August 2002
Reference
Number: 2002-20-138
This report has cleared the Treasury
Inspector General for Tax Administration disclosure review process and
information determined to be restricted from public release has been redacted
from this document.
August
13, 2002
MEMORANDUM FOR
DEPUTY COMMISSIONER FOR MODERNIZATION & CHIEF
INFORMATION OFFICER
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for Audit
SUBJECT: Final Audit Report - The
Selection, Monitoring, and Management of Systems Improvement Projects, Such as
the Print Consolidation Project, Need Modification (Audit #
200120010)
This
report presents the results of our review of the Print Consolidation
Project. The overall objective of this
review was to determine
whether the Internal Revenue Service (IRS) implemented adequate policies and
procedures as required by
legislation and Federal guidance to fund and manage the Print
Consolidation Project.
Several management reforms
enacted in the past decade, including the Clinger-Cohen Act, have introduced
requirements emphasizing the need for Federal agencies to improve the processes
and methods used to select and manage information technology (IT)
resources. The ultimate goal of these
reforms is for agencies to focus on managing IT resources and to make sound
investment decisions that will measurably increase the performance of the
Federal Government. In this review, we
examined the current IRS selection, control, and evaluation processes that were
applied to the Print Consolidation Project. This project was initiated to support
the IRS’ strategy of combining corporate data processing activities by
consolidating taxpayer notice printing capabilities from 10 locations to 2, the
Detroit Computing Center (DCC) and the Ogden Campus.
In summary, we found that
the Print Consolidation Project has experienced early success by obtaining and
implementing new equipment to alleviate notice printing concerns at the IRS
Campuses. In Calendar Year 2000, initial contracts were awarded
and the first printers, inserters, and sorters were readied for production at
the DCC and the Ogden Campus. The following year, the consolidated printing sites handled over 20 percent of the IRS’
notice print volume, and the contract was awarded for the Notice
Delivery System (NDS), a server-based
system that will be able to electronically sort notices before printing and provide
control of individual notices throughout notice processes.
The IRS has established
selection and monitoring processes and executive steering committees to oversee
the funds used for the majority of its systems modernization initiatives. However, over $100 million in funding for
initiatives known as improvement projects is independently prioritized and
managed by the Information Technology Services (ITS) Operating Divisions each
year. We found that no centralized
selection and monitoring process has been established for improvement projects,
such as the Print Consolidation Project.
This makes comparison of competing projects across the IRS more
difficult and decreases oversight requirements. Consequently, the IRS cannot ensure that its improvement project
funds are being effectively and efficiently used to achieve its business
priorities in accordance with Clinger-Cohen Act requirements.
In addition, the IRS
selected a solution for the NDS portion of the Print Consolidation Project that
required purchase of a system that does not comply with the IRS’ Enterprise
Architecture. This solution required
$3.36 million in hardware and maintenance costs and $2.7 million in development
costs to customize and tune the NDS over the life of the system. If a compliant solution had been chosen,
some of these costs may have been avoided.
Instead, such costs reduce the overall benefits the IRS expected to
receive from its broader initiative to consolidate its mid-range systems, which
includes the NDS.
Another concern is the lack of
a standardized life cycle process to guide the development of improvement
projects, including the Print Consolidation Project. The Enterprise Life Cycle (ELC) methodology has been mandated for
the IRS’ Business Systems Modernization initiatives, but a methodology has not
been implemented for systems improvement projects. By not using a consistent, repeatable management approach for
structuring and controlling the systems development process, the risk that
projects will not be completed within budget or on time is increased.
The
Deputy Commissioner for Modernization & Chief Information Officer (CIO)
should ensure that a centralized,
multifunctional investment review process is established and documented for the
selection, funding, and monitoring of all the IRS’ information technology
investments. Planned
corrective actions based on the prior TIGTA report to develop objective
criteria for the classification of IRS information systems projects should
specifically include criteria for systems improvement projects. For
the NDS, we recommend that the Print Consolidation Project Office provide a
full justification for procuring a non-compliant solution. We also recommend that the policy of issuing
approvals to procure non-compliant, mid-range computer hardware and software be
clarified and that Print Consolidation Project management take necessary
action to provide proper project control until a systems life cycle process is
developed, implemented, and monitored for improvement projects. Finally, all existing improvement projects
should comply with basic systems life cycle and project management controls.
