Business Systems Modernization

IRS Needs to Complete Recent Efforts to Develop Policies and Procedures to Guide Requirements Development and Management Gao ID: GAO-06-310 March 20, 2006

The Internal Revenue Service's (IRS) effort to modernize its tax administrative and financial systems--Business Systems Modernization (BSM)--has suffered delays and cost overruns due to a number of factors, including inadequate development and management of requirements. Recognizing these deficiencies, IRS created a Requirements Management Office (RMO) to establish policies and procedures for managing requirements. GAO's objectives were to assess (1) whether the office has established adequate requirements development and management policies and procedures and (2) whether BSM has effectively used requirements development and management practices for key systems development efforts.

BSM does not yet have adequate policies and procedures in place to guide its systems modernization projects in developing and managing requirements. In January 2006, the RMO developed a set of draft policies that address some key areas of requirements development and management; these policies are to serve as interim guidance while the final policies and processes are being developed. At the conclusion of GAO's review, the RMO also provided a high-level plan that includes milestones for completing these policies. Since critical BSM projects continue to be pursued and completion of the policies and procedures is not expected until March 2007, it is critical that BSM immediately implement the draft policies and continue to develop the final policies. As a result of the lack of policies and procedures, the one ongoing project--Modernized e-File (MeF)--and the two completed projects--Filing and Payment Compliance (F&PC) and Customer Account Data Engine (CADE)--GAO reviewed did not consistently follow disciplined practices for systems development and management. For example, all three projects had a key element of managing requirements--a change management process that requires approvals and impact assessments to be completed when there are changes to requirements--but none met all of the practices needed for effective requirements management. In addition, two projects did not have a clear, consistent way to elicit (gather) requirements, two did not have fully documented requirements, and two could not produce fully traceable requirements (i.e., the requirements could not be tracked through development and testing), which is another key element of managing requirements. Unless IRS takes the steps needed to develop and institutionalize disciplined requirements development and management processes and implements draft policies in the interim to cover key areas of requirements development and management, it will continue to face risks, including cost overruns, schedule delays, and performance shortfalls.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


GAO-06-310, Business Systems Modernization: IRS Needs to Complete Recent Efforts to Develop Policies and Procedures to Guide Requirements Development and Management This is the accessible text file for GAO report number GAO-06-310 entitled 'Business Systems Modernization: IRS Needs to Complete Recent Efforts to Develop Policies and Procedures to Guide Requirements Development and Management' which was released on April 19, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Subcommittee on Transportation, Treasury, the Judiciary, HUD, and Related Agencies, Committee on Appropriations, U.S. Senate: March 2006: Business Systems Modernization: IRS Needs to Complete Recent Efforts to Develop Policies and Procedures to Guide Requirements Development and Management: GAO-06-310: GAO Highlights: Highlights of GAO-06-310, a report to the Subcommittee on Transportation, Treasury, the Judiciary, HUD, and Related Agencies, Committee on Appropriations, U.S. Senate. Why GAO Did This Study: The Internal Revenue Service‘s (IRS) effort to modernize its tax administrative and financial systems”Business Systems Modernization (BSM)”has suffered delays and cost overruns due to a number of factors, including inadequate development and management of requirements. Recognizing these deficiencies, IRS created a Requirements Management Office (RMO) to establish policies and procedures for managing requirements. GAO‘s objectives were to assess (1) whether the office has established adequate requirements development and management policies and procedures and (2) whether BSM has effectively used requirements development and management practices for key systems development efforts. To improve the requirements development and management practices at IRS, GAO recommends that the Commissioner of Internal Revenue direct the Associate Chief Information Officer for BSM to (1) ensure that BSM completes delivery of policies and procedures for requirements development and management as planned and (2) immediately implement interim policies for BSM projects while final policies and procedures are being developed. The Commissioner agreed with our recommendations and described steps taken to address them. What GAO Found: BSM does not yet have adequate policies and procedures in place to guide its systems modernization projects in developing and managing requirements. In January 2006, the RMO developed a set of draft policies that address some key areas of requirements development and management; these policies are to serve as interim guidance while the final policies and processes are being developed. At the conclusion of GAO‘s review, the RMO also provided a high-level plan that includes milestones for completing these policies. Since critical BSM projects continue to be pursued and completion of the policies and procedures is not expected until March 2007, it is critical that BSM immediately implement the draft policies and continue to develop the final policies. As a result of the lack of policies and procedures, the one ongoing project”Modernized e-File (MeF)”and the two completed projects”Filing and Payment Compliance (F&PC) and Customer Account Data Engine (CADE)”GAO reviewed did not consistently follow disciplined practices for systems development and management (see table). Table: Requirements Activities Completed on BSM. [See PDF for Image] [End of Figure] For example, all three projects had a key element of managing requirements”a change management process that requires approvals and impact assessments to be completed when there are changes to requirements”but none met all of the practices needed for effective requirements management. In addition, two projects did not have a clear, consistent way to elicit (gather) requirements, two did not have fully documented requirements, and two could not produce fully traceable requirements (i.e., the requirements could not be tracked through development and testing), which is another key element of managing requirements. Unless IRS takes the steps needed to develop and institutionalize disciplined requirements development and management processes and implements draft policies in the interim to cover key areas of requirements development and management, it will continue to face risks, including cost overruns, schedule delays, and performance shortfalls. To view the full product, including the scope and methodology, click on the link above. For more information, contact David A. Powner at (202) 512-9286 or pownerd@gao.gov or Keith A. Rhodes at (202) 512-6412 or rhodesk@gao.gov. [End of Section] Contents: Letter: Results in Brief: Background: BSM Lacks Policies and Procedures for Requirements Management: BSM Projects Have Not Consistently Followed Disciplined Requirements Development and Management Practices: Conclusions: Recommendations for Executive Action: Agency Comments: Appendixes: Appendix I: Scope and Methodology: Appendix II: Project Descriptions: Appendix III: Comments from the Department of the Treasury: Appendix IV: GAO Contact and Staff Acknowledgments: Tables: Table 1: Requirements Activities Completed on BSM Projects: Table 2: MeF Releases and Functionality: Table 3: Development and Steady State Costs for MeF: Table 4: F&PC Releases and Functionality: Table 5: Development Costs for F&PC: Table 6: CADE Releases and Functionality: Table 7: Development Costs for CADE: Figures: Figure 1: IRS BSM Funding Fiscal Year 1999 to Fiscal Year 2005: Figure 2: Requirements Development and Management Process and Typical Work Products/Activities: Abbreviations: BSM: Business Systems Modernization: CADE: Customer Account Data Engine: CCS: Collection Contract Support: CM: Configuration Management: CMMI: Capability Maturity Model Integration: ELC: Enterprise Life Cycle: F&PC: Filing and Payment Compliance: IEEE: Institute of Electrical and Electronics Engineers: IRS: Internal Revenue Service: MeF: Modernized e-File: PDC: Private Debt Collection: RMO: Requirements Management Office: SEI: Software Engineering Institute: TIGTA: Treasury Inspector General for Tax Administration: Letter: March 20, 2006: The Honorable Christopher S. Bond: Chairman: Subcommittee on Transportation, Treasury, the Judiciary, HUD, and Related Agencies Committee on Appropriations: United States Senate: Dear Mr. Chairman: The Internal Revenue Service (IRS) has long relied on obsolete automated systems for key operational and management functions; its attempts to modernize these systems span several decades. IRS's current effort--Business Systems Modernization (BSM)--is a highly complex, multibillion dollar effort to modernize its technology and related business processes. Over the past 7 years, IRS has been appropriated approximately $1.9 billion for BSM. These systems modernization projects have experienced cost overruns and schedule delays due to, among other things, inadequate development and management of requirements.