Executive Summary

Objective and Scope

Background

Results

Conclusion

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Clinger-Cohen Act Requirements Matrix

Appendix V – Glossary of Terms

Appendix VI – Management’s Response to the Draft Report

Executive Summary

The Clinger-Cohen Act requires Federal agencies to make sound investment decisions before purchasing information technology systems. In October 2000, the Senate Governmental Affairs Committee stated that the Act was the result of the Committee’s reviews of failed computer system acquisitions, such as the Internal Revenue Service’s (IRS) Tax Systems Modernization project. The Committee further reported that Federal agencies were not using sound business procedures before investing in information technology. If sound business procedures to align information technology acquisitions with business needs are not employed prior to investing in information technology, Federal agencies will not be able to improve operational performance, reduce costs, achieve mission goals, and enhance service responsiveness to the public.

The objective of our review was to determine whether the IRS has implemented the requirements of the Clinger-Cohen Act. Our scope included identifying the processes the IRS has in place to ensure compliance with the provisions of the Act.

Because of the changes to the IRS’ structure and modernization strategy that began in 1998, the IRS is still developing and implementing the information technology investment processes envisioned in the Clinger-Cohen Act. Before 1998, the agency had made some progress in meeting the requirements of the Clinger-Cohen Act. During the audit, we identified that the IRS had recently introduced a new strategic planning process and other related processes, such as the Investment Decision Management process, to better manage its information technology investments. However, the use of these processes, and the integration of the procedures for making information technology investment decisions into the IRS’ overall strategic planning, budgeting, and performance management approach, is still evolving. Because the IRS’ processes are in various stages of being implemented, they do not yet constitute a working structure that fully complies with the provisions of the Clinger-Cohen Act.

Although the Clinger-Cohen Act was enacted in 1996, the IRS is still implementing the processes that will make it compliant with all the major provisions of the Act. A few significant factors have contributed to the IRS’ delay in fully implementing the Clinger-Cohen legislation, such as reorganization efforts begun as a result of the IRS Restructuring and Reform Act of 1998 (RRA 98) and the large amount of resources devoted to Year 2000 compliance efforts.

The IRS still needs to implement repeatable processes in order to be in full compliance with five key requirements of the Clinger-Cohen Act. These requirements include:

• The selection, control, and evaluation of information technology investments.
• Performance and results-based management.
• Accountability and information technology asset management.
• The Chief Information Officer’s (CIO) role in the development of the agency’s information technology architecture and information resources management capability.
• Information systems security policies, procedures, and practices.

Until the IRS has institutionalized many of its recently developed processes for managing its information technology investments, it will not have fully effective methods for prioritizing information technology development projects, detecting cost overruns, achieving performance goals, and meeting its overall mission, in accordance with the requirements of the Clinger-Cohen Act. Therefore, the agency cannot yet fully assure that it is getting maximum value from its $1.6 billion annual Modernization Information Technology Services budget.

We recommend the Deputy Commissioner for Modernization & CIO prepare an overall strategy, plan, and schedule to bring the IRS in full compliance with the Clinger-Cohen Act requirements.

Management’s Response: The Deputy Commissioner for Modernization & CIO agreed to include the IRS’ strategy and plan to bring the agency into full compliance with the Clinger-Cohen Act in its revised Fiscal Year (FY) 2002 and FY 2003 Modernization Information Technology Services Strategy and Program Plan. Management’s complete response is included as Appendix VI.

Objective and Scope

This report presents the results of our review of the Internal Revenue Service’s (IRS) compliance with the requirements of the Clinger-Cohen Act. The Act increases the responsibility and authority of the agencies in the Federal Government and their accountability to the Congress and the public regarding their acquisition and use of information technology. The provisions of the Act were enacted to introduce a framework and set of controls that seek to improve the management of information technology in the Federal Government and to assure that investments in technology are tied to an agency’s strategic plans and goals.

The overall objective of this audit was to determine whether the IRS implemented the requirements of the Clinger-Cohen Act. Our audit also included identifying the processes the IRS has in place to ensure full compliance with the requirements of the Act. Specifically, we determined whether the IRS complied with the requirements applicable to:

• Agency Heads, including performance and results-based management, accountability, investment tracking, inventory and asset management, and security.
• Chief Information Officers (CIOs), including the development, maintenance, and implementation of an information technology architecture and information technology personnel capabilities.
• Procurement, including the use of modular (i.e., incremental) contracting.

Audit work was conducted at the National Headquarters from October 2000 to May 2001. This audit was performed in accordance with Government Auditing Standards.

