Business Systems Modernization
Internal Revenue Service's Fiscal Year 2009 Expenditure Plan
Gao ID: GAO-09-281 March 11, 2009
The Internal Revenue Service's (IRS) Business Systems Modernization (BSM) program is a multi-billion-dollar, high-risk, highly complex effort that involves the development and delivery of a number of modernized systems that are intended to replace the agency's aging business and tax processing systems. As required, IRS submitted its fiscal year 2009 expenditure plan in August 2008 to the congressional appropriations committees, requesting $222 million from the BSM account. GAO's objectives in reviewing the expenditure plan were to (1) determine whether it satisfies the applicable legislative conditions, (2) determine IRS's progress in implementing prior expenditure plan review recommendations, and (3) provide additional observations about the plan and the BSM program. To accomplish the objectives, GAO analyzed the plan, reviewed related documentation, and interviewed IRS officials.
IRS's expenditure plan satisfies the applicable legislative conditions, which include meeting the Office of Management and Budget's (OMB) capital planning and investment control review requirements, and complying with federal systems acquisition requirements and management practices. IRS has addressed two of GAO's prior recommendations to improve its management capabilities and controls, including a recommendation to develop policies and procedures for developing and managing project requirements. However, work remains in order to fully implement other recommendations: developing long-term plans for completing BSM, including consolidating and retiring legacy systems; developing a quantitative measure of scope; and developing a plan for addressing its various human capital initiatives. GAO's observations about the expenditure plan and the BSM program include the following: IRS continued to implement BSM projects and meet cost and schedule estimates for most deliverables; however, one project milestone experienced a significant cost increase, and two milestones experienced significant schedule delays. In addition, over half of the milestones were reported completed, despite having unaddressed issues. Specifically, reported project costs and completion dates showed that 10 of the 11 milestones were completed within 10 percent of cost estimates and 9 were completed within 10 percent of schedule estimates. However, 6 out of the 10 milestones reported as complete had conditional milestone exits, meaning that they were allowed to proceed to the next milestone with unaddressed issues. Because IRS's guidance does not specify procedures for determining when to grant conditional exits, the process could potentially be used to mask cost and schedule overruns and could result in premature milestone exits, introducing cost, schedule, and performance risks. BSM project releases continue to face significant risks and issues, which IRS is addressing. For example, IRS reports that a release of its new taxpayer information database continues to face schedule risks. Further, IRS recently informed GAO that it had stopped work on releases of two key systems and would re-evaluate them in light of the long-term plans for BSM, which are being revisited and are expected to be defined at a high level by June 2009. While IRS is addressing the risks and issues confronting the BSM program, GAO will continue to monitor these efforts. Security weaknesses continue to affect IRS's modernization environment. As GAO recently reported, IRS continues to have weaknesses in its information security controls. In addition, the Treasury Inspector General for Tax Administration reported that two tax administration systems were deployed with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-09-281, Business Systems Modernization: Internal Revenue Service's Fiscal Year 2009 Expenditure Plan
This is the accessible text file for GAO report number GAO-09-281
entitled 'Business Systems Modernization: Internal Revenue Service's
Fiscal Year 2009 Expenditure Plan' which was released on March 11, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
United States Government Accountability Office:
GAO:
March 2009:
Business Systems Modernization:
Internal Revenue Service's Fiscal Year 2009 Expenditure Plan:
GAO-09-281:
GAO Highlights:
Highlights of GAO-09-281, a report to congressional committees.
Why GAO Did This Study:
The Internal Revenue Service‘s (IRS) Business Systems Modernization
(BSM) program is a multi-billion-dollar, high-risk, highly complex
effort that involves the development and delivery of a number of
modernized systems that are intended to replace the agency‘s aging
business and tax processing systems. As required, IRS submitted its
fiscal year 2009 expenditure plan in August 2008 to the congressional
appropriations committees, requesting $222 million from the BSM
account.
GAO‘s objectives in reviewing the expenditure plan were to (1)
determine whether it satisfies the applicable legislative conditions,
(2) determine IRS‘s progress in implementing prior expenditure plan
review recommendations, and (3) provide additional observations about
the plan and the BSM program. To accomplish the objectives, GAO
analyzed the plan, reviewed related documentation, and interviewed IRS
officials.
What GAO Found:
IRS‘s expenditure plan satisfies the applicable legislative conditions,
which include meeting the Office of Management and Budget‘s (OMB)
capital planning and investment control review requirements, and
complying with federal systems acquisition requirements and management
practices.
IRS has addressed two of GAO‘s prior recommendations to improve its
management capabilities and controls, including a recommendation to
develop policies and procedures for developing and managing project
requirements. However, work remains in order to fully implement other
recommendations: developing long-term plans for completing BSM,
including consolidating and retiring legacy systems; developing a
quantitative measure of scope; and developing a plan for addressing its
various human capital initiatives.
GAO‘s observations about the expenditure plan and the BSM program
include the following:
* IRS continued to implement BSM projects and meet cost and schedule
estimates for most deliverables; however, one project milestone
experienced a significant cost increase, and two milestones experienced
significant schedule delays. In addition, over half of the milestones
were reported completed, despite having unaddressed issues.
Specifically, reported project costs and completion dates showed that
10 of the 11 milestones were completed within 10 percent of cost
estimates and 9 were completed within 10 percent of schedule estimates.
However, 6 out of the 10 milestones reported as complete had
conditional milestone exits, meaning that they were allowed to proceed
to the next milestone with unaddressed issues. Because IRS‘s guidance
does not specify procedures for determining when to grant conditional
exits, the process could potentially be used to mask cost and schedule
overruns and could result in premature milestone exits, introducing
cost, schedule, and performance risks.
* BSM project releases continue to face significant risks and issues,
which IRS is addressing. For example, IRS reports that a release of its
new taxpayer information database continues to face schedule risks.
Further, IRS recently informed GAO that it had stopped work on releases
of two key systems and would re-evaluate them in light of the long-term
plans for BSM, which are being revisited and are expected to be defined
at a high level by June 2009. While IRS is addressing the risks and
issues confronting the BSM program, GAO will continue to monitor these
efforts.
* Security weaknesses continue to affect IRS‘s modernization
environment. As GAO recently reported, IRS continues to have weaknesses
in its information security controls. In addition, the Treasury
Inspector General for Tax Administration reported that two tax
administration systems were deployed with known security
vulnerabilities relating to the protection of sensitive data, system
access, monitoring of system access, and disaster recovery.
What GAO Recommends:
GAO recommends that the Commissioner of Internal Revenue direct that
procedures be defined for determining when to grant conditional
milestone exits. In commenting on a draft of this report, IRS agreed
with the recommendation and outlined steps it plans to take, including
strengthening its governance processes to emphasize the prevention of
premature milestone exits.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/products/GAO-09-281]. For more
information, contact David A. Powner at (202) 512-9286, or
pownerd@gao.gov.
[End of section]
Contents:
Letter:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Briefing Slides from the Jan. 13, 2009, Briefing to the
Senate and House Appropriations Subcommittee Staffs:
Appendix II: Comments from the Internal Revenue Service:
Appendix III: GAO Contact and Staff Acknowledgments:
Abbreviations:
AD: Applications Development:
AMS: Accounts Management Services:
BSM: Business Systems Modernization:
CADE: Customer Account Data Engine:
EA: enterprise architecture:
ELC: enterprise life cycle:
ESC: Executive Steering Committee:
IRS: Internal Revenue Service:
MCL: Maintaining Current Levels:
MeF: Modernized e-File:
MV&S: Modernization Vision and Strategy:
NAP: National Account Profile:
OMB: Office of Management and Budget:
PIR: post-implementation review:
TIGTA: Treasury Inspector General for Tax Administration:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
March 11, 2009:
Congressional Committees:
As required, the Internal Revenue Service (IRS) submitted its fiscal
year 2009 expenditure plan in August 2008 to the congressional
appropriations committees, requesting $222 million from the Business
Systems Modernization (BSM) account, which funds IRS's efforts to
modernize its business and tax processing systems.[Footnote 1] Our
objectives in reviewing the plan were to (1) determine whether the plan
satisfies the applicable legislative conditions,[Footnote 2] (2)
determine IRS's progress in implementing our prior recommendations, and
(3) provide any other observations about the plan and IRS's BSM
program.
On December 12, 2008, we provided the results of our review to
congressional appropriations subcommittee staffs. We followed up with a
briefing to the staffs on January 13, 2009. This report transmits the
materials we used at the briefing and provides the recommendation that
we made to the Commissioner of Internal Revenue. The full briefing
materials, including our scope and methodology, are included as
appendix I.
In summary, we made the following major points:
* IRS's fiscal year 2009 plan satisfies each of the six legislative
conditions. These conditions include meeting OMB's capital planning and
investment control review requirements, and complying with federal
systems acquisition requirements[Footnote 3] and management practices.
* IRS has addressed two of our prior recommendations to improve its
management capabilities and controls, including our recommendation to
develop policies and procedures for developing and managing project
requirements and to determine whether completed projects have achieved
expected benefits. However, work remains to fully implement other
recommendations: developing long-term plans for completing BSM,
including consolidating and retiring legacy systems; developing a
quantitative measure of scope; and developing a plan for addressing its
various human capital initiatives.
* IRS has made progress in implementing BSM projects and in meeting
cost and schedule estimates for most deliverables, but one project
milestone[Footnote 4] experienced a significant cost increase, and two
project milestones experienced significant schedule delays. In
addition, over half of the milestones were reported completed, despite
having unaddressed issues. During 2008, IRS completed milestones for
Modernized e-File (MeF), an electronic filing system; Customer Account
Data Engine (CADE), the new taxpayer information database; and Accounts
Management Services (AMS), a system intended to provide applications
for IRS employees to access, validate, and update accounts on demand.
Our analysis of reported project costs and completion dates showed that
10 of the 11 associated project milestones that were scheduled for
completion during this time were completed within 10 percent of cost
estimates, and 9 of 11 milestones were delivered within 10 percent of
schedule estimates. However, a milestone for MeF exceeded its planned
schedule by 54 percent and experienced a 40 percent increase in cost.
Additionally, a milestone for CADE exceeded its planned schedule by 10
percent, as of November 24, 2008; however, work on this milestone was
stopped, pending the completion of a review of long-term plans for BSM,
and will be re-evaluated in light of the new plans.
