State grapples with gaps in I.T. project oversight

Sen. Betsy Johnson, D-Scappoose, a member of the Legislature's Emergency Board, is concerned whether there is adequate oversight and quality control over the voter registration system project.

Despite a record of information technology project failures, some state agencies are exempt from a law requiring them to have an independent external quality assurance review of projects exceeding $1 million.

Certain state agencies, such as the Secretary of State’s Office, are exempt from laws passed in 2014-15 to require certain state agencies to have independent outisde oversight and reporting on I.T. projects. Some of the state’s most notorious I.T. project failures — such as Cover Oregon healthcare exchange website and the more recent project to install a new state agency phone system — lacked an independent quality assurance reviewer for all or part of the duration of those projects.

The Secretary of State’s Office has allocated $2.8 million to build its own Oregon Centralized Voter Registration computer system during the next three years to replace software now supplied by contractor, DXC Technology.

Officials with the Secretary of State’s Office believe having an in-house system would allow them to quickly adapt the system to changes in Oregon law and better maintain the security of data, said Steve Bender, an analyst with the Legislative Fiscal Office. It also was uncertain whether DXC would continue to support the voter registration system.

When it came to the attention of the Legislative Fiscal Office that the project budget excluded a quality assurance review, the office asked the secretary of state to add the review. The secretary of state obtained a quote of nearly $337,000 to conduct an independent review of the I.T. project.

The state Legislature’s Joint Emergency Board approved that expenditure Wednesday, May 23.

Given state government’s “landscape of all of the detritus of failed computer systems and failed I.T. implementations,” Emergency Board member Sen. Betsy Johnson, said, she was concerned whether there is adequate oversight and quality control over the voter registration system project.

“I am just quite worried that some of the same people who oversaw absolute debacles here are now going to be present overseeing this, and I’m looking for some degree of reassurance,” the Scappoose Democrat said.

The Legislative Fiscal Office flagged the lack of independent oversight after going over the project, said Legislative Fiscal Officer Ken Rocco.

“LFO was concerned about the risk of the project and the size of the project and that is why we asked the secretary of state obtain an external quality assurance review of this,” Bender said.

“Quality assurance reviews don’t ensure a project is successful. However, we do believe that this will increase the likelihood of that outcome and that if there are potential difficulties or concerns in the implementation plan that were not discovered internally then having an external reviewer would be helpful in increasing the likelihood of the project’s success.”

Johnson said she also wanted assurances that lawmakers would receive reports on the quality assurance reviews to provide accountability for the project.

“What happens if the Q.A. is retained and ignored?” she asked.

The Legislative Fiscal Office will receive reports on the quality assurance review and give them to lawmakers on the committee that oversees I.T. projects, Rocco said.

The failure of the Cover Oregon health insurance website — which ate up more than $300 million in state and federal funds — and the more recent problems with the $46 million replacement of the state agency phone system lacked the kind of quality control reviews that might have caught problems early on.

The health insurance exchange website project was transitioned from Oregon Health Authority to Cover Oregon, a quasi-public corporation, in mid-2013. As a public corporation, it would not have been subject to state-mandated quality assurance reviews, though other independent quality assurance services were required as a condition of some federal grants, said Travis Miller, policy and communications strategist at the Oregon Office of the State Chief Information Officer.

The phone system modernization, known as Project MUSIC, also was not required to retain independent quality assurance services because it was initiated in late 2013, before the requirement was enacted in law.

“Additionally, it was considered a lower-risk hardware replacement not subject to the independent quality assurance requirement,” Miller said.

The Office of the State CIO recently hired Gartner Inc. to perform independent testing and conduct a risk assessment o assure the state that telephone system that has been delivered by IBM is complete, functional, stable and secure, according to report to lawmakers Tuesday by acting CIO Terrence Woods.