[Footnote 1] Lack of attention to these crucial processes has led to projects not meeting cost, schedule, and performance goals. IRS has recognized these deficiencies and established a Requirements Management Office (RMO) to, among other things, develop the policies and procedures that are to cover all aspects of requirements development and management. This report responds to your request that we assess (1) whether the RMO has established adequate requirements development and management policies and procedures and (2) whether BSM has used effective requirements development and management practices for key systems development efforts. To accomplish our objectives, we reviewed BSM requirements development and management policies, guidance, procedures, and tools. We also analyzed two completed and one ongoing BSM systems development projects[Footnote 2] and interviewed appropriate IRS and contractor officials. Further details on our objectives, scope, and methodology are provided in appendix I. Our work was performed from June 2005 through February 2006 in accordance with generally accepted government auditing standards. Results in Brief: BSM does not yet have adequate policies and procedures in place to guide its systems modernization projects in developing and managing requirements. In January 2006, the RMO developed a set of draft policies that address key areas of requirements development and management; these policies are to serve as interim guidance while the final policies and processes are being developed. At the conclusion of our review, BSM provided us the draft policies and a high-level plan that includes milestones for completing these policies. Since critical BSM projects continue to be pursued and completion of the policies and procedures is not expected until March 2007, it is critical that BSM immediately implement the draft policies and continue to develop the final policies. As a result of the lack of policies and procedures, BSM projects did not consistently follow disciplined requirements development and management practices. For example, all three projects had a change management process in place that requires approvals and impact assessments to be completed when there were changes to requirements. However, none of the projects met all of the practices needed for effective requirements management. For example, two did not implement all needed practices in eliciting (gathering) requirements; two did not have fully documented requirements; and two could not produce fully traceable requirements (i.e., the requirements could not be tracked through development and testing). Unless BSM takes the steps needed to develop and institutionalize disciplined requirements development and management processes and to improve interim guidance, it will continue to face risks, including cost overruns, schedule delays, and performance shortfalls. We are recommending that the Commissioner of Internal Revenue direct the Associate Chief Information Officer for BSM to ensure that BSM completes the delivery of policies and procedures for requirements development and management, as planned. In addition, we also recommend that the interim policies for BSM be immediately implemented while the final policies and procedures are being developed. In providing written comments on a draft to this report, the Commissioner of Internal Revenue agreed with our findings and stated that the report provided a sound and balanced representation of the progress IRS has made to date as well as work that remains to be completed. The Commissioner also described the actions that IRS is taking to implement our recommendations, including establishing a schedule to complete the development of policies that address the areas of requirements elicitation, documentation, verification and validation, and management. The Commissioner's written comments are reprinted in appendix III. Background: IRS is currently replacing its antiquated tax administration and financial systems. This effort, as we have reported numerous times,[Footnote 3] has suffered delays and cost overruns due to a number of reasons, including inadequate development and management of requirements. History of IRS Modernization: The IRS tax administration system, which collects approximately $2 trillion in annual revenues, is critically dependent on a collection of obsolete computer systems. Congress and IRS designed the BSM program to bring IRS tax administration systems to a level equivalent to private and public sector best practices, while managing the risks inherent in one of the largest, most visible, and sensitive modernization programs under way. Over the past 7 years, IRS has been appropriated approximately $1.9 billion for BSM (see fig. 1). Figure 1: IRS BSM Funding Fiscal Year 1999 to Fiscal Year 2005: [See PDF for image] [End of figure] BSM is critical to supporting IRS's taxpayer service and enforcement goals. For example, BSM includes projects to allow taxpayers to file and retrieve information electronically and to help reduce the backlog of collection cases. It also provides IRS with the reliable and timely financial management information it routinely needs to account for the nation's largest revenue stream. BSM has had some recent successes with its modernization efforts. During 2004, IRS implemented initial versions of (1) Modernized e-File (MeF), which provides electronic filing for large corporations and tax- exempt organizations; (2) e-Services, which created a Web portal and other electronic services to promote the goal of conducting most IRS transactions with taxpayers and tax practitioners electronically; (3) Customer Account Data Engine (CADE), which will replace the current system that contains the agency's repository of taxpayer information; and (4) the Integrated Financial System, which replaced aspects of IRS's core financial systems and is ultimately intended to operate as its new accounting system of record. However, despite these successes, IRS has had difficulty developing and managing requirements for its modernization efforts over the years. We reported in 1995[Footnote 4] that IRS did not have the requisite software development capability to successfully complete a major modernization effort and that the success of modernization would depend on whether IRS would promptly address the weaknesses in several software development areas, including requirements management. In 1998, we assessed IRS's systems life cycle document and reported[Footnote 5] a lack of sufficient information to document how business requirements were to be specified. More recently, in February and November of 2004, we reported in testimony and a report[Footnote 6] that cost overruns in various BSM projects, including CADE, MeF, and e-Services, were due in part to inadequate definition of requirements for their new systems, leading to incorporation of additional requirements late in the system's life cycle and at a higher cost than if they had been included in the initial requirements baseline. We continue to highlight management control weaknesses such as these in our annual expenditure plan reviews.[Footnote 7] Other organizations that have assessed BSM projects have also found that IRS has not developed and managed requirements sufficiently on various projects. In 2001, the Treasury Inspector General for Tax Administration (TIGTA) reviewed[Footnote 8] key systems development practices of four BSM projects[Footnote 9] and reported that weaknesses in several process areas, including requirements management, were responsible for cost increases and schedule delays. TIGTA noted that these weaknesses raised the risk that systems would be developed that would not meet the needs of the businesses they were intended to support and recommended that BSM strengthen and/or implement aspects of these key systems development practices. In 2003, an independent technical assessment[Footnote 10] of CADE noted significant breakdowns in developing and managing requirements, which resulted in the inability of CADE to meet its original schedule. The assessment further stated that IRS focused primarily on the high-level business requirements and paid less attention to the development of specific, testable requirements developed later in the development life cycle and that responsibility for developing and managing the requirements was distributed among their various organizational component, instead of being concentrated in a centralized authority. BSM has acknowledged that it has weaknesses in developing and managing requirements; since 2004, requirements management has been one of its high-priority initiatives.