Of the 10 milestones that were reported completed during fiscal year
2008, 6 received conditional exits, meaning that they were allowed to
proceed with outstanding issues remaining to be addressed. Examples of
outstanding issues include incomplete test cases and incomplete
security certification and accreditation. Ideally, projects should
proceed to the next milestone without significant issues needing to be
addressed. In addition, we have previously reported that investment
management procedures typically specify procedural rules for decision-
making during project oversight.[Footnote 5] While IRS's guidance
states that Executive Steering Committees may grant conditional exits,
it does not specify procedures for determining when to grant them.
Without these procedures, the conditional exit process could
potentially be used to mask cost and schedule overruns and result in
projects exiting milestones prematurely, thereby introducing cost,
schedule, and performance risks.
* BSM project releases continue to face significant risks and issues,
which IRS is addressing. For example, CADE continues to face schedule
risks for one of its releases, as a result of having to reallocate
resources to address software changes necessitated by the requirements
of the Economic Stimulus Act of 2008.[Footnote 6] Also, because of the
interdependencies between CADE and AMS, IRS has to coordinate
significant integration management activities between these two
projects. Further, IRS's Commissioner and Chief Technology Officer
recently informed us that IRS had stopped work for the 2010 filing
season release of CADE and a release of AMS and would re-evaluate the
planned scope and functionality for these releases in light of the long-
term plans for BSM that are expected to be defined at a high level by
June 2009.[Footnote 7] While IRS continues to monitor these issues, the
risks and challenges facing future releases of CADE, MeF, and AMS are,
nevertheless, significant. Given this, we will continue to monitor the
risks and IRS's actions to address them.
* IRS continues to use its high-priority initiatives program to address
identified challenges. This program improvement process continues to be
an effective means of regularly assessing, prioritizing, and
incrementally addressing BSM issues and challenges. In September 2008,
IRS completed another cycle of high-priority initiatives and is
currently working on a cycle that is scheduled to be completed by the
end of March 2009. Initiatives that were addressed in the 6-month cycle
ending in September 2008 included information security, refining the
system retirement and consolidation strategy, and infrastructure
improvements (e.g., executing a strategy developed for technology
migrations to modernized technology).
* Security weaknesses continue to affect IRS's modernization
environment. As we reported in November 2008[Footnote 8] and January
2009,[Footnote 9] the agency continues to have weaknesses in its
information security controls. In addition, in September 2008, the
Treasury Inspector General for Tax Administration reported that both
CADE and AMS were deployed with known security vulnerabilities relating
to the protection of sensitive data, system access, monitoring of
system access, and disaster recovery. Further, IRS has identified
security weaknesses through its high-priority initiatives program.
While actions to address our report findings and the high-priority
initiatives help to improve IRS's security posture, the modernization
environment will continue to be at risk until the agency completes
these initiatives and addresses our report findings.
Conclusions:
During 2008, IRS continued to make progress in delivering BSM projects
that provided benefits to both taxpayers and the agency. IRS also
continued to improve its management capabilities and controls by, among
other things, implementing two of our recommendations from prior
expenditure plan reviews and addressing its high-priority initiatives.
These actions will likely result in improved management of BSM and may
help mitigate the risks inherent in managing such a large and complex
program. However, IRS is still facing challenges in consistently
meeting its cost and schedule estimates, managing project-specific
risks, addressing high-priority initiatives, and securing its many
systems. In addition, IRS has not yet fully implemented all prior
recommendations: developing long-term plans for completing BSM,
including consolidating and retiring legacy systems; developing a
quantitative measure of scope; and developing a plan for addressing its
various human capital initiatives. Finally, IRS's use of conditional
milestone exits is not supported by documented procedures. Without
documented procedures, the conditional exit process could potentially
be used to mask cost and schedule overruns and result in projects
exiting milestones prematurely, thereby introducing cost, schedule, and
performance risks.
Recommendation for Executive Action:
We are recommending that the Commissioner of Internal Revenue direct
that procedures be defined for determining when to grant conditional
milestone exits. Such guidance would help ensure that IRS's process for
granting milestone exit approvals is not used to mask cost and schedule
overruns and that projects are not exiting milestones prematurely
thereby introducing cost, schedule, and performance risks.
Agency Comments and Our Evaluation:
IRS's Deputy Commissioner for Operations Support provided written
comments on a draft of this report (reprinted in app. II). In these
comments, IRS stated it was pleased that the report confirmed that the
expenditure plan (1) satisfied the legislative conditions and (2)
acknowledged the progress made in addressing prior recommendations,
implementing BSM projects, and addressing BSM risks and issues. IRS
also agreed with our recommendation to define procedures for
determining when to grant conditional exits. The agency further stated
it would continue to follow the existing ELC processes for milestone
readiness reviews to determine whether projects have met the necessary
conditions to exit a milestone, and would strengthen its governance
processes to emphasize the prevention of premature milestone exits.
We are sending copies of this report to the Chairmen and Ranking
Members of the Senate and House committees and subcommittees that have
appropriations, authorization, and oversight responsibilities for IRS.
We are also sending copies to the Commissioner of Internal Revenue, the
Secretary of the Treasury, the Chairman of the IRS Oversight Board, and
the Director of OMB. In addition, the report will be available at no
charge on the GAO Web site at [hyperlink, http://www.gao.gov].
Should you or your offices have questions on matters discussed in this
report, please contact me at (202) 512-9286 or at pownerd@gao.gov.
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this report. GAO staff who
made key contributions to this report are listed in appendix III.
Signed by:
David A. Powner:
Director, Information Technology Management Issues:
List of Congressional Committees:
The Honorable Richard J. Durbin:
Chairman:
The Honorable Susan Collins:
Ranking Member:
Subcommittee on Financial Services and General Government:
Committee on Appropriations:
United States Senate:
The Honorable José E. Serrano:
Chairman:
The Honorable Jo Ann Emerson:
Ranking Member:
Subcommittee on Financial Services and General Government:
Committee on Appropriations:
House of Representatives:
[End of section]
Appendix I: Briefing Slides from the Jan. 13, 2009, Briefing to the
Senate and House Appropriations Subcommittee Staffs:
Review of IRS‘s Fiscal Year 2009 Business Systems Modernization
Expenditure Plan:
Briefing for Staff Members of the Subcommittee on Financial Services
and General Government, Senate Committee on Appropriations, and,
Subcommittee on Financial Services and General Government, House
Committee on Appropriations:
December 12, 2008:
Contents:
Introduction and Objectives:
Results in Brief:
Background:
Scope and Methodology:
Results:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
I: Description of Business Systems Modernization Projects and Program-
Level Initiatives:
II: Additional Detail on IRS‘s Fiscal Year 2009 BSM Expenditure Plan:
III: IRS Reported Project Cost/Schedule for Projects Scheduled for
Completion in Fiscal Year 2008:
[End of section]
Introduction and Objectives:
The Internal Revenue Service (IRS) has long relied on obsolete
automated systems for key operational and financial management
functions, and its attempts to modernize these computer systems span
several decades. IRS‘s multibillion-dollar Business Systems
Modernization (BSM) program, initiated in fiscal year 1999, is the
agency‘s latest attempt to modernize its systems. IRS contracted with
Computer Sciences Corporation as the PRIME systems integration support
contractor to assist with designing, developing, and integrating a new
set of information systems that are intended to replace IRS‘s aging
business and tax processing systems. BSM is a high-risk, highly complex
program that involves the development and delivery of a number of
modernized tax administration, internal management, and core
infrastructure projects that are intended to provide improved and
expanded service to taxpayers and internal business efficiencies for
IRS. In fiscal year 2006, IRS developed a new Modernization Vision and
Strategy (MV&S)[Footnote 10] in response to our recommendation to fully
revisit the vision and strategy for the BSM program and develop a new
set of long-term goals, strategies, and plans consistent with the
budgetary outlook and IRS‘s management capabilities.[Footnote 11] The
MV&S represents a new approach to the modernization effort emphasizing,
among other things, involving joint business and IT leadership
throughout the process; delivering smaller, incremental releases more
frequently; and leveraging existing systems where appropriate.
As required by the Consolidated Security, Disaster Assistance, and
Continuing Appropriations Act, 2009,[Footnote 12] which provides
appropriations for the IRS for fiscal year 2009, funds for the BSM
program (excluding labor costs) are not available until IRS submits a
modernization expenditure plan for approval to the congressional
appropriations committees.[Footnote 13 This plan must:
* meet the capital planning and investment control review requirements
established by the Office of Management and Budget (OMB);
* comply with IRS‘s enterprise architecture;[Footnote 14]
* conform with IRS‘s enterprise life cycle methodology;[Footnote 15]
* comply with federal acquisition rules, requirements, guidelines, and
systems acquisition management practices;
* be approved by IRS, the Department of the Treasury, and OMB; and;
* be reviewed by GAO.
Since mid-1999, IRS has submitted a series of expenditure plans
requesting release of BSM-appropriated funds. To date, about $2.6
billion has been appropriated and released for BSM.
On August 15, 2008, IRS submitted its fiscal year 2009 expenditure plan
to the relevant House and Senate appropriations subcommittees, seeking
release of $222 million from the BSM account.
As agreed with IRS‘s appropriations subcommittees, our objectives were:
* determine whether IRS‘s fiscal year 2009 expenditure plan satisfies
the applicable legislative conditions;
* provide an update on IRS's progress in implementing our prior
expenditure plan review recommendations; and;
* provide any other observations about the expenditure plan and IRS's
BSM program, including progress in delivering BSM projects and in
meeting cost and schedule commitments, and risks and challenges
confronting planned project releases.
Results in Brief:
IRS‘s fiscal year 2009 plan satisfies each of the six legislative
conditions.
IRS has addressed two of our prior recommendations to improve its
management capabilities and controls, including our recommendation to
develop policies, procedures, and tools for developing and managing
project requirements and determine whether completed projects have
achieved expected benefits. However, steps remain to fully implement
our recommendations in three areas: (1) developing long-term plans for
completing BSM and consolidating and retiring legacy systems, (2)
developing a quantitative measure of progress in delivering systems‘
planned functionality (scope), and (3) developing a plan for addressing
IRS‘s various human capital initiatives. Regarding long-term plans for
completing BSM, IRS‘s Commissioner and Chief Technology Officer recently
informed us that they had tasked the agency with defining these plans
by February 2009 and ensuring they address key findings and
recommendations from recent audits, with particular emphasis on IT
security, financial statement material weaknesses, and long-term
architecture and planning. While IRS‘s actions are positive steps,
until our recommendations are fully implemented, there is a risk that
IRS will not effectively manage its modernization program, and Congress
may not have the information it needs to effectively assess IRS‘s
performance in implementing BSM.
