Business Systems Modernization

Internal Revenue Service's Fiscal Year 2009 Expenditure Plan Gao ID: GAO-09-281 March 11, 2009

The Internal Revenue Service's (IRS) Business Systems Modernization (BSM) program is a multi-billion-dollar, high-risk, highly complex effort that involves the development and delivery of a number of modernized systems that are intended to replace the agency's aging business and tax processing systems. As required, IRS submitted its fiscal year 2009 expenditure plan in August 2008 to the congressional appropriations committees, requesting $222 million from the BSM account. GAO's objectives in reviewing the expenditure plan were to (1) determine whether it satisfies the applicable legislative conditions, (2) determine IRS's progress in implementing prior expenditure plan review recommendations, and (3) provide additional observations about the plan and the BSM program. To accomplish the objectives, GAO analyzed the plan, reviewed related documentation, and interviewed IRS officials.

IRS's expenditure plan satisfies the applicable legislative conditions, which include meeting the Office of Management and Budget's (OMB) capital planning and investment control review requirements, and complying with federal systems acquisition requirements and management practices. IRS has addressed two of GAO's prior recommendations to improve its management capabilities and controls, including a recommendation to develop policies and procedures for developing and managing project requirements. However, work remains in order to fully implement other recommendations: developing long-term plans for completing BSM, including consolidating and retiring legacy systems; developing a quantitative measure of scope; and developing a plan for addressing its various human capital initiatives. GAO's observations about the expenditure plan and the BSM program include the following: IRS continued to implement BSM projects and meet cost and schedule estimates for most deliverables; however, one project milestone experienced a significant cost increase, and two milestones experienced significant schedule delays. In addition, over half of the milestones were reported completed, despite having unaddressed issues. Specifically, reported project costs and completion dates showed that 10 of the 11 milestones were completed within 10 percent of cost estimates and 9 were completed within 10 percent of schedule estimates. However, 6 out of the 10 milestones reported as complete had conditional milestone exits, meaning that they were allowed to proceed to the next milestone with unaddressed issues. Because IRS's guidance does not specify procedures for determining when to grant conditional exits, the process could potentially be used to mask cost and schedule overruns and could result in premature milestone exits, introducing cost, schedule, and performance risks. BSM project releases continue to face significant risks and issues, which IRS is addressing. For example, IRS reports that a release of its new taxpayer information database continues to face schedule risks. Further, IRS recently informed GAO that it had stopped work on releases of two key systems and would re-evaluate them in light of the long-term plans for BSM, which are being revisited and are expected to be defined at a high level by June 2009. While IRS is addressing the risks and issues confronting the BSM program, GAO will continue to monitor these efforts. Security weaknesses continue to affect IRS's modernization environment. As GAO recently reported, IRS continues to have weaknesses in its information security controls. In addition, the Treasury Inspector General for Tax Administration reported that two tax administration systems were deployed with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


GAO-09-281, Business Systems Modernization: Internal Revenue Service's Fiscal Year 2009 Expenditure Plan This is the accessible text file for GAO report number GAO-09-281 entitled 'Business Systems Modernization: Internal Revenue Service's Fiscal Year 2009 Expenditure Plan' which was released on March 11, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: United States Government Accountability Office: GAO: March 2009: Business Systems Modernization: Internal Revenue Service's Fiscal Year 2009 Expenditure Plan: GAO-09-281: GAO Highlights: Highlights of GAO-09-281, a report to congressional committees. Why GAO Did This Study: The Internal Revenue Service‘s (IRS) Business Systems Modernization (BSM) program is a multi-billion-dollar, high-risk, highly complex effort that involves the development and delivery of a number of modernized systems that are intended to replace the agency‘s aging business and tax processing systems. As required, IRS submitted its fiscal year 2009 expenditure plan in August 2008 to the congressional appropriations committees, requesting $222 million from the BSM account. GAO‘s objectives in reviewing the expenditure plan were to (1) determine whether it satisfies the applicable legislative conditions, (2) determine IRS‘s progress in implementing prior expenditure plan review recommendations, and (3) provide additional observations about the plan and the BSM program. To accomplish the objectives, GAO analyzed the plan, reviewed related documentation, and interviewed IRS officials. What GAO Found: IRS‘s expenditure plan satisfies the applicable legislative conditions, which include meeting the Office of Management and Budget‘s (OMB) capital planning and investment control review requirements, and complying with federal systems acquisition requirements and management practices. IRS has addressed two of GAO‘s prior recommendations to improve its management capabilities and controls, including a recommendation to develop policies and procedures for developing and managing project requirements. However, work remains in order to fully implement other recommendations: developing long-term plans for completing BSM, including consolidating and retiring legacy systems; developing a quantitative measure of scope; and developing a plan for addressing its various human capital initiatives. GAO‘s observations about the expenditure plan and the BSM program include the following: * IRS continued to implement BSM projects and meet cost and schedule estimates for most deliverables; however, one project milestone experienced a significant cost increase, and two milestones experienced significant schedule delays. In addition, over half of the milestones were reported completed, despite having unaddressed issues. Specifically, reported project costs and completion dates showed that 10 of the 11 milestones were completed within 10 percent of cost estimates and 9 were completed within 10 percent of schedule estimates. However, 6 out of the 10 milestones reported as complete had conditional milestone exits, meaning that they were allowed to proceed to the next milestone with unaddressed issues. Because IRS‘s guidance does not specify procedures for determining when to grant conditional exits, the process could potentially be used to mask cost and schedule overruns and could result in premature milestone exits, introducing cost, schedule, and performance risks. * BSM project releases continue to face significant risks and issues, which IRS is addressing. For example, IRS reports that a release of its new taxpayer information database continues to face schedule risks. Further, IRS recently informed GAO that it had stopped work on releases of two key systems and would re-evaluate them in light of the long-term plans for BSM, which are being revisited and are expected to be defined at a high level by June 2009. While IRS is addressing the risks and issues confronting the BSM program, GAO will continue to monitor these efforts. * Security weaknesses continue to affect IRS‘s modernization environment. As GAO recently reported, IRS continues to have weaknesses in its information security controls. In addition, the Treasury Inspector General for Tax Administration reported that two tax administration systems were deployed with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery. What GAO Recommends: GAO recommends that the Commissioner of Internal Revenue direct that procedures be defined for determining when to grant conditional milestone exits. In commenting on a draft of this report, IRS agreed with the recommendation and outlined steps it plans to take, including strengthening its governance processes to emphasize the prevention of premature milestone exits. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/products/GAO-09-281]. For more information, contact David A. Powner at (202) 512-9286, or pownerd@gao.gov. [End of section] Contents: Letter: Conclusions: Recommendation for Executive Action: Agency Comments and Our Evaluation: Appendix I: Briefing Slides from the Jan. 13, 2009, Briefing to the Senate and House Appropriations Subcommittee Staffs: Appendix II: Comments from the Internal Revenue Service: Appendix III: GAO Contact and Staff Acknowledgments: Abbreviations: AD: Applications Development: AMS: Accounts Management Services: BSM: Business Systems Modernization: CADE: Customer Account Data Engine: EA: enterprise architecture: ELC: enterprise life cycle: ESC: Executive Steering Committee: IRS: Internal Revenue Service: MCL: Maintaining Current Levels: MeF: Modernized e-File: MV&S: Modernization Vision and Strategy: NAP: National Account Profile: OMB: Office of Management and Budget: PIR: post-implementation review: TIGTA: Treasury Inspector General for Tax Administration: [End of section] United States Government Accountability Office: Washington, DC 20548: March 11, 2009: Congressional Committees: As required, the Internal Revenue Service (IRS) submitted its fiscal year 2009 expenditure plan in August 2008 to the congressional appropriations committees, requesting $222 million from the Business Systems Modernization (BSM) account, which funds IRS's efforts to modernize its business and tax processing systems.[Footnote 1] Our objectives in reviewing the plan were to (1) determine whether the plan satisfies the applicable legislative conditions,[Footnote 2] (2) determine IRS's progress in implementing our prior recommendations, and (3) provide any other observations about the plan and IRS's BSM program. On December 12, 2008, we provided the results of our review to congressional appropriations subcommittee staffs. We followed up with a briefing to the staffs on January 13, 2009. This report transmits the materials we used at the briefing and provides the recommendation that we made to the Commissioner of Internal Revenue. The full briefing materials, including our scope and methodology, are included as appendix I. In summary, we made the following major points: * IRS's fiscal year 2009 plan satisfies each of the six legislative conditions. These conditions include meeting OMB's capital planning and investment control review requirements, and complying with federal systems acquisition requirements[Footnote 3] and management practices. * IRS has addressed two of our prior recommendations to improve its management capabilities and controls, including our recommendation to develop policies and procedures for developing and managing project requirements and to determine whether completed projects have achieved expected benefits. However, work remains to fully implement other recommendations: developing long-term plans for completing BSM, including consolidating and retiring legacy systems; developing a quantitative measure of scope; and developing a plan for addressing its various human capital initiatives. * IRS has made progress in implementing BSM projects and in meeting cost and schedule estimates for most deliverables, but one project milestone[Footnote 4] experienced a significant cost increase, and two project milestones experienced significant schedule delays. In addition, over half of the milestones were reported completed, despite having unaddressed issues. During 2008, IRS completed milestones for Modernized e-File (MeF), an electronic filing system; Customer Account Data Engine (CADE), the new taxpayer information database; and Accounts Management Services (AMS), a system intended to provide applications for IRS employees to access, validate, and update accounts on demand. Our analysis of reported project costs and completion dates showed that 10 of the 11 associated project milestones that were scheduled for completion during this time were completed within 10 percent of cost estimates, and 9 of 11 milestones were delivered within 10 percent of schedule estimates. However, a milestone for MeF exceeded its planned schedule by 54 percent and experienced a 40 percent increase in cost. Additionally, a milestone for CADE exceeded its planned schedule by 10 percent, as of November 24, 2008; however, work on this milestone was stopped, pending the completion of a review of long-term plans for BSM, and will be re-evaluated in light of the new plans. Of the 10 milestones that were reported completed during fiscal year 2008, 6 received conditional exits, meaning that they were allowed to proceed with outstanding issues remaining to be addressed. Examples of outstanding issues include incomplete test cases and incomplete security certification and accreditation. Ideally, projects should proceed to the next milestone without significant issues needing to be addressed. In addition, we have previously reported that investment management procedures typically specify procedural rules for decision- making during project oversight.