
Jul 13, 2015
Report Number: IT-AR-15-006
Report Type: Audit Reports
Category: Technology

Software Development Processes

Background

Organizations spend significant resources developing, acquiring, and maintaining applications that manage critical information. To ensure proper governance over software development, the U.S. Postal Service uses development processes to ensure proper design, development, and testing of each new or modified application. The Postal Service has one of the country’s largest retail networks and has developed over 2,200 software applications to manage its business activities.

The Postal Service uses various processes to ensure each new or modified application is properly designed, developed, and tested. To remain competitive, it must use technology that continues to meet customer needs and achieve business goals. Currently, there are about 100 applications under development to optimize the value of the postal infrastructure and leverage technology to drive business value.

Our objective was to determine whether the Postal Service’s software development processes are adequate to manage development risk and reflect best practices.

What The OIG Found

The Postal Service does not consistently manage software development risk or properly develop and maintain documentation for applications in accordance with current Postal Service policies. We found that project teams are not always executing the required phases of the development process. Also, non-national (field) applications do not always adhere to the approved development processes and are not included in the governance and compliance process.

Further, we found the current governance and compliance review process does not ensure all software development complies with Postal Service policies. Finally, management is not consistently maintaining application status and proper documentation in the required repositories. We determined that management did not maintain 1,100 of the 3,451 required documents for the 71 applications we sampled.

These issues exist because current policy does not clearly define roles and responsibilities for documenting system requirements and testing system functionality. In addition, software development processes do not address non-national application development. Finally, management does not conduct quality reviews or follow-up to ensure all phases of the process are complete.

Without an adequate software development process, the Postal Service risks developing applications that do not meet customer needs or achieve business goals. In addition, there is a higher risk of cost overruns and project delays, which limit the organization’s ability to optimize infrastructure and leverage technology to drive business value. We identified potential schedule delays and cost overruns of about $4.5 million. 

What The OIG Recommended

We recommended management define specific roles and responsibilities for the requirements and testing phases and ensure that all system requirements are documented and tested prior to migration to production. We also recommended management train personnel to test correctly. Finally, we recommended management revise policies to require quality reviews, update application status, and upload documentation at the completion of each development phase. Because of the 2014 cyber intrusion, management disallowed non-national application development; therefore, we are not recommending further action on this issue.

 

Report Recommendations

| # | Recommendation | Status | Value | Initial Management Response | USPS Proposed Resolution | OIG Response | Final Resolution |
|---|---|---|---|---|---|---|---|
| 1 | R-1: Update the Technology Solutions Life Cycle policies and processes to define which groups are responsible for requirements gathering, design, and testing phases. | Closed | $0 | Agree | | | |
| 2 | R-2: Implement guidance and training to Business Owners for the customer testing process and ensure that testing teams are following requirements in Handbook AS-805, Information Security. | Closed | $0 | Agree | | | |
| 3 | R-3: Ensure that all new system requirements and modifications are gathered, analyzed, and documented, and thoroughly tested prior to migration to production. | Closed | $0 | Agree | | | |
| 4 | R-4: Update development policies including the Technology Solutions Life Cycle (TSLC) governance and compliance policy to include all software development phases in the monthly governance and compliance review process and update the system retirement process to designate responsibility for updating the application status in the TSLC Artifacts Library. | Closed | $0 | Agree | | | |
| 5 | R-5: Revise policies to require program managers to upload required documentation into the Technology Solutions Life Cycle (TSLC) Artifacts Library at the completion of each phase of the TSLC process. | Closed | $0 | Agree | | | |