We have four observations related to the BSM program and fiscal year
2009 expenditure plan:
* IRS continued to implement BSM projects and meet cost and schedule
commitments for most deliverables, but one project milestone
experienced a significant cost increase and two project milestones
experienced significant schedule delays. In addition, over half of the
milestones were reported completed despite having unaddressed issues.
Since March 2008, when we reported on our last expenditure plan review,
IRS completed milestones of Modernized e-File (MeF) (an electronic
filing system), Customer Account Data Engine (CADE) (the new taxpayer
information database), and Accounts Management Services (AMS) (a system
intended to provide applications for IRS employees to access, validate,
and update accounts on demand). Our analysis of IRS‘s reported planned
and actual costs and completion dates showed that 10 of the 11 project
milestones scheduled for completion during the year were completed
within 10 percent of cost estimates and 9 of them were completed within
10 percent of schedule estimates. However, 6 out of the 10 milestones
that were reported completed had conditional milestone exits, meaning
that they were allowed to proceed to the next milestone with
outstanding issues remaining to be addressed. While IRS‘s guidance
states that conditional exits may be granted, it does not specify
procedures for determining when to grant them. Without these
procedures, the conditional exit process could potentially be used to
mask cost and schedule overruns and result in projects exiting
milestones prematurely, thereby introducing cost, schedule, and
performance risks.
* BSM project releases continue to face significant risks and issues,
which IRS is addressing. IRS has reported that challenges and risks
continue to confront planned project releases. For example, CADE
continues to face schedule risks for one of its releases as a result of
having to reallocate resources to address software changes necessitated
by the requirements of the Economic Stimulus Act of 2008.[Footnote 16]
Also, because of the interdependencies between CADE and AMS, IRS has to
coordinate significant integration management activities between these
two projects. Further, IRS‘s Commissioner and Chief Technology Officer
recently informed us that IRS had stopped work underway for the 2010
filing season release of CADE and a release of AMS and would re-
evaluate the planned scope and functionality for these releases in
light of the long-term plans for BSM that are expected to completed by
February 2009.
* IRS continues to use its high-priority initiatives program to address
identified challenges. IRS‘s high-priority initiatives program
improvement process continues to be an effective means of regularly
assessing, prioritizing, and incrementally addressing BSM issues and
challenges. Beginning in March 2008, IRS expanded this program to the
Deputy Commissioner of Operations Support level, so that it now
addresses challenges not only at the level of IRS‘s IT organization
(MITS), but also across other organizations such as the Human Capital
Office and the Office of Privacy, Information Protection, and Data
Security. Initiatives addressed in the recent cycle include developing
a strategy and approach for professional security certifications for
MITS personnel and developing a comprehensive computer security program
plan.
* Security weaknesses continue to affect IRS‘s modernization
environment. Specifically, we recently reported that IRS continues to
have weaknesses with its information security controls.[Footnote 17]
For example, we noted that sensitive information, including user IDs
and passwords for mission critical applications, continued to be
readily available to any user on IRS‘s internal network. In addition,
in September 2008, the Treasury Inspector General for Tax
Administration (TIGTA) reported that both CADE and AMS were deployed
with known security vulnerabilities relating to the protection of
sensitive data, system access, monitoring of system access, and
disaster recovery. Further, IRS has also identified security weaknesses
through its high-priority initiatives program, and is working
to address them. Until these actions and our report findings are
addressed, the modernization environment will continue to be at risk.
We are recommending that the Commissioner of Internal Revenue direct
that procedures be defined for determining when to grant conditional
milestone exits. Such guidance would help ensure that IRS‘s process for
granting milestone exit approvals is not used to mask cost and schedule
overruns and projects are not exiting milestones prematurely, thereby
introducing cost, schedule, and performance risks.
In e-mail comments on a draft of this briefing, the Associate Chief
Information Officer for Applications Development agreed that clearer
guidance and criteria are needed regarding conditional exits but stated
that our language insinuates deliberate masking of cost and schedule.
We are not implying that IRS would deliberately mask cost and schedule
but expressing our concern that, without documented procedures, the
potential for doing so exists. We have modified this briefing to
clarify this. IRS also provided technical comments which we addressed,
as appropriate.
Background:
Since 1999, we have reviewed and reported on 15 BSM expenditure plans.
In particular, we have reported on program management capabilities and
controls that are critical to the effective management of the BSM
program. They include:
* cost and schedule estimates: IRS did not have effective procedures
for validating contractor-developed cost and schedule estimates;
[Footnote 18]
* contract management: IRS did not have effective processes for
determining the type of task order to be awarded in acquiring
modernized systems;[Footnote 19]
* requirements development and management: IRS did not have adequate
policies and procedures in place to guide its system modernization
projects in developing and managing requirements;[Footnote 20]
* post-implementation review: post-implementation reviews conducted
were incomplete and did not follow IRS procedures;[Footnote 21] and'
* human capital: IRS did not have a plan with specific time frames for
addressing its human capital initiatives.[Footnote 22]
We have made recommendations aimed at strengthening IRS‘s program
management controls and capabilities. Over the years, IRS has addressed
several of these recommendations. However, more work remains for some
capabilities and controls to be fully institutionalized or implemented.
The modernization of IRS‘s tax administration systems and supporting
technical infrastructure (BSM), driven by a new Modernization Vision
and Strategy (MV&S),[Footnote 23] involves both leveraging existing
(legacy) applications and deploying modernized systems. This represents
a shift in the thinking at the outset of the program, which was to
completely replace the existing environment.
IRS‘s Applications Development (AD) organization has primary
responsibility for managing and delivering the BSM program. This group,
within the Office of the Chief Information Officer, was established in
2006 and integrates Business Systems Modernization”whose primary
mission was delivering IRS modernization”with the Business Systems
Development Division”whose primary focus was maintaining the current
production systems environment (i.e., legacy applications). AD is
headed by the Associate Chief Information Officer for Applications
Development.
The AD organization includes three core competency areas:
* Domains focus on IT legacy and modernized systems that support a
major functional mission area of the IRS (e.g., Compliance and Customer
Service).
* Matrix domains support functions for the primary operating domains
and are tasked with improving the effectiveness of AD operations (e.g.,
the Test, Assurance, and Documentation Office and the Program
Management Office).
* Front office teams perform administrative, human resources, and
financial management functions for the entire organization (e.g.,
Resource Management).
To help manage its systems, IRS recently established an enterprise
governance structure and an investment decision-making process, which,
among other things, provide a standard approach for reviewing projects.
The structure is composed of various levels of governance bodies which
track projects‘ progress and make project cost, schedule, and scope
decisions. These bodies include Executive Steering Committees (ESCs),
which are domain level committees that oversee their investment
portfolio. The committees are chaired by a business leader and an IT
leader who share accountability over the domain strategy and associated
project delivery. As investments complete milestones, they submit
milestone exit review packages to the ESCs for approval. The ESCs may
approve, conditionally approve, or deny a milestone exit.
IRS‘s fiscal year 2009 expenditure plan describes the agency‘s efforts
to develop modernized systems and supporting infrastructure.[Footnote
24] They include:
* continuing ongoing program-level initiatives (e.g., architecture and
integration and program management) and core infrastructure projects
(e.g., infrastructure shared services), and,
* continuing seven tax administration project releases to their next
milestones.
Key tax administration projects include:
* Modernized e-File, which is to provide a single standard for filing
electronic tax returns;
* Customer Account Data Engine, which is intended to provide the
modernized database foundation to replace the existing Individual
Master File processing system, which contains the repository of
individual taxpayer information; and,
* Accounts Management Services, which is intended to enhance the
Customer Account Data Engine by providing applications that enable IRS
employees to access, validate, and update accounts on demand.
Details on these and other BSM projects and program-level initiatives
identified in the fiscal year 2009 plan are provided in appendix 1.
Table 1 shows a financial summary of the plan.
Table 1: Summary of IRS‘s Fiscal Year 2009 BSM Expenditure Plan[A]:
Tax administration project: Modernized e-File;
Amount requested (in thousands): $25,000.
Tax administration project: Customer Account Data Engine;
Amount requested (in thousands): $58,800.
Tax administration project: Accounts Management Services;
Amount requested (in thousands): $26,158.
Subtotal”tax administration projects:
Amount requested (in thousands): $109,958.
Core infrastructure projects: Development, Integration, and Testing
Environments;
Amount requested (in thousands): $10,000.
Core infrastructure projects: Infrastructure Shared Services;
Amount requested (in thousands): $22,000.
Subtotal”core infrastructure projects:
Amount requested (in thousands): $32,000.
Architecture, integration, and management: Architecture and
Integration;
Amount requested (in thousands): $13,745.
Architecture, integration, and management: Business Integration;
Amount requested (in thousands): $4,206.
Architecture, integration, and management: Business Rules and
Requirements Management;
Amount requested (in thousands): $3,160.
Architecture, integration, and management: Management Processes;
Amount requested (in thousands): $3,539.
Architecture, integration, and management: Federally Funded Research
and Development Center;
Amount requested (in thousands): $7,396.
Architecture, integration, and management: Project Management;
Amount requested (in thousands): $2,954.
Subtotal”architecture, integration, and management
Amount requested (in thousands): $35,000.
Management Reserve:
Amount requested (in thousands): $2,300.
BSM Capital Total:
Amount requested (in thousands): $179,258.
BSM Labor Total:
Amount requested (in thousands): $42,052.
Maintaining Current Levels (MCL)[B]:
Amount requested (in thousands): $1,354.
Total: $222,664.
Source: GAO analysis of IRS data.
[A] See appendix II for additional details on the plan.
[B] Maintaining Current Levels (MCL) is the inflationary factor for the
BSM labor cost.
[End of table]
Scope and Methodology:
To accomplish our objectives, we:
* reviewed the fiscal year 2009 expenditure plan submitted by IRS in
August 2008;
* analyzed the plan for compliance with the applicable legislative
conditions;
* interviewed IRS program and project management officials to
corroborate our understanding of the plan and other BSM activities;
* analyzed available evidence on recent agency efforts to implement our
prior recommendations, including progress on improving its
modernization management controls and capabilities;
* reviewed and analyzed modernization program review and project
management briefings and related documentation to assess program and
project status and associated issues and risks;
* reviewed program management reports to assess the progress IRS has
made in completing actions and implementing program management
improvements related to the BSM highest priority initiatives; and,
* reviewed related reports by TIGTA.
