Legacy Systems Modernization and Movement to Cloud Services

View Report

Date Issued

Thursday, September 26, 2024

Submitting OIG

Social Security Administration OIG

Other Participating OIGs

Social Security Administration OIG

Agencies Reviewed/Investigated

Social Security Administration

Report Number

142312

Report Description

Attached is Ernst & Young LLP's final audit report. Their objective was to determine the extent to which (1) the Social Security Administration had improved its cyber-security posture by defining and implementing plans to modernize or replace and retire its legacy information technology systems and (2) SSA’s efforts and plans to move to cloud services are consistent with Federal guidance.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 8 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
1	Yes	$0	$0	Agree
Ensure timely steps are taken to approve and implement a modernization strategy which covers SSA modernization efforts and comprehensively addresses legacy system risks for the upcoming years.
2	No	$0	$0	Agree
Ensure timely steps are taken to develop Enterprise Architecture planning documents that directly align with strategic objectives and performance goals noted in the Agency's strategic and Annual Performance Plans.
3	No	$0	$0	Agree
Review the Information Resource Management Strategic Plan annually and ensure it supports the goals of the Agency Strategic Plan, as required by the Government Performance and Results Modernization Act of 2010, OMB Circular A-130, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996.
4	No	$0	$0	Agree
Ensure legacy system modernization plans include a detailed description of the work needed for modernization, considerations for the disposition of the system, and tracking cost data that covers all aspects of the project.
5	Yes	$0	$0	Agree
Regularly perform risk assessments for legacy systems, as required by OMB Circular A-130, Section 5(a)(1)(b)(i) and (c)(ii). Performing assessments regularly will help management identify information systems and components that cannot be appropriately protected or secured. This will ensure that such systems that may be costly or difficult to maintain, are given high priority for upgrade, replacement, or retirement.
6	No	$0	$0	Agree
Continue to refine the Agency’s inventory of business applications to ensure data elements specifically related to changes, such as retiring or replacing applications, resulting from modernization efforts are tracked/flagged appropriately.
7	No	$0	$0	Agree
Implement cost monitoring mechanisms to help with the tracking and management costs related to modernization. Additionally, management should conduct cost analyses for modernization projects, considering cost from a risk perspective.
8	No	$0	$0	Agree
Regularly perform post-implementation reviews on all information technology investments.