Management’s
Response: IRS management agreed with the
recommendations presented in the report.
Corrective actions will be taken to develop an information technology
capital planning guide for centrally managing information technology
investments, submit a waiver to request approval for the NDS to deviate from
the Enterprise Architecture, clarify the policy of granting interim approvals
to deviate from the IRS’ Enterprise Architecture, and ensure that proper
management controls are in place for all non-Business Systems Modernization
projects, including the Print Consolidation Project. Management’s complete response to the draft report is included as
Appendix VI.
Copies of this
report are also being sent to the IRS managers who are affected by the report
recommendations. Please contact me at
(202) 622-6510 if you have questions or Scott E. Wilson, Assistant Inspector
General for Audit (Information Systems Programs), at (202) 622-8510.
Initial Efforts To Consolidate Notice Printing Activities Have
Made Significant Progress
Key Project Management Controls Need To Be Followed To Help Assure Project Success
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Outcome Measures
Appendix V – Total Project Funding Fiscal Years 2001, 2002, and
2003
Appendix VI – Management’s Response to the Draft Report
Several management reforms enacted in the past decade have introduced requirements emphasizing the need for Federal agencies to significantly improve the management processes and methods used to select and manage information technology (IT) resources. The ultimate goal of these reforms is for agencies to focus on managing IT resources to make sound investment decisions that will measurably increase the performance of the Federal Government. In particular:
· The Clinger-Cohen Act requires Federal agencies to have processes in place to help ensure that IT projects are being implemented at acceptable costs, within reasonable and expected time frames, and are contributing to tangible, observable improvements in mission performance.
· The Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, was updated and reissued in November 2000 to include the Clinger-Cohen Act requirement to establish effective and efficient capital planning processes for selecting, controlling, and evaluating investments in information systems.
The Treasury Inspector General for Tax Administration (TIGTA) reported in August 2001 that the Internal Revenue Service (IRS) was progressing in its compliance with the requirements of the Clinger-Cohen Act. Specifically, the TIGTA reported, “the IRS is still developing and implementing IT investment processes envisioned in the Act. Because these processes are in various stages of being implemented, they do not yet constitute a working structure that fully complies with the provisions of the Clinger-Cohen Act.”
During this review, we examined the current IRS selection, control, and evaluation processes that were applied to the Print Consolidation Project. This project was initiated to support the IRS’ strategy of combining corporate data processing activities (as outlined in the Fiscal Year (FY) 2001-2002 IRS Information Technology Services Strategy and Program Plan) by consolidating taxpayer notice printing capabilities from 10 locations to 2, the Detroit Computing Center (DCC) and the Ogden Campus. Taxpayer notices encompass a broad range of correspondence between the IRS and taxpayers, which, according to recent IRS estimates, will exceed 1 billion pages in Calendar Year 2003.
The equipment used in
the Print Consolidation Project includes high-speed printers, inserters that
mechanically place notices and accompanying pamphlets into envelopes, and
sorters that organize the envelopes by postal codes. The latest addition to this configuration is the Notice Delivery
System (NDS), a server-based system that will be able to electronically sort
notices before printing and provide control of individual notices throughout
notice processes.
This audit was conducted at the DCC in Detroit, Michigan, and in the IRS offices in Washington, D.C. and
New Carrollton, Maryland, from August 2001 to
April 2002. This audit was scheduled as part of the TIGTA’s FY 2002 Annual Audit Plan and was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
The Print Consolidation
Project was selected and approved in a period where the IRS was beginning to
implement processes designed to meet the requirements of the Clinger-Cohen Act
in FY 2000. IRS customers and
representatives of the Information Technology Services (ITS) organization
prioritized the Print Consolidation Project as a top information systems
investment in May 2000. The Print
Consolidation Project was initially listed as a Tier B Project as defined in
the IRS’ Enterprise Life Cycle (ELC).
The Print Consolidation
Project has produced several operational successes, including:
· From
July 2000 through December 2000, initial contracts were awarded and the first
printers, inserters, and sorters were readied for production at the DCC and the
Ogden Campus in accordance with the planned schedule.
