Federal Accounting Standards Review of NSA Internally Developed Software Claims


Federal Accounting Standards Advisory Board

  • 12 pages
  • For Official Use Only
  • April 15, 2009


Ms. Wendy Payne
Executive Director, Federal Accounting
Standards Advisory Board
Accounting and Auditing Policy Committee
441 G Street, NW
Room 6814
Mail Stop 6K17V
Washington, DC 20548

Dear Ms. Payne:

The Intelligence Community’s (IC) Accounting Standards Working Group requests the Accounting and Auditing Policy Committee (AAPC) review the National Security Agency (NSA)’s interpretation of internally developed software (IDS) as it relates to the internal use software definitions outlined in Financial Accounting Standards Advisory Board Statement of Federal Financial Accounting Standard (SFFAS) No. 10, Accounting for Internal Use Software. Specifically, NSA requests to direct expense internal software development for unique operational and mission-related software development that predominately does not meet the useful-life timelines and definitions necessary to accumulate and capitalize costs. The enclosed report describes NSA’s business challenges and proposed financial accounting and reporting treatment for mission-related IDS; defines what constitutes mission-related IDS; and documents the rationale for direct expenditure of these costs. The IC Accounting Standards Working Group reviewed this report and approved NSA’ s request to seek an independent, external review of their interpretation of SFFAS No. 10.

My point of contact for this action is Barbara Jones, Acting Director of the Financial Improvement Group. She can be reached at (703) 275-3405 or email barbara.b.jones[at]gov.gov. Please advise Barbara when the AAPC will review this accounting issue. Representatives from my office or the NSA are available to answer any questions and brief the AAPC in either unclassified or classified forum.


Marilyn A. Vacca


1.0 (U) Title

(U) The National Security Agency’s (NSA) proposed accounting treatment for a unique class of developed software to comply with Statement of Federal Financial Accounting Standard (SFFAS) No. 10, Accountingfor Internal Use Software (IUS).

2.0 (U) Issue

(U//FOUO) NSA has a number of unique conditions with internally developed software I used to produce intelligence or provide information assurance2 that impedes our ability to determine on a consistent, reliable, and cost-effective basis the useful life of the software~ or the beginning and end of the software development phase without impacting our mission operations. As a result, NSA has taken the position that mission-related software development costs will be expensed when incurred. The following paragraphs provide support for this position.

2.1 (U) Useful Life Determinations

(U//FOUO) NSA cannot estimate in a consistent, reliable, and cost-effective manner the useful life of mission-related software at the time it enters the “development phase” of the project. The rapid pace of technological advancements and sophistication of our adversaries to develop solutions that counter advances made by NSA often reduces the utility of our mission-related developed software solutions from years to months.

(U//FOUO) NSA has determined that 54 percent of the mission-related systems in operation at the beginning of fiscal year (FY) 2008 were retired from operation during the fiscal year because the capability no longer meets the needs of the Agency. This indicates that NSA’s missionrelated systems will be replaced, on average, at least once every two years. The pace at which technological advancements reduce the utility of NSA’s mission-related systems does not permit our program managers to develop a reliable and cost-effective estimate of mission-related system useful life.

(U//FOUO) NSA also assessed whether prior mission-related system development projects would be useful in determining the useful life of new development projects. We determined that 93 percent of the total number of system projects retired in FY 2008 were replaced with another system capability, which indicates that mission-related system development projects provide new capabilities that are needed to replace outdated capabilities. In effect, the new projects are a “first of its kind” system development that renders the prior system useful life essentially meaningless in determining the useful life of new system development projects.

(U//FOUO) NSA contacted a number of Federal agencies (see Section 8.0) to determine if there were best practices currently being used in the Federal government that could be applied to NSA’s unique mission-related system development projects. We determined that most Federal agencies internal system development efforts were designed to meet specific agency mission needs, and the development projects did not provide mission-related capabilities similar to NSA’s that could be used to estimate the useful life of NSA’s development projects. The other Federal agencies standard life-cycle includes easily identifiable milestones that trigger the start and end period of the software development phase, the period for which development costs should be capitalized in accordance with SFFAS No. 10. We were unable to identify another Federal agency whose mission-related internal software development life-cycle requires a condensed development schedule, and/or a mixture of design and development activities in the same phase, as NSA must perform to meet end-users immediate technological needs.