[Footnote 5] While IRS's guidance states that Executive Steering Committees may grant conditional exits, it does not specify procedures for determining when to grant them. Without these procedures, the conditional exit process could potentially be used to mask cost and schedule overruns and result in projects exiting milestones prematurely, thereby introducing cost, schedule, and performance risks. * BSM project releases continue to face significant risks and issues, which IRS is addressing. For example, CADE continues to face schedule risks for one of its releases, as a result of having to reallocate resources to address software changes necessitated by the requirements of the Economic Stimulus Act of 2008.[Footnote 6] Also, because of the interdependencies between CADE and AMS, IRS has to coordinate significant integration management activities between these two projects. Further, IRS's Commissioner and Chief Technology Officer recently informed us that IRS had stopped work for the 2010 filing season release of CADE and a release of AMS and would re-evaluate the planned scope and functionality for these releases in light of the long- term plans for BSM that are expected to be defined at a high level by June 2009.[Footnote 7] While IRS continues to monitor these issues, the risks and challenges facing future releases of CADE, MeF, and AMS are, nevertheless, significant. Given this, we will continue to monitor the risks and IRS's actions to address them. * IRS continues to use its high-priority initiatives program to address identified challenges. This program improvement process continues to be an effective means of regularly assessing, prioritizing, and incrementally addressing BSM issues and challenges. In September 2008, IRS completed another cycle of high-priority initiatives and is currently working on a cycle that is scheduled to be completed by the end of March 2009. Initiatives that were addressed in the 6-month cycle ending in September 2008 included information security, refining the system retirement and consolidation strategy, and infrastructure improvements (e.g., executing a strategy developed for technology migrations to modernized technology). * Security weaknesses continue to affect IRS's modernization environment. As we reported in November 2008[Footnote 8] and January 2009,[Footnote 9] the agency continues to have weaknesses in its information security controls. In addition, in September 2008, the Treasury Inspector General for Tax Administration reported that both CADE and AMS were deployed with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery. Further, IRS has identified security weaknesses through its high-priority initiatives program. While actions to address our report findings and the high-priority initiatives help to improve IRS's security posture, the modernization environment will continue to be at risk until the agency completes these initiatives and addresses our report findings. Conclusions: During 2008, IRS continued to make progress in delivering BSM projects that provided benefits to both taxpayers and the agency. IRS also continued to improve its management capabilities and controls by, among other things, implementing two of our recommendations from prior expenditure plan reviews and addressing its high-priority initiatives. These actions will likely result in improved management of BSM and may help mitigate the risks inherent in managing such a large and complex program. However, IRS is still facing challenges in consistently meeting its cost and schedule estimates, managing project-specific risks, addressing high-priority initiatives, and securing its many systems. In addition, IRS has not yet fully implemented all prior recommendations: developing long-term plans for completing BSM, including consolidating and retiring legacy systems; developing a quantitative measure of scope; and developing a plan for addressing its various human capital initiatives. Finally, IRS's use of conditional milestone exits is not supported by documented procedures. Without documented procedures, the conditional exit process could potentially be used to mask cost and schedule overruns and result in projects exiting milestones prematurely, thereby introducing cost, schedule, and performance risks. Recommendation for Executive Action: We are recommending that the Commissioner of Internal Revenue direct that procedures be defined for determining when to grant conditional milestone exits. Such guidance would help ensure that IRS's process for granting milestone exit approvals is not used to mask cost and schedule overruns and that projects are not exiting milestones prematurely thereby introducing cost, schedule, and performance risks. Agency Comments and Our Evaluation: IRS's Deputy Commissioner for Operations Support provided written comments on a draft of this report (reprinted in app. II). In these comments, IRS stated it was pleased that the report confirmed that the expenditure plan (1) satisfied the legislative conditions and (2) acknowledged the progress made in addressing prior recommendations, implementing BSM projects, and addressing BSM risks and issues. IRS also agreed with our recommendation to define procedures for determining when to grant conditional exits. The agency further stated it would continue to follow the existing ELC processes for milestone readiness reviews to determine whether projects have met the necessary conditions to exit a milestone, and would strengthen its governance processes to emphasize the prevention of premature milestone exits. We are sending copies of this report to the Chairmen and Ranking Members of the Senate and House committees and subcommittees that have appropriations, authorization, and oversight responsibilities for IRS. We are also sending copies to the Commissioner of Internal Revenue, the Secretary of the Treasury, the Chairman of the IRS Oversight Board, and the Director of OMB. In addition, the report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. Should you or your offices have questions on matters discussed in this report, please contact me at (202) 512-9286 or at pownerd@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix III. Signed by: David A. Powner: Director, Information Technology Management Issues: List of Congressional Committees: The Honorable Richard J. Durbin: Chairman: The Honorable Susan Collins: Ranking Member: Subcommittee on Financial Services and General Government: Committee on Appropriations: United States Senate: The Honorable JosÚ E. Serrano: Chairman: The Honorable Jo Ann Emerson: Ranking Member: Subcommittee on Financial Services and General Government: Committee on Appropriations: House of Representatives: [End of section] Appendix I: Briefing Slides from the Jan. 13, 2009, Briefing to the Senate and House Appropriations Subcommittee Staffs: Review of IRS‘s Fiscal Year 2009 Business Systems Modernization Expenditure Plan: Briefing for Staff Members of the Subcommittee on Financial Services and General Government, Senate Committee on Appropriations, and, Subcommittee on Financial Services and General Government, House Committee on Appropriations: December 12, 2008: Contents: Introduction and Objectives: Results in Brief: Background: Scope and Methodology: Results: Conclusions: Recommendation for Executive Action: Agency Comments and Our Evaluation: Appendixes: I: Description of Business Systems Modernization Projects and Program- Level Initiatives: II: Additional Detail on IRS‘s Fiscal Year 2009 BSM Expenditure Plan: III: IRS Reported Project Cost/Schedule for Projects Scheduled for Completion in Fiscal Year 2008: [End of section] Introduction and Objectives: The Internal Revenue Service (IRS) has long relied on obsolete automated systems for key operational and financial management functions, and its attempts to modernize these computer systems span several decades. IRS‘s multibillion-dollar Business Systems Modernization (BSM) program, initiated in fiscal year 1999, is the agency‘s latest attempt to modernize its systems. IRS contracted with Computer Sciences Corporation as the PRIME systems integration support contractor to assist with designing, developing, and integrating a new set of information systems that are intended to replace IRS‘s aging business and tax processing systems. BSM is a high-risk, highly complex program that involves the development and delivery of a number of modernized tax administration, internal management, and core infrastructure projects that are intended to provide improved and expanded service to taxpayers and internal business efficiencies for IRS. In fiscal year 2006, IRS developed a new Modernization Vision and Strategy (MV&S)[Footnote 10] in response to our recommendation to fully revisit the vision and strategy for the BSM program and develop a new set of long-term goals, strategies, and plans consistent with the budgetary outlook and IRS‘s management capabilities.[Footnote 11] The MV&S represents a new approach to the modernization effort emphasizing, among other things, involving joint business and IT leadership throughout the process; delivering smaller, incremental releases more frequently; and leveraging existing systems where appropriate. As required by the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009,[Footnote 12] which provides appropriations for the IRS for fiscal year 2009, funds for the BSM program (excluding labor costs) are not available until IRS submits a modernization expenditure plan for approval to the congressional appropriations committees.