[Footnote 11] To demonstrate their commitment to improving the development and management of requirements, it created an RMO in October 2004. This office is to address issues related to (1) lack of quality and completeness of modernization requirements, (2) lack of alignment of modernization requirements with business strategy and needs, (3) risks incurred by projects transitioning to development without a sufficient requirements baseline, and (4) lack of visibility into a fully traceable set of modernization requirements. During 2005, the RMO created a Concept of Operations that showed, at a high level, the RMO's plans to address requirements practices, and, in November 2005, it obtained contractor support to develop new policies and procedures. Requirements Development and Management: According to the Software Engineering Institute's (SEI) Capability Maturity Model Integration[Footnote 12] (CMMISM), the requirements for a system describe the functionality needed to meet user needs and perform as intended in the operational environment. A disciplined process for developing[Footnote 13] and managing[Footnote 14] requirements can help reduce the risks of developing or acquiring a system. A well-defined and managed requirements baseline can, in addition, improve understanding among stakeholders and increase stakeholder buy-in and acceptance of the resulting system. The practices underlying requirements development and management include eliciting, documenting, verifying and validating, and managing the requirements through the systems life cycle (see fig. 2). This set of activities translates customer needs from statements of high-level business requirements into validated, testable systems requirements. Figure 2: Requirements Development and Management Process and Typical Work Products/Activities: [See PDF for image] [End of figure] Requirements Development and Management Processes: Elicitation: The requirements development process starts with project teams eliciting, or gathering, requirements from stakeholders or participants involved in the project (e.g., customers and users). Since the usefulness of the system to its users and stakeholders is critically dependent on the accuracy and completeness of the requirements, all user groups and stakeholders should be identified and involved in defining requirements. In addition to gathering requirements from users and other stakeholders, analysis and/or research can be used to identify additional requirements that balance stakeholder needs against constraints and ensure that the requirements can be met in the proposed operational environment. Documentation: After requirements have been elicited, they are analyzed in detail; documented as the business, or high-level, requirements; and agreed to by all stakeholders. Stakeholder agreement is an important part of this activity and is needed to demonstrate that the requirements accurately define intended uses. The business requirements should then be decomposed into detailed system requirements, which are analyzed to ensure that they can be implemented in the expected operational environment and that they can satisfy the objectives of higher-level requirements. The final requirements are approved by all stakeholders and documented as the requirements baseline. Once the baseline is established, it is placed under configuration management (CM)[Footnote 15] control. Verification and Validation: Once the requirements baseline has been developed, the requirements are analyzed and broken down into more specific system-level requirements and eventually into the code that makes up the system. The verification process ensures that the system-level requirements and the resulting code are an accurate representation of stakeholder needs. This process includes checking selected work products, such as software code, against the initial baseline requirements to ensure that the lower- level items fully satisfy the higher-level requirements. It is an inherently incremental process, occurring throughout the development of the product. This agreement between work products, such as code and baseline requirements, is verified by conducting peer reviews. Peer reviews can also be used to identify action items that need to be addressed. Without such reviews, an organization is taking a risk that substantial defects will not be detected until late in the development and/or testing phases, or even after the system is implemented. While the system is being developed, each component must be tested to ensure that its outputs are accurate. Testing (e.g., unit, system integration, and user acceptance) is the process of executing a program with the intent of finding errors. Clear, complete, and well-documented requirements are needed in order to design and implement an effective testing program. Linking the testing activities back to the requirements assures the organization that, once testing activities are successfully completed, all requirements have been addressed and will be met by the system. Without such assurance, it is possible for a requirement to be missed in development and the resulting lack of functionality not noticed until late in testing, or even after deployment. Management: Requirements, once developed and approved, also need to be managed throughout the system life cycle. Two key areas of requirements management are addressing changes to requirements and establishing and maintaining bidirectional traceability from high-level requirements through detailed work products to test cases and scenarios. As mentioned earlier, once a set of high-level requirements is documented, verified, and approved, it is placed under configuration control. From this point, changes to the requirements are evaluated and validated as part of the change control process.[Footnote 16] Change control includes reviewing and assessing proposed changes to the requirements to determine the reasons for the changes, determining if these changes are occurring due to flaws in the requirements development process, and ensuring that any effects of the change on other requirements as well as on the cost, schedule, and performance goals of the project are determined and assessed. Establishing and maintaining traceability from initial requirements to work products and the resulting system is also important. A requirements traceability matrix demonstrates forward and backward (bidirectional) traceability from business requirements to detailed system requirements all the way through to test cases. BSM Lacks Policies and Procedures for Requirements Management: BSM does not yet have adequate policies and procedures in place to guide its systems modernization projects in developing and managing requirements. In January 2006, the RMO developed a set of draft policies that address key areas of requirements development and management; these policies are to serve as interim guidance while the final policies and processes are being developed. At the conclusion of our review, the RMO provided us the draft policies and a high-level plan that includes milestones for completing these policies. Since critical BSM projects continue to be pursued and completion of the policies and procedures is not expected until March 2007, it is critical that BSM immediately implement the draft policies and continue to develop the final policies. BSM Lacks Comprehensive Policies and Procedures for Requirements Development and Management, but Has Initiated Their Development: BSM does not have comprehensive, detailed policies and procedures for requirements management and development activities that include requirements elicitation, documentation, verification and validation, and management. During our review, BSM officials were unable to provide us with detailed policies and procedures and agreed that they do not have such documents. Project teams were not consistent in their understanding of which guidance they should use for the development and management of requirements; some project team members mentioned BSM's Enterprise Life Cycle[Footnote 17] (ELC); others said they were waiting for guidance from the RMO. Our review of the ELC showed that it did not provide the procedures project managers would need to properly perform the steps in the requirements development and management process. BSM program officials agreed that the ELC did not provide the needed guidance. In December 2005, the RMO completed an analysis of requirements development and management areas that need improvement. The RMO found, as we did, that BSM lacks detailed guidance; their recommendations included developing process handbooks for aspects of requirements elicitation, documentation, verification and validation, and management. Subsequently, in January 2006, BSM officials developed draft guidance that covers aspects of requirements development and management. However, this guidance does not fully address requirements elicitation, documentation, verification and validation, and management. At that time, BSM also provided us with a high-level plan that contains interim milestones and establishes a March 2007 completion date for the final set of policies and procedures. BSM officials told us that these draft policies are to serve as interim guidance while the remaining policies and procedures are being developed. In addition, IRS also uses its governance processes, particularly the milestone exit reviews, to find and mitigate issues and problems with requirements development and management on existing projects. Finally, the RMO is allocating resources to key projects-- such as F&PC version 1.2--to assist them in developing requirements. Without a formal set of documents that detail organizational policies and associated procedures, employees and contractors will rely on their individual knowledge and expertise to complete requirements development and management activities. This raises the risk of cost overruns, schedule delays, and reduction of functionality. Since critical BSM projects are already under way, and completion of the policies and procedures is not set until March 2007, it is urgent that BSM immediately implement the draft policies. Until BSM develops and implements policies and procedures that fully address the key areas of requirements development and management, including elicitation, documentation, tracking of cost and schedule impacts associated with requirements changes, and establishing and maintaining full bidirectional traceability, ongoing projects will continue to run greater risk of cost and schedule overruns and poor system performance. BSM Projects Have Not Consistently Followed Disciplined Requirements Development and Management Practices: As a result of the lack of policies and procedures, BSM projects varied in the extent to which they followed disciplined requirements practices. All three projects we reviewed--MeF release 3.2 (to be deployed March 2006), and F&PC release 1.1 (deployed January 2006), and CADE release 1.1 (deployed July 2004)--performed some of the practices associated with sound requirements development and management. For example, all three projects had a change management process in place that requires approvals and impact assessments to be completed when changes are made to requirements. However, none of the three BSM project releases we reviewed consistently performed all of the practices needed for effective requirements management. Specifically: * Project teams did not have a clear, documented, and consistent method of eliciting requirements. * Project teams did not adequately document all requirements. * Project teams did not effectively verify requirements. * Project teams did not demonstrate adequate management of requirements. Table 1: Requirements Activities Completed on BSM Projects: Projects: Eliciting requirements; MeF 3.2: Practice Partially Implemented; F&PC 1.1: Practice Partially Implemented; CADE 1.1: Practice Not Implemented. Projects: Documenting requirements; MeF 3.2: Practice Partially Implemented; F&PC 1.1: Practice Fully Implemented; CADE 1.1: Practice Not Implemented. Projects: Verifying and validating requirements; MeF 3.2: Practice Partially Implemented; F&PC 1.1: Practice Partially Implemented; CADE 1.1: Practice Partially Implemented. Projects: Managing requirements; MeF 3.2: Practice Partially Implemented; F&PC 1.1: Practice Fully Implemented; CADE 1.1: Practice Not Implemented. Source: GAO analysis of BSM data. [End of table] Project Teams Have Inconsistent Requirements Elicitation Practices: Based on stakeholder information such as customer expectations, constraints, and interfaces for a system, the requirements elicitation team discovers, defines, refines, and documents business-level requirements. Due to the importance of this activity, plans or strategies should be in place to guide project officials in defining elicitation-related activities and in outlining how the requirements will be gathered (e.g., interviewing the users or analyzing the current or expected business processes). BSM project teams did not have a clear, consistent, and documented method of eliciting requirements for the projects. For example, although the teams identified stakeholders in their project plans, only MeF 3.2 provided evidence that working group meetings were conducted with stakeholders to understand their needs and to identify their problems and expectations and that strategies or plans were developed for eliciting requirements. CADE 1.1 project team members could not describe how they elicited requirements or provide a requirements plan that documented elicitation procedures or strategies. An F&PC project team member stated that, for release 1.1, the project did not have a fully documented process for elicitation; however, the team member stated that the team had held workshops and obtained resources and assistance from the RMO to help mitigate the lack of a process. The RMO used lessons learned from this effort to develop a new requirements elicitation process, which they expect will assist F&PC in elicitation for its next release. BSM project and program officials agreed that requirements elicitation processes could be improved and stated that they were planning to address some of the problems we found. For example, when we asked project officials about the policies and procedures underlying their current requirements elicitation activities, some stated that they were waiting for new policies to be issued by the RMO, and others cited the ELC as guidance. As mentioned earlier, the ELC does not provide the information needed for the requirements elicitation process. Furthermore, F&PC officials could not state which sections in the ELC described the requirements elicitation process. BSM program management and RMO officials acknowledged the lack of policies and procedures and stated that the RMO has since developed new guidance for eliciting requirements that will be piloted on F&PC version 1.2, which is currently entering the requirements development phase. BSM project teams performed elicitation processes in a nonstandard manner due to the lack of policies, procedures, and guidance. Without standardized policies and procedures to guide this key part of requirements development, BSM program officials cannot ensure that its systems development projects have collected and documented all the necessary requirements, which could result in systems being developed that do not meet user needs. Projects Do Not Fully Document Requirements: After collecting and documenting high-level requirements from customers, users, and other stakeholders, the requirements team should analyze these high-level requirements against the conceptual (or expected) operational environment to balance user needs and constraints and to ensure that the system developed will perform as intended. The resulting lower-level requirements should also be analyzed to make sure they can be performed in the expected environment and that they satisfy the objectives of the higher-level requirements. The final requirements are documented in the requirements baseline. The BSM projects we reviewed did not complete all of the activities needed to adequately document requirements. Although project teams provided evidence that they created a set of high-level requirements and obtained approvals from stakeholders on this set of requirements, two of the three projects did not provide evidence that requirements were thoroughly analyzed and decomposed to lower-level system requirements. For example, part of this analysis would link all lower- level systems requirements to the original higher-level business requirements. Only one of the project teams--F&PC--provided documentation showing the necessary linking or mapping of lower-level system requirements to the business requirements. MeF and CADE provided documentation; however, their documentation did not fully demonstrate the linking of system-level requirements to the business requirements. A MeF project official agreed that full linkage of system-level requirements to business requirements should be implemented. The MeF official stated that they planned to implement this in their next version--version 4.0. In addition, a BSM program official indicated that additional project guidance on requirements documentation would be part of the RMO's deliverables and would help to address this issue. Without feasible and clearly defined requirements, projects