Information Technology Risk Management

IJnited

States

General

Acrounling

Offic*r

GAO

Information Managernerd and Technology Division

Information Technology: An Audit Guide for Assessing Acquisition Risks

I;AO/lMTE(:-8.1.4

Preface

~~._

.--. --.~

The federal government depends heavily on a variety of information technology products and services to serve the public. Each year the government spends billions of dollars on computer equipment., services, software, and telecommunications. The success or failure of information system acquisitions affects executive agencies’credibility with the Congress and the public as well as their abilities to carry out their missions effectively and efficiently. The General Accounting Office (GAO) and offices of inspectors general have consistently identified problems with information technology acquisitions. Problems identified in numerous evaluations include information systems that do not meet users’needs, exceed cost estimates, or take significantly longer than expected to complete. This guide provides a logical framework for evaluating information technology acquisitions. It incorporates a risk assessment methodology intended to reduce audit planning time and ensure that significant issues are included. It is based on a model of the acquisition process developed by GAO in cooperation with a wide range of federal and private sector officials. ’The model outlines the process used to acquire information technologies and identifies elements of the process that are essential for planning and carrying out acquisitions. This guide is intended for use in planning and conducting risk assessments of computer hardware and software, telecommunications, and system development acquisitions. A risk assessment is the process of identifying potential risks in a system under development and then determining the significance of each risk in terms of its likelihood and impact on the acquisition’ cost, schedule, and ability s
‘ information Technology:...