To assess the reliability of the cost and schedule information
contained in this expenditure plan, we interviewed IRS officials in
order to gain an understanding of the data and discuss our use of the
data in this briefing. In addition, we confirmed that information in
the plan was consistent with information contained in IRS internal
briefings and other governance process artifacts. We did not, however,
assess the accuracy and reliability of the information reported in
these documents.
We performed our work between September 2008 and December 2008, in
Washington, D.C., in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives.
Results: Legislative Conditions:
Objective 1: The plan satisfies the conditions applicable to IRS‘s
fiscal year 2009 appropriations.
Table 2: Fiscal Year 2009 Expenditure Plan Provisions for Satisfying
Legislative Conditions:
Legislative condition: 1. Meets OMB capital planning and investment
control review requirements;
Expenditure plan provisions: IRS‘s fiscal year 2009 expenditure plan
identifies funding for managing IT investments as part of a single
portfolio through its capital planning and investment control process.
In line with this, IRS has implemented a structured governance and
decision-making process framework including various levels of governing
bodies to manage its projects under a standardized approach. The
framework includes policies and procedures to select, control, and
evaluate investments consistent with OMB capital planning and
investment control review requirements.
Legislative condition: 2. Complies with IRS‘s enterprise architecture
(EA);
Expenditure plan provisions: The plan identifies funding for complying
with IRS‘s EA by providing for continued definition and implementation
of the EA. For example, it identifies funding needed for:
* performing architecture, engineering, and integration activities to
ensure that the IRS EA provides the information and guidance necessary
for modernization projects;
* supporting the performance of EA compliance certification activities;
and;
* finalizing and publishing updates to the EA based on change requests.
In addition, according to IRS, early milestones within the enterprise
life cycle take steps to ensure compliance with the EA. In the
preliminary design phase, projects submit an EA Compliance Checklist,
in which one item ensures that the project design is checked for EA
compliance. For example, it ensures that all products used are present
in the enterprise standards profile and can be seamlessly integrated
into the current infrastructure without undue burden.
Legislative condition: 3. Conforms with IRS‘s enterprise life cycle
(ELC) methodology;
Expenditure plan provisions: The plan conforms with IRS‘s ELC
methodology in that it calls for meeting the requirements in IRS‘s ELC
management program. For example, the plan calls for:
* providing centralized guidance, administration, mitigation, and
closure of risks issued throughout the life cycle of each project and,
* maintaining and enhancing the ELC.
Further, the plan states that IRS is developing a comprehensive
security program to respond to computer security weaknesses and to
position the organization to address computer security needs in the
future. This approach includes updating the ELC for major systems by
developing security guidance, establishing baseline requirements, and
launching an initiative to develop an ELC security process for non-
major projects. Further, IRS developed a governance structure to ensure
enterprise-wide coordination and integration of information technology
and systems compliance with the ELC.
Legislative condition: 4. Complies with the acquisition rules,
requirements, guidelines, and systems acquisition management practices
of the federal government;
Expenditure plan provisions: As part of the ELC, IRS has defined
processes, roles, and responsibilities for implementing Carnegie Mellon
University‘s Software Engineering Institute Software Acquisition
Capability Maturity Model® practices for the key process areas within
the repeatable level (level 2) of the 5-stage model.[A] These practices
are consistent with federal acquisition requirements and management
practices, and the plan calls for implementation of the ELC on all
projects.
Legislative condition: 5. Approved by IRS, the Department of the
Treasury, and OMB;
Expenditure plan provisions:
* IRS”May 22, 2008;
* Treasury”June 6, 2008;
* OMB”August 4, 2008.
Legislative condition: 6. Reviewed by GAO;
Expenditure plan provisions: GAO”December 12, 2008, briefing to IRS‘s
appropriations subcommittees.
Sources: The Consolidated Appropriations Act, 2008, Pub. L. No. 110-
161, Div. D, title I, 121 Stat. 1844, 1976-1977 (Dec. 26, 2007), as
continued by the Consolidated Security, Disaster Assistance, and
Continuing Appropriations Act, 2009, Pub. L. No. 110-329, Div. A, sec.
101, 122 Stat. 3574 (Sept. 30, 2008), and IRS‘s fiscal year 2009
expenditure plan submitted to Congress in August 2008.
[A] These key process areas are acquisition planning, solicitation,
requirements development and management, project management, contract
tracking and oversight, evaluation, and transition to support. For this
condition, we did not determine whether the expenditure plan comports
with the Federal Acquisition Regulation or other federal requirements
beyond those encompassed by the Software Engineering Institute‘s
Capability Maturity Model.
[End of table]
Results: Prior Recommendation Status:
Objective 2: IRS has implemented two of our previous recommendations to
improve its modernization management controls and capabilities, but
steps remain to fully implement the remaining ones.
IRS implemented our recommendations to complete policies and procedures
for requirements management and development and to determine whether
projects‘ expected benefits have been achieved as part of its post
implementation reviews. However, steps remain to fully implement the
remaining recommendations, including developing long-term plans for
completing BSM and consolidating and retiring legacy systems.
Table 3: Status of IRS‘s Progress in Implementing Prior GAO
Recommendations:
Prior GAO recommendation: Requirements development and management”
Ensure that BSM completes the delivery of policies and procedures for
requirements development and management as planned;
Implemented: [Check];
Status as of fiscal year 2009 plan: See p. 19.
Prior GAO recommendation: Post-implementation reviews”Perform analyses
of investment data to determine whether completed projects have
achieved expected benefits;
Implemented: [Check];
Status as of fiscal year 2009 plan: See p. 20.
Prior GAO recommendation: Modernization vision and strategy”Fully
revisit the vision and strategy for the BSM program and develop a new
set of long-term goals, strategies, and plans that are consistent with
the budgetary outlook and IRS‘s management capabilities;
In progress: [Check]
Status as of fiscal year 2009 plan: See pp. 21-22.
Prior GAO recommendation: Quantitative measures of progress in scope”
Ensure that future expenditure plans include a quantitative measure of
progress in meeting project scope expectations;
In progress: [Check[;
Status as of fiscal year 2009 plan: See p. 23.
Prior GAO recommendation: Human capital strategy”Complete a plan with
specific time frames for implementing the initiatives supporting its
human capital strategy;
In progress: [Check];
Status as of fiscal year 2009 plan: See p. 24.
Source: GAO analysis of IRS data.
[End of table]
Requirements Development and Management:
In March 2006, we recommended that IRS complete requirements
development and management policies and procedures.[Footnote 25] IRS
agreed with our recommendation, and, in response, developed policies,
procedures, and tools for developing and managing project requirements
through its Business Rules and Requirements Management office. In March
2008, we reported[Footnote 26] that IRS had developed (1) a
standardized process for the elicitation and documentation of
requirements; (2) guidance on establishing and maintaining full
bidirectional requirements traceability; (3) guidance on tracking cost
and schedule impacts of changes to requirements; and (4) a process for
ensuring that formal peer reviews are planned and completed for key
requirements. We have since reviewed these documents and found that
they address our recommendations. The Business Rules and Requirements
Management office has been providing support to multiple projects
throughout the IRS, including CADE, AMS, and MeF. For example, IRS
stated that the new requirements development and management policies,
procedures, and tools were used for CADE Release 5 and that the
requirements office is providing support and/or consultation services
to three AMS releases. By developing and implementing these policies
and procedures, IRS will be able to more effectively develop and manage
project requirements for the acquisition of critical systems.
Post-Implementation Reviews:
In November 2004, we recommended that post-implementation reviews (PIR)
of deployed BSM projects include an analysis of quantitative and
qualitative investment data to determine whether expected benefits were
achieved.[Footnote 27] IRS agreed with our recommendation, and, in
response, developed a new procedure for conducting PIRs. In March
2008, we reported that, due to resource constraints and other
priorities, IRS stated that it planned to conduct streamlined PIRs on
CADE and AMS releases 12-18 months after those releases are deployed,
and lessons learned activities for other systems. Since then, IRS has
conducted PIRs on CADE Releases 2.2 and 3.1, which documented major
findings and discussed customer and user satisfactions, benefits
achieved, lessons learned, and improvement opportunities. Additionally,
according to IRS, PIRs were started at the end of fiscal year 2008 for
AMS Releases 1.1 and 1.2A and are scheduled to be completed in December
2008. Finally, IRS is now requiring lessons learned activities to be
conducted for all projects that follow its ELC. Performing these
activities will allow IRS to better determine whether projects are
meeting expectations.
Modernization Vision and Strategy:
In July 2005, we recommended that IRS fully revisit the vision and
strategy for the BSM program and develop a new set of long-term goals,
strategies, and plans consistent with the budgetary outlook and IRS‘s
management capabilities.[Footnote 28] We also noted that the vision and
strategy should include time frames for consolidating and retiring
legacy systems. IRS agreed with our recommendation, and, in response,
developed an initial cycle of its Modernization Vision and Strategy
(MV&S) and 5-year enterprise transition strategy in fiscal year 2006
[Footnote 29] to guide IT investment decisions during fiscal years 2007
through 2011.The MV&S framework was built on a functional segmentation
of IRS into core mission business functions (business domains)
supported by services necessary for their effective and secure
execution (service domains). The enterprise transition strategy
described the overall IRS vision and strategy and how existing and
proposed investments align to it. It also documented the scope,
business challenges, current and transition architectures, redesign
opportunities, strategy, proposed projects and associated release
strategies, and the planned evolution (i.e., reuse, consolidation,
retirement) of related key current production environment systems for
each of the MV&S business domains. During 2007, IRS updated its 5-year
transition strategy.[Footnote 30] The strategy includes security and
privacy (a new service domain), planned business domains, and
opportunities for retirement of legacy systems.
IRS recently developed a white paper outlining an overall strategy for
retiring and consolidating systems. It includes a list of guiding
principles for making retirement and consolidation decisions as well as
areas of focus for each business domain. An initial 5-year schedule
[Footnote 31] for each domain was also developed. IRS has identified
several initiatives that are required to sustain and enhance its
ability to effectively retire and consolidate systems, including
developing and maintaining a single comprehensive inventory of
applications and systems and establishing guidance for how retirements
should be implemented in the systems lifecycle. The IRS Commissioner
and Chief Technology Officer also recently informed us that they had
tasked the organization to clearly define plans for completing the
program over the next several years and specifically define the
expected outcomes, the actions necessary to achieve those outcomes, and
a plan to complete those actions within reasonable timeframes and cost.