Details of our audit objective, scope, and methodology are presented in Appendix I. Major contributors to this report are listed in Appendix II. Appendix IV contains a comprehensive matrix documenting the individual Clinger-Cohen Act requirements and the IRS’ status in complying with the requirements. Terms used in the report are defined in Appendix V.

Background

Several management reforms enacted in the past decade have introduced requirements emphasizing the need for Federal agencies to significantly improve the management processes and the methods used to select and manage information technology resources. The ultimate goal of these various legislative reforms is for agencies to focus on managing information technology to make sound investment decisions that will measurably increase the performance of the Government. One of these management reforms is the Information Technology Management Reform Act of 1996, also known as the Clinger-Cohen Act.

In October 2000, the Senate Governmental Affairs Committee stated that the Clinger-Cohen Act was the result of the Committee’s reviews of failed computer system acquisitions, such as the IRS’ Tax Systems Modernization project. The Committee further reported that Federal agencies were not using sound business procedures before investing in information technology. If sound business procedures to align information technology acquisitions with business needs are not employed prior to investing in information technology, Federal agencies will not be able to improve operational performance, reduce costs, achieve mission goals, and enhance service responsiveness to the public.

A key goal of the Act is for agencies to have the management processes and information needed to help ensure that information technology projects are being implemented at acceptable costs, within reasonable and expected time periods, and are contributing to tangible, observable improvements in mission performance. Moreover, these management processes should be institutionalized throughout the organization and should be used for all information technology-related decisions.

The Clinger-Cohen Act requires Federal agencies to focus on the results achieved through information technology investments while streamlining the Federal information technology procurement process.

Specifically, the Clinger-Cohen Act introduces more rigor and structure into how agencies approach the selection and management of information technology projects than what had been previously called for in the Brooks Act. For example, the head of each agency is required to implement a process for maximizing the value of the agency’s information technology acquisitions while assessing and managing the risks of those investments. Under this Act, agencies are also required to establish a comprehensive approach to improving the acquisition and management of agency information systems through work process redesign and by linking planning and investment strategies to the budget process.

The Act provides clear accountability for information resources management activities by creating agency CIOs with the authority and management responsibility necessary to:

• Advise agency heads on key budget, program, and implementation issues concerning information technology.
• Oversee the design, development, and implementation of information systems.
• Monitor and evaluate system performance.

The Clinger-Cohen Act assigns primary responsibility for implementing its provisions to the Departments. The Department of the Treasury expects each bureau to establish its own investment review board and has established a capital investment monitoring process that includes a review of significant, high-dollar bureau investments. For the IRS, the Department of the Treasury oversees its information technology at a high level, through various means, but does not monitor the IRS’ information technology investments through the Department’s Capital Investment Review Board.

The IRS undertook a self-assessment of its compliance with the Clinger-Cohen Act in 1997. The document identified that the IRS had made progress in complying with the requirements of the Clinger-Cohen Act but that the agency also had much more to do. After we began our audit work, the IRS undertook another self-assessment, which was completed in February 2001.

The enactment of the IRS Restructuring and Reform Act of 1998 (RRA 98) gave the IRS a new direction and a new challenge, namely to measure its success and failure in terms of the effect on the people served, as well as the amount of taxes collected. In order to comply with the requirements of the RRA 98, the IRS began reorganization efforts that were not fully implemented until October 2000. The IRS’ efforts included redefining strategic goals, restructuring the organization, revising the strategic planning process, and remapping information technology modernization efforts to more effectively serve the new business structure. As a result, the more recent self-assessment identified many areas in which the IRS has increased its ability to plan for and manage its information technology resources.

Results

During the audit, we identified that the IRS has recently introduced a new strategic planning process and other related processes to better manage its information technology investments and that its procurement practices are in compliance with the Clinger-Cohen Act requirements, including those regarding the use of modular contracting. These processes are, however, in various stages of being implemented and do not yet constitute a working structure that fully complies with the provisions of the Clinger-Cohen Act. Specifically, we identified five key areas where the IRS still needs to implement repeatable processes in order to be in full compliance with the requirements of the Clinger-Cohen Act. These requirements include:

• The selection, control, and evaluation of information technology investments.
• Performance and results-based management.
• Accountability and information technology asset management.
• The CIO’s role in the development of the agency’s information technology architecture and information resources management capability.
• Information systems security policies, procedures, and practices.

The Internal Revenue Service Has Not Fully Implemented the Processes to Ensure Compliance With the Requirements of the Clinger-Cohen Act

Although the Clinger-Cohen Act was enacted in 1996, the IRS is still implementing the processes that will make it compliant with all the major provisions of the Act. The major reason for the delay is the reorganization of the agency that followed the passage of the RRA 98. That legislation caused the IRS to rethink its organizational structure, redefine its mission and strategic goals, and recast its modernization efforts to meet the needs of its new structure and mission. The stand-up of the IRS’ new organizational structure occurred in October 2000.

