Improvements in IT investment management program urged by NCUA OIG

Improving the agency’s information technology (IT) investment management program is the aim of four recommendations from the federal credit union regulator’s inspector general following a recent audit of the agency’s governance of IT initiatives, according to a just-published report.

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) said that it undertook, on its own, an audit covering the period of Jan. 1, 2016, through Dec. 31, 2019, according to a memo with the report dated Sept. 28, 2021. The IG wrote that the audit found that the NCUA, overall, had an effective process for identifying, controlling, prioritizing, and implementing IT initiatives across the agency. “However, we also determined the agency could make some improvements in its IT Investment Management program related to its policies and procedures and transparency, as well as ensuring certain functions of the Information Technology Oversight Council (ITOC) are clearer,” IG James Hagen stated in a memo accompanying the Sept. 28 report.

The OIG found that the agency needs to document its IT investment management policies and procedures; needs to make the scope of the Information Technology Prioritization Council’s (ITPC) authority, responsibilities, and functions clearer; and needs more transparency in the IT Investment Management process.

To that end, it recommended that agency management:

  1. Document and publish Information Technology Investment Management policies and procedures to include definitions, roles, responsibilities, and processes associated with information technology governance and selecting, controlling, and evaluating information technology investments.
  2. Finalize and publish an updated Information Technology Oversight Council charter that more comprehensively addresses and delineates the Information Technology Oversight Council's Information Technology Investment Management authority, responsibilities, and functions.
  3. Keep the language from the April 2019 charter, or include similar language in its new charter, requiring the NCUA Information Technology Oversight Council to provide a rated and ranked listing of all office of primary interest-proposed projects to the NCUA Board, highlighting those that are statutorily or legally required.
  4. Include language in the Information Technology Oversight Council’s charter requiring NCUA officials to provide the Information Technology Oversight Council meeting minutes to the NCUA Board.

Hagen wrote that the audit also considered the Office of the Chief Information Officer’s (OCIO) concerns regarding the funding of IT projects that fall outside of operations and maintenance (O&M) support and below the threshold of capital projects. The OIG made no recommendations regarding funding, Hagen wrote, since the CIO is already addressing that.

Audit of the NCUA’s Governance of Information Technology Initiatives, Sept. 28, 2021 (Report #OIG-21-06)