They asked that the plans address key findings and recommendations from
recent audits, with particular emphasis on IT security, financial
statement material weaknesses, and long-term architecture and planning
and stated that they would be completed by February 2009. While IRS‘s
actions are positive steps, to fully implement our recommendation, the
agency still needs to (1) develop a long-term plan for completing BSM
and (2) complete its plans for retiring and consolidating its legacy
systems.
Quantitative Measure of Progress in Meeting Scope Expectations:
In February 2007, we recommended that IRS ensure that future
expenditure plans include a quantitative measure of progress in
delivering systems‘ planned functionality (scope).[Footnote 32] We also
recommended that, in developing this measure, IRS consider using earned
value management[Footnote 33] since this is a proven technique required
by OMB for measuring cost, schedule, and functional performance (i.e.,
scope of work) against plans. While IRS agreed with our recommendation
to develop a quantitative measure of progress in meeting scope
expectations, it has stated that it does not believe earned value
management would provide this measure, given the manner in which the
technique is being used at the agency.[Footnote 34] Instead, IRS has
developed an incremental approach to address our recommendation.
Specifically, as an initial step, IRS defined a detailed qualitative
measure that indicates the difference between a project release‘s
planned and delivered capabilities in the fiscal year 2008 expenditure
plan. In March 2008, we reported that, as a second step, IRS planned to
leverage its requirements management tools to assign quantitative
values to the capabilities in the fiscal year 2009 expenditure plan.
[Footnote 35] IRS did not have the measurement of scope ready for the
fiscal year 2009 expenditure plan as planned but stated that it is
continuing to develop the metric and is currently piloting its use. IRS
also stated that a schedule for implementation and inclusion into the
annual expenditure plan will depend on the outcome of the pilot
efforts. Until IRS fully addresses our recommendation, IRS will not
have a quantitative measure and Congress may not have the information
it needs to effectively assess IRS‘s performance in implementing BSM.
Human Capital Strategy:
In March 2008, we reported that IRS had developed a human capital
strategy for its Application Development organization that addressed
hiring critical personnel, employee training, leadership development,
and workforce retention and identified several initiatives it planned
to undertake these areas. However, the agency did not have a specific
plan, including time frames for addressing the human capital
initiatives across the AD organization. Accordingly, we recommended
that the agency develop such a plan.[Footnote 36] IRS agreed with our
recommendation and stated that it would implement it by October 2008.
In response to our recommendation, IRS developed a timeline of
activities for fiscal years 2008 to 2010. However, the timeline does
not specify what these activities entail or how they address the areas
of hiring critical personnel, employee training, leadership
development, and workforce retention that are identified in the AD
human capital strategy. Until IRS develops a plan, including these
specifics, it may be challenged in acquiring and retaining the staff
resources it needs to effectively support BSM.
Results: Observations:
Objective 3: Observations about IRS‘s BSM Program and Expenditure Plan:
Observation 1: IRS continued to implement BSM projects and meet cost
and schedule commitments for most deliverables, but one project
milestone experienced a significant cost increase and two project
milestones experienced significant schedule delays. In addition, over
half of the milestones were reported completed despite having
unaddressed issues.
Since March 2008, when we reported on our last expenditure plan review,
IRS completed milestones of MeF, CADE, and AMS, which provided benefits
to the taxpayers and the agency.[Footnote 37] Our analysis of IRS‘s
reported planned and actual costs and completion dates showed that 10
of the 11 project milestones scheduled for completion during the year
were completed within 10 percent of cost estimates and 9 of them were
completed within 10 percent of scheduled estimates (see figure 1).
Specifically, one release of MeF exceeded its planned schedule by 54
percent and experienced a 40 percent increase in cost. In addition,
work on one release of CADE, which exceeded its planned schedule by 10
percent as of November 24, 2008, was stopped pending the completion of
a review of long-term plans for BSM, and will be re-evaluated in light
of the new plans.
Figure 1 depicts the detailed cost and schedule variances of the
project milestones that were scheduled to be delivered during fiscal
year 2008.
Figure 1: Summary of Cost and Schedule Performance for Fiscal Year 2008
Project Milestones:
[Refer to PDF for image: illustration]
Project plan depicting the following:
Plus or minus 10 percent is within acceptable range.
Milestone: 4a-5;
Release: 5;
Program: MeF;
Cost variance: 0;
Schedule variance: 0.7%.
Milestone: 3;
Release: 6;
Program: MeF;
Cost variance; 40%;
Schedule variance 53.8%.
Milestone: 4;
Release: 3.2;
Program: CADE;
Cost variance: 0;
Schedule variance: -0.4%.
Milestone: 2-3;
Release: 4.0;
Program: CADE;
Cost variance: 0;
Schedule variance: -2.5%.
Milestone: 4;
Release: 4.1;
Program: CADE;
Cost variance: [A];
Schedule variance: -10.4%.
Milestone: 3;
Release: 5;
Program: CADE;
Cost variance: [B];
Schedule variance: [C].
Milestone: 5;
Release: 1.1;
Program: AMS;
Cost variance: 0;
Schedule variance: 0.
Milestone: 4b;
Release: 1.2;
Program: AMS;
Cost variance: 0;
Schedule variance: 8.7%.
Milestone: 4a;
Release: 1.3;
Program: AMS;
Cost variance: 0;
Schedule variance: 0.7%.
Milestone: 2;
Release: 2.1;
Program: AMS;
Cost variance: 0;
Schedule variance: -2.2%.
Milestone: 3;
Release: 2.1;
Program: AMS;
Cost variance: 0;
Schedule variance: 0.
Source: GAO analysis of IRS data.
[A] In e-mail comments on a draft of this briefing, IRS informed us
that it had approved a transfer of funds from release 4.1 to release
4.2, resulting in a negative cost variance.
[B] This release of CADE has not yet exited milestone 3 and therefore
we cannot yet calculate cost variance for this milestone.
[C] This release of CADE has not yet exited milestone 3. However, based
on the start date, on November 24, 2008 schedule variance exceeded the
10 percent threshold mark for acceptable variances.
[End of figure]
The following provides details on the milestones that were completed
within 10 percent of cost and schedule estimates.
MeF:
* A release of MeF completed development, test, and integration on
January 3, 2008 and completed deployment on July 18, 2008. This release
provides for processing the U.S. income tax returns of foreign
corporations and the ePostcard forms of tax exempt and government
entities. It also includes a continuously operating failover capability
that IRS states will allow for posting returns 24 hours a day, seven
days a week.
CADE:
* Release 3.2 (intended to include the legislative changes for the 2007
filing season and the data for generation of math error notices)
completed development, test and integration on February 27, 2008.
* Release 4 (intended to add extensions, decedent and surviving spouse
returns, credit elect processing, receipt processing, criminal
investigation refund holds, and last name changes) completed system
logical design on February 13, 2008. Release 4.1 completed development,
test, and integration on July 24, 2008. It should be noted that while
this milestone was completed ahead of schedule, some functionality
intended for this release was shifted to a subsequent release as a
result of having to reallocate resources to address software changes
necessitated by the requirements of the Economic Stimulus Act of 2008,
[Footnote 38] which IRS had not anticipated. In email comments on a
draft of this briefing, IRS stated that it had approved a transfer of
funds from Release 4.1 to Release 4.2 to fund the requirements that
were shifted from one release to the other. Release 4.2 is scheduled to
be completed on March 31, 2009. Because IRS has not yet defined a
quantitative measure of progress in meeting scope expectations as we
have recommended, it is difficult to determine the magnitude of the
adjustment or its net effect on project performance.
AMS:
Together, the following three AMS releases provide the capability to
update authoritative account data on a daily cycle to IRS customer
service representatives and a new inventory and workflow function that
automates assignment, research, resolution, and closure for internally
generated cases.
* One release was successfully deployed on January 29, 2008. This
release provides interfaces among the Desktop Integration, CADE, and
current processing environment systems and allows address change
transactions to be passed to the CADE system.
* The second release completed development, test and integration on
February 13, 2008.
* The third release of AMS completed physical design on February 13,
2008.
A final release of AMS completed two milestones during the year.
* Conceptual design was completed on January 10, 2008, and,
* System logical design was completed on June 24, 2008.
The following provides details on the milestones that were
significantly over cost or over schedule.
* MeF Milestone 3 of Release 6 (intended to roll out the use of Form
1040 and 21 other schedules and supporting forms) experienced
significant cost increases and schedule delays. This milestone was
completed 63 days behind schedule.[Footnote 39] According to IRS, a
longer logical design phase was required primarily due to a requirement
for additional application functionality (real time transactions with
the IRS National Account Profile (NAP) and new reports) as well as
added complexity to the infrastructure for interfacing with the NAP
and Electronic Fraud Detection System.
* CADE Release 5 (primarily intended to improve the infrastructure and
availability of CADE) was scheduled to complete logical design
(milestone 3) on September 30, 2008. However, this schedule was not
met. In addition, the IRS Commissioner and Chief Technology Officer
have told us that work on this release has been stopped pending the
results of a review of long-term plans for BSM. This review is expected
to be completed in February 2009.
* Further, it should be noted that, of the ten milestones that were
reported completed during fiscal year 2008, six received conditional
exits,[Footnote 40] meaning that they were allowed to proceed with
outstanding issues remaining to be addressed. Examples of outstanding
issues include incomplete test cases and incomplete security
certification and accreditation. Ideally, projects should proceed to
the next milestone without significant issues needing to be addressed.
In addition, we have previously reported that investment management
procedures typically specify the procedural rules for decision-making
during project oversight.[Footnote 41] While IRS‘s guidance states that
ESCs may grant conditional exits, it does not specify procedures for
determining when to grant them. Without these procedures, the
conditional exit process could potentially be used to mask cost and
schedule overruns and result in projects exiting milestones
prematurely, thereby introducing cost, schedule, and performance risks.
Observation 2: BSM project releases continue to face significant risks
and issues, which IRS is addressing.
IRS has reported that challenges and risks continue to confront planned
project releases.