In addition to the reorganization efforts, other factors have contributed to the delay in the IRS’ efforts to establish compliance with all the aspects of the Clinger-Cohen Act, including:

• The IRS has not developed an overall strategy, plan, and schedule for becoming compliant with the provisions of the Clinger-Cohen Act.
• From 1996 through the first quarter of 2000, the IRS devoted a large amount of its resources to Year 2000 compliance efforts, leaving little time to focus resources on implementing the requirements of the Clinger-Cohen Act.

Any effective implementation of the Clinger-Cohen Act needs a robust strategic planning process as its foundation. As part of its reorganization efforts, the IRS introduced a disciplined strategic planning process in March 2000. This process, the IRS’ Strategic Planning, Budgeting, and Performance Management Process, was developed "to provide a formal, structured environment for establishing strategic direction, determining resource levels to support priorities and projects stemming from that direction, and evaluating performance results."

With its new strategic planning approach in place, the IRS was in a position to begin introducing the concepts and practices that would make the overall process work. In 2000 and early 2001, the IRS completed its initial work on a number of significant aspects of its capital planning and investment decision management structure. The concepts and processes related to this structure include the following:

• The IRS Commissioner approved the Information Technology Services Balanced Measures in March 2000.
• In June 2000, the Investment Decision Management process was approved as part of the IRS’ Enterprise Life Cycle.
• As part of the Strategic Planning, Budgeting, and Performance Management Process, the development of separate strategy and program plans for Fiscal Year (FY) 2001 was initiated for each of the IRS’ four new business operating divisions. Strategy and program plans were also developed for each of the functional areas outside of the business operating divisions; the first version of the Information Technology Services organization’s plan was completed in July 2000. These plans link the planning efforts within the individual program areas with the IRS’ business goals.
• The first quarterly Business Performance Review (BPR) of the Information Technology Services organization took place in November 2000, with the second review taking place in February 2001. The BPRs measure the IRS’ progress toward meeting its goals against the strategy and program plans.
• In December 2000, Version 1.0 of the IRS’ Enterprise Architecture was released.
• The two major IRS vision and strategy efforts, the Tax Administration Vision and Strategy and the Internal Management Vision and Strategy, were completed and approved by the Core Business Systems Executive Steering Committee in March 2001.

More details on the concepts and practices associated with the IRS’ capital planning and investment decision management structure are contained in Appendix IV.

In addition to the new concepts and practices introduced in 2000, the FY 2001 budgeting effort was the first ever, according to IRS officials, in which the business units were directly involved in making decisions about information technology investments. The new Business Systems Planning (BSP) offices, in each of the IRS’ new business operating divisions, are charged with identifying opportunities for and managing the delivery of business improvement and information technology projects in order to fulfill the strategic missions of the individual business operating divisions, thereby fulfilling the IRS’ mission.

The BSP offices work directly with the business units to identify the business area needs within the business operating divisions and ensure that those needs are adequately communicated, in order to meet the information technology needs of each organization. The BSP offices also work with the project managers in the business units to ensure the documentation to support initiatives, such as Improvement Project Plans, are prepared to support the Strategic Planning, Budgeting, and Performance Management Process. Additionally, under the IRS’ new organizational structure, the BSP offices work with the Division Information Officers (DIO), in the Modernization Information Technology Services organization, who are responsible for assisting the offices in prioritizing, costing, managing, and coordinating non-modernization projects. The joint BSP/DIO Council will aid in the project prioritization process.

Although the IRS’ reorganization efforts have done much to redirect its focus toward information technology investments, the strategic planning process implemented by the IRS is still new, and the agency has not yet completed a full cycle through the process. During our audit, we identified five key areas where the IRS still needs to implement repeatable processes in order to be in full compliance with the requirements of the Clinger-Cohen Act. These five areas are discussed in detail later in this report.

Since the IRS is still implementing many of the elements needed for an effective overall information technology investment decision management process, the agency cannot yet fully assure that it is getting maximum value from its $1.6 billion annual Modernization Information Technology Services budget. Until the IRS has institutionalized many of its recently developed processes for managing its information technology investments, it will not have fully effective methods for prioritizing information technology development projects, detecting cost overruns, achieving performance goals, and meeting its overall mission, in accordance with the requirements of the Clinger-Cohen Act.

