Improvements Are Needed in the Management of Mid-Level Computer Consolidation to Ensure the Accomplishment of Project Goals

January 2002

Reference Number:  2002-20-043

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

January 9, 2002

MEMORANDUM FOR DEPUTY COMMISSIONER FOR MODERNIZATION & CHIEF INFORMATION OFFICER

FROM:     Pamela J. Gardiner /s/ Pamela J. Gardiner
          Deputy Inspector General for Audit

SUBJECT:     Final Audit Report - Improvements Are Needed in the Management of Mid-Level Computer Consolidation to Ensure the Accomplishment of Project Goals (Audit # 200120012)

This report presents the results of our review of the Tier 2 Consolidation Project.  The overall objective of this review was to evaluate the project management process and controls over the Internal Revenue Service’s (IRS) effort to consolidate mid-level computer systems.  

In April 2000, the IRS established the Tier 2 Consolidation Project Office (T2CPO) to manage the consolidation of mid-level computer systems as part of the Information Technology Services organization’s strategic goal to optimize corporate data processing activities.  Another goal of the Tier 2 Consolidation Project is to reduce the risk of computer failures resulting from the inability to obtain repair parts and software upgrades for the aging computer systems.  The consolidation is expected to be completed at a cost of approximately $178 million over a 6-year period ending December 31, 2004. 

In summary, we found that to manage the consolidation of Tier 2 systems, the T2CPO prepared some key project management documents, established several reporting measures to monitor the consolidation progress, and performed a mid-project review to ensure that key issues were identified for resolution.  However, improvements are needed in project management to ensure the accomplishment of project goals.

The IRS has implemented several information system life cycle methodologies, which are intended to provide a structured approach for the development and ongoing operation of information technology systems. None of these methodologies were being followed by the T2CPO.  The IRS also did not implement an Investment Decision Management (IDM) process that provided for proper funding and monitoring of the Tier 2 Consolidation Project.  This reduces project management accountability for achievement of project goals and compliance with life cycle policies and documentation requirements.

The lack of proper funding and monitoring has also contributed to significant consolidation risks, including inadequate staffing at the project office and computing centers, insufficient training for systems and database administrators, and a delay in implementing an automated disaster recovery process.  Additional project management issues requiring management’s attention include the following:

·        Only $4.4 million of the $12.2 million spent in Fiscal Year (FY) 2001 through July 12, 2001, for hardware, software, maintenance, and contractor support was charged to the Tier 2 Consolidation Project.  In addition, labor costs for the T2CPO staff and other IRS employees supporting the consolidation effort were not charged to the project.

·        The T2CPO Business Case contained calculation errors that resulted in cost savings being overstated by $147.4 million for FY 2001 through FY 2004.  The business case also did not reflect investment costs of approximately $5.8 million for the T2CPO staff.  In addition, the business case was not approved until July 2001, even though several applications had already been consolidated and several more were in the process of being consolidated.

·        Project status reports contained inconsistencies, risk mitigation activities were incomplete, and only 3 of 10 applications consolidated prior to January 1, 2001, had obtained a security certification as of August 2001. 

The Tier 2 Consolidation Project has already encountered significant delays in consolidating applications which, when combined with the unresolved risks and project management issues, increase the likelihood of cost overruns and possible failure of the project to achieve intended goals.

Management’s Response:  IRS management agreed with the recommendations presented in the report. Corrective actions taken and planned will improve project management.  Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers who are affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background
A Single Information System Life Cycle Methodology Is Needed for All Non-Business Systems Modernization Projects
    Recommendation 1
Proper Funding and Monitoring Would Enhance Project Management and Accountability
    Recommendations 2 and 3
Complete Capturing of Project Costs Would Improve Determination of Investment Results
    Recommendation 4
A Revised Business Case Is Needed to More Accurately Project Tier 2 Consolidation Investment Benefits
    Recommendation 5
Additional Measures Would Improve Project Status Tracking and Risk Mitigation
    Recommendations 6 and 7
Certification of Several Consolidated Applications Would Improve System Security
    Recommendation 8
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Outcome Measures
Appendix V – Management’s Response to the Draft Report

Background

The Federal Government has made significant investments in Information Technology (IT). Unfortunately, the result of these investments has often been that the projects are not completed within budget and fail to significantly improve mission performance.  To address this problem, the Congress enacted several major reforms in the 1990s to improve management processes, including the selection and management of IT resources.  For example, the Clinger-Cohen Act requires federal agencies to have processes and information in place to help ensure that IT projects are being implemented at acceptable costs, within reasonable and expected time frames, and are contributing to tangible, observable improvements in mission performance.

The Fiscal Year (FY) 2001 – 2002 Internal Revenue Service (IRS) Information Technology Services (ITS) Strategy and Program Plan includes a strategy to optimize corporate data processing activities.  The IRS’ ITS organization plans to accomplish this strategy by consolidating existing non-integrated computer systems that are geographically dispersed and realigning the processes and labor in support of that environment. The IRS considers a more centrally managed and scalable technical infrastructure as a prerequisite for both Business Restructuring and IT Modernization.

A consulting firm, hired by the IRS to help implement organizational modernization, reported in 1999 that the IRS’ current Tier 2 infrastructure included an estimated 107 applications and supporting data residing on approximately 660 individual platforms supplied by 10 vendors in 60 locations.  In April 2000, the IRS established the Tier 2 Consolidation Project Office (T2CPO) to manage the consolidation of all mid-level computer systems to 16 platforms supplied by 2 vendors at 13 sites.

The goals of the Tier 2 Consolidation Project are to optimize corporate data processing activities and reduce the risk of computer failures resulting from the inability to obtain repair parts and software upgrades for the aging computer systems.  The IRS expects to complete the Tier 2 consolidation at a total cost of approximately $178 million in 6 phases over a 6-year period. The final phase of the Tier 2 consolidation effort is scheduled for completion by December 31, 2004.

The audit was conducted at the IRS’ ITS office in New Carrollton, Maryland during May through August 2001.  This audit was scheduled as part of the Treasury Inspector General for Tax Administration’s (TIGTA) 2001 Annual Audit Plan and was performed in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

A Single Information System Life Cycle Methodology Is Needed for All Non-Business Systems Modernization Projects

The IRS is currently in the early phases of the Business Systems Modernization (BSM) effort to replace all its major information systems.  In December 1998, the IRS selected the Computer Sciences Corporation (CSC) as the Prime Systems Integration Services Contractor (PRIME) for the BSM effort.

The IRS also has what are considered non-BSM projects, including the Tier 2 Consolidation Project.  While a prior TIGTA report detailed that the IRS is making progress in implementing a disciplined information system life cycle methodology required for effective management of BSM projects, the IRS has not established a single disciplined process for IT projects not considered part of the modernization effort.

BSM projects

The first priority of the PRIME was to implement an information system life cycle environment patterned after the CSC’s Catalyst methodology.  The IRS expanded the scope of Catalyst to form an IRS-specific methodology known as the Enterprise Life Cycle (ELC).  The ELC implements a set of repeatable processes and a system of reviews, checkpoints, and milestones that reduce the risks of a system development program and ensure alignment with the IRS’ overall business strategy.  By using the ELC for BSM projects, the PRIME should meet or exceed the Capability Maturity Model (CMM) Level 3 for software development and acquisition, which ensures that the process for both management and engineering activities is repeatable and defined.

Non-BSM projects

For the non-BSM projects, the IRS has implemented several information system life cycle methodologies with different phases and milestones over the past several years.  These include the:

·        Enterprise Life Cycle.

·        Enterprise Life Cycle-Lite.

·        Software Development Life Cycle.

·        Enhanced-Software Development Life Cycle.

·        Information System Life Cycle.

The T2CPO is not following any life cycle methodology, but it prepared some key project documents and established measures to monitor the consolidation progress based on prior project management experience.  The absence of a standardized life cycle process for non-BSM projects contributed to the T2CPO not following a specific life cycle methodology.  The lack of a consistent, repeatable management approach to structuring and controlling the system development process increases the risk that projects will not be completed on time or within budget.

Recommendation

The Deputy Commissioner for Modernization & Chief Information Officer should:

1.      Establish one standardized information system life cycle methodology for all non-BSM projects, including the Tier 2 Consolidation Project.

Management’s Response: Management developed the ELC-Lite life cycle methodology, mandated its use for all non-BSM projects supported by the Systems Development organization including Tier 2 Consolidation, and is working with business partners to expand ELC-Lite to meet the requirements for all ITS non-BSM projects.

Office of Audit Comment:  We believe the IRS should have one life cycle methodology for all non-BSM projects regardless of the IRS organization managing the project.  Having one methodology will assist the IRS in complying with the requirements of the Clinger-Cohen Act, facilitate greater consistency in the way projects are managed, and allow the IRS to gain expertise in one methodology. 

Proper Funding and Monitoring Would Enhance Project Management and Accountability

The IRS’ Investment Decision Management (IDM) is a process to select initiatives for funding that are linked to the strategic plan and justify those investments with cost-benefit analyses conducted throughout each investment’s life cycle.  The IDM process is designed in accordance with the Office of Management and Budget (OMB) Circular A-11, Preparation and Submission of Budget Estimates, which provides guidance on budget submissions and capital acquisitions, and OMB Circular A-130, Management of Federal Information Resources, which deals with the management of federal information resources and evaluating IT investments.  The IDM process consists of:

·        Selecting strategic initiatives requiring capital acquisitions for inclusion in the IRS investment portfolio and in associated budget requests.  

·        Controlling those investments for capital acquisitions within the investment portfolio.  

·        Evaluating the business results of IRS investment initiatives.

Although the Tier 2 Consolidation Project was selected as part of the investment portfolio, the IRS did not implement an IDM process that ensured proper funding and monitoring of the project. 

Project funding

The purpose of the select phase of the IDM process is to maximize mission performance by assessing, prioritizing, and funding projects based on alignment with the organization’s strategic plan, benefits, costs, and risks. One of the key principles for life cycle management contained in the Department of the Treasury’s Information System Life Cycle Manual is that a project should not proceed until resource availability is assured.  Full funding improves project management and increases the accountability for the achievement of baseline goals. 

Funding has been a serious issue with the Tier 2 Consolidation Project since the current IDM process has resulted in the selection of projects without the availability of sufficient funding.  The FY 2001 funding for the project was initially reduced from the requested $26.1 million to $11.2 million; it was subsequently reduced to $5.7 million. As a result, the T2CPO did not receive any funding for software and discretionary costs such as overtime, training, and travel.  The FY 2001 appropriations also did not include full funding of hardware, maintenance, and contractor support (see Table 1).   

Table 1: Tier 2 Consolidation FY 2001 Funding

| Expense Item       | Amount Requested by the T2CPO | Amount Funded for the T2CPO | Reduction   |
|--------------------|-------------------------------|-----------------------------|-------------|
| Hardware           | $14,000,000                   | $3,644,000                  | $10,356,000 |
| Software           | $5,000,000                    | $0                          | $5,000,000  |
| Maintenance        | $2,200,000                    | $100,000                    | $2,100,000  |
| Contractor Support | $4,500,000                    | $2,000,000                  | $2,500,000  |
| Overtime           | $50,000                       | $0                          | $50,000     |
| Travel             | $340,000                      | $0                          | $340,000    |
| Training           | $30,000                       | $0                          | $30,000     |
| Totals             | $26,120,000                   | $5,744,000                  | $20,376,000 |

Source:  IRS FY 2001 spending plans for Tier 2 consolidation.

For FY 2002, the T2CPO has requested $36 million; however, that amount is expected to be cut to $15 million. The initiation of projects without certainty of if or when funding will be available can often result in poor planning, acquisition of assets not fully justified, higher acquisition costs, possible loss of sunk costs with project cancellation, or the expenditure of funds from other program areas.

Project monitoring

The control phase of the IDM process consists of a coordinated set of procedures to manage the investment portfolio by monitoring newly approved initiatives, ongoing projects, and operational systems with respect to cost, schedule, and performance.  As part of the monitoring process, each project should be reviewed at key milestones in its life cycle.  Steering committees serve a key role in project monitoring by involving executive management in directing and controlling projects, such as advancing a project from one milestone to the next.  The committee also ensures compliance with life cycle policies and documentation standards. 

The IRS did not implement an IDM process that ensured sufficient monitoring of the Tier 2 Consolidation Project by an Executive Steering Committee (ESC).  While the IRS initiated the effort to consolidate its Tier 2 systems on June 7, 1999, the Project Office was not established until April 2000 and did not begin going before the Corporate Computing ESC until February 28, 2001. Although the ESC should ensure compliance with life cycle policies and procedures, the T2CPO is not following a specific life cycle to manage the project. As a result, the project plan did not contain several required components, other necessary project management plans have not been prepared, and consolidated applications were placed into production without the completion of an approved baseline business case and security certification.

 

The lack of proper funding and monitoring has also contributed to significant consolidation risks identified by the T2CPO at a mid-project review meeting held in April 2001, including:

·        Only 14 of the proposed 24 T2CPO positions for project planning and oversight were staffed.

·        An additional 132 personnel needed to support the consolidated environment in the computing centers are unfunded.

·        The T2CPO was not allocated funds to train systems and database administrators on the new hardware and software technology.

·        Implementation of an automated disaster recovery process has been delayed. 

The Tier 2 Consolidation Project has already encountered significant delays in consolidating applications, and the prospect of completing the consolidation by December 31, 2004, is unlikely.  For example, only 3 of 13 (23 percent) applications scheduled for consolidation between January 1, 2001, and July 31, 2001, were timely consolidated.  The combination of significant consolidation risks and schedule delays increases the likelihood of cost overruns and possible failure of the project to achieve intended goals.

Recommendations

The Deputy Commissioner for Modernization & Chief Information Officer should ensure that:

2.      The IDM process assures proper funding for approved non-BSM projects, including Tier 2 consolidation.

Management’s Response:  Management will issue IDM guidelines and processes for investment decisions that ensure proper project funding and monitoring to enhance project management and accountability for both BSM and non-BSM IT projects.

3.      The ESCs effectively monitor non-BSM projects to ensure compliance with life cycle policies and documentation standards.

Management’s Response:  Management is developing audit procedures for ELC-Lite compliance and will add a supplement to the ELC-Lite that prescribes procedures and practices for ESC operation.  The procedures will include templates for the agenda, probes, and specific items to be reviewed (including compliance with life cycle policies and documentation standards).

Complete Capturing of Project Costs Would Improve Determination of Investment Results

The Clinger-Cohen Act requires agencies to determine the results of IT investments and identify significant deviation(s) from costs, performance, or schedule.  The Department of the Treasury stipulates that project costs include accounting for the spending of all resources, including items such as the cost of staff hours, contractor costs, equipment, and maintenance.  To accurately capture project costs, IRS procedures require the tracking of IT expenditures within the IRS’ financial system by using a five-digit sub-project code.  Labor costs are also tracked through the payroll system by entering the code with the time and attendance records.

 

Although the T2CPO was assigned a sub-project code in FY 2001, only a portion of the funds expended for equipment and maintenance were charged to the project’s five-digit code.  As of July 12, 2001, only $4.4 million of the $12.2 million (36 percent) spent in FY 2001 for hardware, software, maintenance, contractor support, and site preparation was charged to the Tier 2 Consolidation Project (see Table 2).

 

Table 2: Allocation of Tier 2 Consolidation Expenditures

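| Expense Item       | Amount Charged to the T2CPO | Amount Charged to Other Projects | Total Amount |
|--------------------|-----------------------------|----------------------------------|--------------|
| Hardware           | $1,730,050                  | $7,471,893                       | $9,201,943   |
| Software           | $418,000                    | $0                               | $418,000     |
| Maintenance        | $200,000                    | $368,878                         | $568,878     |
| Contractor Support | $2,000,000                  | $0                               | $2,000,000   |
| Site Preparation   | $4,757                      | $0                               | $4,757       |
| Totals             | $4,352,807                  | $7,840,771                       | $12,193,578  |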

Source:  IRS requisitions for Tier 2 consolidation expenditures.

In addition, the labor costs for the project office staff and other IRS employees required to support the consolidation effort in application design, testing, and implementation were not charged to the project’s code.  Project costs were charged to other project codes because of the lack of funding.

By September 21, 2001, IRS requisitions for Tier 2 consolidation expenditures during FY 2001 totaled $21.3 million; however, only $7.9 million (37 percent) was charged to the Tier 2 Consolidation Project.  In addition, an ITS organization outside of the T2CPO acquired contractor support totaling $645,000 for services that included program management and oversight support for Tier 2 consolidation.  By not properly accounting for all costs, the IRS cannot determine the actual results of the IT investment and comply with the Clinger-Cohen Act requirements to identify significant deviation(s) from costs, performance, or schedule.

Recommendation

The Deputy Commissioner for Modernization & Chief Information Officer should ensure that:

4.      All expenditures for Tier 2 consolidation are charged to the T2CPO sub-project code.

Management’s Response: Management centrally funds the T2CPO and uses the assigned code to track all Tier 2 consolidation expenditures, including all labor and non-labor charges.  The T2CPO provided directions on the use of the T2CPO code to affected areas.

A Revised Business Case Is Needed to More Accurately Project Tier 2 Consolidation Investment Benefits

The purpose of a project business case is to substantiate the initial project need to the investment decision-makers; provide justification for prioritizing, selecting, and funding the investment throughout its life cycle; and establish the baseline to control and evaluate the investment.  Estimated costs and benefits for each alternative solution under consideration are key components of the business case, providing the basis for making investment decisions and for evaluating investment performance.  The Clinger-Cohen Act and OMB Circular A-130 also require that agencies update the cost-benefit analyses throughout the information system life cycle. 

The Tier 2 Consolidation Business Case, which was not approved until July 2001, included many of the necessary components to satisfy the OMB and Clinger-Cohen Act requirements.  The cost savings in the business case for FY 2001 through FY 2004 were primarily derived from the reduction in both the number of Systems Administrators (SA) and maintenance costs.  However, errors in both calculations (detailed in Appendix IV) resulted in the estimated savings being overstated by $147.4 million ($135 million from a reduced number of SA and $12.4 million from reduced maintenance costs). The business case also does not reflect investment costs of approximately $5.8 million for the project office staff.  As a result, the business case overstated benefits and omitted investment costs, potentially preventing the ESC from making an informed investment decision.

 

In addition, the business case does not identify the resource, technical, and telecommunications requirements for all applications in determining the cost estimates.  The number of applications identified for consolidation has also increased from 107 to 220.  As a result, the T2CPO anticipates that it will have to purchase 9 additional systems at a cost of approximately $36 million and that an additional 76 SA will be required to operate the consolidated environment.  The T2CPO advised that revisions were necessary and would be incorporated into a revised business case.

Recommendation

The Deputy Commissioner for Modernization & Chief Information Officer should ensure that:

5.      The business case is revised to more accurately identify investment benefits and costs.

Management’s Response: Management will incorporate the T2CPO staffing costs and corrected methodologies and calculations into a revised business case.

Additional Measures Would Improve Project Status Tracking and Risk Mitigation

Management of IT projects must include activities that identify, quantify, and control project risks.  During April 2001, the T2CPO performed a mid-project review, referred to as an In-Process Review (IPR), to ensure that key issues were identified for resolution.  The IPR identified 20 risks and established their status, risk mitigation actions, and target completion dates.  The risks were also elevated to the Corporate Computing ESC. In addition, the T2CPO implemented project status reporting to monitor the progress of application development during the consolidation process and established a risk management process to identify and track risks for each application.  However, the T2CPO could improve the project status tracking and risk mitigation process by increasing the accuracy and consistency of the various reports, prioritizing identified issues for resolution, and developing a risk management plan detailing the risk management process.

 

Project status reporting

The Department of the Treasury’s Information System Life Cycle Manual explains that project status reports are necessary for management to determine whether appropriate progress is being made during the development process.  Status reports also serve as the basis for coordinating preventive and/or corrective actions to problems.  The T2CPO had established several reporting measures to monitor the consolidation progress of the individual applications and the overall status of the Tier 2 Consolidation Project.  These include:  

·        Biweekly Status Report – This status report shows the overall progress of consolidating the individual applications in a color coding scheme of green, yellow, or red to identify the risk of potential delays.

·        Milestone Progress Report (MPR) – The MPR reflects the proposed completion date and the color-coded status of the major milestones for each application.

·        Work Breakdown Structure (WBS) – The WBS contains the tasks to consolidate the individual applications and provides the percentage of task completion and the start and finish dates for each task.

The T2CPO needs to continue improving the accuracy and consistency of the various reports.  For example, the MPR color-coding scheme did not always coincide with the activity status (e.g., green status with expired completion dates).  A review of the May 17, 2001, MPR reflected that 20 of the 23 (87 percent) applications scheduled for consolidation between January 1, 2001, and December 31, 2001, had a green status even though at least one of the activities had an expired completion date.  In addition, project status inconsistencies existed between the biweekly status reports and MPRs. Several of the MPR completion dates were also not consistent with the dates reflected in the WBS.  These inconsistencies occurred primarily because the information contained in the lower-level report (i.e., WBS) was not linked directly into the higher-level report (i.e., MPR).  The lack of consistency in the project status reports increases the possibility that schedule slippage will not be identified early enough to initiate mitigation measures and prevent potential project delays and cost overruns.

 

Risk management process

Risk management is the process of identifying, analyzing, and tracking risks; assessing the probability that risks will occur; and determining their potential impacts in such areas as cost overrun, schedule slippage, and project failure.  A key consideration for developing the risk management requirements is to specify what criteria will be used to analyze and prioritize risks and assess the status of the mitigation activity.  The result of this process serves as the basis for development and implementation of risk reduction actions to either reduce the risk or resolve the issue.  

The T2CPO established a risk management process to identify, analyze, and track risks.  During the initiation and status meetings for the individual applications, the T2CPO identifies issues and risks for tracking in an open actions database; each is assigned to a person responsible for resolving the issue or risk. Someone from the T2CPO is also assigned to follow up on the status of the risk. 

However, risks were not prioritized (i.e., low, medium, high) in the open actions database to determine if they should be elevated to an ESC, and 70 of the 101 (69 percent) action items in the May 22, 2001, open actions report had expired completion dates.  In addition, the T2CPO had not prepared a risk management plan detailing the risk management process because it had insufficient staffing and was not following a life cycle methodology. Incomplete risk mitigation activities increase the possibility of schedule slippage, cost overrun, and possible project failure.

Recommendations

The Deputy Commissioner for Modernization & Chief Information Officer should ensure that:

6.      The Tier 2 Consolidation Project status reports are linked to improve their accuracy and consistency.

Management’s Response: Management will better define the criteria for determining the overall status represented in the Biweekly Status Report.  The overall status in the Biweekly Status Report and the MPR will be linked automatically.  Management also resolved discrepancies between the MPR and WBS by developing an automated process for generating the MPR directly from the WBS.

7.      A risk management plan is developed that includes a process to prioritize risks in the open actions database and to actively monitor risk mitigation.

Management’s Response: Management will replace its current risk management process with the process used by the Service Center Mainframe Consolidation (SCMC) effort. This process is a two-tiered management review/prioritization process.  The T2CPO has documented the new process in a draft plan and is modifying the SCMC automated system to meet the unique needs of the T2CPO.

Certification of Several Consolidated Applications Would Improve System Security

OMB Circular A-130 and the Department of the Treasury Security Manual require that all information systems that process taxpayer data be certified prior to being placed into operation.  Certification requires a comprehensive evaluation of technical and non-technical security features to determine the extent to which system design and implementation meet a specified set of security requirements. The Certification Program Office, under the direction of the Office of Security and Privacy Oversight, is responsible for the security certification process for IRS information systems.

A prior TIGTA audit reported that a majority of the IRS’ systems were not certified as required. Of the 258 sensitive systems identified on the Certification Program Office’s inventory as of January 2000, 232 (90 percent) were not certified.  Management responded that the Office of Security and Privacy Oversight started an initiative to improve the certification process, including implementing systems without full certification on a very limited basis. 

The T2CPO requires system certification as a prerequisite for consolidation, and all applications scheduled for consolidation between January 1, 2001, and December 31, 2001, are in the process of being certified.  However, only 3 of 10 (30 percent) consolidated applications implemented prior to January 1, 2001, were certified as of August 2001.  These 10 applications had either already been consolidated or were in the process of being consolidated prior to the establishment of the T2CPO in April 2000 and the implementation of controls to ensure system certification.  Not certifying the adequacy of security controls in the systems increases the risk of security breaches and possibly jeopardizes the privacy of over 126 million individual and 6 million business taxpayers.

Recommendation

The Deputy Commissioner for Modernization & Chief Information Officer should ensure that:

8. All consolidated Tier 2 applications obtain the required security certifications.

Management’s Response:  Management will certify the production systems that have not been certified and implement a process to ensure applications are certified before being put into production.  Since June 2001, no application has been implemented in the Tier 2 consolidated infrastructure without a security certification.  Security certification will continue to be a key milestone in the WBS.

Appendix I

Detailed Objective, Scope, and Methodology

 

The overall objective of this audit was to evaluate the project management process and controls over the Internal Revenue Service’s (IRS) effort to consolidate mid-level computer systems.

To accomplish this objective, we:

I. Determined whether the project office followed the IRS’ system development methodology and life cycle process.
    A. Identified the IRS’ system development methodology and life cycle process for internal system development projects.
        1. Interviewed IRS representatives responsible for establishing the system development methodology and life cycle process.
        2. Obtained and reviewed current policy and guidelines and identified required milestones, stages, and deliverables.
    B. Reviewed the system development methodology and life cycle process followed by the Tier 2 Consolidation Project Office (T2CPO).
        1. Interviewed project office personnel to determine the system development methodology that was adopted for the project.
        2. Interviewed project office personnel and reviewed project documentation to determine the system life cycle process that is being followed.
            a. Life Cycle Stages.
            b. Project Milestones.
            c. Project Deliverables.
    C. Compared the IRS’ system development methodology and life cycle process for internal system development projects to the process being followed by the project office for the Tier 2 computer consolidation.

II. Determined the accuracy and completeness of key project documents and plans for the Tier 2 Consolidation Project.
    A. Reviewed the business case and determined whether:
        1. Required components were completed, including the requirements of the Clinger-Cohen Act for Capital Planning and Investment Control and technical requirements for application development and telecommunications needs.
        2. Estimated costs were based on identified resource requirements.
        3. Cost and benefit figures were updated based upon revised cost estimates and staffing reductions.
        4. The business case was formally approved.
    B. Reviewed the project management plan for required elements and proper approval.
    C. Determined what other project plans were prepared by the T2CPO and whether they contained required elements.
    D. Determined what additional project plans were prepared specifically for the phase 3 applications.
    E. Determined if a Work Breakdown Structure was prepared, including application(s) development activities, with a critical path to identify key resource requirements.
    F. Determined if application(s) requirements documents were prepared and included business resumption and disaster recovery.
    G. Determined if security certification and accreditation will be obtained prior to an application being placed into production.

III. Determined whether the project was sufficiently funded and expenditures were properly tracked.
    A. Reviewed the spending plans submitted by the T2CPO.
        1. Determined whether the spending plans are consistent with the figures contained within the business case and cost estimate document.
        2. Compared the staffing and budget amounts requested by the T2CPO to the actual amount funded by the IRS to determine if the project received requested funds.
        3. Determined from the T2CPO how the unfunded budget items were addressed.
    B. Determined whether application owners and support organizations have sufficient resources to implement consolidation of phase 3 applications.
        1. Reviewed resource requirements included in the individual applications’ development plans to determine the total resource requirements for the application owners and support organizations.
        2. Interviewed personnel in the Systems Development function, the computing centers, and the Office of Security and Privacy Oversight to determine whether their resources are sufficient to support implementation of phase 3 applications consolidation.
    C. Determined if expenses for Tier 2 computer consolidation are properly attributed to the project.
        1. Reviewed governmental requirements and IRS procedures for tracking expenses for Information Technology Services (ITS) projects.
        2. Determined what accounting code has been assigned to track costs associated with the effort to consolidate Tier 2 systems and reviewed requisitions for software, equipment, contractor support, and other related project costs to verify proper recording of project expenses.
        3. Interviewed application owners and supporting organizations for phase 3 applications to determine the accounting codes to which the staff hours expended by their personnel as part of the consolidation effort have been attributed.
        4. Determined if the project office is monitoring actual versus budgeted variations.

IV. Evaluated the risk management process, including project status reporting and IRS management oversight.
    A. Determined whether risks are being identified and controlled for resolution.
        1. Reviewed procedures established by the project office to identify risks.
        2. Determined how risks are being controlled.
        3. Reviewed procedures for prioritizing risks and elevating critical risks for resolution.
    B. Determined what project status reports are prepared by the project office to monitor progress and evaluated the reports’ accuracy in reflecting the current status of the project.
    C. Determined what senior ITS and IRS management committees have been established to oversee the Tier 2 computer consolidation effort.

V. Evaluated the impact on the consolidation schedule of including more applications in the Tier 2 Consolidation Project.
    A. Interviewed personnel overseeing the identification of applications for consolidation to determine the number of applications that will be added.
    B. Interviewed T2CPO personnel, application owners, and supporting organizations to determine the amount of resources that will be required to consolidate the additional applications.
    C. Determined whether the Tier 2 Consolidation Project’s progress report was updated to reflect the current status.
    D. Reviewed the basis for authorizing additional applications.

 

Appendix II

Major Contributors to This Report

 

Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs)

Gary Hinkle, Director

Danny Verneuille, Audit Manager

Ted Grolimund, Senior Auditor

Van Warmke, Senior Auditor

Olivia Jasper, Auditor

Linda Screws, Auditor

Appendix III

Report Distribution List

 

Commissioner  N:C

Chief, Information Technology Services  M:I

Deputy Chief, Information Technology Services M:I

Director, Strategic Planning and Client Services  M:SP

Director, Systems Development M:I:SD

Director, Corporate Computing  M:I:E

Director, Systems Support Division  M:I:E:SS

Director, Detroit Computing Center M:I:E:DC

Director, Martinsburg Computing Center M:I:E:MC

Director, Tennessee Computing Center M:I:E:TC

Chief Counsel CC

National Taxpayer Advocate  TA

Director, Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  N:ADC:R:O

Office of Management Controls  N:CFO:F:M

Audit Liaisons:

Chief, Information Technology Services  M:I

Director, Corporate Computing M:I:E

Director, Systems Support Division  M:I:E:SS

Office of Program Oversight and Coordination  M:SP:P:O

 

Appendix IV

Outcome Measures

 

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.  These benefits will be incorporated into our Semiannual Report to the Congress.

Type and Value of Outcome Measure:

• Reliability of Information – Actual; $7.8 million in expenditures for Tier 2 consolidation (see page 8).

Methodology Used to Measure the Reported Benefit:

To capture Information Technology (IT) project costs, expenditures are tracked within the Internal Revenue Service (IRS) financial system using a five-digit sub-project code.  As of July 12, 2001, the IRS financial system showed that $4.4 million was charged to the Tier 2 Consolidation Project Office (T2CPO) in Fiscal Year (FY) 2001 for hardware, software, maintenance, contractor support, and site preparation. We calculated that an additional $7.8 million was spent on hardware and maintenance by reviewing requisitions associated with Tier 2 consolidation.

| Requisition Number | Amount Charged to the T2CPO | Amount Charged to Other Projects | Total Amount |
|---|---|---|---|
| Q1QM01SSD04-000 | $2,000,000 | | $2,000,000 |
| Q1QM01SSD28-000 | $1,200,000 | $597,026 | $1,797,026 |
| Q1QM01SSD60-000 | $5,050 | | $5,050 |
| Q1QCD2AOA16-000 | | $2,448,592 | $2,448,592 |
| Q1QE30CFB42-00 | $1,143,000 | $1,657,538 | $2,800,538 |
| Q1QCD2AOA15-000 | | $1,420,286 | $1,420,286 |
| Q1QM01SSD46-000 | | $83,494 | $83,494 |
| Q1QM01SSD47-000 | | $478,240 | $478,240 |
| Q1QM01SSD48-000 | | $1,155,595 | $1,155,595 |
| Q1QFC5R183-000 | $4,757 | | $4,757 |
| Totals | $4,352,807 | $7,840,771 | $12,193,578 |

 

Type and Value of Outcome Measure:

• Reliability of Information – Potential; $147.4 million reduced investment benefits (see page 10).

Methodology Used to Measure the Reported Benefit:

The business case contains overstated investment benefits of approximately $147.4 million for FY 2001 through FY 2004.  The cost savings in the business case were primarily derived from a case study that estimated the reduction in both the number of Systems Administrators (SA) and maintenance costs realized by the consolidation of Tier 2 computer systems.  The T2CPO business case cited $260.4 million in benefits from a reduction in the number of SA.  However, the $260.4 million should have been reduced by the cost for SA to operate both the Tier 2 systems remaining in the IRS campuses and the Tier 2 systems currently in production at the computing centers.  The T2CPO also identified another $45.4 million in benefits from reduced maintenance costs; however, that amount should have been reduced by the maintenance cost for all Tier 2 systems operating during the consolidation process.  As a result, we calculated that the savings should have been only $125.4 million from the reduction in the number of SA and $33 million in reduced maintenance costs, which totaled $158.4 million.  We then subtracted the $158.4 million in cost savings from the $305.8 million in cost savings contained in the business case and determined that the investment benefits were overstated by $147.4 million.

| Category | Cost Savings in Business Case | Cost Savings After Recalculation | Overstated Investment Benefits |
|---|---|---|---|
| Systems Administrators | $260,381,279 | $125,359,918 | $135,021,361 |
| Maintenance Costs | $45,385,963 | $33,027,669 | $12,358,294 |
| Totals | $305,767,242 | $158,387,587 | $147,379,655 |

 

Type and Value of Outcome Measure:

• Reliability of Information – Potential; $5.8 million increased investment costs (see page 10).

Methodology Used to Measure the Reported Benefit:

The business case also does not reflect investment costs of approximately $5.8 million for the T2CPO staff for FY 2001 through FY 2004. We calculated the increased investment costs by identifying the salaries of the assigned project office staff and projecting the salaries over the life of the project.  We did not include additional salary expenses for potential step increases or cost of living increases.

| FY 2001 | FY 2002 | FY 2003 | FY 2004 | Increased Investment Costs |
|---|---|---|---|---|
| $1,073,597 | $1,563,423 | $1,563,423 | $1,563,423 | $5,763,866 |

 

Appendix V

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.