MeF: IRS indicates that because of delays in completing the logical
design phase of the current MeF release (Release 6), there is no slack
in the schedule. Further, MeF depends significantly on the portal
environment‘s ability to support the volume of Form 1040s. Engineering
and capacity analyses have been launched to help ensure that the portal
environment can support the volume.
CADE: IRS reports that because of the added requirement this year to
complete the work necessitated by the requirements of the Economic
Stimulus Act of 2008,[Footnote 42] there is no slack in the schedule
for completing Release 4 which, as previously noted, is intended to add
extensions, decedent and surviving spouse returns, credit elect
processing, receipt processing, criminal investigation refund holds,
and last name changes. To mitigate this risk, IRS is currently using
two separate teams working in parallel to maintain the schedule, along
with conducting impact assessments. In addition, four contract line
items were shifted from Release 4.1 into Release 4.2. In e-mail
comments on a draft of this briefing, IRS informed us that it had
approved a transfer of $8 million from Release 4.1 to Release 4.2 to
address this. These funds are to be supplemented with $1.525 million
from management reserve and $475,000 from fiscal year 2007 Risk
Adjustment. IRS has held meetings to develop a re-plan strategy that
deploys most of the remaining functionality by the end of February
2009. Certain non-critical components would be deferred to a future
release.
IRS also reported that CADE Release 5 (to be deployed in 2010) may face
resource contention with Release 4.2, as well as funding and cost
estimation issues and a possible need to shift functionality from
Release 4 into this release. As noted above, logical design work was
not completed by September 2008 as planned, and the IRS Commissioner
and Chief Technology Officer informed us that the work on the release
had been stopped and would be re-evaluated in light of the long-term
plans for BSM that are expected to completed by February 2009. IRS also
expects future releases of CADE to increase in complexity.
AMS: AMS and CADE releases depend on one another to a great extent.
Specifically, AMS releases require specific CADE functionality in order
to be deployed. CADE also depends on some of the planned AMS
functionality deployments to allow CADE to accept more complicated
returns and better resolve taxpayer issues. Because of these
interdependencies, IRS has to coordinate significant integration
management activities.
In March 2008, we reported that IRS was working on a Release Content
Master Plan to address the risks associated with the interdependencies.
In November 2008, the Acting Deputy Commissioner for Operations Support
informed us that the current Release Content Master Plan will not be
used because, as noted above, IRS is reevaluating CADE Release 5 and
also reevaluating the scope of AMS Release 2.1 given its interdependency
with CADE. According to the Associate CIO for Applications Development,
IRS has also stopped working on AMS Release 2.2 pending the review of
long-term plans for BSM.
While IRS continues to monitor these issues, the risks and challenges
facing future releases of CADE, MeF, and AMS are nevertheless
significant. If these risks are not effectively managed, the projects
could face cost increases and IRS's modernization efforts could be
delayed. Given this, we will continue to monitor the risks and IRS‘s
actions to address them.
Observation 3: IRS continues to use the high-priority initiatives
program to address identified challenges.
IRS‘s high-priority program improvement initiatives process[Footnote
43] continues to be an effective means of regularly assessing,
prioritizing, and incrementally addressing BSM issues and challenges.
Beginning in March 2008, IRS expanded this program to the Deputy
Commissioner of Operations Support level, so that it now addresses
challenges not only at the level of IRS‘s IT Organization (MITS), but
also across other organizations such as the Human Capital Office and
the Office of Privacy, Information Protection, and Data Security.
In September 2008, IRS completed another cycle of high-priority
initiatives and is currently working on a cycle that is scheduled to be
completed by the end of March 2009. The most recently completed cycle
included multiple initiatives for MITS, including many focused on
security-related challenges. The key focus areas for MITS during
this cycle included:
* security improvements (developing a strategy and approach for
professional security certifications for MITS personnel and developing
a comprehensive computer security program plan);
* refining the system retirement and consolidation strategy to align
with MV&S);
* operational improvements (assessing and addressing security
vulnerabilities associated with a computing center mainframe
environment, and limiting access controls to authorized personnel);
and,
* infrastructure improvements (executing a strategy developed for
technology migrations to modernized technology).
Observation 4: Security weaknesses continue to affect IRS‘s
modernization environment.
IRS continues to have security weaknesses that affect its modernization
environment. In March 2008, we reported that IRS had just recently
updated its enterprise life cycle methodology to incorporate security
processes, procedures, and tools into the early stages of the
enterprise life cycle. Further, we recently reported that IRS continued
to have weaknesses with its information security controls.[Footnote 44]
For example, we noted that sensitive information, including user IDs
and passwords for mission critical applications, continued to be
readily available to any user on IRS‘s internal network. These IDs and
passwords could be used by a malicious user to compromise data flowing
to and from IRS‘s Integrated Financial System, which is part of the
modernization environment.[Footnote 45] We stated that the key reason
for the presence of these and other weaknesses was the lack of a fully
implemented security program. In written comments on a draft of our
report, IRS recognized that information security continues to be a
significant issue, and noted that it established an Office of Online
Fraud Detection and Prevention to address evolving online threats
affecting IRS and taxpayers. IRS also noted that it developed a
corrective action plan to address information technology security
training, systems auditing, access controls, system security
configuration control, and systems disaster recovery.
Further, in September 2008, TIGTA reported that while IRS had
established appropriate system development policies and procedures
requiring security and privacy safeguards to be planned for and
designed in the early phases of a system‘s development cycle, both CADE
and AMS were deployed with known security vulnerabilities relating to
the protection of sensitive data, system access, monitoring of system
access, and disaster recovery. These vulnerabilities increase the risks
that 1) an unscrupulous person, with little chance of detection, could
gain unauthorized access to the vast amount of taxpayer information
that the IRS processes, and 2) the systems could not be recovered
effectively and efficiently during an emergency. The IRS agreed with
the TIGTA‘s recommendations and stated that it would continue to follow
the governance process documented in the Customer Service Executive
Steering Committee[Footnote 46] charter and consider all security
vulnerabilities to ensure that best practices are in place for the
successful delivery of project security and functionality. As noted
above, IRS recently informed us that work planned for certain CADE and
AMS releases had stopped pending a re-evaluation of immediate and long-
term functionality and scope for these systems, including incorporating
security concerns raised by GAO and TIGTA.
IRS has also identified security weaknesses through its high-priority
initiatives program, and, to its credit, it is working to address them.
For example, through this program, IRS recently updated its enterprise
life cycle methodology to consistently incorporate security guidance
for non-major projects.[Footnote 47]
Through its high-priority initiatives program, IRS reported having
addressed additional security practices including:
* developing a strategy and approach for professional security
certifications for systems and database administrators;
* developing business requirements for the use of digital certificates
and public key infrastructure technology; and,
* working to develop a comprehensive Computer Security Program Plan to
allow IRS to identify current and planned security projects and
initiatives.
While actions to address our report findings and the high-priority
initiatives help to improve its security posture, IRS‘s modernization
environment will continue to be at risk until the agency fully
implements its security program, as evidenced by the recent GAO and
TIGTA reports.
Conclusions:
During 2008, IRS continued to make progress in delivering BSM projects
that provided benefits to both taxpayers and the agency. IRS also
continued to improve its management capabilities and controls by, among
other things, implementing two of our recommendations from prior
expenditure plan reviews and addressing its high priority initiatives.
These actions will likely result in improved management of BSM and help
mitigate the risks inherent in managing such a large and complex
program. However, IRS is still facing challenges in consistently
meeting its cost and schedule commitments, managing project-specific
risks, addressing high priority initiatives, and securing its many
systems. In addition, IRS has not yet fully implemented all prior
recommendations, including developing long-term plans for completing
BSM and consolidating and retiring legacy systems, developing a
quantitative measure of scope, and developing a plan for addressing its
various human capital initiatives. Finally, IRS‘s use of conditional
milestone exits is not supported by documented procedures. Without
documented procedures, the conditional exit process could potentially
be used to mask cost and schedule overruns and result in projects
exiting milestones prematurely, thereby introducing cost, schedule, and
performance risks.
Recommendation for Executive Action:
We are recommending that the Commissioner of Internal Revenue direct
that procedures for determining when to grant conditional milestone
exits be defined. Such guidance would help ensure that IRS‘s process
for granting milestone exit approvals is not used to mask cost and
schedule overruns and projects are not exiting milestones prematurely,
thereby introducing cost, schedule, and performance risks.
Agency Comments and Our Evaluation:
In email comments on a draft of this briefing, the Associate Chief
Information Officer for Applications Development agreed that clearer
guidance and criteria are needed regarding conditional exits but stated
that our language insinuates deliberate masking of cost and schedule.
IRS also identified a situation where milestone exits will always be
conditional and stated that all work performed is charged to the
appropriate milestone, despite the conditional exit. We are not
implying that IRS would deliberately mask cost and schedule overruns.
We are stating our concern that, that without documented procedures,
the potential for doing so exists. We have modified this briefing to
clarify this. IRS also provided technical comments which we addressed,
as appropriate.
Appendix I: Description of BSM Projects and Program-Level Initiatives:
Tax administration projects:
Proposed modernization initiative: Modernized e-File;
Description: Is to provide a single standard for filing electronic tax
returns. Initial releases will address large corporations, small
businesses, and tax-exempt organizations. Its ultimate goal is the
conversion of IRS‘s 1040 e-file program.
Proposed modernization initiative: Customer Account Data Engine;
Description: Is to build the modernized database foundation to replace
the existing Individual Master File processing system that contains the
repository of individual taxpayer information.
Proposed modernization initiative: Accounts Management Services;
Description: Is to deliver improved customer support and functionality
by leveraging existing IRS applications (Desktop Integration and
Correspondence Imaging System) and new technologies to bridge the gap
between modernization initiatives, such as the Customer Account Data
Engine, and legacy systems. Accounts Management Services is to enhance
the Customer Account Data Engine by providing applications for IRS
employees and taxpayers to access, validate, and update accounts on
demand.
Core infrastructure projects:
Proposed modernization initiative: Development, Integration, and
Testing Environments;
Description: Is to provide oversight for laboratory environments that
support evaluation, development, and testing of components from
multiple projects: (1) Virtual Development Environment provides a
software development environment and a standardized set of tools and
(2) Enterprise Integration and Test Environment provides an integration
and testing environment for all projects.
Proposed modernization initiative: Infrastructure Shared Services;
Description: Is to deliver, in incremental releases over multiple
years, a fully integrated, shared IT infrastructure to include
hardware, software, shared applications, data, telecommunications,
security, and an enterprise approach to systems and operations
management.