According to Clinger-Cohen Act guidance, a capital planning and information technology investment decision management process is an integrated approach to managing information technology investments that provides for the continuous identification, selection, control, life-cycle management, and evaluation of investments. A strong and comprehensive information technology capital planning process is necessary to assure that agency information technology-related expenditures receive the executive-level oversight required for confidence that the agency head is executing this responsibility in accordance with the Clinger-Cohen Act. The capital planning and investment decision management process also provides mechanisms for selecting information technology initiatives as part of the overall portfolio that supports an agency’s mission.

The IRS has made progress in implementing a capital planning and investment decision management process to manage its acquisitions of information technology as a portfolio of investments. In the past, the IRS has experienced difficulties in establishing repeatable processes to continually evaluate information technology investments in relation to its business goals and functions. A new process for making investment decisions for modernization projects was finalized in June 2000, as part of the IRS’ Enterprise Life Cycle. This process, the Investment Decision Management process, will be used by the IRS to prioritize, approve, fund, monitor, and evaluate all of its Core Business Systems investment initiatives.

Since the Investment Decision Management process is new, the IRS has not yet had experience with all of its phases, including all the life cycle elements in its Business Case Procedure, one of the process’ key components. In addition, aspects of the Investment Decision Management process are still evolving, especially as they affect non-modernization projects. The IRS is reviewing the elements of the process used in the past to determine which ones will be used in subsequent budget cycles.

On February 27, 2001, the BSP Office for the Wage and Investment Business Operating Division introduced an investment prioritization methodology for selecting a portfolio of non-modernization projects for FY 2002, using elements of the Investment Decision Management process. Once this methodology is adopted by each of the BSP offices, the BSP/DIO Council will play an expanded role in the IRS’ strategic planning process.

The Clinger-Cohen Act envisions that information technology investment strategies and spending will be tightly aligned with expected improvements in mission performance and results. Performance measures and management processes that monitor actual performance compared to expected results should be instituted by agencies as part of a performance-based management system. Such a system provides timely information regarding the progress of information technology investments.

The IRS’ BPR process will provide executives with the status of information technology projects on a quarterly basis. Since the first BPR for the Information Technology Services organization was completed in November 2000, just as the final stages of the reorganization were implemented, much of the information contained in the report was at a strategic level. Additionally, performance measures were still being validated and/or refined, or the data to perform an analysis of the measures were not yet available.

The second BPR, completed in February 2001, presents a more detailed description of the Information Technology Services organization’s progress in achieving business results. Since the BPR process is still new, the second report documents the standard process that will be used for planning and developing performance goals and for reporting on how well the Modernization Information Technology Services organization is meeting those goals in subsequent BPRs. The BPR also reports that 17 balanced measures were implemented across the Modernization Information Technology Services organization to provide a corporate view of the Information Technology Services organization’s daily performance in fulfilling its business results. The 17 measures implemented cover 3 main customer service areas: User Support, Data Access and Communications, and Applications.

While the performance measures that will be used to measure information technology performance have been identified, the IRS is still in the process of installing software to capture much of the data that will be used in setting baselines. The data that will be captured include information about systems response time and availability from the perspective of the end-user.

The data collected from the measures will be used to baseline current operations and provide a basis for the establishment of service level agreements (SLAs) between the Information Technology Services organization and each of the IRS’ four new business operating divisions. The IRS is now working on the procedures for establishing the process to define SLAs.

The SLAs will provide the foundation in the IRS’ process to link information technology performance to information technology investments and their contribution to agency-wide performance goals. The IRS will not be able to fully determine how well information technology supports agency programs until SLAs have been established between the Information Technology Services organization and the business operating divisions. The SLAs established will define the specific levels of service, or performance measures, between the Information Technology Services organization and the business operating divisions in greater detail than the balanced measures now in place.

Since 1983, the IRS has identified a material weakness in its controls over property and equipment during the agency’s annual Federal Managers’ Financial Integrity Act process. Specific shortcomings have been identified in the procedures and controls over the information, use, and accountability of capitalized property. In addition, according to the General Accounting Office (GAO) report on the IRS’ FY 2000 financial statements, the IRS continues to face most of the pervasive systems and internal control weaknesses the GAO has reported since it began auditing the IRS’ financial statements in FY 1992. Inadequate controls over the IRS’ property and equipment and an inadequate financial reporting process are two of the pervasive weaknesses that the GAO has cited in its annual reviews of the IRS’ financial statements.

Although the IRS achieved an unqualified opinion for FY 2000, it did so, according to the GAO, on the basis of extensive management and staff work that would not have been necessary if the IRS’ systems and controls operated effectively. As a result, the IRS is unable to ensure that:

• Its accounting, financial, and asset management systems and other information systems, as currently implemented, are designed, developed, maintained, and used effectively to provide financial or program performance data for the agency’s financial statements.
• Financial and related program performance data are provided on a reliable, consistent, and timely basis to agency financial management systems for decision- making on an ongoing basis.