[Footnote 13 This plan must: * meet the capital planning and investment control review requirements established by the Office of Management and Budget (OMB); * comply with IRS‘s enterprise architecture;[Footnote 14] * conform with IRS‘s enterprise life cycle methodology;[Footnote 15] * comply with federal acquisition rules, requirements, guidelines, and systems acquisition management practices; * be approved by IRS, the Department of the Treasury, and OMB; and; * be reviewed by GAO. Since mid-1999, IRS has submitted a series of expenditure plans requesting release of BSM-appropriated funds. To date, about $2.6 billion has been appropriated and released for BSM. On August 15, 2008, IRS submitted its fiscal year 2009 expenditure plan to the relevant House and Senate appropriations subcommittees, seeking release of $222 million from the BSM account. As agreed with IRS‘s appropriations subcommittees, our objectives were: * determine whether IRS‘s fiscal year 2009 expenditure plan satisfies the applicable legislative conditions; * provide an update on IRS's progress in implementing our prior expenditure plan review recommendations; and; * provide any other observations about the expenditure plan and IRS's BSM program, including progress in delivering BSM projects and in meeting cost and schedule commitments, and risks and challenges confronting planned project releases. Results in Brief: IRS‘s fiscal year 2009 plan satisfies each of the six legislative conditions. IRS has addressed two of our prior recommendations to improve its management capabilities and controls, including our recommendation to develop policies, procedures, and tools for developing and managing project requirements and determine whether completed projects have achieved expected benefits. However, steps remain to fully implement our recommendations in three areas: (1) developing long-term plans for completing BSM and consolidating and retiring legacy systems, (2) developing a quantitative measure of progress in delivering systems‘ planned functionality (scope), and (3) developing a plan for addressing IRS‘s various human capital initiatives. Regarding long-term plans for completing BSM, IRS‘s Commissioner and Chief Technology Officer recently informed us that they had tasked the agency with defining these plans by February 2009 and ensuring they address key findings and recommendations from recent audits, with particular emphasis on IT security, financial statement material weaknesses, and long-term architecture and planning. While IRS‘s actions are positive steps, until our recommendations are fully implemented, there is a risk that IRS will not effectively manage its modernization program, and Congress may not have the information it needs to effectively assess IRS‘s performance in implementing BSM. We have four observations related to the BSM program and fiscal year 2009 expenditure plan: * IRS continued to implement BSM projects and meet cost and schedule commitments for most deliverables, but one project milestone experienced a significant cost increase and two project milestones experienced significant schedule delays. In addition, over half of the milestones were reported completed despite having unaddressed issues. Since March 2008, when we reported on our last expenditure plan review, IRS completed milestones of Modernized e-File (MeF) (an electronic filing system), Customer Account Data Engine (CADE) (the new taxpayer information database), and Accounts Management Services (AMS) (a system intended to provide applications for IRS employees to access, validate, and update accounts on demand). Our analysis of IRS‘s reported planned and actual costs and completion dates showed that 10 of the 11 project milestones scheduled for completion during the year were completed within 10 percent of cost estimates and 9 of them were completed within 10 percent of schedule estimates. However, 6 out of the 10 milestones that were reported completed had conditional milestone exits, meaning that they were allowed to proceed to the next milestone with outstanding issues remaining to be addressed. While IRS‘s guidance states that conditional exits may be granted, it does not specify procedures for determining when to grant them. Without these procedures, the conditional exit process could potentially be used to mask cost and schedule overruns and result in projects exiting milestones prematurely, thereby introducing cost, schedule, and performance risks. * BSM project releases continue to face significant risks and issues, which IRS is addressing. IRS has reported that challenges and risks continue to confront planned project releases. For example, CADE continues to face schedule risks for one of its releases as a result of having to reallocate resources to address software changes necessitated by the requirements of the Economic Stimulus Act of 2008.[Footnote 16] Also, because of the interdependencies between CADE and AMS, IRS has to coordinate significant integration management activities between these two projects. Further, IRS‘s Commissioner and Chief Technology Officer recently informed us that IRS had stopped work underway for the 2010 filing season release of CADE and a release of AMS and would re- evaluate the planned scope and functionality for these releases in light of the long-term plans for BSM that are expected to completed by February 2009. * IRS continues to use its high-priority initiatives program to address identified challenges. IRS‘s high-priority initiatives program improvement process continues to be an effective means of regularly assessing, prioritizing, and incrementally addressing BSM issues and challenges. Beginning in March 2008, IRS expanded this program to the Deputy Commissioner of Operations Support level, so that it now addresses challenges not only at the level of IRS‘s IT organization (MITS), but also across other organizations such as the Human Capital Office and the Office of Privacy, Information Protection, and Data Security. Initiatives addressed in the recent cycle include developing a strategy and approach for professional security certifications for MITS personnel and developing a comprehensive computer security program plan. * Security weaknesses continue to affect IRS‘s modernization environment. Specifically, we recently reported that IRS continues to have weaknesses with its information security controls.[Footnote 17] For example, we noted that sensitive information, including user IDs and passwords for mission critical applications, continued to be readily available to any user on IRS‘s internal network. In addition, in September 2008, the Treasury Inspector General for Tax Administration (TIGTA) reported that both CADE and AMS were deployed with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery. Further, IRS has also identified security weaknesses through its high-priority initiatives program, and is working to address them. Until these actions and our report findings are addressed, the modernization environment will continue to be at risk. We are recommending that the Commissioner of Internal Revenue direct that procedures be defined for determining when to grant conditional milestone exits. Such guidance would help ensure that IRS‘s process for granting milestone exit approvals is not used to mask cost and schedule overruns and projects are not exiting milestones prematurely, thereby introducing cost, schedule, and performance risks. In e-mail comments on a draft of this briefing, the Associate Chief Information Officer for Applications Development agreed that clearer guidance and criteria are needed regarding conditional exits but stated that our language insinuates deliberate masking of cost and schedule. We are not implying that IRS would deliberately mask cost and schedule but expressing our concern that, without documented procedures, the potential for doing so exists. We have modified this briefing to clarify this. IRS also provided technical comments which we addressed, as appropriate. Background: Since 1999, we have reviewed and reported on 15 BSM expenditure plans. In particular, we have reported on program management capabilities and controls that are critical to the effective management of the BSM program. They include: * cost and schedule estimates: IRS did not have effective procedures for validating contractor-developed cost and schedule estimates; [Footnote 18] * contract management: IRS did not have effective processes for determining the type of task order to be awarded in acquiring modernized systems;[Footnote 19] * requirements development and management: IRS did not have adequate policies and procedures in place to guide its system modernization projects in developing and managing requirements;[Footnote 20] * post-implementation review: post-implementation reviews conducted were incomplete and did not follow IRS procedures;[Footnote 21] and' * human capital: IRS did not have a plan with specific time frames for addressing its human capital initiatives.[Footnote 22] We have made recommendations aimed at strengthening IRS‘s program management controls and capabilities. Over the years, IRS has addressed several of these recommendations. However, more work remains for some capabilities and controls to be fully institutionalized or implemented. The modernization of IRS‘s tax administration systems and supporting technical infrastructure (BSM), driven by a new Modernization Vision and Strategy (MV&S),[Footnote 23] involves both leveraging existing (legacy) applications and deploying modernized systems. This represents a shift in the thinking at the outset of the program, which was to completely replace the existing environment. IRS‘s Applications Development (AD) organization has primary responsibility for managing and delivering the BSM program. This group, within the Office of the Chief Information Officer, was established in 2006 and integrates Business Systems Modernization”whose primary mission was delivering IRS modernization”with the Business Systems Development Division”whose primary focus was maintaining the current production systems environment (i.e., legacy applications). AD is headed by the Associate Chief Information Officer for Applications Development. The AD organization includes three core competency areas: * Domains focus on IT legacy and modernized systems that support a major functional mission area of the IRS (e.g., Compliance and Customer Service). * Matrix domains support functions for the primary operating domains and are tasked with improving the effectiveness of AD operations (e.g., the Test, Assurance, and Documentation Office and the Program Management Office). * Front office teams perform administrative, human resources, and financial management functions for the entire organization (e.g., Resource Management). To help manage its systems, IRS recently established an enterprise governance structure and an investment decision-making process, which, among other things, provide a standard approach for reviewing projects. The structure is composed of various levels of governance bodies which track projects‘ progress and make project cost, schedule, and scope decisions. These bodies include Executive Steering Committees (ESCs), which are domain level committees that oversee their investment portfolio. The committees are chaired by a business leader and an IT leader who share accountability over the domain strategy and associated project delivery. As investments complete milestones, they submit milestone exit review packages to the ESCs for approval. The ESCs may approve, conditionally approve, or deny a milestone exit. IRS‘s fiscal year 2009 expenditure plan describes the agency‘s efforts to develop modernized systems and supporting infrastructure.[Footnote 24] They include: * continuing ongoing program-level initiatives (e.g., architecture and integration and program management) and core infrastructure projects (e.g., infrastructure shared services), and, * continuing seven tax administration project releases to their next milestones. Key tax administration projects include: * Modernized e-File, which is to provide a single standard for filing electronic tax returns; * Customer Account Data Engine, which is intended to provide the modernized database foundation to replace the existing Individual Master File processing system, which contains the repository of individual taxpayer information; and, * Accounts Management Services, which is intended to enhance the Customer Account Data Engine by providing applications that enable IRS employees to access, validate, and update accounts on demand. Details on these and other BSM projects and program-level initiatives identified in the fiscal year 2009 plan are provided in appendix 1. Table 1 shows a financial summary of the plan. Table 1: Summary of IRS‘s Fiscal Year 2009 BSM Expenditure Plan[A]: Tax administration project: Modernized e-File; Amount requested (in thousands): $25,000. Tax administration project: Customer Account Data Engine; Amount requested (in thousands): $58,800. Tax administration project: Accounts Management Services; Amount requested (in thousands): $26,158. Subtotal”tax administration projects: Amount requested (in thousands): $109,958. Core infrastructure projects: Development, Integration, and Testing Environments; Amount requested (in thousands): $10,000. Core infrastructure projects: Infrastructure Shared Services; Amount requested (in thousands): $22,000. Subtotal”core infrastructure projects: Amount requested (in thousands): $32,000. Architecture, integration, and management: Architecture and Integration; Amount requested (in thousands): $13,745. Architecture, integration, and management: Business Integration; Amount requested (in thousands): $4,206. Architecture, integration, and management: Business Rules and Requirements Management; Amount requested (in