Architecture, integration, and management:
Proposed modernization initiative: Architecture and integration;
Description: Is to ensure that systems solutions meet IRS business
needs and that the development projects are effectively integrated into
the business environment.
Proposed modernization initiative: Business integration;
Description: Is to ensure that IRS‘s BSM program is aligned with the
business units‘ vision and delivers the desired business results. It
provides support to key activities such as transition management,
business rules enterprise management, and requirements development and
management operations.
Proposed modernization initiative: Business rules and requirements
management;
Description: Is to provide support to business process analysis and
redesign by harvesting and managing an enterprise set of business
rules, and developing business requirements.
Proposed modernization initiative: Management processes;
Description: Is to provide sustaining support for program-level
management processes, including quality assurance, risk management,
program control and process management, and enterprise life cycle
maintenance and enhancements.
Proposed modernization initiative: Federally funded research and
development center;
Description: Is to provide program management and systems engineering
support. Program management Is to ensure that projects achieve their
objectives; provide the management information and IT infrastructure
that supports risk management, project cost and schedule estimating,
and financial management; and provide procurement management for the
PRIME contract and associated task orders.
Source: GAO analysis of IRS data.
[End of table]
[End of Appendix]
Appendix II: Additional Detail on IRS‘s Fiscal Year 2009 BSM
Expenditure Plan:
Proposed modernization initiative:
Tax administration projects: Modernized e-File (MeF)
Release[A]: 7;
Milestone[B]: 4a-4b;
Amount requested (in thousands): $25,000;
Subtotal”MeF project: $25,000.
Tax administration projects: Customer Account Data Engine (CADE);
Release[A]: 5;
Milestone[B]: 4a;
Amount requested (in thousands): $12,000.
Tax administration projects: CADE;
Release[A]: 5.1;
Milestone[B]: 4b;
Amount requested (in thousands): $16,800.
Tax administration projects: CADE;
Release[A]: 5.2;
Milestone[B]: 4b;
Amount requested (in thousands): $18,000.
Tax administration projects: CADE;
Release[A]: operations and maintenance;
Milestone[B]: Level of Effort (LOE);
Amount requested (in thousands): $12,000.
Subtotal”CADE project: $58,800.
Tax administration projects: Accounts Management Services (AMS);
Release[A]: 2.2;
Milestone[B]: 5;
Amount requested (in thousands): $3,078.
Tax administration projects: AMS;
Release[A]: 3.1;
Milestone[B]: 4a;
Amount requested (in thousands): $4,582.
Tax administration projects: AMS;
Release[A]: 3.1;
Milestone[B]: 4b;
Amount requested (in thousands): $6,723.
Tax administration projects: AMS;
Release[A]: 3.1;
Milestone[B]: 5;
Amount requested (in thousands): $2,291.
Tax administration projects: AMS;
Release[A]: 3.2;
Milestone[B]: 3;
Amount requested (in thousands): $5,472.
Tax administration projects: AMS;
Release[A]: 3.2;
Milestone[B]: 4a;
Amount requested (in thousands): $4,012.
Subtotal”AMS project: $26,158.
Subtotal”tax administration projects: $109,958.
Core infrastructure projects: Development, integration, and testing
environments;
Milestone[B]: Infrastructure (INF)
Amount requested (in thousands): $10,000.
Core infrastructure projects: Infrastructure Shared Services;
Milestone[B]: INF
Amount requested (in thousands): $22,000.
Subtotal”core infrastructure projects: $32,000.
Architecture, integration, and management: Architecture and
integration;
Milestone[B]: LOE;
Amount requested (in thousands): $13,745.
Architecture, integration, and management: Business integration;
Milestone[B]: LOE;
Amount requested (in thousands): $4,206.
Architecture, integration, and management: Business rules and
Requirements Management;
Milestone[B]: LOE;
Amount requested (in thousands): $3,160.
Architecture, integration, and management: Management processes
Milestone[B]: LOE;
Amount requested (in thousands): $3,539.
Architecture, integration, and management: Federally funded research
and development center;
Milestone[B]: LOE;
Amount requested (in thousands): $7,396.
Architecture, integration, and management: Program management;
Milestone[B]: LOE;
Amount requested (in thousands): $2,954.
Subtotal”architecture, integration, and management: $35,000.
Management reserve: $2,300.
BSM Capital Total: $179,258.
BSM Labor Total: $42,052.
MCLs: $1,354.
Total fiscal year 2009 BSM program: $222,664.
Source: GAO analysis of IRS data.
[A] Releases are software versions that provide a subset of the total
planned project functionality.
[B] Milestones correspond to phases within IRS‘s enterprise life cycle
(0 – vision and strategy/enterprise architecture, 1 – project
initiation, 2 – domain architecture, 3 – preliminary design, 4a –
detailed design, 4b – system development, 5 – system deployment).
[End of table]
[End of appendix]
Appendix III: IRS Reported Cost/Schedule for Projects Scheduled for
Completion in Fiscal Year 2008:
This table shows the projects completed in fiscal year 2008.
Project segment: MeF, Release 5, Milestone 4a-5;
Estimated completion date and funding (in thousands): 3/31/08; $14,300
Milestone exit and cost (in thousands): 4/2/08; $14,300
Change (%): 2 days (.7%); $0 (0%);
IRS explanation of change: Conditional exit. Unconditional exit
approved on July 18, 2008.
Project segment: MeF, Release 6, Milestone 3
Estimated completion date and funding (in thousands): 4/18/08; $7,000
Milestone exit and cost (in thousands): 7/18/08; $9,800
Change (%): 63 days (53.8%); $2,800 (40.0%);
IRS explanation of change: Additional application functionality (real
time transactions with the IRS National Account Profile (NAP) and new
reports) as well as added complexity to the infrastructure of
interfacing with the NAP and Electronic Fraud Detection System (EFDS)
required a longer Logical Design phase. Conditional exit based on
subsequent satisfaction of four conditions.
Project segment: CADE, Release 3.2, Milestone 4;
Estimated completion date and funding (in thousands): 2/28/08; $18,000;
Milestone exit and cost (in thousands): 2/27/08; $18,000;
Change (%): -1 day (-0.4%); $0 (0%);
IRS explanation of change: Conditional exit. Subject to resolution of
conditions identified in milestone exit review.
Project segment: CADE, Release 4, Milestone 2-3;
Estimated completion date and funding (in thousands): 2/28/08; $11,330;
Milestone exit and cost (in thousands): 2/13/08; $11,330;
Change (%): -10 days (-2.5%); $0 (0%).
IRS explanation of change: IRS explanation of change: Able to exit 10
days early.
Project segment: CADE, Release 4.1, Milestone 4;
Estimated completion date and funding (in thousands): 8/31/08; $22,410
Milestone exit and cost (in thousands): 7/24/08; $22,410
Change (%): -26 days (-10.4%); $0 (0%);
IRS explanation of change: Able to exit milestone one month early. IRS
However exit was conditional subject to resolution of six issues
identified in milestone exit review. Also some functionality shifted to
Release 4.2. In email comments on a draft of this briefing, IRS
informed us that it had approved a transfer of funds from release 4.1
to release 4.2 to address this shift in functionality, resulting in a
negative cost variance.
Project segment: CADE, Release 5, Milestone 2-3;
Estimated completion date and funding (in thousands): 9/30/08; $6,025;
Milestone exit and cost (in thousands): [Empty];
Change (%): [Empty];
IRS explanation of change: Work on this release has been stopped
pending final decision regarding scope and cost.
Project segment: AMS; Release 1.1, milestone 5;
Estimated completion date and funding (in thousands): 1/29/08; $506;
Milestone exit and cost (in thousands): 1/29/08; $506;
Change (%): 0 days (0%); $0 (0%).
IRS explanation of change: IRS explanation of change: [Empty].
Project segment: AMS, Release 1.2, Milestone 4b;
Estimated completion date and funding (in thousands): 1/29/08; $3,463;
Milestone exit and cost (in thousands): 2/13/08; $3,463;
Change (%): 11 days (8.7%); $0; (0%);
IRS explanation of change: Exited milestone 11 days late within 10
percent of plan. Exit was conditional pending resolution of milestone
exit review findings.
Project segment: AMS, Release 1.3, Milestone 4a;
Estimated completion date and funding (in thousands): 2/12/08; $1,655;
Milestone exit and cost (in thousands): 2/13/08; $1,655;
Change (%): 1 day (.7%); $0, (0%);
IRS explanation of change: Conditional Exit on 2/13/2008 pending
resolution of one milestone exit review finding. Conditional status was
removed on March 25, 2008.
Project segment: AMS, Release 2.1, Milestone 2;
Estimated completion date and funding (in thousands): 1/15/08; $2,369;
Milestone exit and cost (in thousands): -3 days; -2.2%;
Change (%): $0; (0%).
IRS explanation of change: Were able to exit this milestone 3 days
early.
Project segment: AMS, Release 2.1, Milestone 3;
Estimated completion date and funding (in thousands): 6/24/08; $2,580;
Milestone exit and cost (in thousands): 0 days, (0%);
Change (%): $0; (0%).
IRS explanation of change: Exited milestone 3 on June 24, 2008 as
planned.
Source: GAO analysis of IRS data.
[A] Note: Variances for projects through milestone 3 are based on rough
order of magnitude estimates. Post-milestone 3 variances are based on
more specific estimates.
[B] IRS also completed milestones for a data repository known as the
Integrated Production Model. However, we are not reporting on these
because funding for them was not requested in the fiscal year 2008
expenditure plan.
[End of table]
[End of appendix]
Appendix II: Comments from the Internal Revenue Service:
Department Of The Treasury:
Deputy Commissioner:
Internal Revenue Service:
Washington, D.C. 20224:
February 25, 2009:
Mr. David A. Powner:
Director, Information Technology Management Issues:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:
Dear Mr. Powner:
I have reviewed the Government Accountability Office draft report
titled "Business Systems Modernization: Internal Revenue Service's
Fiscal Year 2009 Expenditure Plan," (Government Accountability Office-
09-281). We appreciate the sound and balanced work of this office and
are pleased that it:
* Confirmed that our Fiscal Year 2009 expenditure plan satisfies the
six legislative conditions specified in the law. These conditions
include meeting the Office of Management and Budget's capital planning
and investment control review requirements, and complying with the
federal systems acquisition requirements and management practices.