Under the provisions of the Clinger-Cohen Act, the head of the agency is responsible for defining the operating relationship between the CIO and Chief Financial Officer (CFO) functions and ensuring coordination in the implementation of the Act, as well as other Federal legislation. During our audit, we found that the IRS’ CIO and CFO have been working to address the asset management and the financial and program performance issues. It will, however, take several years to implement the property and financial systems that will be needed to overcome the IRS’ material weakness. For example, we identified the following:

• A new Asset Management Modernization (AMM) Program is being implemented in four phases; the IRS expects the new system to be fully operational by 2002. Phase 1 is to be completed by September 2001. In that phase, a Single Point Inventory Function (SPIF) will be implemented nationwide.
• As described in the IRS’ Enterprise Architecture, the Core Financial, Budget Formulation, and Facilities and Asset Management Systems needed by the IRS will be components of the Internal Management System in the future, modernized IRS. The Internal Management System will evolve as the IRS’ Internal Management Vision and Strategy, which was approved in March 2001, is established.
• The Custodial Accounting Project, one of the IRS’ modernization initiatives, will improve the IRS’ compliance with Federal accounting standards, improve the efficiency of IRS operations, and provide more timely and accurate data for management decision-making. This system, however, is not scheduled for complete deployment until December 2004.

According to the Clinger-Cohen Act, in order for the CIO to advise the agency head on key issues concerning information technology, the CIO’s primary duty must be information resources management. The role of an agency’s CIO also includes developing, maintaining, and facilitating the implementation of an information technology architecture, as well as assessing the knowledge and skills needed to achieve performance goals established for information resources management.

In the past, information resources management was the primary duty of the IRS’ CIO. In February 2001, as part of the IRS’ ongoing reorganization of its Modernization Information Technology Services organization, the Commissioner announced the appointment of a new position, Deputy Commissioner for Modernization, who would also hold the title of CIO. The new Deputy Commissioner for Modernization & CIO, who began work in March 2001, is now responsible for the IRS’ overall modernization and management of the information technology that supports the nation’s tax system, as well as integrating new technology and existing systems with re-designed business processes and practices.

At the time of our audit, we identified two key areas in which the IRS had not fully implemented the provisions set forth in the Clinger-Cohen Act, as they relate to the responsibilities of the CIO. They are:

1. Implementation of an Information Technology Architecture

The IRS’ Enterprise Architecture has not yet been fully implemented because the agency’s major vision and strategy efforts, the Tax Administration Vision and Strategy and the Internal Management Vision and Strategy, were just completed and approved in March 2001. With the release of the Enterprise Architecture, Version 1.0, or Blueprint 2000, in December 2000, the IRS has developed a business process-based, baseline version of its architecture. Version 1.0 is being maintained under the IRS’ configuration management procedures. However, because Enterprise Architecture work products that were dependent on the major vision and strategy efforts could be updated, approved, and baselined only after those efforts were completed, the Architecture has not yet been fully implemented. Additionally, although the IRS formally approved its Tax Administration Vision and Strategy and Internal Management Vision and Strategy in March 2001, the activities associated with the major vision and strategy efforts have not yet been employed.

The Tax Administration Vision and Strategy and the Internal Management Vision and Strategy will drive the identification of future modernization projects that will then be included in the Enterprise Architecture. Once the Tax Administration Vision and Strategy and the Internal Management Vision and Strategy have been deployed, the IRS will have to develop a means to ensure that the activities are jointly used to guide the modernization investment decisions that will provide input for the construction of the Enterprise Architecture.

According to IRS management, the IRS’ current Enterprise Architecture builds upon important achievements and lessons learned from its Blueprint 97, which defined enterprise-level information and technology systems. Blueprint 2000 broadens the IRS’ perspective by addressing the organizational roles, business needs, data structure, and technology capabilities of the whole agency. The IRS’ modernization projects that were already underway prior to the release of the Enterprise Architecture will serve as the foundation for the evolving future state of the IRS. Each of the projects begun before the completion of the current Enterprise Architecture will be brought into alignment with the Architecture and play a key part in the IRS’ implementation of a sound information technology architecture.

2. Information Resources Management Knowledge and Skill Requirements

The IRS is in the process of identifying the information systems competencies possessed by current executives and managers. The agency still needs to address recruitment, training, and retention issues. The IRS began reviewing its information technology personnel capability in 1999, when the agency administered skill assessments to its top executives and Modernization Information Technology Services personnel. The results from these assessments were used to determine the basic knowledge and skills IRS executives, managers, and Modernization Information Technology Services personnel should possess to facilitate the performance goals established for information resources management and comply with the Clinger-Cohen Act.