· During
2001, the consolidated printing sites handled over 20 percent of the IRS’
notice print volume, which alleviated the notice print volume concerns at the
IRS’ 10 Campuses.
· In
September 2001, the initial contract for the NDS was awarded.
· In 2002
and 2003, the consolidated sites plan to absorb the IRS’ notice printing by
adding 40 percent of the notice volume in each of these successive years.
The Clinger-Cohen Act requires a strong and comprehensive IT capital planning process to assure that an agency’s IT-related expenditures receive the executive-level oversight needed to properly select and monitor the most critical projects. OMB Circular A-130 has implemented the Clinger-Cohen Act requirements by establishing capital planning processes for the selection, control, and evaluation of IT investments and by requiring each agency to establish a portfolio of IT projects that supports its mission.
The IRS has established selection and monitoring processes and executive steering committees to oversee the funds in its Information Technology Investment Account (ITIA), which is used for the IRS’ Business Systems Modernization (BSM) initiatives, or Tier A projects. To obtain ITIA funding, projects must provide justification and be prioritized and selected by an investment review board composed of multifunctional business executives.
Similar processes have been established for Tier B projects, or projects that provide a bridge between the current and modernization architectures. The Business Systems Planning (BSP)/Division Information Officers (DIO) Council reviews project plans and documentation and selects projects to allocate Tier B funds. The BSP offices work with the IRS’ four Business Operating Divisions (BOD) to identify business needs and work with the DIOs in the ITS organization to ensure the IT requests within each organization are adequately communicated to the Council.
During our review, we found that no centralized selection and monitoring process has been established for the improvement projects, such as the Print Consolidation Project, that are managed by the ITS Operating Divisions. These projects are not funded from the Tier A and B budgets. Although the Print Consolidation Project was initially categorized as a Tier B project, it was funded out of the improvement projects budget for the Enterprise Operations Division. Consequently, the project followed the less-structured selection and monitoring processes of the Enterprise Operations Division.
Under this less-structured process, the NDS addition to the Print Consolidation Project was not competed against all other ITS improvement projects as part of a portfolio review by an agency investment review board, as required by the Clinger-Cohen Act. Specifically, the NDS was submitted for approval in May 2001 as an improvement project under the Print Consolidation Project, although the original approval for the Print Consolidation Project did not include the NDS. The NDS was competed only against other Enterprise Operations Division improvement projects and later approved by the Chief, ITS. The NDS was funded for total project, or life cycle, costs of $11 million, a 7 percent increase in the life cycle costs of the Print Consolidation Project, which was originally funded for $155 million.
In addition, an executive oversight board or steering committee process has not been established for monitoring all improvement projects. Steering committees serve a key role in monitoring and overseeing projects by involving executive management in directing and controlling projects, such as advancing a project from one milestone to the next, and helping ensure compliance with life cycle policies and documentation standards. While the Print Consolidation Project serves all of the IRS’ BODs, it does not report to a multifunctional steering committee representing these organizations.
These conditions occurred because the processes to select and monitor improvement projects are decentralized across the ITS Operating Divisions. Consequently, there is not a centralized multifunctional investment review board to select and monitor ITS improvement projects.
As a result, prioritization and monitoring of improvement projects is handled within the ITS Operating Divisions, which makes comparison of competing projects across the IRS more difficult and decreases the oversight requirements for improvement projects. Consequently, the IRS cannot ensure that its systems improvement project funds are being effectively and efficiently used to achieve its business priorities in accordance with Clinger-Cohen Act requirements. As illustrated in the chart below, improvement project funds under the ITS Operating Divisions are significantly more than those for Tier B projects. See Appendix V for a complete breakdown of improvement project funds by ITS Operating Division.
FYs 2001-2003
|
Project Type |
FY
2001 (Millions Dollars) |
FY
2002 (Millions Dollars) |
FY
2003 (Millions Dollars) |
|---|---|---|---|
|
Tier B Projects |
40.0 |
40.0 |
60.0 |
|
Improvement Projects |
132.3 |
111.3 |
146.8 |
Total
|
172.3 |
151.3 |
206.8 |
Source: Modernization and Information Technology Services Program Plan FY 2002-2003 (August 7, 2001).
