Audit Report 4-14: Enforcement of SBA’s Information Technology Enterprise Architecture during the Development of the Disaster Credit Management System
Date Issued: Tuesday, March 2, 2004
Report Number: 4-14

On March 2, 2004, the OIG issued Audit Report 4-14, Enforcement of SBA’s Information Technology Enterprise Architecture during the Development of the Disaster Credit Management System.  This is the second, in a series of reports, related to the development of the Disaster Credit Management System.  The first report, issued on September 24, 2003, Audit Report 3-39, Monitoring of SBA’s Implementation of the Disaster Credit Management System, reported on the monitoring of SBA’s implementation of the Disaster Credit Management System (DCMS).  The Office of Disaster Assistance utilized the Automated Loan Control System (ACLS) to process disaster assistance. 

The ACLS was a distributed system that utilized a mix of mainframe and microcomputer capabilities to process disaster loan assistance.  In an effort to improve its disaster loan origination and servicing activities, the ODA purchased the Disaster Credit Management System or DCMS. 

The DCMS is a commercially available solution intended to provide more features, better usability, improved reliability and maintainability, better performance, and better security than the existing Automated Loan Control system.  The DCMS was designed to introduce paperless loan application, virtual loan processing, access to outside data sources, and improved workflow and document preparation.  In the recent report, the objectives of the audit were to determine if SBA’s implementation of DCMS (1) provided adequate safeguards, controls and testing before DCMS was placed into production, and (2) complied with overall objectives of the SBA Information Technology-Enterprise Architecture. 

Based on this review, the OIG determined that the ODA followed a disciplined planning process and had strong management oversight of the DCMS project however; the OIG found that the OCIO needed to enforce, more adequately, the SBA’s IT-EA standards for this project.  The OIG recommended that the Chief Information officer (1) perform “In-Process Reviews” for large-scale system development projects as part of the investment review process to ensure that IT Enterprise Architecture standards are enforced, and (2) Formulate and publish a strategy to provide for more proactive oversight of development projects from an IT Enterprise Architecture perspective.