The IRS Human Resources function is currently developing a new self-assessment to re-evaluate the core competencies its senior information technology personnel and other Modernization Information Technology Services professionals possess. The IRS will then develop training and/or developmental opportunities to address the competencies needed to comply with the Clinger-Cohen Act. Additionally, the IRS is working with the Department of the Treasury, through the Workforce Improvement Program, to develop a list of core information resource management competencies to help develop a better system to select managers and hire new employees.

Components of security have been listed, and continue to be, among the IRS’ material internal control weaknesses. Various deficiencies have been identified in the areas of physical security, logical security, data communications management, risk analysis, quality assurance, internal controls, security awareness, and contingency planning.

Although progress has been made in addressing the IRS’ security concerns, the GAO listed the need to improve the IRS’ information systems security controls as a major management challenge in its FY 1999 and FY 2000 reviews of the IRS’ financial statements. The GAO also reported that the IRS’ security program has not been fully implemented across the agency, and that the IRS still had serious weaknesses in the controls designed to protect its computer resources.

The Treasury Inspector General for Tax Administration (TIGTA) reported similar concerns in its Semiannual Report to the Congress, dated September 30, 2000. The Report states that the TIGTA’s Office of Audit identified security weaknesses in key IRS programs, such as security certification and accreditation of sensitive systems, virus protection, and mainframe operating system controls.

The major strength of the Clinger-Cohen Act is the role it plays in prompting an agency to integrate the planning for information technology investments into its strategic planning process. Although the IRS has made strides in implementing many activities that support compliance with the Clinger-Cohen Act, it has done so without a plan for monitoring its progress toward compliance with the Act.

1. The Deputy Commissioner for Modernization & CIO should prepare an overall strategy, plan, and schedule to bring the IRS in full compliance with the Clinger-Cohen Act.

Management’s Response: The Deputy Commissioner for Modernization & CIO will include the IRS’ strategy and plan to bring the agency into full compliance with the Clinger-Cohen Act in its revised FY 2002 and FY 2003 Modernization Information Technology Services Strategy and Program Plan.

Conclusion

In summary, the IRS has identified, designed, and begun to implement the processes that will bring it in compliance with the Clinger-Cohen Act. Due to the size of the agency, the implementation efforts will not be simple; a significant planning effort and a great deal of coordination among the many functions in the agency is needed. Also, these efforts will necessarily be very complex because the IRS is undergoing an extensive modernization of both its business processes and its systems.

The use of the IRS’ Investment Decision Management process, as well as its Enterprise Life Cycle, is still evolving. In addition, the activities to incorporate both modernization and non-modernization initiatives into the IRS’ Enterprise Architecture have not yet been deployed. Further, the IRS faces challenges in overcoming its material internal control weaknesses involving asset management and components of security. Above all, the IRS is still in the process of fully integrating the procedures for making information technology investment decisions into its overall strategic planning, budgeting, and performance management approach.

Without a plan for monitoring its progress toward compliance with the Clinger-Cohen Act, the IRS may not be able to integrate its activities into a viable, repeatable, agency-wide capital planning and investment decision management process. In the absence of an effective capital planning and investment decision management structure, the IRS will not be able to implement fully effective methods for prioritizing information technology development projects, detecting cost overruns, achieving performance goals, and meeting its overall mission.

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the Internal Revenue Service (IRS) implemented the requirements of the Clinger-Cohen Act. The review included identifying the processes the IRS has in place to ensure full compliance with the requirements of the Act. The audit was conducted as part of our annual audit plan. To complete this objective, we:

1. Determined whether the IRS Commissioner has planned or implemented processes to comply with the head of the agency’s responsibilities, as outlined in the Clinger-Cohen Act.

