US GAO Holds Third Quarterly WGITA Webinar on “Auditing Legacy IT Systems”
Government Accountability Office (GAO) hosted a webinar on August 11, 2021, in the framework of the INTOSAI Working Group on IT Audit (WGITA) Work plan 2020-22. More than 240 participants joined the meeting.
The Topic of the webinar “Auditing Legacy IT Systems” was taken up with the aim of enhancing knowledge of member SAIs and other organisations interested in the field of Information Systems Audit by disseminating information on the relevant areas through a series of quarterly webinars. SAI India and U.S. Government Accountability Office (US GAO) are the co-leads for the project.
The webinar was presented by the following members of GAO’s Information Technology and Cybersecurity Team:
- Kevin Walsh, Director
- Jessica Waselkow, Assistant Director
- Meredith Raymond, Senior IT Analyst.
During the session they presented a GAO report on legacy systems, or those that use outdated programming languages, unsupported hardware and software, and/or are operating with known security vulnerabilities.
This report was prepared in 2019 and identified the most critical U.S. legacy systems in need of modernization, evaluated the agencies’ plans for modernizing them; and identified examples of legacy system modernization initiatives in the previous 5 years that agencies considered successful.
The U.S. government planned to spend over $90 billion in 2019 fiscal year on information technology, with most of the amount to be used to operate and maintain existing systems, including aging systems. These systems can be more costly to maintain and vulnerable to hackers. Also they can make it difficult for agencies to reliably meet mission needs and agencies can have trouble finding staff who know how to use the systems’ old technology and code.
US GAO analyzed 65 federal legacy systems and identified the 10 most critical at 10 agencies ranging from Defense to Treasury. The systems were 8 to 51 years old, and were vital to providing essential services like emergency management, health care, and defense. Three agencies had no documented plans to modernize. Two had plans that included key practices for success. Some of them also used outdated code, relied on hardware and software that is no longer supported by the manufacturers, or had major security risks.
However, agencies identified at least 94 examples of legacy systems being successfully modernized in the previous 5 years. The five examples that GAO selected of successful information technology (IT) modernization initiatives included transforming legacy code into a more modern programming language and moving legacy software to the cloud. Doing so allowed the agencies to reportedly leverage IT to successfully address their missions and achieve a wide range of benefits, including cost savings.
In the report GAO is making a total of eight recommendations – one to each of eight agencies – to ensure that they document modernization plans for the selected legacy systems. The eight agencies agreed with GAO's findings and recommendations, and seven of the agencies described plans to address the recommendations.
Presentation of the report provoked intense interest among the participants. The amount of questions was so high and taken the limited time of the meeting the GAO representatives promised to address all the uncovered topics in the written form after the webinar.