(U//FOUO) Our mission program managers project that technology will continue to advance at the rapid pace it has over the last several years for the foreseeable future. As a result, the uncertainty with the useful life of mission-related developed software does not warrant an investment of significant resources to determine on a case-by-case basis what would be at best an unreliable projection of mission-related useful life.

2.2 (U) Software Development Phase Determinations

(U//FOUO) NSA is not able to accumulate in a consistent, reliable and cost-effective manner software development costs related to mission-related projects. This is a direct result of NSA’s need to rapidly deploy our software solutions to meet our end-users immediate military and homeland security needs.

(U//FOUO) A “standard” software development life-cycle usually begins with the receipt of a capability need and the development of requirements that will define what the software is required to do; as well as an evaluation and test of alternatives. Once a final solution is determined, software configuration control boards and other oversight organizations will approve the solution and funding is provided to begin software development activities. The software development phase will end when user testing is complete and the software is deployed into operation. The software development lifecycle is consistent with SFFAS No. 10.

(U//FOUO) NSA’s mission-related development activities do not follow a “standard” software development life-cycle because our development activities must be responsive to our end users immediate requests for emerging and advanced technological capabilities. NSA’s mission related development life-cycle requires development activities, such as coding of software, be performed in conjunction with the design of the solution, making mission-related software design and development activities indistinguishable.

(U//FOUO) For example, NSA often receives urgent requests from customers to monitor communications of adversaries who often use new technology to escape detection. To meet the immediate need of the end user, our technical managers begin writing software code while the final solution is still being developed. This dual tracked effort is performed to significantly reduce the development schedule. NSA does not have time to evaluate and test alternative solutions; and as a result, NSA’s mission-related internally developed software life-cycle must be flexible and condensed to meet end-user immediate needs.

(U//FOUO) Mission-related software projects are often deployed directly into operations before product testing is completed and formal user acceptance has occurred, making the consistent and reliable determination of whether mission-related software development activities are complete virtually impossible. In many instances, software deployed directly into operation does not always meet the capability of the end-user; and therefore, NSA must either abandon the software project or return it to NSA’s developers for further design activities. This process may occur several times throughout NSA’ s mission-related development life-cycle, further impeding the determination of whether the software project is in the development phase as defined by SFF AS No. 10.

2.3 (U) Cost Benefit Determinations

(U//FOUO) It is cost prohibitive for NSA to determine in a consistent and reliable manner, the useful life or capitalized development costs for mission-related systems/software. We expect technological advancements to occur at the current rapid pace, so it is reasonable to conclude that NSA will initiate a significant number of mission-related system development projects in FY 2009 and beyond; and as a result, NSA believes that it is cost-prohibitive to determine, on a caseby-case basis, whether these mission-related system development projects will meet the capitalization requirements of SFFAS No. 10.

(U//FOUO) While NSA cannot determine an actual cost should the FASAB’s Accounting and Auditing Policy Committee (AAPC) reject our position to expense mission-related development costs when incurred, we have identified some of the additional costs that would have to be borne by NSA:

• (U) Re-configuration of Management Information Systems – additional hardware, software, and contractor implementation costs to re-configure management information systems (e.g., project costing, time and labor, etc.) that will allow the Agency to accumulate costs incurred during the software development phase.

• (U) Modification to existing processes and controls – costs associated with the development and implementation of business processes and controls to accumulate reliable financial information on mission-related software development costs.

• (U//FOUO) Impact on mission service delivery- cost to our customers of delaying the delivery of our mission capabilities.

(U//FOUO) Considering the uncertainties with the utility of mission-related software and the cost benefits of tracking system development phase costs for a significant number of system projects each year, our request to expense mission-related system development project costs when they occur is appropriate and in compliance with SFFAS No. 1o.

2.4 (U) Conclusion

(U//FOUO) The persuasive uncertainties that exist around the utility of NSA’s mission-related developed systems and the determination of when the projects enter or leave the development phase, combined with the costs that would be required to accumulate mission-related system development project costs on a project-by-project basis, supports our position that these development costs should be expensed when occurred.

4.0 (U) Audit Findings

(V) NSA’ s need to revise our accounting treatment for IVS was derived from an audit finding as identified below:

• (U) Type of review – the Agency performed an audit readiness self-assessment in accordance with its Financial Management Solutions (FMS) Program. The review included Internal Use Software which is a sub-component of the Agency’s Property, Plant and Equipment (PPE) financial statement line.

• (U) Who Conducted Review – the audit assessment was performed by PricewaterhouseCoopers LLP, as a subcontractor to NSA’s FMS Prime Contractor, Accenture National Security Services LLC.

• (U) Date of Review – A final PPE Assessment Report was delivered to NSA on February 15, 2005.

• (U//FOUO) Findings – The report stated the following: “The Agency does not account for the direct and indirect costs associated with Internal Use Software, as defined in SFFAS No. 10 Accountingfor Internal Use Sl?ftware. Additionally, no process exists to perform an inventory or determine the value of Internal Use Software.”

• (U) Status of Findings

o (U//FOUO) NSA established an IUS Working Group to address the conditions identified in the contractor’s PPE Assessment Report.

o (UIIFOUO) The IUS Working Group segregated the IUS Audit Remediation Project into three distinct classes of IUS: (1) Commercial Off-the-Shelf (COTS) software purchases; (2) software projects related to signals intelligence and information assurance activities; and (3) software projects for all other NSA activities.

o (U//FOUO) NSA developed a position that development costs related to mission-related system software should be expensed when incurred because of the conditions discussed in Section 2 of this paper. All COTS and other software project costs would be capitalized in accordance with the criteria outlined in SFFAS No. 10.

o (U//FOUO) NSA is in the initial phases of developing processes and controls around the accounting and financial reporting of COTS and non-mission developed software. At this time, there are no significant issues that would impede NSA’s ability to complete remediation activities in accordance with its audit readiness objective.

5.0 (U) Current Practice

(U//FOUO) NSA’s current practice with respect to all developed software is to expense costs when incurred. NSA’s audit compliance contractor determined that this practice was not in compliance with SFFAS No. 10, and that this would impede an audit of NSA’s financial statements. To resolve these impediments, NSA developed and is implementing an audit remediation plan for IUS with a planned remediation date of December 31, 2010.

6.0 (U) NSA Position

(U//FOUO) NSA will capitalize in accordance with the criteria set-forth in SFFAS No. 10; COTS purchases; non-mission-related:l software development costs; and mission-related software project costs that are integral to fixed-asset development projects, provided that the capitalized costs exceed NSA’s materiality thresholds. Capitalized costs will be amortized over the useful life of the software or the fixed asset.

(U//FOUO) Other mission-related software development costs will be expensed when incurred. The rapid pace of technological advancements that are being made by our adversaries imbeds too much uncertainty as to whether software projects will have a useful life equal to or exceeding two years. In addition, NSA’s mandate to meet our customers intelligence and information assurance needs in real-time requires a condensed software development life-cycle that prohibits a reliable, consistent and cost effective determination of whether software projects are in the software development phase as defined by SFFAS No. 10; and therefore, when the accumulation of capitalized software development costs should occur.

(U//FOUO) NSA’s IUS Working Group also believes that the cost to re-configure management information systems to accumulate mission-related software development costs on a project-byproject basis, and that would not affect the delivery of our mission program capabilities, would far exceed the benefits that would be derived from the capitalization and amortization of software costs in NSA’s financial statements.

Share this: