Management Advisory Report:
Progress Has Been Made in Establishing a Secure Modernization
Infrastructure; However, Continuing Risks Could Impact Timely Deployment of
Modernization Projects
June 2002
Reference
Number: 2002-20-112
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
June
24, 2002
MEMORANDUM FOR
DEPUTY COMMISSIONER FOR MODERNIZATION &
CHIEF INFORMATION OFFICER
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for
Audit
SUBJECT: Final Management Advisory Report – Progress Has Been Made in Establishing a
Secure Modernization Infrastructure; However, Continuing Risks Could Impact
Timely Deployment of Modernization Projects (Audit # 200220020)
This
report presents the results of our review of the Internal Revenue Service’s
(IRS) Security and Technology
Infrastructure Release (STIR) project. The overall
objective of this review was to evaluate
the risks associated with timely integration and deployment of the STIR project
in Fiscal Year 2002. To address this objective, we
evaluated the current status of the project, determined the causes for delays
experienced thus far, and evaluated the impact of STIR issues on other Business
Systems Modernization (BSM) projects.
The STIR project will
provide the secure technical infrastructure to support and enable the delivery
of the IRS’ modernized business systems.
The STIR project team plans to deliver the technical infrastructure over
several years as BSM projects need support to deploy the systems that will
improve taxpayer service and provide increased management capabilities. The first releases of the STIR will meet the
needs of the BSM projects scheduled for deployment in 2002: Internet Refund/Fact of Filing (IRFOF),
Enterprise Systems Management (ESM), e-Services 2002, and Customer Account Data
Engine (CADE) Release 1.
Developing an infrastructure
for modernization projects to build upon is a very complex task for an
organization as large as the IRS. The
infrastructure components are dispersed over many different sites, and contain
many pieces of hardware and software that must work together to be
effective. The STIR project team has
made significant progress in developing the infrastructure components, and had
completed portions of the testing with the IRFOF project as of the end of our
audit. In addition, the STIR project
team is developing guidance and has provided infrastructure training to other
BSM project teams.
The STIR project, however,
has experienced delays and cost increases in the design and development of the
infrastructure. The project team also
experienced problems performing the complex integration with the IRFOF
project. These development and
integration problems contributed to delaying the deployment of the IRFOF
project past the peak of the tax return filing season, when the IRFOF project
would have provided the most benefits to taxpayers.
Existing risks in the STIR project could result in delays for the other
BSM projects dependent on STIR for infrastructure support. We identified risks related to aggressive
scheduling, inadequate levels of IRS staffing on the STIR project team and at
the Martinsburg Computing Center, an inefficient change control process, and
inconsistent risk management.
We are reporting on these risks so that actions can be taken to address
them. We are not making formal
recommendations at this time, but we will be conducting further audit work in
some of these areas to evaluate the work the STIR project team conducts to
address these risks and others it faces in supporting BSM and other
modernization projects.
Management’s Response:
Management’s response was due on June 12, 2002. As of June 20, 2002, management had not
responded to the draft report.
Copies of this report are also being sent to
the IRS managers who are affected by the report. Please contact me at (202) 622-6510 if you have questions or
Scott E. Wilson, Assistant Inspector General for Audit (Information Systems
Programs) at (202) 622-8510.
Progress
Has Been Made in Developing the Infrastructure
The Project Team Has Encountered Delays in Completing Development
Risks Exist That Could Result in Further Delays for the 2002 Modernization Projects
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
The Security and Technology Infrastructure Release (STIR) project will provide the technical infrastructure and security to support and enable the delivery of Business Systems Modernization (BSM) projects that will modernize the Internal Revenue Service’s (IRS) computer systems. The STIR project is compliant with the Enterprise Architecture for the IRS’ modernization effort. The STIR project team plans to deliver security and infrastructure components over several years as other BSM project teams need support to deploy systems that will improve taxpayer service and provide increased management capabilities. The first releases of the STIR have been developed to meet the needs of the BSM projects scheduled for deployment in 2002: Internet Refund/Fact of Filing (IRFOF), Enterprise Systems Management (ESM), e-Services 2002, and Customer Account Data Engine (CADE) Release 1.
Developing a secure infrastructure to support modernization is a very complex undertaking for an organization as large as the IRS. The infrastructure under development is geographically dispersed over various sites, and includes numerous pieces of hardware and software, which must effectively communicate and interact with each other as they support the modernization projects that provide benefits to taxpayers and IRS employees. Significant amounts of effort and time have been required to design and develop this complex, geographically dispersed infrastructure.
The audit was conducted in the BSM Office in New Carrollton, Maryland, between November 2001 and February 2002 in accordance with the President’s Council on Integrity and Efficiency’s Quality Standards for Inspections. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
The STIR project team has made significant progress in developing infrastructure to support the deployment of the IRFOF project, which is the first BSM project with taxpayer benefits scheduled for deployment in 2002. The STIR project team met revised dates for completing portions of its system testing to meet IRFOF needs. Although testing of some requirements had to be delayed due to constraints in the testing environment, the initial testing was satisfactory for the requirements that were tested. Additional portions of testing, including IRS acceptance testing and testing of the integration with the IRFOF and ESM projects, were still being conducted when we completed the audit.
In addition, the STIR project team has established ongoing initiatives to better educate personnel on other development projects about the modernization infrastructure. A training session was held for these project team members in December 2001, and a guidance document, The Customer’s Guide to Technical Infrastructure, was under development at the time of our review.
However, some delays have occurred in the STIR development, and risks to timely project deployment in 2002 continue to exist. The remainder of this report describes the factors contributing to the delays, and identifies continuing risks that could delay the deployment of BSM projects planned for 2002.
In the BSM Spending Plan provided to the Congress in April 2000, the IRS indicated that the STIR project team would initially focus on the delivery of infrastructure components needed to support the 2002 tax-filing season. The IRS estimated the cost to complete the initial STIR design at $8.5 million, and planned to complete this phase in September 2000. However, the STIR design was not completed until January 2001, and documents supporting that design were not officially approved until nearly a year later, in December 2001. Actual costs for the initial design phase were $10 million.
The STIR project team began efforts towards final design and development in January 2001. Initial estimates indicated that the development of the STIR would cost approximately $25 million, and would be completed in August 2001. However, parts of the STIR were not completed until February 2002, and others, including support for the e-Services project, were still being worked on as of the end of our field work. Costs for the development of the STIR have increased to over $31 million. According to management, this $6 million cost increase was due to transferring costs for hardware and software from individual project budgets to the STIR budget.
Several factors contributed to the delays in the final design and development of the STIR project. First, one of the STIR sub-contractors did not initially follow the IRS’ Enterprise Architecture standards for the system used to manage the IRS’ Internet activity, which affected both the IRFOF and e-Services projects. Once IRS executives learned of this issue, they required the sub-contractor to meet the Architecture standards, which delayed the completion of the system. Second, the laboratory used to test new projects and applications was not available when the STIR project team planned to begin its testing. Finally, IRS security experts were not sufficiently involved in the initial creation of STIR design documents. It took an additional 11 months to obtain approval for the revised security documentation.
Risks that may impact the timely deployment of BSM
projects in 2002 continue to exist. We
believe actions to minimize these risks should be taken to reduce potential
delays in providing benefits to taxpayers and employees.
Project schedules are aggressive
A critical issue that the STIR project team has been struggling with is developing an accurate schedule for development and testing, including testing of how the infrastructure integrates with the projects it supports. Because this integration is very complex, issues can arise in the testing that require significant amounts of time and expertise to address. For example, the testing of the IRFOF, ESM, and STIR integration was planned to take 3-4 weeks. However, due to issues that arose during the testing, the testing actually has taken about 10 weeks, and was still ongoing as of mid-April. As a result, the IRFOF project was delayed and was not available to taxpayers during the peak of the tax return filing season, when it would have provided the most benefits.
Project schedules for testing integration of the STIR with the e-Services project later this year are also aggressive, and should be reviewed and adjusted as necessary to ensure adequate time is allocated to this critical and complex task.
The allocated staffing levels are inadequate to
support implementation of the modernized infrastructure
A significant issue that the STIR project team has been facing is not having adequate IRS staffing on the project team and in the Martinsburg Computing Center (MCC) to support the implementation of a modernized infrastructure. Although the STIR project team is fully staffed according to its allotted positions, there is a need for additional staff, especially since the STIR team will soon be supporting even more projects.
For example, until recently, the STIR project team was only supporting BSM projects that were part of the 2002 release. However, the IRS has recently realized the need to ensure modernization projects other than BSM, including those managed within the IRS’ Information Technology Services organization, are supported with the modernized infrastructure. For example, the Business Master File (BMF) e-File project will need to use the modernized infrastructure to communicate with business taxpayers via the Internet.