thousands): $3,160. Architecture, integration, and management: Management Processes; Amount requested (in thousands): $3,539. Architecture, integration, and management: Federally Funded Research and Development Center; Amount requested (in thousands): $7,396. Architecture, integration, and management: Project Management; Amount requested (in thousands): $2,954. Subtotal”architecture, integration, and management Amount requested (in thousands): $35,000. Management Reserve: Amount requested (in thousands): $2,300. BSM Capital Total: Amount requested (in thousands): $179,258. BSM Labor Total: Amount requested (in thousands): $42,052. Maintaining Current Levels (MCL)[B]: Amount requested (in thousands): $1,354. Total: $222,664. Source: GAO analysis of IRS data. [A] See appendix II for additional details on the plan. [B] Maintaining Current Levels (MCL) is the inflationary factor for the BSM labor cost. [End of table] Scope and Methodology: To accomplish our objectives, we: * reviewed the fiscal year 2009 expenditure plan submitted by IRS in August 2008; * analyzed the plan for compliance with the applicable legislative conditions; * interviewed IRS program and project management officials to corroborate our understanding of the plan and other BSM activities; * analyzed available evidence on recent agency efforts to implement our prior recommendations, including progress on improving its modernization management controls and capabilities; * reviewed and analyzed modernization program review and project management briefings and related documentation to assess program and project status and associated issues and risks; * reviewed program management reports to assess the progress IRS has made in completing actions and implementing program management improvements related to the BSM highest priority initiatives; and, * reviewed related reports by TIGTA. To assess the reliability of the cost and schedule information contained in this expenditure plan, we interviewed IRS officials in order to gain an understanding of the data and discuss our use of the data in this briefing. In addition, we confirmed that information in the plan was consistent with information contained in IRS internal briefings and other governance process artifacts. We did not, however, assess the accuracy and reliability of the information reported in these documents. We performed our work between September 2008 and December 2008, in Washington, D.C., in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Results: Legislative Conditions: Objective 1: The plan satisfies the conditions applicable to IRS‘s fiscal year 2009 appropriations. Table 2: Fiscal Year 2009 Expenditure Plan Provisions for Satisfying Legislative Conditions: Legislative condition: 1. Meets OMB capital planning and investment control review requirements; Expenditure plan provisions: IRS‘s fiscal year 2009 expenditure plan identifies funding for managing IT investments as part of a single portfolio through its capital planning and investment control process. In line with this, IRS has implemented a structured governance and decision-making process framework including various levels of governing bodies to manage its projects under a standardized approach. The framework includes policies and procedures to select, control, and evaluate investments consistent with OMB capital planning and investment control review requirements. Legislative condition: 2. Complies with IRS‘s enterprise architecture (EA); Expenditure plan provisions: The plan identifies funding for complying with IRS‘s EA by providing for continued definition and implementation of the EA. For example, it identifies funding needed for: * performing architecture, engineering, and integration activities to ensure that the IRS EA provides the information and guidance necessary for modernization projects; * supporting the performance of EA compliance certification activities; and; * finalizing and publishing updates to the EA based on change requests. In addition, according to IRS, early milestones within the enterprise life cycle take steps to ensure compliance with the EA. In the preliminary design phase, projects submit an EA Compliance Checklist, in which one item ensures that the project design is checked for EA compliance. For example, it ensures that all products used are present in the enterprise standards profile and can be seamlessly integrated into the current infrastructure without undue burden. Legislative condition: 3. Conforms with IRS‘s enterprise life cycle (ELC) methodology; Expenditure plan provisions: The plan conforms with IRS‘s ELC methodology in that it calls for meeting the requirements in IRS‘s ELC management program. For example, the plan calls for: * providing centralized guidance, administration, mitigation, and closure of risks issued throughout the life cycle of each project and, * maintaining and enhancing the ELC. Further, the plan states that IRS is developing a comprehensive security program to respond to computer security weaknesses and to position the organization to address computer security needs in the future. This approach includes updating the ELC for major systems by developing security guidance, establishing baseline requirements, and launching an initiative to develop an ELC security process for non- major projects. Further, IRS developed a governance structure to ensure enterprise-wide coordination and integration of information technology and systems compliance with the ELC. Legislative condition: 4. Complies with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government; Expenditure plan provisions: As part of the ELC, IRS has defined processes, roles, and responsibilities for implementing Carnegie Mellon University‘s Software Engineering Institute Software Acquisition Capability Maturity Model« practices for the key process areas within the repeatable level (level 2) of the 5-stage model.[A] These practices are consistent with federal acquisition requirements and management practices, and the plan calls for implementation of the ELC on all projects. Legislative condition: 5. Approved by IRS, the Department of the Treasury, and OMB; Expenditure plan provisions: * IRS”May 22, 2008; * Treasury”June 6, 2008; * OMB”August 4, 2008. Legislative condition: 6. Reviewed by GAO; Expenditure plan provisions: GAO”December 12, 2008, briefing to IRS‘s appropriations subcommittees. Sources: The Consolidated Appropriations Act, 2008, Pub. L. No. 110- 161, Div. D, title I, 121 Stat. 1844, 1976-1977 (Dec. 26, 2007), as continued by the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009, Pub. L. No. 110-329, Div. A, sec. 101, 122 Stat. 3574 (Sept. 30, 2008), and IRS‘s fiscal year 2009 expenditure plan submitted to Congress in August 2008. [A] These key process areas are acquisition planning, solicitation, requirements development and management, project management, contract tracking and oversight, evaluation, and transition to support. For this condition, we did not determine whether the expenditure plan comports with the Federal Acquisition Regulation or other federal requirements beyond those encompassed by the Software Engineering Institute‘s Capability Maturity Model. [End of table] Results: Prior Recommendation Status: Objective 2: IRS has implemented two of our previous recommendations to improve its modernization management controls and capabilities, but steps remain to fully implement the remaining ones. IRS implemented our recommendations to complete policies and procedures for requirements management and development and to determine whether projects‘ expected benefits have been achieved as part of its post implementation reviews. However, steps remain to fully implement the remaining recommendations, including developing long-term plans for completing BSM and consolidating and retiring legacy systems. Table 3: Status of IRS‘s Progress in Implementing Prior GAO Recommendations: Prior GAO recommendation: Requirements development and management” Ensure that BSM completes the delivery of policies and procedures for requirements development and management as planned; Implemented: [Check]; Status as of fiscal year 2009 plan: See p. 19. Prior GAO recommendation: Post-implementation reviews”Perform analyses of investment data to determine whether completed projects have achieved expected benefits; Implemented: [Check]; Status as of fiscal year 2009 plan: See p. 20. Prior GAO recommendation: Modernization vision and strategy”Fully revisit the vision and strategy for the BSM program and develop a new set of long-term goals, strategies, and plans that are consistent with the budgetary outlook and IRS‘s management capabilities; In progress: [Check] Status as of fiscal year 2009 plan: See pp. 21-22. Prior GAO recommendation: Quantitative measures of progress in scope” Ensure that future expenditure plans include a quantitative measure of progress in meeting project scope expectations; In progress: [Check[; Status as of fiscal year 2009 plan: See p. 23. Prior GAO recommendation: Human capital strategy”Complete a plan with specific time frames for implementing the initiatives supporting its human capital strategy; In progress: [Check]; Status as of fiscal year 2009 plan: See p. 24. Source: GAO analysis of IRS data. [End of table] Requirements Development and Management: In March 2006, we recommended that IRS complete requirements development and management policies and procedures.[Footnote 25] IRS agreed with our recommendation, and, in response, developed policies, procedures, and tools for developing and managing project requirements through its Business Rules and Requirements Management office. In March 2008, we reported[Footnote 26] that IRS had developed (1) a standardized process for the elicitation and documentation of requirements; (2) guidance on establishing and maintaining full bidirectional requirements traceability; (3) guidance on tracking cost and schedule impacts of changes to requirements; and (4) a process for ensuring that formal peer reviews are planned and completed for key requirements. We have since reviewed these documents and found that they address our recommendations. The Business Rules and Requirements Management office has been providing support to multiple projects throughout the IRS, including CADE, AMS, and MeF. For example, IRS stated that the new requirements development and management policies, procedures, and tools were used for CADE Release 5 and that the requirements office is providing support and/or consultation services to three AMS releases. By developing and implementing these policies and procedures, IRS will be able to more effectively develop and manage project requirements for the acquisition of critical systems. Post-Implementation Reviews: In November 2004, we recommended that post-implementation reviews (PIR) of deployed BSM projects include an analysis of quantitative and qualitative investment data to determine whether expected benefits were achieved.[Footnote 27] IRS agreed with our recommendation, and, in response, developed a new procedure for conducting PIRs. In March 2008, we reported that, due to resource constraints and other priorities, IRS stated that it planned to conduct streamlined PIRs on CADE and AMS releases 12-18 months after those releases are deployed, and lessons learned activities for other systems. Since then, IRS has conducted PIRs on CADE Releases 2.2 and 3.1, which documented major findings and discussed customer and user satisfactions, benefits achieved, lessons learned, and improvement opportunities. Additionally, according to IRS, PIRs were started at the end of fiscal year 2008 for AMS Releases 1.1 and 1.2A and are scheduled to be completed in December 2008. Finally, IRS is now requiring lessons learned activities to be conducted for all projects that follow its ELC. Performing these activities will allow IRS to better determine whether projects are meeting expectations. Modernization Vision and Strategy: In July 2005, we recommended that IRS fully revisit the vision and strategy for the BSM program and develop a new set of long-term goals, strategies, and plans consistent with the budgetary outlook and IRS‘s management capabilities.