run the risk of cost overruns, schedule delays, and deployment of systems with limited functionality. For example, incomplete definition of requirements has been cited as one reason for schedule delays and cost overruns for both CADE and MeF. Projects Do Not Fully Verify Requirements; Validation Activities Completed, but Problems Remain: Once requirements are fully documented, software code and other work products that will guide development and testing activities need to be verified using peer review techniques against the original requirements. In addition, these products should be validated through testing to ensure that they will operate effectively in the intended environment. Projects Do Not Fully Verify Requirements through Peer Reviews: Requirements verification ensures that the lower-level requirements, software code, and other work products that will guide development and testing activities are an accurate representation of stakeholder needs. Peer reviews are an important part of the verification process and are a proven mechanism for effective defect removal. During peer reviews, teams of peers[Footnote 18] examine code and other work products to identify defects, determine the causes of the defects, and make recommendations that address changes needed to help ensure that the system will meet stakeholder and developer needs. Peer reviews should follow a structured, formalized process; peer review events should be planned in advance, with items, such as code and other work products, selected in advance; the results of the sessions should be incorporated into peer review reports that project teams are expected to address before moving further into development activities. The BSM project teams did not provide evidence that work products had been verified against requirements through the use of a formalized peer review process and project officials did not follow recommended practices for conducting peer reviews. BSM project team members stated that they conducted customer technical reviews and milestone exit reviews that they considered to be peer reviews; however, these kinds of reviews do not meet the criteria for peer reviews. They were not structured, did not select code and other items in advance to be evaluated, and did not produce formal peer reports with action items that projects were required to address. Project Teams Performing Validation, but Problems Remain: Requirements validation is the process of demonstrating that a product fulfills its intended use in its environment. It differs from the verification activities previously described, in that validation determines that the product will fulfill its intended use, while verification ensures that work products properly reflect the baseline requirements. Validation includes tests conducted on the product during development to prove that the product performs its intended functions correctly. In a disciplined software development process, planning for validation activities begins as requirements are developed; testing activities are critical to determining that a system not only operates effectively but addresses all baseline requirements. To complete validation activities, testing is conducted at several levels, each of which validates that the system will operate effectively at a different level. For example, unit testing validates individual sections of code, and system integration testing ensures that the system as a whole can operate effectively in its environment. User acceptance testing allows the user community to determine whether the system, as developed, can be used to effectively support their work. It also validates that the system meets user expectations. An effective testing process confirms the functionality and performance of the product prior to delivery. It is a crucial process and needs to be well planned, well structured, well documented, and carried out in a controlled and managed way. The BSM projects provided evidence of validation activities, such as test plans and test results. CADE 1.1 officials provided both test plans and test reports. MeF release 3.2 and F&PC release 1.1 are still in the testing phase; they provided available test plans but do not yet have test reports. Despite the existence of test plans and reports, requirements are not fully documented or fully traced. In addition, while the ELC provides guidance on testing that discusses test planning, activities, and test responsibilities, program officials say that this guidance is limited. BSM's Enterprise Services organization has initiated an effort to review, revise, and enhance test procedures across BSM. Therefore, until BSM ensures full documentation and traceability of requirements, questions about the completeness of its testing will remain. Project Teams Not Adequately Managing Requirements: Finally, requirements must be managed through the system development life cycle. We found that the three projects did not fully demonstrate adequate management of their requirements. Although the projects had a formal change control process in place to analyze and manage changes to requirements, associated costs and schedule changes resulting from requirements changes were not always tracked or updated. In addition, projects' documentation did not demonstrate adequate traceability of requirements from the business requirements (high-level requirements) to system requirements (low-level requirements) to test cases. Project Teams Not Updating Cost and Schedule to Reflect Requirements Changes: Managing changes to the original requirements is a formal process to identify, evaluate, track, report, and approve these changes. As work products are developed and more is learned about the system that is being developed, information is occasionally found that requires a change to the original requirements. Modifications to project scope or design can also result in requirements changes. Therefore, projects need to manage these changes to requirements in a structured way. The BSM project teams used a change management process to manage changes to requirements that included documenting the rationale for changes, developing assessments of the impact of the change, and obtaining approvals by the Configuration Change Board. However, only the MeF and F&PC teams provided evidence that their cost and schedule baselines were updated when changes to requirements impacted cost and/ or schedule. For example, CADE officials did not provide any evidence to show how they updated and tracked cost changes resulting from changes to requirements, nor did they provide evidence that the work breakdown structure[Footnote 19] was updated to reflect schedule changes. F&PC officials provided evidence for tracking changes to the cost and schedule. MeF officials provided a document that tracked the cost implications of changes to requirements and the work breakdown structure to reflect schedule changes. A BSM project official indicated that the BSM project was implementing cost and schedule tracking on its current releases. However, it was not clear whether BSM was doing this consistently or whether appropriate guidance for tracking cost and schedule would be provided by BSM. Project teams that do not effectively track cost and schedule changes as a result of changes to requirements will not be able to effectively mitigate the potential impact of these changes to overall cost, schedule, and performance goals, thus raising the risk of cost overruns, schedule delays, and deferral of functionality. Project Teams Not Ensuring Full Traceability of Requirements: Another key element of requirements management is establishing and maintaining the traceability of requirements. Traceability of requirements is tracking the requirements from the inception of the project and agreement on a specific set of business requirements to development of the lower-level system requirements, detailed design, code implementation, and test cases necessary for validating the requirements. Tracing a requirement throughout the development cycle provides evidence that the requirements are met in the developed system and ensures that the product or system will work as intended. Requirements must be traceable forward and backward through the life cycle. Each business requirement must be traceable to associated system requirements and test cases. Without adequate traceability, errors in functionality could occur and not be found until the testing phase, when problems are more costly to fix and time frames for fixing problems without causing a schedule slip for deployment are limited. Of the three projects, only the F&PC team showed evidence of full traceability of the requirements from high-level requirements to low- level requirements. MeF and CADE documentation did not demonstrate clear traceability from the business requirements to lower-level system requirements, coding, and test cases. MeF program officials acknowledged weaknesses in this area and stated that they planned