In addition, the MCC staff responsible for running and updating existing computer systems also support the STIR by installing and configuring infrastructure equipment for modernized systems. As new projects are deployed, the MCC staff will also have to manage and maintain the new systems that are put in place. The MCC staff is already working significant levels of overtime to try to provide support to the STIR project. Even with the overtime worked, there have been some delays in completion of support tasks for establishing the necessary infrastructure.
Until the IRS completes a staffing and budget analysis to determine the number and qualifications of IRS staff needed to provide the critical support for implementing a modernized infrastructure, additional delays will likely occur in the installation and deployment of new systems.
The change control process needs improvement
Although the STIR project team has a change control process in place, it takes significant amounts of time to move the change requests through the system. In the past, weaknesses in the process to control STIR project design changes have resulted in delays in approval of changes requested, delays in making necessary changes, and a lack of analysis of the impact to the STIR project schedule when changes are made to requirements. For example, change requests generated from the review of security requirements resulted in numerous changes to the STIR project. Although most of these changes were minor, it took nearly a year to complete the revisions and to obtain executive approval of the changes.
To determine if the change control process was currently working effectively, we reviewed the change requests the STIR project team had on file at the time of our review and found 11 of the 25 had not been approved, including the 4 requests classified most critical by the IRS. For those requests that had been approved, the approvals were given much later than the date the change was actually needed. Most were approved three or more months after the change was needed. In addition, only one-third of the change requests had necessary impact assessments completed to show the cost of the change as well as potential implications of making the change.
Without an effective and efficient process for evaluating and approving change requests, changes to systems could occur without proper approvals, delays could occur, and management cannot be certain that the changes requested are worth the cost to make them.
Project risks were not timely identified and addressed
A lack of consistency in risk management processes is another issue the STIR project team has struggled to address. When we began our review, the STIR project team had two different lists of risks and issues, one of which was controlled in the program risk management database, and the other that was managed outside that centralized database. Both lists included significant project risks and issues that had to be addressed, but only the issues in the centralized database were subject to BSM Office (BSMO) control. As we moved through the audit, the STIR project team consolidated its risks and issues into the centralized database, so that all the risks and issues could be controlled by the BSMO.
Although the STIR project team had identified some potential risks and issues, we believe certain risks were not identified and tracked. For example, we did not see any risks related to the timely identification of project requirements for the STIR team to support, which is one of the most critical issues the STIR project team has to address. In addition, the risk of changes to project requirements after they are identified is also significant to the STIR project. Another risk, as discussed earlier in this report, is the complexity of integration between projects and the infrastructure the STIR team is building to support the projects. Consistent management of project risks is a key element of project control because inadequate identification and monitoring of potential risks can lead to schedule delays and additional costs.
Management’s Response: Management’s response was due on June 12, 2002. As of June 20, 2002, management had not responded to the draft report.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to evaluate the risks associated with timely integration and deployment of the Security and Technology Infrastructure Release (STIR) project in Fiscal Year 2002. Work for this audit was performed in the Business Systems Modernization Office (BSMO) in New Carrollton, Maryland, between November 2001 and February 2002.
To
complete our work on this review, we conducted the following tests:
I.
Determined the current status
of the STIR project by reviewing oversight steering committee information.
II.
Determined the causes for any
STIR project delays.
III.
Determined what effect late
delivery of the STIR project may have on other modernization projects.
Appendix II
Major Contributors
to This Report
Scott E. Wilson, Assistant Inspector General for Audit
(Information Systems Programs)
Scott Macfarlane, Director
Tammy Whitcomb, Audit Manager
Michelle Griffin, Senior Auditor
Jimmie Johnson, Jr., Senior Auditor
Suzanne Noland, Auditor
Appendix III
Commissioner N:C
Deputy Commissioner N:DC
Associate Commissioner, Business
Systems Modernization M:B
Deputy Associate Commissioner,
Program Management M:B:PM
Deputy Associate Commissioner,
Systems Integration M:B:SI
Director, Infrastructure
Modernization M:B:SI:IM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Legislative
Affairs CL:LA
Director, Office of Program
Evaluation and Risk Analysis N:ADC:R:O
Office of Management
Controls N:CFO:F:M
Audit Liaison:
Associate Commissioner, Business
Systems Modernization M:B