[Footnote 28] We also noted that the vision and strategy should include time frames for consolidating and retiring legacy systems. IRS agreed with our recommendation, and, in response, developed an initial cycle of its Modernization Vision and Strategy (MV&S) and 5-year enterprise transition strategy in fiscal year 2006 [Footnote 29] to guide IT investment decisions during fiscal years 2007 through 2011.The MV&S framework was built on a functional segmentation of IRS into core mission business functions (business domains) supported by services necessary for their effective and secure execution (service domains). The enterprise transition strategy described the overall IRS vision and strategy and how existing and proposed investments align to it. It also documented the scope, business challenges, current and transition architectures, redesign opportunities, strategy, proposed projects and associated release strategies, and the planned evolution (i.e., reuse, consolidation, retirement) of related key current production environment systems for each of the MV&S business domains. During 2007, IRS updated its 5-year transition strategy.[Footnote 30] The strategy includes security and privacy (a new service domain), planned business domains, and opportunities for retirement of legacy systems. IRS recently developed a white paper outlining an overall strategy for retiring and consolidating systems. It includes a list of guiding principles for making retirement and consolidation decisions as well as areas of focus for each business domain. An initial 5-year schedule [Footnote 31] for each domain was also developed. IRS has identified several initiatives that are required to sustain and enhance its ability to effectively retire and consolidate systems, including developing and maintaining a single comprehensive inventory of applications and systems and establishing guidance for how retirements should be implemented in the systems lifecycle. The IRS Commissioner and Chief Technology Officer also recently informed us that they had tasked the organization to clearly define plans for completing the program over the next several years and specifically define the expected outcomes, the actions necessary to achieve those outcomes, and a plan to complete those actions within reasonable timeframes and cost. They asked that the plans address key findings and recommendations from recent audits, with particular emphasis on IT security, financial statement material weaknesses, and long-term architecture and planning and stated that they would be completed by February 2009. While IRS‘s actions are positive steps, to fully implement our recommendation, the agency still needs to (1) develop a long-term plan for completing BSM and (2) complete its plans for retiring and consolidating its legacy systems. Quantitative Measure of Progress in Meeting Scope Expectations: In February 2007, we recommended that IRS ensure that future expenditure plans include a quantitative measure of progress in delivering systems‘ planned functionality (scope).[Footnote 32] We also recommended that, in developing this measure, IRS consider using earned value management[Footnote 33] since this is a proven technique required by OMB for measuring cost, schedule, and functional performance (i.e., scope of work) against plans. While IRS agreed with our recommendation to develop a quantitative measure of progress in meeting scope expectations, it has stated that it does not believe earned value management would provide this measure, given the manner in which the technique is being used at the agency.[Footnote 34] Instead, IRS has developed an incremental approach to address our recommendation. Specifically, as an initial step, IRS defined a detailed qualitative measure that indicates the difference between a project release‘s planned and delivered capabilities in the fiscal year 2008 expenditure plan. In March 2008, we reported that, as a second step, IRS planned to leverage its requirements management tools to assign quantitative values to the capabilities in the fiscal year 2009 expenditure plan. [Footnote 35] IRS did not have the measurement of scope ready for the fiscal year 2009 expenditure plan as planned but stated that it is continuing to develop the metric and is currently piloting its use. IRS also stated that a schedule for implementation and inclusion into the annual expenditure plan will depend on the outcome of the pilot efforts. Until IRS fully addresses our recommendation, IRS will not have a quantitative measure and Congress may not have the information it needs to effectively assess IRS‘s performance in implementing BSM. Human Capital Strategy: In March 2008, we reported that IRS had developed a human capital strategy for its Application Development organization that addressed hiring critical personnel, employee training, leadership development, and workforce retention and identified several initiatives it planned to undertake these areas. However, the agency did not have a specific plan, including time frames for addressing the human capital initiatives across the AD organization. Accordingly, we recommended that the agency develop such a plan.[Footnote 36] IRS agreed with our recommendation and stated that it would implement it by October 2008. In response to our recommendation, IRS developed a timeline of activities for fiscal years 2008 to 2010. However, the timeline does not specify what these activities entail or how they address the areas of hiring critical personnel, employee training, leadership development, and workforce retention that are identified in the AD human capital strategy. Until IRS develops a plan, including these specifics, it may be challenged in acquiring and retaining the staff resources it needs to effectively support BSM. Results: Observations: Objective 3: Observations about IRS‘s BSM Program and Expenditure Plan: Observation 1: IRS continued to implement BSM projects and meet cost and schedule commitments for most deliverables, but one project milestone experienced a significant cost increase and two project milestones experienced significant schedule delays. In addition, over half of the milestones were reported completed despite having unaddressed issues. Since March 2008, when we reported on our last expenditure plan review, IRS completed milestones of MeF, CADE, and AMS, which provided benefits to the taxpayers and the agency.[Footnote 37] Our analysis of IRS‘s reported planned and actual costs and completion dates showed that 10 of the 11 project milestones scheduled for completion during the year were completed within 10 percent of cost estimates and 9 of them were completed within 10 percent of scheduled estimates (see figure 1). Specifically, one release of MeF exceeded its planned schedule by 54 percent and experienced a 40 percent increase in cost. In addition, work on one release of CADE, which exceeded its planned schedule by 10 percent as of November 24, 2008, was stopped pending the completion of a review of long-term plans for BSM, and will be re-evaluated in light of the new plans. Figure 1 depicts the detailed cost and schedule variances of the project milestones that were scheduled to be delivered during fiscal year 2008. Figure 1: Summary of Cost and Schedule Performance for Fiscal Year 2008 Project Milestones: [Refer to PDF for image: illustration] Project plan depicting the following: Plus or minus 10 percent is within acceptable range. Milestone: 4a-5; Release: 5; Program: MeF; Cost variance: 0; Schedule variance: 0.7%. Milestone: 3; Release: 6; Program: MeF; Cost variance; 40%; Schedule variance 53.8%. Milestone: 4; Release: 3.2; Program: CADE; Cost variance: 0; Schedule variance: -0.4%. Milestone: 2-3; Release: 4.0; Program: CADE; Cost variance: 0; Schedule variance: -2.5%. Milestone: 4; Release: 4.1; Program: CADE; Cost variance: [A]; Schedule variance: -10.4%. Milestone: 3; Release: 5; Program: CADE; Cost variance: [B]; Schedule variance: [C]. Milestone: 5; Release: 1.1; Program: AMS; Cost variance: 0; Schedule variance: 0. Milestone: 4b; Release: 1.2; Program: AMS; Cost variance: 0; Schedule variance: 8.7%. Milestone: 4a; Release: 1.3; Program: AMS; Cost variance: 0; Schedule variance: 0.7%. Milestone: 2; Release: 2.1; Program: AMS; Cost variance: 0; Schedule variance: -2.2%. Milestone: 3; Release: 2.1; Program: AMS; Cost variance: 0; Schedule variance: 0. Source: GAO analysis of IRS data. [A] In e-mail comments on a draft of this briefing, IRS informed us that it had approved a transfer of funds from release 4.1 to release 4.2, resulting in a negative cost variance. [B] This release of CADE has not yet exited milestone 3 and therefore we cannot yet calculate cost variance for this milestone. [C] This release of CADE has not yet exited milestone 3. However, based on the start date, on November 24, 2008 schedule variance exceeded the 10 percent threshold mark for acceptable variances. [End of figure] The following provides details on the milestones that were completed within 10 percent of cost and schedule estimates. MeF: * A release of MeF completed development, test, and integration on January 3, 2008 and completed deployment on July 18, 2008. This release provides for processing the U.S. income tax returns of foreign corporations and the ePostcard forms of tax exempt and government entities. It also includes a continuously operating failover capability that IRS states will allow for posting returns 24 hours a day, seven days a week. CADE: * Release 3.2 (intended to include the legislative changes for the 2007 filing season and the data for generation of math error notices) completed development, test and integration on February 27, 2008. * Release 4 (intended to add extensions, decedent and surviving spouse returns, credit elect processing, receipt processing, criminal investigation refund holds, and last name changes) completed system logical design on February 13, 2008. Release 4.1 completed development, test, and integration on July 24, 2008. It should be noted that while this milestone was completed ahead of schedule, some functionality intended for this release was shifted to a subsequent release as a result of having to reallocate resources to address software changes necessitated by the requirements of the Economic Stimulus Act of 2008, [Footnote 38] which IRS had not anticipated. In email comments on a draft of this briefing, IRS stated that it had approved a transfer of funds from Release 4.1 to Release 4.2 to fund the requirements that were shifted from one release to the other. Release 4.2 is scheduled to be completed on March 31, 2009. Because IRS has not yet defined a quantitative measure of progress in meeting scope expectations as we have recommended, it is difficult to determine the magnitude of the adjustment or its net effect on project performance. AMS: Together, the following three AMS releases provide the capability to update authoritative account data on a daily cycle to IRS customer service representatives and a new inventory and workflow function that automates assignment, research, resolution, and closure for internally generated cases. * One release was successfully deployed on January 29, 2008. This release provides interfaces among the Desktop Integration, CADE, and current processing environment systems and allows address change transactions to be passed to the CADE system. * The second release completed development, test and integration on February 13, 2008. * The third release of AMS completed physical design on February 13, 2008. A final release of AMS completed two milestones during the year. * Conceptual design was completed on January 10, 2008, and, * System logical design was completed on June 24, 2008. The following provides details on the milestones that were significantly over cost or over schedule. * MeF Milestone 3 of Release 6 (intended to roll out the use of Form 1040 and 21 other schedules and supporting forms) experienced significant cost increases and schedule delays. This milestone was completed 63 days behind schedule.