1. Determined whether the IRS has designed and applied a process for maximizing the value, as well as assessing and managing the risks, of its information technology acquisitions and whether the process meets the criteria listed in the Clinger-Cohen Act.
2. Determined whether goals for improving the efficiency and effectiveness of IRS operations and the delivery of services to the public through the use of information technology have been established.
3. Identified whether the IRS is providing information to the Department of the Treasury to be included in its annual report on its progress in achieving its goals in the agency’s budget submission to the Congress.
4. Determined whether performance measurements for information technology used or to be acquired by the IRS have been prescribed and designed to measure how well information technology supports the IRS’ programs.
5. Determined whether the IRS has identified where comparable processes and organizations in the public and private sectors exist and whether the IRS quantitatively benchmarks its process performance against such processes in terms of cost, speed, productivity, and quality of outcomes.
6. Determined whether the IRS has a process in place to analyze the agency’s missions and revise mission-related and administrative processes, as appropriate, before making significant information technology investments to be used in support of the performance of those missions.
7. Determined whether the IRS has adequate information security policies, procedures, and practices in place.
8. Identified whether the IRS Commissioner is consulting with the Chief Information Officer (CIO) and the Chief Financial Officer to establish policies and procedures that ensure accounting, financial, asset management, and other information systems are designed, developed, maintained, and used effectively to provide financial or program performance data for the agency’s financial statements.
9. Determined whether financial and related program performance data are provided on a reliable, consistent, and timely basis to the IRS’ financial management systems.
10. Determined whether the IRS’ financial statements support assessments and revisions to the IRS’ mission-related and administrative processes, as well as the performance measurement of information technology investments.
11. For any major information technology acquisition program, or any phase or increment of such a program, determined whether significant deviations from the program’s cost, performance, or schedule are being identified in the IRS’ strategic information resources management plan.
12. Determined whether the IRS has an inventory of all computer equipment under the agency’s control, as well as an inventory of equipment that is excess or surplus property.
13. Determined whether the IRS is including information technology systems designed to provide information to the public in an index of information disseminated by such a system in the directory created pursuant to section 4101 of title 44, United States Code (U.S.C.).

1. Determined whether the IRS’ CIO has implemented actions and processes to comply with the CIO’s responsibilities, as outlined in the Clinger-Cohen Act.

1. Determined whether the IRS’ CIO has information resources management duties as his or her primary duty.
2. Identified the methods the CIO uses to provide advice and assistance to the IRS Commissioner to ensure information technology is acquired and information resources are managed properly.
3. Determined whether the Modernization Information Technology Services organization has developed, maintained, and implemented a sound and integrated information technology architecture for the agency.
4. Determined whether the Modernization Information Technology Services organization promotes the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to the agency’s work processes.
5. Determined whether a process to monitor and evaluate the performance of information technology programs on the basis of applicable performance measures is in place.
6. Determined whether there is a process for providing the IRS Commissioner with advice regarding whether to continue, modify, or terminate programs based upon an evaluation of the performance of information technology programs.
7. Determined whether annually, as part of the strategic planning and performance evaluation process, the CIO is reviewing the IRS’ information technology personnel capability by:

1. Assessing the requirements established for IRS personnel regarding knowledge and skill in information resources management and the adequacy of such requirements for facilitating the achievement of performance goals established for information resources management.
2. Assessing the extent to which the positions and personnel at the executive level of the agency, and the positions and personnel at the management level of the agency below the executive level, meet the knowledge and skill requirements.
3. Developing strategies and specific plans for hiring, training, and professional development in order to rectify any deficiencies in meeting the knowledge and skill requirements.
4. Reporting to the Commissioner on the progress made in improving the agency’s information resources management capability.

1. Identified whether the IRS Procurement function is complying with its responsibilities under the Clinger-Cohen Act.

1. Determined whether the IRS has established policies and procedures for acquiring information technology to replace the legal requirements previously established under the Brooks Act, which was repealed by the Clinger-Cohen Act.
2. Determined whether there is a process to enter into contracts that provide for multi-agency acquisitions of information technology.
3. Determined whether there are practices in place to use modular (i.e., incremental) contracting, to the maximum extent possible, for the acquisition of a major system of information technology. This modular contracting should include:

1. Dividing an acquisition of a major system of information technology into several smaller acquisition increments.
2. To the maximum extent possible, awarding a contract for an increment of an information technology acquisition within 180 days after the date on which the solicitation was issued or considering cancellation if that increment cannot be awarded within such period.
3. Delivering the information technology provided for in the contract for the acquisition of information technology within 18 months after the date on which the solicitation resulting in the award of the contract was issued.

1. Identified whether the IRS is participating in any discretionary activities related to the implementation of the Clinger-Cohen Act.