to develop full bidirectional traceability to the business level requirements as part of MeF release 4.0. According to project officials, one reason they do not have full bidirectional traceability is due to the lack of detailed procedures and guidance for traceability of requirements. Until recently, BSM projects were not required to develop and use a traceability matrix. While interim guidance issued by BSM does require the use of traceability matrices and use of its configuration management repository to manage requirements, the guidance lacks the detail needed to ensure that projects meet criteria. BSM program officials agreed that this was an area that needed additional guidance. The RMO is currently reviewing new guidance on how to improve requirements traceability. Without adequate traceability of requirements, system requirements can be missed during development and the agency cannot be assured that validation activities fully demonstrate that all the agreed-upon requirements have been developed, fully tested, and will work as intended. Conclusions: BSM lacks policies and procedures to develop and manage requirements for their systems modernization projects. BSM has acknowledged this deficiency since late 2004 when it listed requirements management as one of its high-priority initiatives and created an RMO. The office has now developed draft policies that cover aspects of eliciting, documenting, verifying and validating, and managing requirements. These draft policies are to serve as guidance to projects teams as BSM projects are pursued. It is critical that BSM implement these draft policies immediately and continue to develop the remaining policies. The three BSM development projects that we reviewed showed significant differences in how they implemented practices for developing and managing requirements. Until BSM and the RMO complete the development of policies and procedures to ensure disciplined requirements development and management practices, projects will not have sufficient guidance to ensure implementation of these practices, which will impair their ability to effectively manage the development and acquisition of critical systems and increase the risk of cost overruns, schedule delays, and deferral of functionality. Recommendations for Executive Action: To improve the requirements development and management policies and practices of the IRS's BSM, we recommend that the Commissioner of Internal Revenue direct the Associate Chief Information Officer for BSM to take the following two actions: 1. Ensure that BSM completes the delivery of policies and procedures for requirements development and management as planned. The policies and procedures should fully describe the processes, include a minimum set of activities required for each project, and provide detailed procedures for each of the key areas of requirements elicitation, documentation, verification and validation, and management. As part of this effort, the policies and procedures should specifically include the following: * A standardized process for the elicitation of requirements that ensures that projects fully investigate the requirements needed for a specific system, including gathering requirements from all relevant users and stakeholders. * A standardized process for the documentation of requirements that ensures full documentation of the baseline requirements. * A process for ensuring formal peer reviews are planned and completed for key products. * Guidance on tracking cost and schedule impacts of changes to requirements for all projects. * Guidance on establishing and maintaining full bidirectional requirements traceability. 2. In addition, since BSM has ongoing projects that are developing and managing requirements and the development of new policies and procedures is not scheduled to be complete until March 2007, the Commissioner should direct the Associate CIO for BSM to immediately implement its draft policies while the final policies and procedures are being developed. Agency Comments: In providing written comments on a draft to this report, the Commissioner of Internal Revenue agreed with our findings and stated that the report provided a sound and balanced representation of the progress IRS has made to date as well as work that remains to be completed. The Commissioner also described the actions that IRS is taking to implement our recommendations, including establishing a schedule to complete the development of policies that address the areas of requirements elicitation, documentation, verification and validation, and management. The Commissioner's written comments are reprinted in appendix III. As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the date of this letter. At that time, we will send copies of this report to the Chairmen and Ranking Members of other Senate and House committees and subcommittees that have appropriation, authorization, and oversight responsibilities for IRS. We are also sending copies to the Commissioner of Internal Revenue, the Secretary of the Treasury, the Chairman of the BSM Oversight Board, and the Director of the Office of Management and Budget. Copies are also available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov.]. Should you or your offices have questions on matters discussed in this report, please contact David A. Powner at (202) 512-9286 or or Keith A. Rhodes at (202) 512-6412. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Sincerely yours, Signed by: David A. Powner, Director, Information Technology Management Issues: Signed by: Keith A. Rhodes, Chief Technologist, Center for Technology and Engineering: [End of section] Appendixes: Appendix I: Scope and Methodology: The objectives of our review were to assess (1) whether the Requirements Management Office (RMO) has established adequate requirements development and management policies and procedures and (2) whether the Business Systems Modernization (BSM) has effectively used requirements development and management practices for key systems development efforts. To assess the adequacy of BSM's requirements development and management policies and procedures, including IRS's Enterprise Life Cycle (ELC),[Footnote 20] we compared it against criteria based on industry standards and best practices, including the Software Engineering Institute's (SEI) Capability Maturity Model Integration (CMMISM) version 1.1. We also reviewed draft policies and procedures provided by the RMO in February 2006 and compared them against this criteria. In addition, we interviewed appropriate BSM officials to discuss the creation and goals of the RMO and whether there were BSM requirements development and management policies and procedures in place. To assess whether BSM project teams effectively used requirements development and management practices on its systems acquisitions, we selected three BSM projects to review: (1) Modernized e-File (MeF) release 3.2, which is to be deployed in March 2006; (2) Filing and Payment Compliance (F&PC) release 1.1, which was deployed in January 2006; and Customer Account Data Engine (CADE) Individual Master File release 1.1, which was deployed July 2004. We selected these investments because they were (1) important to the goals and mission of the agency, (2) large-scale development efforts with significant costs, and (3) at different points in their development life cycles. To evaluate whether each of the three projects had effectively used requirements development and management practices for key systems development efforts, we compared the project's documentation and processes against criteria based on industry standards and best practices, including SEI's CMMISM version 1.1. The documentation reviewed for each of the projects included requirements management plans, traceability matrices, testing plans, baseline requirements, and other items. We also interviewed the program officials from each of these three projects to further clarify issues on their requirements development and management activities. Our work was performed from June 2005 to February 2006 in Washington D.C., in accordance with generally accepted government auditing standards. [End of section] Appendix II: Project Descriptions: The following are descriptions of the three projects we selected to review: Modernized e-File (MeF) release 3.2, Filing and Payment Compliance (F&PC) release 1.1, and Customer Account Data Engine (CADE) release 1.1. Modernized e-File: In fiscal year 2004, BSM introduced the Modernized e-File (MeF) system, which allows e-filing for tax-exempt organizations and large corporations and reduces the time to process their tax forms. The goal for MeF is to replace the current e-filing technology with a modernized, Internet-based electronic filing system. MeF is also expected to result in an increase in the use of electronic filing because it is efficient and easy to access, use, and maintain. Projected benefits of the MeF program are as follows: * Reduction in the