[Footnote 39] According to IRS, a longer logical design phase was required primarily due to a requirement for additional application functionality (real time transactions with the IRS National Account Profile (NAP) and new reports) as well as added complexity to the infrastructure for interfacing with the NAP and Electronic Fraud Detection System. * CADE Release 5 (primarily intended to improve the infrastructure and availability of CADE) was scheduled to complete logical design (milestone 3) on September 30, 2008. However, this schedule was not met. In addition, the IRS Commissioner and Chief Technology Officer have told us that work on this release has been stopped pending the results of a review of long-term plans for BSM. This review is expected to be completed in February 2009. * Further, it should be noted that, of the ten milestones that were reported completed during fiscal year 2008, six received conditional exits,[Footnote 40] meaning that they were allowed to proceed with outstanding issues remaining to be addressed. Examples of outstanding issues include incomplete test cases and incomplete security certification and accreditation. Ideally, projects should proceed to the next milestone without significant issues needing to be addressed. In addition, we have previously reported that investment management procedures typically specify the procedural rules for decision-making during project oversight.[Footnote 41] While IRS‘s guidance states that ESCs may grant conditional exits, it does not specify procedures for determining when to grant them. Without these procedures, the conditional exit process could potentially be used to mask cost and schedule overruns and result in projects exiting milestones prematurely, thereby introducing cost, schedule, and performance risks. Observation 2: BSM project releases continue to face significant risks and issues, which IRS is addressing. IRS has reported that challenges and risks continue to confront planned project releases. MeF: IRS indicates that because of delays in completing the logical design phase of the current MeF release (Release 6), there is no slack in the schedule. Further, MeF depends significantly on the portal environment‘s ability to support the volume of Form 1040s. Engineering and capacity analyses have been launched to help ensure that the portal environment can support the volume. CADE: IRS reports that because of the added requirement this year to complete the work necessitated by the requirements of the Economic Stimulus Act of 2008,[Footnote 42] there is no slack in the schedule for completing Release 4 which, as previously noted, is intended to add extensions, decedent and surviving spouse returns, credit elect processing, receipt processing, criminal investigation refund holds, and last name changes. To mitigate this risk, IRS is currently using two separate teams working in parallel to maintain the schedule, along with conducting impact assessments. In addition, four contract line items were shifted from Release 4.1 into Release 4.2. In e-mail comments on a draft of this briefing, IRS informed us that it had approved a transfer of $8 million from Release 4.1 to Release 4.2 to address this. These funds are to be supplemented with $1.525 million from management reserve and $475,000 from fiscal year 2007 Risk Adjustment. IRS has held meetings to develop a re-plan strategy that deploys most of the remaining functionality by the end of February 2009. Certain non-critical components would be deferred to a future release. IRS also reported that CADE Release 5 (to be deployed in 2010) may face resource contention with Release 4.2, as well as funding and cost estimation issues and a possible need to shift functionality from Release 4 into this release. As noted above, logical design work was not completed by September 2008 as planned, and the IRS Commissioner and Chief Technology Officer informed us that the work on the release had been stopped and would be re-evaluated in light of the long-term plans for BSM that are expected to completed by February 2009. IRS also expects future releases of CADE to increase in complexity. AMS: AMS and CADE releases depend on one another to a great extent. Specifically, AMS releases require specific CADE functionality in order to be deployed. CADE also depends on some of the planned AMS functionality deployments to allow CADE to accept more complicated returns and better resolve taxpayer issues. Because of these interdependencies, IRS has to coordinate significant integration management activities. In March 2008, we reported that IRS was working on a Release Content Master Plan to address the risks associated with the interdependencies. In November 2008, the Acting Deputy Commissioner for Operations Support informed us that the current Release Content Master Plan will not be used because, as noted above, IRS is reevaluating CADE Release 5 and also reevaluating the scope of AMS Release 2.1 given its interdependency with CADE. According to the Associate CIO for Applications Development, IRS has also stopped working on AMS Release 2.2 pending the review of long-term plans for BSM. While IRS continues to monitor these issues, the risks and challenges facing future releases of CADE, MeF, and AMS are nevertheless significant. If these risks are not effectively managed, the projects could face cost increases and IRS's modernization efforts could be delayed. Given this, we will continue to monitor the risks and IRS‘s actions to address them. Observation 3: IRS continues to use the high-priority initiatives program to address identified challenges. IRS‘s high-priority program improvement initiatives process[Footnote 43] continues to be an effective means of regularly assessing, prioritizing, and incrementally addressing BSM issues and challenges. Beginning in March 2008, IRS expanded this program to the Deputy Commissioner of Operations Support level, so that it now addresses challenges not only at the level of IRS‘s IT Organization (MITS), but also across other organizations such as the Human Capital Office and the Office of Privacy, Information Protection, and Data Security. In September 2008, IRS completed another cycle of high-priority initiatives and is currently working on a cycle that is scheduled to be completed by the end of March 2009. The most recently completed cycle included multiple initiatives for MITS, including many focused on security-related challenges. The key focus areas for MITS during this cycle included: * security improvements (developing a strategy and approach for professional security certifications for MITS personnel and developing a comprehensive computer security program plan); * refining the system retirement and consolidation strategy to align with MV&S); * operational improvements (assessing and addressing security vulnerabilities associated with a computing center mainframe environment, and limiting access controls to authorized personnel); and, * infrastructure improvements (executing a strategy developed for technology migrations to modernized technology). Observation 4: Security weaknesses continue to affect IRS‘s modernization environment. IRS continues to have security weaknesses that affect its modernization environment. In March 2008, we reported that IRS had just recently updated its enterprise life cycle methodology to incorporate security processes, procedures, and tools into the early stages of the enterprise life cycle. Further, we recently reported that IRS continued to have weaknesses with its information security controls.[Footnote 44] For example, we noted that sensitive information, including user IDs and passwords for mission critical applications, continued to be readily available to any user on IRS‘s internal network. These IDs and passwords could be used by a malicious user to compromise data flowing to and from IRS‘s Integrated Financial System, which is part of the modernization environment.[Footnote 45] We stated that the key reason for the presence of these and other weaknesses was the lack of a fully implemented security program. In written comments on a draft of our report, IRS recognized that information security continues to be a significant issue, and noted that it established an Office of Online Fraud Detection and Prevention to address evolving online threats affecting IRS and taxpayers. IRS also noted that it developed a corrective action plan to address information technology security training, systems auditing, access controls, system security configuration control, and systems disaster recovery. Further, in September 2008, TIGTA reported that while IRS had established appropriate system development policies and procedures requiring security and privacy safeguards to be planned for and designed in the early phases of a system‘s development cycle, both CADE and AMS were deployed with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery. These vulnerabilities increase the risks that 1) an unscrupulous person, with little chance of detection, could gain unauthorized access to the vast amount of taxpayer information that the IRS processes, and 2) the systems could not be recovered effectively and efficiently during an emergency. The IRS agreed with the TIGTA‘s recommendations and stated that it would continue to follow the governance process documented in the Customer Service Executive Steering Committee[Footnote 46] charter and consider all security vulnerabilities to ensure that best practices are in place for the successful delivery of project security and functionality. As noted above, IRS recently informed us that work planned for certain CADE and AMS releases had stopped pending a re-evaluation of immediate and long- term functionality and scope for these systems, including incorporating security concerns raised by GAO and TIGTA. IRS has also identified security weaknesses through its high-priority initiatives program, and, to its credit, it is working to address them. For example, through this program, IRS recently updated its enterprise life cycle methodology to consistently incorporate security guidance for non-major projects.[Footnote 47] Through its high-priority initiatives program, IRS reported having addressed additional security practices including: * developing a strategy and approach for professional security certifications for systems and database administrators; * developing business requirements for the use of digital certificates and public key infrastructure technology; and, * working to develop a comprehensive Computer Security Program Plan to allow IRS to identify current and planned security projects and initiatives. While actions to address our report findings and the high-priority initiatives help to improve its security posture, IRS‘s modernization environment will continue to be at risk until the agency fully implements its security program, as evidenced by the recent GAO and TIGTA reports. Conclusions: During 2008, IRS continued to make progress in delivering BSM projects that provided benefits to both taxpayers and the agency. IRS also continued to improve its management capabilities and controls by, among other things, implementing two of our recommendations from prior expenditure plan reviews and addressing its high priority initiatives. These actions will likely result in improved management of BSM and help mitigate the risks inherent in managing such a large and complex program. However, IRS is still facing challenges in consistently meeting its cost and schedule commitments, managing project-specific risks, addressing high priority initiatives, and securing its many systems. In addition, IRS has not yet fully implemented all prior recommendations, including developing long-term plans for completing BSM and consolidating and retiring legacy systems, developing a quantitative measure of scope, and developing a plan for addressing its various human capital initiatives. Finally, IRS‘s use of conditional milestone exits is not supported by documented procedures. Without documented procedures, the conditional exit process could potentially be used to mask cost and schedule overruns and result in projects exiting milestones prematurely, thereby introducing cost, schedule, and performance risks. Recommendation for Executive Action: We are recommending that the Commissioner of Internal Revenue direct that procedures for determining when to grant conditional milestone exits be defined. Such guidance would help ensure that IRS‘s process for granting milestone exit approvals is not used to mask cost and schedule overruns and projects are not exiting milestones prematurely, thereby introducing cost, schedule, and performance risks. Agency Comments and Our Evaluation: In email comments on a draft of this briefing, the Associate