Our objective was to determine if the Postal Service developed the HERO system in accordance with policies, procedures, and industry best practices, and whether it is functioning as management intended.
In July 2015, the Postal Service approved a Decision Analysis Report (DAR) request for [redacted] to replace the existing Human Resource (HR) systems with a new cloud-based Integrated Human Resources System (IHRS) composed of five modules that address HR functions. In September 2016, the Postal Service awarded [redacted] the contract to build an IHRS and required delivery of all five DAR modules. Because that supplier was unable to meet contractual requirements, the Postal Service awarded a contract to [redacted] to implement a cloud-based commercial-off-the-shelf integrated Human Resources system called HERO for [redacted]. This contract required delivery of four of the five IHRS DAR modules.
We reviewed the HERO system’s requirements, business case, and contract and compared these to HERO’s functionality. We also reviewed HERO’s contract payment data and compared it to invoices to ensure accuracy.
We planned our fieldwork before the President of the United States issued the national emergency declaration concerning the novel coronavirus outbreak (COVID-19) on March 13, 2020. The results of this audit do not reflect operational changes and/or service impacts that may have occurred as a result of the pandemic.
The Postal Service did not develop the HERO system in accordance with policies, procedures, and federal government security standards, and the system did not function as management intended.
In fiscal year (FY) 2018, [redacted] launched a module that did not support the business needs and processes outlined in the contract, and in FY 2019 it only partially delivered a second module. We found that Postal Service management did not clearly communicate requirements to [redacted], leading to gaps in contract deliverables. Requirements form the basis for the entire supply chain process and provide the detail necessary to understand what must be developed for a solution to meet business needs.
These issues occurred because Postal Service management purchased a commercial-off-the-shelf solution that could not be customized to meet its business needs. In addition, Postal Service policy did not require a demonstration of the functional capabilities prior to purchase of the cloud solution. Further, management did not initiate required technical assessments of the vendor until after awarding the contract.
As a result, the Postal Service spent [redacted] for the contract but only received two partially completed modules out of five IHRS DAR modules. On average, management spent [redacted] annually from FYs 2018 to 2020 and ended the IHRS DAR investment in December 2019. In addition, because [redacted] did not fully complete the required modules, in January 2020 the Postal Service approved an additional [redacted] to upgrade the legacy system.
Postal Service management also did not complete an interim security assessment, as required by policy, to mitigate HERO contract risks while the [redacted] Federal Risk and Authorization Management Program (FedRAMP) authorization was in progress. FedRAMP authorization is required for cloud services and provides an independent, standardized assessment that the provider's information security controls are in place, reducing the risk associated with the provider's data security practices. Without an interim assessment, the Postal Service had no documented verification of those controls for the period before authorization.
This occurred because the contracting officer and the Chief Information Security Officer agreed to award the contract and pursue an agency Authority to Operate without completing the required interim security assessment while [redacted] completed the FedRAMP authorization process. However, [redacted] could not meet the FedRAMP authorization requirements, which delayed the HERO system implementation by 16 months.
Finally, we found that 18 of the 51 HERO invoices issued from June 2016 to January 2020, totaling [redacted] in HERO system payments, were not retained by the contracting officer representative (COR) in Supply Management as required by policy. The COR is required to retain copies of all certified invoice records for six years following contract closeout. Subsequently, Accounts Payable located copies of 17 of the 18 missing invoices and provided them to Supply Management.
This occurred because of frequent turnover in the COR position and because no policy existed at the time requiring centralized electronic storage of hard copy invoices. Without adequate controls over contract records, management may not be able to verify all amounts paid or services rendered, creating a risk of overpayment or of paying for services not received.
We recommend management:
- Update Management Instruction AS-800-2014-4, Cloud Computing Policy, to include early demonstrations of system functionality to key stakeholders to validate and verify the alignment of business needs and the technical capabilities before purchasing any cloud software solutions.
- Update Management Instruction AS-800-2014-4, Cloud Computing Policy, to state the Vice President, Information Technology, must approve a waiver for cloud solution purchases when the policy is not followed.
- Update the Supplying Principles and Practices to state that the processes outlined in Management Instruction AS-800-2014-4 must be completed before awarding cloud solution contracts.
- Update the Postal Service Handbook AS-805, Information Security, to define the interim security assessment process, document the associated risks and mitigation plans, ensure proper document retention, and complete the process prior to the purchase of a cloud solution.
- Retrieve the missing HERO invoice and store it in the Contract Authoring and Management System.