BSM's effort associated with receiving, processing, manually entering data, and resolving data entry errors from paper returns; * Reduction in system maintenance costs; * Savings in time and money for taxpayers and tax practitioners due to not copying, assembling, and mailing a return; and: * Sharing of tax and information return data electronically throughout state agencies. The MeF project is projected to provide the capability for Internet- based filing of 330 different BSM forms. The following is table 2, describing MeF releases deployed and their functionalities, followed by table 3, which describes MeF financial data. Table 2: MeF Releases and Functionality: Release: Release 1; Functionality: Deployed in February 2004; Provides 53 forms and schedules for 1120/1120S and 5 forms for 990 e- filing, along with the functionality to support those forms, including applicable interfaces, validations, retrieval and display options, the capability for large taxpayers to file using the Internet, and the capability to attach Adobe files. Release: Release 2; Functionality: Deployed in August 2004; Provides the remaining 43 forms and schedules for 1120/1120S and required public access (access to redacted information for nonprofit organizations) to the filed 990s. Release: Release 3.1; Functionality: Deployed in January 2005; Provides 990PF series forms, Form 7004 (Application for Automatic Extension of Time to File Corporation Return), and M-TRDB processing codes. Release: Release 3.2; Functionality: Projected deployment in January 2006; Expected to provide the Federal/State Single Point Filing System platform and retrieval system for all state, corporate, and tax-exempt tax returns and acknowledgments. Source: IRS. [End of table] Table 3: Development and Steady State Costs for MeF: Dollars in millions. Fiscal Year: FY 04; Dollars in millions: Development: $57.1; Steady state: $2.3; Total: $59.4. Fiscal Year: FY 05; Dollars in millions: Development: $67.1; Steady state: $5.2; Total: $72.3. Fiscal Year: FY 06; Dollars in millions: Development: $60.6; Steady state: $5.6; Total: $66.2. Source: IRS. [End of table] Filing and Payment Compliance: The Filing and Payment Compliance (F&PC) project is intended to improve technologies and processes that support BSM's compliance activities. According to BSM, their collection operations rely on 30-year-old technology and processes that are no longer compatible with the realities of today's taxpayer environment. F&PC plans to provide support for detecting, scoring, and working nonfiler and payment delinquency cases. It is to use advanced software to analyze tax collection cases and divide them into cases that require BSM involvement and those that can be handled by private collection agencies. Case attributes are to be identified, segmented, and prioritized to select the individual taxpayer cases that have a greater probability of paying the tax liabilities in full or through installment agreements. The F&PC project is also to serve as an inventory management system to assign, exchange, monitor, control, and update delinquent taxpayer accounts between the BSM Authoritative Data Source and the private collection agencies with whom BSM will contract. The F&PC project is expected to increase the following: * collection case closures by 10 million annually by 2014, * voluntary taxpayer compliance, and: * BSM's capacity to resolve the buildup of delinquent taxpayer cases. The BSM intends to deliver an initial limited private debt collection capability in January 2006. Full implementation of this aspect of the F&PC is projected to be completed by January 2008 with additional functionality to follow in later years. Following is table 4, describing F&PC releases deployed and their functionality, followed by table 5, which describes F&PC financial data. Table 4: F&PC Releases and Functionality: Release: Release 1.1; Functionality: Projected deployment in January 2006; Expected to provide limited functionality of commercial-off the- shelf (COTS) software with many manual processes employed by BSM, small case volumes and minimal number of private collection agencies supported. Release: Release 1.2; Functionality: Projected deployment in January 2007; Expected to provide full implementation, testing, and deployment of inventory management capabilities using the BSM infrastructure. Release: Release 1.3; Functionality: Projected deployment in January 2008; Expected to provide full COTS software functionality, private collection agencies fully installed, electronic data transfer between them fully established and operational. Source: IRS. [End of table] Table 5: Development Costs for F&PC: Dollars in millions. Fiscal Year: FY 04; Dollars in millions: Development: $0.4; Steady state: $0.0; Total: $0.4. Fiscal Year: FY 05; Dollars in millions: Development: $0.0; Steady state: $0.0; Total: $0.0. Fiscal Year: FY 06; Dollars in millions: Development: $5.9; Steady state: $0.0; Total: $5.9. Source: IRS. [End of table] Customer Account Data Engine: The Customer Account Data Engine (CADE), intended to replace BSM's antiquated tax administration system, is BSM's highest priority project and is intended to house tax information for more than 200 million individual and business taxpayers. The CADE databases and related applications are also to enable the implementation of other systems that will improve customer service and compliance and allow the online posting and updating of taxpayer account and return data. The CADE project is intended to: * generate refund notices, detect potential fraudulent transactions, and calculate taxes; * replace the group of BSM tax master files with a single database--the Tax Account Data Store; * accept, validate, and store taxpayer return and account data, along with financial account activity data, such as tax payments, liabilities, and installment agreements; and: * enable future business application systems. In July 2004 and January 2005, BSM implemented the initial releases of CADE, which have been used to process Form 1040EZ returns. CADE posted more than 1.4 million returns for filing season 2005 and generated more than $427 million in refunds. In 2006, CADE is expected to expand the number and type of returns beyond the Form 1040EZ. BSM is also projecting that CADE will process 33 million returns during 2007. Following is table 6, describing CADE releases deployed and their functionality, followed by table 7 describing CADE financial data. Table 6: CADE Releases and Functionality: Release: Release 1.0; Functionality: Deployed in July 2004; Provided the filing capabilities for 1040 EZ forms. Release: Release 1.1; Functionality: Deployed in July 2004 (concurrent with Release 1.0); Provided filing season 2003 and 2004 tax law changes. Release: Release 1.2; Functionality: Deployed in January 2005; Provided filing season 2005 tax law changes. Release: Release 1.3.1; Functionality: Deployed in September 2005; Provided new functionality to improve performance and allow address changes on tax returns as well as some filing season 2006 tax law changes. Release: Release 1.3.2; Functionality: Projected deployment in January 2006; Expected to provide the remaining filing season 2006 tax law changes and some additional functionality. Source: IRS. [End of table] Table 7: Development Costs for CADE: Dollars in millions. Fiscal Year: FY 04; Development: $100.6; Steady state: $0.0; Total: $100.6. Fiscal Year: FY 05; Development: $109.9; Steady state: $0.0; Total: $109.9. Fiscal Year: FY 06; Development: $109.9; Steady state: $0.0; Total: $109.9. Source: IRS. [End of table] [End of section] Appendix III: Comments from the Department of the Treasury: Commissioner: Department Of The Treasury: Internal Revenue Service: Washington. D.C. 20224: March 1, 2006: Mr. David Powner: Director, Information Technology Management Issues; United States Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Powner: I have reviewed the Government Accountability Office (GAO) draft report titled "Business Systems Modernization: IRS Needs to Complete Recent Efforts to Develop Policies and Procedures to Guide Requirements Development and Management" (GAO-06-310). We continue to appreciate the sound and balanced work of the GAO and are pleased that the GAO: * Recognized the establishment of the Requirements Management Office (RMO) to develop the policies and procedures; * Acknowledged the issuance of interim guidance to address key areas of requirements management; * Recognized that developing the final requirements policies and procedures is not expected to be completed until March 2007. I would like to provide a few comments to the following report observation: "Unless IRS takes the steps needed to develop and institutionalize disciplined requirements development and management processes and implement draft policies in the interim to cover the key areas of requirements development and management, it will continue to face risks, including cost overruns, schedule