Chief Information Officer for Applications Development agreed that clearer guidance and criteria are needed regarding conditional exits but stated that our language insinuates deliberate masking of cost and schedule. IRS also identified a situation where milestone exits will always be conditional and stated that all work performed is charged to the appropriate milestone, despite the conditional exit. We are not implying that IRS would deliberately mask cost and schedule overruns. We are stating our concern that, that without documented procedures, the potential for doing so exists. We have modified this briefing to clarify this. IRS also provided technical comments which we addressed, as appropriate. Appendix I: Description of BSM Projects and Program-Level Initiatives: Tax administration projects: Proposed modernization initiative: Modernized e-File; Description: Is to provide a single standard for filing electronic tax returns. Initial releases will address large corporations, small businesses, and tax-exempt organizations. Its ultimate goal is the conversion of IRS‘s 1040 e-file program. Proposed modernization initiative: Customer Account Data Engine; Description: Is to build the modernized database foundation to replace the existing Individual Master File processing system that contains the repository of individual taxpayer information. Proposed modernization initiative: Accounts Management Services; Description: Is to deliver improved customer support and functionality by leveraging existing IRS applications (Desktop Integration and Correspondence Imaging System) and new technologies to bridge the gap between modernization initiatives, such as the Customer Account Data Engine, and legacy systems. Accounts Management Services is to enhance the Customer Account Data Engine by providing applications for IRS employees and taxpayers to access, validate, and update accounts on demand. Core infrastructure projects: Proposed modernization initiative: Development, Integration, and Testing Environments; Description: Is to provide oversight for laboratory environments that support evaluation, development, and testing of components from multiple projects: (1) Virtual Development Environment provides a software development environment and a standardized set of tools and (2) Enterprise Integration and Test Environment provides an integration and testing environment for all projects. Proposed modernization initiative: Infrastructure Shared Services; Description: Is to deliver, in incremental releases over multiple years, a fully integrated, shared IT infrastructure to include hardware, software, shared applications, data, telecommunications, security, and an enterprise approach to systems and operations management. Architecture, integration, and management: Proposed modernization initiative: Architecture and integration; Description: Is to ensure that systems solutions meet IRS business needs and that the development projects are effectively integrated into the business environment. Proposed modernization initiative: Business integration; Description: Is to ensure that IRS‘s BSM program is aligned with the business units‘ vision and delivers the desired business results. It provides support to key activities such as transition management, business rules enterprise management, and requirements development and management operations. Proposed modernization initiative: Business rules and requirements management; Description: Is to provide support to business process analysis and redesign by harvesting and managing an enterprise set of business rules, and developing business requirements. Proposed modernization initiative: Management processes; Description: Is to provide sustaining support for program-level management processes, including quality assurance, risk management, program control and process management, and enterprise life cycle maintenance and enhancements. Proposed modernization initiative: Federally funded research and development center; Description: Is to provide program management and systems engineering support. Program management Is to ensure that projects achieve their objectives; provide the management information and IT infrastructure that supports risk management, project cost and schedule estimating, and financial management; and provide procurement management for the PRIME contract and associated task orders. Source: GAO analysis of IRS data. [End of table] [End of Appendix] Appendix II: Additional Detail on IRS‘s Fiscal Year 2009 BSM Expenditure Plan: Proposed modernization initiative: Tax administration projects: Modernized e-File (MeF) Release[A]: 7; Milestone[B]: 4a-4b; Amount requested (in thousands): $25,000; Subtotal”MeF project: $25,000. Tax administration projects: Customer Account Data Engine (CADE); Release[A]: 5; Milestone[B]: 4a; Amount requested (in thousands): $12,000. Tax administration projects: CADE; Release[A]: 5.1; Milestone[B]: 4b; Amount requested (in thousands): $16,800. Tax administration projects: CADE; Release[A]: 5.2; Milestone[B]: 4b; Amount requested (in thousands): $18,000. Tax administration projects: CADE; Release[A]: operations and maintenance; Milestone[B]: Level of Effort (LOE); Amount requested (in thousands): $12,000. Subtotal”CADE project: $58,800. Tax administration projects: Accounts Management Services (AMS); Release[A]: 2.2; Milestone[B]: 5; Amount requested (in thousands): $3,078. Tax administration projects: AMS; Release[A]: 3.1; Milestone[B]: 4a; Amount requested (in thousands): $4,582. Tax administration projects: AMS; Release[A]: 3.1; Milestone[B]: 4b; Amount requested (in thousands): $6,723. Tax administration projects: AMS; Release[A]: 3.1; Milestone[B]: 5; Amount requested (in thousands): $2,291. Tax administration projects: AMS; Release[A]: 3.2; Milestone[B]: 3; Amount requested (in thousands): $5,472. Tax administration projects: AMS; Release[A]: 3.2; Milestone[B]: 4a; Amount requested (in thousands): $4,012. Subtotal”AMS project: $26,158. Subtotal”tax administration projects: $109,958. Core infrastructure projects: Development, integration, and testing environments; Milestone[B]: Infrastructure (INF) Amount requested (in thousands): $10,000. Core infrastructure projects: Infrastructure Shared Services; Milestone[B]: INF Amount requested (in thousands): $22,000. Subtotal”core infrastructure projects: $32,000. Architecture, integration, and management: Architecture and integration; Milestone[B]: LOE; Amount requested (in thousands): $13,745. Architecture, integration, and management: Business integration; Milestone[B]: LOE; Amount requested (in thousands): $4,206. Architecture, integration, and management: Business rules and Requirements Management; Milestone[B]: LOE; Amount requested (in thousands): $3,160. Architecture, integration, and management: Management processes Milestone[B]: LOE; Amount requested (in thousands): $3,539. Architecture, integration, and management: Federally funded research and development center; Milestone[B]: LOE; Amount requested (in thousands): $7,396. Architecture, integration, and management: Program management; Milestone[B]: LOE; Amount requested (in thousands): $2,954. Subtotal”architecture, integration, and management: $35,000. Management reserve: $2,300. BSM Capital Total: $179,258. BSM Labor Total: $42,052. MCLs: $1,354. Total fiscal year 2009 BSM program: $222,664. Source: GAO analysis of IRS data. [A] Releases are software versions that provide a subset of the total planned project functionality. [B] Milestones correspond to phases within IRS‘s enterprise life cycle (0 – vision and strategy/enterprise architecture, 1 – project initiation, 2 – domain architecture, 3 – preliminary design, 4a – detailed design, 4b – system development, 5 – system deployment). [End of table] [End of appendix] Appendix III: IRS Reported Cost/Schedule for Projects Scheduled for Completion in Fiscal Year 2008: This table shows the projects completed in fiscal year 2008. Project segment: MeF, Release 5, Milestone 4a-5; Estimated completion date and funding (in thousands): 3/31/08; $14,300 Milestone exit and cost (in thousands): 4/2/08; $14,300 Change (%): 2 days (.7%); $0 (0%); IRS explanation of change: Conditional exit. Unconditional exit approved on July 18, 2008. Project segment: MeF, Release 6, Milestone 3 Estimated completion date and funding (in thousands): 4/18/08; $7,000 Milestone exit and cost (in thousands): 7/18/08; $9,800 Change (%): 63 days (53.8%); $2,800 (40.0%); IRS explanation of change: Additional application functionality (real time transactions with the IRS National Account Profile (NAP) and new reports) as well as added complexity to the infrastructure of interfacing with the NAP and Electronic Fraud Detection System (EFDS) required a longer Logical Design phase. Conditional exit based on subsequent satisfaction of four conditions. Project segment: CADE, Release 3.2, Milestone 4; Estimated completion date and funding (in thousands): 2/28/08; $18,000; Milestone exit and cost (in thousands): 2/27/08; $18,000; Change (%): -1 day (-0.4%); $0 (0%); IRS explanation of change: Conditional exit. Subject to resolution of conditions identified in milestone exit review. Project segment: CADE, Release 4, Milestone 2-3; Estimated completion date and funding (in thousands): 2/28/08; $11,330; Milestone exit and cost (in thousands): 2/13/08; $11,330; Change (%): -10 days (-2.5%); $0 (0%). IRS explanation of change: IRS explanation of change: Able to exit 10 days early. Project segment: CADE, Release 4.1, Milestone 4; Estimated completion date and funding (in thousands): 8/31/08; $22,410 Milestone exit and cost (in thousands): 7/24/08; $22,410 Change (%): -26 days (-10.4%); $0 (0%); IRS explanation of change: Able to exit milestone one month early. IRS However exit was conditional subject to resolution of six issues identified in milestone exit review. Also some functionality shifted to Release 4.2. In email comments on a draft of this briefing, IRS informed us that it had approved a transfer of funds from release 4.1 to release 4.2 to address this shift in functionality, resulting in a negative cost variance. Project segment: CADE, Release 5, Milestone 2-3; Estimated completion date and funding (in thousands): 9/30/08; $6,025; Milestone exit and cost (in thousands): [Empty]; Change (%): [Empty]; IRS explanation of change: Work on this release has been stopped pending final decision regarding scope and cost. Project segment: AMS; Release 1.1, milestone 5; Estimated completion date and funding (in thousands): 1/29/08; $506; Milestone exit and cost (in thousands): 1/29/08; $506; Change (%): 0 days (0%); $0 (0%). IRS explanation of change: IRS explanation of change: [Empty]. Project segment: AMS, Release 1.2, Milestone 4b; Estimated completion date and funding (in thousands): 1/29/08; $3,463; Milestone exit and cost (in thousands): 2/13/08; $3,463; Change (%): 11 days (8.7%); $0; (0%); IRS explanation of change: Exited milestone 11 days late within 10 percent of plan. Exit was conditional pending resolution of milestone exit review findings. Project segment: AMS, Release 1.3, Milestone 4a; Estimated completion date and funding (in thousands): 2/12/08; $1,655; Milestone exit and cost (in thousands): 2/13/08; $1,655; Change (%): 1 day (.7%); $0, (0%); IRS explanation of change: Conditional Exit on 2/13/2008 pending resolution of one milestone exit review finding. Conditional status was removed on March 25, 2008. Project segment: AMS, Release 2.1, Milestone 2; Estimated completion date and funding (in thousands): 1/15/08; $2,369; Milestone exit and cost (in thousands): -3 days; -2.2%; Change (%): $0; (0%). IRS explanation of change: Were able to exit this milestone 3 days early. Project segment: AMS, Release 2.1, Milestone 3; Estimated completion date and funding (in thousands): 6/24/08; $2,580; Milestone exit and cost (in thousands): 0 days, (0%); Change (%): $0; (0%). IRS explanation of change: Exited milestone 3 on June 24, 2008 as planned. Source: GAO analysis of IRS data. [A] Note: Variances for projects through milestone 3 are based on rough order of magnitude estimates. Post-milestone 3 variances are based on more specific estimates. [B] IRS also completed milestones for a data repository known as the Integrated Production Model. However, we are not reporting on these because funding for them was not requested in the fiscal year 2008 expenditure plan. [End of table] [End of appendix] Appendix II: Comments from the Internal Revenue Service: Department Of The Treasury: Deputy Commissioner: Internal Revenue Service: Washington, D.C. 20224: February 25, 2009: Mr. David A. Powner: Director, Information Technology Management Issues: U.S. Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: Dear Mr. Powner: I have reviewed the Government Accountability Office draft report titled "Business Systems Modernization: Internal Revenue Service's Fiscal Year 2009 Expenditure Plan," (Government Accountability Office- 09-281). We appreciate the sound and balanced work of this office and are pleased that it: * Confirmed that our Fiscal Year 2009 expenditure plan satisfies the six legislative conditions specified in the law. These conditions include meeting the Office of Management and Budget's capital planning and investment control review requirements, and complying with the federal systems acquisition requirements and management practices. * Recognized the steps we have taken to address your prior recommendations for improving management capabilities and controls. These include the development of policies and procedures for creating and managing project requirements and determining whether completed projects have achieved expected benefits. * Acknowledged our progress in implementing Business Systems Modernization projects and in meeting cost and schedule commitments for most deliverables. * Validated that we continue to make progress in addressing Business Systems Modernization project risks and issues, and identifying challenges through our high-priority initiatives programs. I would like to briefly comment on the recommendation included in your report concerning the "procedures for determining when to grant conditional milestone exits be defined." We agree with this recommendation and will continue to follow the existing Enterprise Life Cycle processes for milestone readiness reviews to determine whether projects have met the necessary conditions to exit a milestone. We will also strengthen our governance processes to emphasize premature exit of milestones prevention. We appreciate your continued support and the assistance and guidance from your staff. If you have any questions or would like to discuss our response in more detail, please contact Terence V. Milholland, Chief Technology Officer, at (202) 622-6800. Sincerely, Signed by: Mark A. Ernst: Deputy Commissioner, Operations Support: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: David A. Powner, (202) 512-9286, or pownerd@gao.gov: Staff Acknowledgments: In addition to the individual named above, Sabine R. Paul, Assistant Director; Neil Doherty; Mary D. Fike; Sairah R. Ijaz; Lee McCracken; and Paul B. Middleton made key contributions to this report. [End of section] Footnotes: [1] BSM funds (except labor costs) are unavailable until IRS submits a modernization expenditure plan to the congressional appropriations committees and obtains their approval. See the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009, Pub. L. No. 110-329, Div. A, Sec. 101, 122 Stat. 3574 (Sept. 30, 2008), which continues funding under the authority and conditions provided in the Consolidated Appropriations Act, 2008, Pub. L. No. 110-161, Div. D, title I, 121 Stat. 1844, 1976-1977 (Dec. 26, 2007). [2] This plan must (1) meet the Office of Management and Budget's (OMB) capital planning and investment control review requirements; (2) comply with IRS's enterprise architecture; (3) conform with IRS's enterprise life cycle (ELC) methodology; (4) comply with federal acquisition rules, requirements, guidelines, and systems acquisition management practices; (5) be approved by IRS, the Department of the Treasury, and OMB; and (6) be reviewed by GAO. These conditions for BSM funding availability have been in effect for several years, including the immediately preceding fiscal year. At the time of this report, IRS's funding is being provided under the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009, Pub. L. No. 110- 329, Div. A, Sec. 101, 122 Stat. 3574 (Sept. 30, 2008) (which has been extended through March 11, 2009, by H.J. Res. 38, March 6, 2009). [3] For this condition, we did not determine whether the expenditure plan comports with the Federal Acquisition Regulation or other federal requirements beyond those encompassed by the Software Engineering Institute's Capability Maturity Model. [4] Milestones correspond to phases within IRS's ELC (0 - vision and strategy/enterprise architecture, 1 - project initiation, 2 - domain architecture, 3 - preliminary design, 4a - detailed design, 4b - system development, 5 - system deployment). [5] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, [hyperlink, http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: Mar. 2004). [6] Economic Stimulus Act of 2008, Pub. L. No. 110-185, sec. 101, 122 Stat. 613 (Feb. 13, 2008). [7] After our expenditure plan review, IRS's Chief Technology Officer provided us with an update on the agency's efforts to define plans for completing BSM. He stated that a high-level strategy was expected to be defined by June 2009. [8] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10, 2008). [9] After we provided our expenditure plan review results to the subcommittees, we issued a report focusing on IRS's information security program: GAO, Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS, [hyperlink, http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9, 2009). [10] An initial cycle of the MV&S was completed in fiscal year 2006 and the strategy was updated a year later. IRS, Internal Revenue Service: IT Modernization Vision & Strategy (Washington, D.C: October 2007). [11] GAO, Business Systems Modernization: Internal Revenue Service‘s Fiscal Year 2005 Expenditure Plan, [hyperlink, http://www.gao.gov/products/GAO-05-774] (Washington, D.C., July 22, 2005). [12] The Consolidated Appropriations Act, 2008, Pub. L. No. 110-161, Div. D, title I, 121 Stat. 1844, 1976-1977 (Dec. 26, 2007), as continued by the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009, Pub. L. No. 110-329, Div. A, sec. 101, 122 Stat. 3574 (Sept. 30, 2008). [13] These funds support IRS's efforts to modernize IRS's business systems. Other systems efforts, including the maintenance of legacy applications, are supported by other funds which are not subject to the BSM program legislative conditions. [14] An enterprise architecture is an institutional blueprint that defines how an enterprise operates today, in both business and technology terms, and how it intends to operate in the future. An enterprise architecture also includes a road map for transitioning between these environments. [15] IRS refers to its life cycle management program as the enterprise life cycle (ELC). [16] Economic Stimulus Act of 2008, Pub. L. No. 110-185, sec. 101, 122 Stat. 613 (Feb. 13, 2008). [17] GAO, Financial Audit: IRS‘s Fiscal Years 2008 and 2007 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: November 10, 2008). [18] GAO, Business Systems Modernization: IRS Has Made Significant Progress in Improving Its Management Controls, but Risks Remain, [hyperlink, http://www.gao.gov/products/GAO-03-768] (Washington, D.C.: June 27, 2003). [19] [hyperlink, http://www.gao.gov/products/GAO-03-768]. [20] GAO, Business Systems Modernization: IRS Needs to Complete Recent Efforts to Develop Polices and Procedures to Guide Requirements Development and Management, [hyperlink, http://www.gao.gov/products/GAO-06-310] (Washington, D.C.: Mar. 20, 2006). [21] GAO, Business Systems Modernization: IRS‘s Fiscal Year 2004 Expenditure Plan, [hyperlink, http://www.gao.gov/products/GAO-05-46] (Washington, D.C.: Nov. 17, 2004). [22] GAO, Business Systems Modernization: Internal Revenue Service‘s Fiscal Year 2008 Expenditure Plan, [hyperlink, http://www.gao.gov/products/GAO-08-420] (Washington, D.C.: Mar. 7, 2008). [23] An initial cycle of the MV&S was completed in fiscal year 2006 and the strategy was updated a year later. [24] Efforts to maintain and enhance legacy applications are funded through a different source, and the release of these funds is not contingent on the BSM account legislative conditions. [25] [hyperlink, http://www.gao.gov/products/GAO-06-310]. [26] [hyperlink, http://www.gao.gov/products/GAO-08-420]. [27] [hyperlink, http://www.gao.gov/products/GAO-05-46]. [28] GAO, Business Systems Modernization: Internal Revenue Service‘s Fiscal Year 2005 Expenditure Plan, [hyperlink, http://www.gao.gov/products/GAO-05-774] (Washington, D.C.: July 22, 2005). [29] IRS‘s MV&S initiative is intended to be an annual process through which the agency integrates the strategic plans, business concepts of operations, IT planning roadmaps, and proposed investments into a set of integrated strategies and investment proposals for each domain and ultimately into a proposed IT investment portfolio. [30] IRS, Enterprise Transition Plan: Enterprise Transition Strategy and Enterprise-Wide Sequencing Plan, version 3.1 (Washington, D.C., Sept. 28, 2007). [31] IRS, Applications Development: 5-Year Plan, ’A systems view“ Projects – Programs – Retirements & Consolidations. [32] GAO, Business Systems Modernization: Internal Revenue Service‘s Fiscal Year 2007 Expenditure Plan, [hyperlink, http://www.gao.gov/products/GAO-07-247] (Washington, D.C.: Feb. 15, 2007). [33] Earned value management is a project management tool that integrates the investment scope of work with schedule and cost elements for investment planning and control. This method compares the value of work accomplished during a given period with that of the work expected in the period. Differences between accomplishments and expectations are measured in both cost and schedule variances. [34] In December 2007, the Associate Chief Information Officer for Applications Development stated that IRS uses earned value management to measure progress in completing ELC deliverables, not in delivering functionality, and consequently the agency‘s application of earned value management does not provide a quantitative measure of progress in meeting scope expectations. [35] [hyperlink, http://www.gao.gov/products/GAO-08-420]. [36][hyperlink, http://www.gao.gov/products/GAO-08-420]. [37] IRS also completed milestones for a data repository known as the Integrated Production Model. However, we are not reporting on these because funding for them was not requested in the fiscal year 2008 expenditure plan. [38] Pub. L. No. 110-185. [39] The original schedule for completing this design phase is a ’rough order of magnitude“ estimate based on preliminary project plans. [40] According to IRS, the Executive Steering Committee may grant an ’unconditional“ exit approval to proceed with the next phase of development, or they may grant a ’conditional“ exit with the expectation that progress in resolving any outstanding issues will be regularly reported to the governance body. The governance body may also deny exit approval if it deems the readiness of the investment to be significantly deficient. [41] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, [hyperlink, http://www.gao.gov/products/GAO-04-394G (Washington, D.C.: March 2004). [42] Pub. L. No. 110-185. [43] In August 2004, the Associate Chief Information Officer initiated an incremental approach to assess, prioritize, and address the highest priority initiatives from the program improvement framework in 6-month cycles. These initiatives are derived, in part, from corrective actions recommended by GAO and the Treasury Inspector General for Tax Administration for improving modernization management controls and processes. [44] [hyperlink, http://www.gao.gov/products/GAO-09-119]. [45] Because testing these controls involved assessing the enterprisewide information security program, our findings for IRS‘s financial reporting system also apply to IRS‘s modernization environment. [46] This is the governance board that has final milestone exit approval for CADE and AMS. [47] This high priority initiative was closed in September 2008. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO‘s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO‘s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548:

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.