of Information Management and the DoD/Defense Manpower Data Center signed a memorandum of understanding outlining how data would be shared between VA and DoD.

Efforts are underway to provide VA access to claimants' personnel information found in the Defense Integrated Military Human Resources System through the DoD/Defense Manpower Data Center interface when it is fielded in late 2005. VA has already interfaced with the imaged Official Military Personnel Files for the Army, Navy, and Marine Corps via the VA Personnel Information Exchange System and the Defense Personnel Records Image Retrieval System. The result is early identification of recently discharged DoD servicemembers. VA can quickly and routinely verify the honorable discharge status of the servicemember in just 3 days as contrasted with 90 days without the shared information system.