* Recognized the steps we have taken to address your prior
recommendations for improving management capabilities and controls.
These include the development of policies and procedures for creating
and managing project requirements and determining whether completed
projects have achieved expected benefits.
* Acknowledged our progress in implementing Business Systems
Modernization projects and in meeting cost and schedule commitments for
most deliverables.
* Validated that we continue to make progress in addressing Business
Systems Modernization project risks and issues, and identifying
challenges through our high-priority initiatives programs.
I would like to briefly comment on the recommendation included in your
report concerning the "procedures for determining when to grant
conditional milestone exits be defined." We agree with this
recommendation and will continue to follow the existing Enterprise Life
Cycle processes for milestone readiness reviews to determine whether
projects have met the necessary conditions to exit a milestone. We will
also strengthen our governance processes to emphasize premature exit of
milestones prevention.
We appreciate your continued support and the assistance and guidance
from your staff. If you have any questions or would like to discuss our
response in more detail, please contact Terence V. Milholland, Chief
Technology Officer, at (202) 622-6800.
Sincerely,
Signed by:
Mark A. Ernst:
Deputy Commissioner, Operations Support:
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
David A. Powner, (202) 512-9286, or pownerd@gao.gov:
Staff Acknowledgments:
In addition to the individual named above, Sabine R. Paul, Assistant
Director; Neil Doherty; Mary D. Fike; Sairah R. Ijaz; Lee McCracken;
and Paul B. Middleton made key contributions to this report.
[End of section]
Footnotes:
[1] BSM funds (except labor costs) are unavailable until IRS submits a
modernization expenditure plan to the congressional appropriations
committees and obtains their approval. See the Consolidated Security,
Disaster Assistance, and Continuing Appropriations Act, 2009, Pub. L.
No. 110-329, Div. A, Sec. 101, 122 Stat. 3574 (Sept. 30, 2008), which
continues funding under the authority and conditions provided in the
Consolidated Appropriations Act, 2008, Pub. L. No. 110-161, Div. D,
title I, 121 Stat. 1844, 1976-1977 (Dec. 26, 2007).
[2] This plan must (1) meet the Office of Management and Budget's (OMB)
capital planning and investment control review requirements; (2) comply
with IRS's enterprise architecture; (3) conform with IRS's enterprise
life cycle (ELC) methodology; (4) comply with federal acquisition
rules, requirements, guidelines, and systems acquisition management
practices; (5) be approved by IRS, the Department of the Treasury, and
OMB; and (6) be reviewed by GAO. These conditions for BSM funding
availability have been in effect for several years, including the
immediately preceding fiscal year. At the time of this report, IRS's
funding is being provided under the Consolidated Security, Disaster
Assistance, and Continuing Appropriations Act, 2009, Pub. L. No. 110-
329, Div. A, Sec. 101, 122 Stat. 3574 (Sept. 30, 2008) (which has been
extended through March 11, 2009, by H.J. Res. 38, March 6, 2009).
[3] For this condition, we did not determine whether the expenditure
plan comports with the Federal Acquisition Regulation or other federal
requirements beyond those encompassed by the Software Engineering
Institute's Capability Maturity Model.
[4] Milestones correspond to phases within IRS's ELC (0 - vision and
strategy/enterprise architecture, 1 - project initiation, 2 - domain
architecture, 3 - preliminary design, 4a - detailed design, 4b - system
development, 5 - system deployment).
[5] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, [hyperlink,
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: Mar. 2004).
[6] Economic Stimulus Act of 2008, Pub. L. No. 110-185, sec. 101, 122
Stat. 613 (Feb. 13, 2008).
[7] After our expenditure plan review, IRS's Chief Technology Officer
provided us with an update on the agency's efforts to define plans for
completing BSM. He stated that a high-level strategy was expected to be
defined by June 2009.
[8] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119]
(Washington, D.C.: Nov. 10, 2008).
[9] After we provided our expenditure plan review results to the
subcommittees, we issued a report focusing on IRS's information
security program: GAO, Information Security: Continued Efforts Needed
to Address Significant Weaknesses at IRS, [hyperlink,
http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9,
2009).
[10] An initial cycle of the MV&S was completed in fiscal year 2006 and
the strategy was updated a year later. IRS, Internal Revenue Service:
IT Modernization Vision & Strategy (Washington, D.C: October 2007).
[11] GAO, Business Systems Modernization: Internal Revenue Service‘s
Fiscal Year 2005 Expenditure Plan, [hyperlink,
http://www.gao.gov/products/GAO-05-774] (Washington, D.C., July 22,
2005).
[12] The Consolidated Appropriations Act, 2008, Pub. L. No. 110-161,
Div. D, title I, 121 Stat. 1844, 1976-1977 (Dec. 26, 2007), as
continued by the Consolidated Security, Disaster Assistance, and
Continuing Appropriations Act, 2009, Pub. L. No. 110-329, Div. A, sec.
101, 122 Stat. 3574 (Sept. 30, 2008).
[13] These funds support IRS's efforts to modernize IRS's business
systems. Other systems efforts, including the maintenance of legacy
applications, are supported by other funds which are not subject to the
BSM program legislative conditions.
[14] An enterprise architecture is an institutional blueprint that
defines how an enterprise operates today, in both business and
technology terms, and how it intends to operate in the future. An
enterprise architecture also includes a road map for transitioning
between these environments.
[15] IRS refers to its life cycle management program as the enterprise
life cycle (ELC).
[16] Economic Stimulus Act of 2008, Pub. L. No. 110-185, sec. 101, 122
Stat. 613 (Feb. 13, 2008).
[17] GAO, Financial Audit: IRS‘s Fiscal Years 2008 and 2007 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119]
(Washington, D.C.: November 10, 2008).
[18] GAO, Business Systems Modernization: IRS Has Made Significant
Progress in Improving Its Management Controls, but Risks Remain,
[hyperlink, http://www.gao.gov/products/GAO-03-768] (Washington, D.C.:
June 27, 2003).
[19] [hyperlink, http://www.gao.gov/products/GAO-03-768].
[20] GAO, Business Systems Modernization: IRS Needs to Complete Recent
Efforts to Develop Polices and Procedures to Guide Requirements
Development and Management, [hyperlink,
http://www.gao.gov/products/GAO-06-310] (Washington, D.C.: Mar. 20,
2006).
[21] GAO, Business Systems Modernization: IRS‘s Fiscal Year 2004
Expenditure Plan, [hyperlink, http://www.gao.gov/products/GAO-05-46]
(Washington, D.C.: Nov. 17, 2004).
[22] GAO, Business Systems Modernization: Internal Revenue Service‘s
Fiscal Year 2008 Expenditure Plan, [hyperlink,
http://www.gao.gov/products/GAO-08-420] (Washington, D.C.: Mar. 7,
2008).
[23] An initial cycle of the MV&S was completed in fiscal year 2006 and
the strategy was updated a year later.
[24] Efforts to maintain and enhance legacy applications are funded
through a different source, and the release of these funds is not
contingent on the BSM account legislative conditions.
[25] [hyperlink, http://www.gao.gov/products/GAO-06-310].
[26] [hyperlink, http://www.gao.gov/products/GAO-08-420].
[27] [hyperlink, http://www.gao.gov/products/GAO-05-46].
[28] GAO, Business Systems Modernization: Internal Revenue Service‘s
Fiscal Year 2005 Expenditure Plan, [hyperlink,
http://www.gao.gov/products/GAO-05-774] (Washington, D.C.: July 22,
2005).
[29] IRS‘s MV&S initiative is intended to be an annual process through
which the agency integrates the strategic plans, business concepts of
operations, IT planning roadmaps, and proposed investments into a set
of integrated strategies and investment proposals for each domain and
ultimately into a proposed IT investment portfolio.
[30] IRS, Enterprise Transition Plan: Enterprise Transition Strategy
and Enterprise-Wide Sequencing Plan, version 3.1 (Washington, D.C.,
Sept. 28, 2007).
[31] IRS, Applications Development: 5-Year Plan, ’A systems view“
Projects – Programs – Retirements & Consolidations.
[32] GAO, Business Systems Modernization: Internal Revenue Service‘s
Fiscal Year 2007 Expenditure Plan, [hyperlink,
http://www.gao.gov/products/GAO-07-247] (Washington, D.C.: Feb. 15,
2007).
[33] Earned value management is a project management tool that
integrates the investment scope of work with schedule and cost elements
for investment planning and control. This method compares the value of
work accomplished during a given period with that of the work expected
in the period. Differences between accomplishments and expectations are
measured in both cost and schedule variances.
[34] In December 2007, the Associate Chief Information Officer for
Applications Development stated that IRS uses earned value management
to measure progress in completing ELC deliverables, not in delivering
functionality, and consequently the agency‘s application of earned
value management does not provide a quantitative measure of progress in
meeting scope expectations.
[35] [hyperlink, http://www.gao.gov/products/GAO-08-420].
[36][hyperlink, http://www.gao.gov/products/GAO-08-420].
[37] IRS also completed milestones for a data repository known as the
Integrated Production Model. However, we are not reporting on these
because funding for them was not requested in the fiscal year 2008
expenditure plan.
[38] Pub. L. No. 110-185.
[39] The original schedule for completing this design phase is a ’rough
order of magnitude“ estimate based on preliminary project plans.
[40] According to IRS, the Executive Steering Committee may grant an
’unconditional“ exit approval to proceed with the next phase of
development, or they may grant a ’conditional“ exit with the
expectation that progress in resolving any outstanding issues will be
regularly reported to the governance body. The governance body may also
deny exit approval if it deems the readiness of the investment to be
significantly deficient.
[41] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, [hyperlink,
http://www.gao.gov/products/GAO-04-394G (Washington, D.C.: March 2004).
[42] Pub. L. No. 110-185.
[43] In August 2004, the Associate Chief Information Officer initiated
an incremental approach to assess, prioritize, and address the highest
priority initiatives from the program improvement framework in 6-month
cycles. These initiatives are derived, in part, from corrective actions
recommended by GAO and the Treasury Inspector General for Tax
Administration for improving modernization management controls and
processes.
[44] [hyperlink, http://www.gao.gov/products/GAO-09-119].
[45] Because testing these controls involved assessing the
enterprisewide information security program, our findings for IRS‘s
financial reporting system also apply to IRS‘s modernization
environment.
[46] This is the governance board that has final milestone exit
approval for CADE and AMS.
[47] This high priority initiative was closed in September 2008.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: