Follow-on Audit of FDIC's General Examination System Developme

Musong - Fdic Oig Office Of Audits

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

41 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Informations

Publié par	Musong
Nombre de lectures	68
Langue	English

Extrait

March 31, 1999
FOLLOW-ON AUDIT OF FDIC'S GENERAL EXAMINATION
SYSTEM (GENESYS) DEVELOPMENT PROJECT
Audit Report No. 99-020
OFFICE OF AUDITS
OFFICE OF INSPECTOR GENERAL37 RECOMMENDATIONS
APPENDIX II - TABLE: MANAGEMENT RESPONSES TO
28 APPENDIX I - MEMORANDUM: CORPORATION COMMENTS
24 CORPORATION COMMENTS AND OIG EVALUATION
21 INFORMATION CAN BE IMPROVED
TRACKING AND REPORTING OF GENESYS COST-BENEFIT
21 Recommendations
18 BANK EXAMINATION DATA
IMPROVED SAFEGUARDS NEEDED TO PROTECT CONFIDENTIAL
18 Recommendations
16 NEED FOR CONTINUITY OF EXAMINATION STAFF
16 Recommendations
14 GENESYS AUTOMATION EFFORTS
BETTER INTERAGENCY COORDINATION NEEDED FOR FUTURE
14 Recommendation
11 GENESYS Testing Was Inefficient, Costly, and Not Always Effective
10 Recommendations
8 Use of Evolutionary Prototyping
8 Recommendations
6 Feasibility and Cost-Benefit of Alternative Solutions Not Evaluated
5 DEVELOPMENT METHODOLOGY
FDIC'S STRUCTURED GENESYS DID NOT FOLLOW THE
4 RESULTS OF AUDIT
3 OBJECTIVES, SCOPE, AND METHODOLOGY
2 BACKGROUND
TABLE OF CONTENTSMarch 31, 1999
ts
W
TO: Demitros, Director,
James Sexton, Director
FROM: .
SUBJECT: Follow-on Audit of FDIC's General Examination System
(Audit Report No. 99-020)
Audit of the General Examination System (GENESYS)
designed to improve the FDIC's system development practices relative to GENESYS.
management had taken some steps to improve the development practices for GENESYS
BACKGROUND
2
safety and soundness examination process. GENESYS will replace the FDIC's Automated
GENESYS represents the FDIC's most comprehensive initiative to apply technology to the bank
evaluating alternatives.
required a formal re-evaluation of alternatives, the FDIC continued with their initial plan without
noted that despite significant changes in the project's scope, cost, and schedule that should have
document came after significant investments had been made in development work. We also
the GENESYS project work plan, functional requirements document (FRD), and system design
plan had been formally approved. In addition, senior DIRM and DOS management approvals of
and development work before user requirements had been completely defined or a project work
following our initial audit. However, DIRM repeated its practice of performing detailed design
Division of Information Resources Management (DIRM) and Division of Supervision (DOS)
dated June 5, 1997 that contained five findings and recommendations Development Project
issued an audit report entitled
adhering to the FDIC's system development policies and procedures. Prior to this audit, the OIG
development project. This follow-on audit focused on evaluating whether developers were
completed a follow-on audit of the FDIC's General Examination System (GENESYS)
The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has
Development Project
Report Entitled
Assistant Inspector General
Loewenstein David H
Division of Supervision
Management and Chief Information Officer
Division of Information Resources Donald C.
DATE:
Office of Inspector General ashington, D.C. 20434
Office of Audi Federal Deposit Insurance CorporationROE and the efficiency of the report preparation process by leveraging time saving and data
examination information, such as Call Report and Uniform Bank Performance Report data.
operations can be assessed. In addition, by expanding the amount of timely and relevant data
add-on tools, including Formula One™ and First
based laptop computer.
The objectives of the audit were to determine whether: (1) development was adhering to
Alabama State Banking Department. In addition, we reviewed key SDLC deliverable products,
3
interviewed representatives of the U.S. General Accounting Office (GAO), FRS, CSBS, and the
well as regional and field office bank examiners who were involved with the project. We also
To accomplish our audit objectives, we interviewed headquarters DIRM and DOS personnel as
audit to discuss our preliminary recommendations.
of the GENESYS development project, we met with DIRM and DOS personnel throughout the
information had been adequately documented and tracked. Because of the time-sensitive nature
requirements had been adequately defined and satisfied user needs, and (3) cost and benefit
established and generally accepted System Development Life Cycle (SDLC) procedures, (2)
OBJECTIVES, SCOPE, AND METHODOLOGY
March 1999.
remaining state banking departments, along with FRS, planned to implement GENESYS in
departments planned to begin using GENESYS with the FDIC in 1998, and the majority of the
safety and soundness examinations when fully implemented. Approximately 30 state banking
in developing, testing, and implementing the system. DOS planned to use GENESYS on all new
soundness examination system. Throughout the project, the FDIC's DIRM assumed the lead role
(CSBS) joined the project as part of an interagency effort to develop a single bank safety and
Governors of the Federal Reserve System (FRS) and the Conference of State Bank Supervisors
The FDIC initiated the GENESYS project in December 1995. In January 1997, the Board of
was used to provide functionality to the GENESYS screens. GENESYS operates on a Pentium-
used to develop the GENESYS database, and Structured Query Language (SQL) program code
Impression®. Microsoft Access ‘97® was
DIRM developed GENESYS using Microsoft Visual Basic® version 5.0 software and various
performed on site, thereby reducing the burden of examinations to the industry.
examiners to perform additional work off site and should facilitate the work that must be
specific risk areas that should be addressed during an examination. GENESYS will also allow
available to examiners prior to on-site examinations, examiners will be better able to identify the
more effectively analyzing liquidity risk, interest rate risk, and other risks against which bank
Data analysis and query tools contained within GENESYS are intended to assist examiners in
GENESYS permits the electronic capture and analysis of key bank safety and soundness
integration features of Windows® 95 and Microsoft® Office 97 software. In addition,
generate the Report of Examination (ROE). GENESYS is intended to improve the quality of the
Report of Examination (C-ARE) and WordPerfect® templates used by DOS examiners totraining evaluation reports, and other key reports and documents prepared during the GENESYS
reviewed the FDIC's SDLC policies and procedures.
Our audit work was limited to the FDIC's development of version 1.0 of GENESYS. We did not
4
tested and the programming bugs corrected.
risk by postponing GENESYS training and implementation until the software had been thoroughly
initiated its national training on the system. In our opinion, DIRM and DOS could have limited its
programming bugs and was not ready for training or production implementation when FDIC
examiners following GENESYS training indicated that the software contained numerous
satisfy their requirements for generating a safety and soundness ROE. However, feedback from
field work stated that GENESYS would generally Examiners that we spoke with during our audit
the FDIC and state examiners on use of the software.
numerous software bugs in GENESYS to go undetected until after DIRM and DOS began training
the SQT process. Inadequate system qualification testing also allowed security weaknesses and
resulted in the development of erroneous test procedures that had to be revised or eliminated during
the testing process by providing SQT testers with outdated GENESYS design specifications. This
testers from completing a SQT for GENESYS. DIRM also experienced inefficiencies and delays in
required testers to continually revalidate and update test procedures and ultimately prevented the
risk. For example, ongoing changes to the functionality of GENESYS during the SQT process
inefficiencies in the GENESYS development process and required the FDIC to assume unnecessary
aggressive development schedule for GENESYS. However, these deviations caused several
DIRM decided to deviate from the FDIC's prescribed SDLC procedures in an attempt to meet an
SDLC phases.
critical SDLC deliverables and obtaining senior management approvals prior to initiating subsequent
feasibility or cost-benefit of alternative solutions to the development of GENESYS or finalizing
completed. In addition, DIRM deviated from the FDIC's SDLC process by not evaluating the
also initiated a SQT of GENESYS before system development and integration testing had been
was performed before requirements definition and design work were substantially complete. DIRM
employed an evolutionary prototyping process to develop GENESYS wherein development work
from the structured approach prescribed by the FDIC’s SDLC process. Specifically, DIRM
for GENESYS following our initial audit, GENESYS development practices continued to deviate
Although DIRM and DOS management had taken some steps to improve the development practices
RESULTS OF AUDIT
generally accepted government auditing standards.
We conducted our audit between September 1997 and October 1998 in accordance with
review development plans or wor