delays, and performance shortfalls." We agree with this observation and complementing our progress in establishing the RMO, we are fully committed to continued management improvements to address cost overruns and schedule delays. A recent GAO report: "Review of Internal Revenue Service (IRS) Fiscal Year 2006 Business Systems Modernization Expenditure Plan (EP)" (GAO- 03-360), already recognizes our improved performance in meeting cost and schedule commitments on several of our modernized systems; acknowledges the taxpayer and agency value our systems have begun to add; affirms the effectiveness of our program improvement process; and endorses the recent steps we have taken to develop a Modernization Vision and Strategy for the BSM program. It is worth noting that since the Fiscal Year 2006 BSM EP was submitted, we expect the Integrated Financial Systems project to return $4 to $5 million to the BSM management reserve. Therefore, the 93 percent reported overrun in the last EP will be reduced. This further demonstrates the steady improvement and commitment we have made in working to control costs within the BSM program. I would like to briefly comment on your report's recommendations: "To improve the requirements development and management policies and practices of the Internal Revenue Service's Business Systems Modernization, we recommend that the Commissioner of Internal Revenue direct the Associate Chief Information Officer for BSM to take the following actions: 1. Ensure that BSM completes the delivery of policies and procedures for requirements development and management as planned. The policies and procedures should fully describe the processes; include a minimum set of activities required for each project; provide detailed procedures for each project; and provide detailed procedures for each of the key areas of requirements elicitation, documentation, verification and validation, and management. As a part of this effort, the policies and procedures should specifically include: * A standardized process for the elicitation of requirements that ensures that projects fully investigate the requirements needed for a specific system, including gathering requirements from all relevant users and stakeholders. * A standardized process for the documentation of requirements that ensures full documentation of the baseline requirements. * A process for ensuring formal peer reviews are planned and completed for key products. * Guidance on tracking cost and schedule impacts of changes to requirements for all projects. * Guidance on establishing and maintaining full bi-directional requirements traceability." The IRS agrees that this is a key focal point for the RMO, and we have established a schedule to build out the areas of elicitation, documentation, verification and validation, and management, as described above. It is expected that these activities will be ongoing through March 2007 when the RMO is planned to have a full suite of detailed policies and procedures. 2. In addition, since BSM has ongoing projects that are developing and managing requirements, and the development of new policies and procedures is not scheduled to be complete until March 2007, the Commissioner should direct the Associate CIO for BSM to immediately implement its draft policies while the final policies and procedures are being developed." The IRS acknowledges that the draft documentation that is currently under review is robust enough to serve as interim guidance and can be implemented when developing and managing requirements for ongoing projects. We believe these steps will address your recommendation. We appreciate your continued support and the assistance and guidance from your staff. If you have any questions, or if you would like to discuss our response in more detail, please contact W. Todd Grams, Chief Information Officer, at (202) 622-6800. Sincerely, Signed by: Mark W. Everson: [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: David A. Powner, 202-512-9286, Keith A. Rhodes, 202-512- 6412 Staff Acknowledgments: In addition to those named above, Neil Doherty, Nancy Glover, George Kovachick, Tonia Johnson, Tammi Nguyen, Madhav Panwar, and Rona Stillman made key contributions to this report. (310490): FOOTNOTES [1] The requirements for a system describe the functionality to be developed or acquired. [2] We reviewed these three projects: Modernized e-File (MeF) release 3.2 (to be deployed March 2006), Filing and Payment Compliance (F&PC) release 1.1 (deployed January 2006), and Customer Account Data Engine (CADE) release 1.1 (deployed July 2004). [3] GAO, Business Systems Modernization: IRS's Fiscal Year 2004 Expenditure Plan, GAO-05-46 (Washington, D.C.: Nov. 17, 2004); GAO, Business Systems Modernization: IRS Needs to Better Balance Management Capacity with Systems Acquisition Workload, GAO-02-356 (Washington, D.C.: Feb. 28, 2002); and GAO, Business Systems Modernization, Internal Revenue Service's Fiscal Year 2005 Expenditure Plan, GAO-05-774 (Washington, D.C.: July 22, 2005). [4] GAO, Tax System Modernization: Management and Technical Weaknesses Must Be Corrected If Modernization Is To Succeed, GAO/AIMD-95-156 (Washington, D.C.: July 26, 1995). [5] GAO, Tax Systems Modernization: Blueprint Is a Good Start but Not Yet Sufficiently Complete to Build or Acquire Systems, GAO/AIMD/GGD-98- 54 (Washington, D.C.: Feb. 24, 1998). [6] GAO, Business Systems Modernization: Internal Revenue Service Needs to Further Strengthen Program Management, GAO-04-438T, (Washington, D.C.: Feb. 12, 2004) and GAO-05-46. [7] GAO-02-356 and GAO-05-774. [8] Treasury Inspector General for Tax Administration, Modernization Project Teams Need to Follow Key Systems Development Practices, Reference Number 2002-20-025 (Washington, D.C.: November 2001). [9] The systems reviewed were Customer Communications 2001, Customer Relationship Management Exam, Telecommunications Enterprise Strategic Program, and e-Services. [10] Carnegie-Mellon Software Engineering Institute, Report of the Independent Technical Assessment (ITA) on the Internal Revenue Service (IRS) Business Systems Modernization (BSM) Customer Account Data Engine (CADE) (Washington, D.C.: Oct. 3, 2003). [11] The high-priority initiatives are a set of 6-month goals and strategies to address weaknesses in seven key focus areas affecting IRS's ability to design, develop, and deliver modernized IT systems. The seven key focus areas are (1) staffing and skill sets, (2) contractor management, (3) requirements and demand management, (4) systems engineering, (5) project management disciplines, (6) communication and collaboration, and (7) empowerment and accountability. [12] The CMMI is SEI's process model, which describes how to develop the processes needed for software development and specific practices that organizations should follow. [13] In requirements development, an organization gathers, generates, and analyzes customer, products, and product-component requirements. This includes elicitation, analysis, and communication of customer and stakeholder requirements as well as technical requirements. [14] In requirements management, an organization manages the business and system requirements and identifies inconsistencies among requirements and the project's plans and work products. This includes managing all technical and nontechnical requirements through the life cycle as well as any changes to the requirements as they evolve. [15] CM is a discipline that applies technical and administrative direction and surveillance to identify and document the functional and physical characteristics of hardware or software, control changes to those characteristics and their related documentation, record and report change processing and implementation status, and verify compliance with specified requirements. The purpose of CM is to systematically identify and baseline the items that make up a system (identification), formally control any modifications to those items (control), report on the status of the CM process (status accounting), and ensure that baseline configurations are implemented (audit). [16] Change control is a formal process that identifies, evaluates, tracks, reports, and approves changes to the requirements. [17] IRS's Enterprise Life Cycle is a structured method for managing system modernization projects and project investments throughout their life cycles. [18] Peers are other IRS project team members who have experience in requirements development and management. [19] The work breakdown structure is a tool used to manage project development plans and capture the project history. It provides logical summary points for assessing performance accomplishments and measuring cost and schedule performance. [20] IRS's ELC is a structured method for managing system modernization projects and project investments throughout their life cycles. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548:

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.