Major Contributors to This Report

Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs)

Gary Hinkle, Director

Vincent J. Dell’Orto, Audit Manager

Barbara Bartuska, Senior Auditor

Mark Carder, Auditor

Nikki Thomas, Auditor

Report Distribution List

Deputy Commissioner N:C

Deputy Commissioner for Modernization & Chief Information Officer M

Chief Financial Officer N:CFO

Associate Commissioner, Business Systems Modernization M:B

Chief Information Technology Services M:I

Deputy Associate Commissioner, Program Management M:B

Deputy Associate Commissioner, Program Planning and Control M:B

Deputy Associate Commissioner, Systems Integration M:B

Deputy Chief Information Technology Services M:I

Deputy Chief Financial Officer, Strategic Planning and Budgeting N:CFO:SPB

Director, Architectural Management M:B:AE

Director, Business Systems Planning LM:BSP

Director, Business Systems Planning S:BSP

Director, Business Systems Planning T:BSP

Director, Business Systems Planning W:B

Director, Business Vision and Strategy M:B:BVS

Director, Corporate Computing M:I:E

Director, Enterprise Systems and Asset Management M:I:EC

Director, Human Resources and Organizational Services M:I:H

Director, Infrastructure M:B:IF

Director, Legislative Affairs CL:LA

Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O

Director, Office of Security M:S

Director, Organizational Performance Division N:ADC:T:OP

Director, Portfolio Management M:SP:P

Director, Procurement A:P

Director, Program Management M:B:PM

Director, Security Evaluation and Oversight M:S:S

Director, Strategic Planning and Budget M:SP:S

Director, Strategic Planning and Client Services M:SP

Director, Systems Development M:I:SD

Chief Counsel CC

National Taxpayer Advocate TA

Office of Management Controls N:CFO:F:M

Office of Program Oversight and Coordination M:SP:P:O

Audit Liaison: Business Systems Modernization M:B:C

Clinger-Cohen Act Requirements Matrix

Performance measurement of the performance in the case of agency investments in information systems.

5126 (3)

5126 (3)
(A)

The Integrated Network and Operations Management System (INOMS) was being used at the time this Act was enacted.  The IRS has plans to upgrade the current INOMS and is in the process of implementing a new asset management system, which should have operational capability by September 2002. 

The IRS has identified a material weakness in its systems and controls over property and equipment every year since 1983, during its annual Federal Managers’ Financial Integrity Act process.  The GAO’s report on the IRS’ FY 2000 financial statements also identifies inadequate controls over the IRS’ property and equipment as a material weakness.  In addition, the GAO notes that while there has been progress in the IRS’ efforts to improve the timeliness and accuracy of recording property and equipment activity, they continued to find a significant number of errors in the IRS’ property records.  Further, the GAO reports that the IRS does not have an integrated property management system that appropriately records property and equipment additions and disposals as they occur or that links costs recorded in the accounting records to property records.

The IRS uses the United States Federal Government Information Locator Service (GILS), a virtual card catalog of Government information, to meet this requirement.  At least once a year, the IRS GILS Coordinator updates IRS information in GILS.

The Core Business Systems Executive Steering Committee, which is responsible for governing IT investment decisions, meets on a monthly basis.  The IRS’ Commissioner chairs these meetings.

The IRS has developed a business process-based architecture with the release of Blueprint 2000, and the baselined version of the architecture, the Enterprise Architecture, Version 1.0, is being maintained under the IRS’ configuration management procedures.  However, as of March 30, 2001, the architecture had not yet been fully implemented.

Both the TAVS and the IMVS, which are to provide a foundation for the development of the Enterprise Architecture, were just completed and approved on March 13, 2001.  The Enterprise Architecture work products that were affected by the TAVS and IMVS were updated, approved, and baselined on March 30, 2001.  Additionally, although Blueprint 2000 was released at the end of 2000, approximately 60 conditions needed to be addressed by the contractor.

Addressed under Agency Head Responsibilities.

The IRS has taken steps to ensure that all IT procurements are reviewed and authorized by the Modernization Information Technology Services organization.  On November 12, 1999, the IRS Commissioner issued Policy Statement P-1-229, designating the CIO as the responsible official for ownership, management, and control over all IT assets in the IRS.  Only organizations within the IT Services organization are authorized to purchase or acquire IT assets or resources.

5202 (c) (2)

According to IRS officials, the Procurement function is using modular contracting to acquire the Tier A modernization systems, in accordance with the Federal Acquisition Regulation (FAR), Part 39.  The IRS’ modernization systems are large-scale investments spread out over many years, and each individual milestone (or module) must be approved before moving to the next milestone.  For example, projects, such as the Customer Account Data Engine (CADE), have been separated into releases; each approved release could be considered one module of the overall acquisition.  Since the task order for the CADE calls for five releases to be delivered, the contractor is responsible for providing five modules that must each be approved prior to working on the next release.

Because the IRS’ ELC process is still evolving, the agency is working with the contractor on better defining the process.  The Procurement function formed a Contracting Strategy Group to work on integrating contract issues into the process.

Member of the Federal Information Council.
Member of the Federal Software Review Council.
Member of any Interagency Functional Groups.

Department of the Treasury’s Architecture Working Group.

Glossary of Terms

Management’s Response to the Draft Report

The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.