In addition, the lack of sufficient IT classification guidelines also contributed to the project’s selection deficiencies detailed above. The TIGTA recently issued an audit report regarding the IRS’ guidelines and processes for classifying IT projects. The report recommended and IRS management agreed that it should, “establish specific objective guidelines for classifying IT projects as ITIA or non-ITIA. The guidelines should include, at a minimum, a) cost, b) development period, c) quantitative/qualitative estimate of risk, and d) integration with, or affect on, the modernization architecture.” Management had initially indicated corrective actions would be completed by December 2001 but has recently delayed the actions until August 2002.
The Deputy Commissioner for Modernization & Chief
Information Officer (CIO) should ensure that:
1. A centralized, multifunctional investment review process is established and documented for the selection, funding, and monitoring of all the IRS’ information technology investments.
Management’s Response: The Deputy Commissioner
for Modernization & CIO is developing an IT Capital Planning Guide
(Guide). The Guide will describe the
IRS’ systematic approach to manage risks and returns of IT investments through
the centralized, multifunctional investment review process for the selection,
funding, and monitoring of IT investments in support of the IRS’ mission,
goals, and objectives. The Guide will
include the IT Capital Planning process, using best management practices as
required by the OMB. The Guide will provide the process
framework; however, the Modernization, Information Technology, and Security
(MITS) Services organization must also implement new workload prioritization
practices, develop and follow through on sound business cases, and enforce
project management and control practices.
These additional activities will take time to perfect because they
involve a shift in practice within the MITS Services organization.
Office of Audit Comment: Although we recognize the time it will take to implement new IT investment management practices, the time period for corrective action may need to be accelerated to meet Congressional expectations. Recent Congressional committee reports, regarding the Treasury and General Government Appropriation Bill for 2003, include expectations that funds provided under the IRS’ Information Systems account, particularly for development-related activities, should be managed with the same diligence and financial controls as those activities funded through the BSM account. In addition, the Senate Appropriations Committee report directs the IRS Commissioner to “submit, concurrent with the Fiscal Year 2004 budget submission, a detailed budget justification for funds provided in the Information Systems account that outlines the specific use of all monies allocated in this appropriation, apportioning responsibility between operations and development functions, and specifying how program governance for these funds will meet the appropriate and rigorous requirements set for comparable activities in Business Systems Modernization.”
2. The planned corrective actions based on the prior TIGTA report to develop objective criteria or thresholds for the classification of ITIA and non-ITIA projects specifically include criteria for projects that are now considered improvement projects.
Management’s Response: The Deputy Commissioner for Modernization & CIO is developing an IT Capital Planning Guide. This Guide will describe the IRS’ systematic approach to manage risks and returns of IT investments, including projects now considered improvement projects, in support of the IRS’ mission, goals, and objectives.
The IRS’ Enterprise Architecture specifies the computer systems on which IRS systems are to be hosted. For mid-range, or Tier 2, application and data support systems, the required architecture is a Sun-based system. The Distributed Systems Management Branch (DSMB) has the responsibility for reviewing proposed Tier 2 acquisitions for compliance with the IRS’ Enterprise Architecture. This review process includes reviewing the requisition, description, and justification of the procurement and comparing it against IRS hardware and software standards.
The NDS can be considered a Tier 2 application and data support system, and therefore subject to the requirements of the Enterprise Architecture, when the NDS’ interaction with another IRS project, Notice Viewing, is considered. The Notice Viewing Project will enable IRS caseworkers to view an actual copy of the notice the taxpayer receives and, if necessary, print a replacement copy. The NDS will support the Notice Viewing Project by providing taxpayer notice data to the Notice Viewing system.
The computer system chosen for the NDS does not conform to the IRS’ Enterprise Architecture requirements because it does not reside on one of the two approved Tier 2 systems. The NDS is hosted on an IBM RS6000 system running IBM’s proprietary version of the Unix-based operating system.
According to the Print Consolidation Project Office, the IBM system was chosen for the NDS because:
· The system chosen for the NDS was considered complete and ready to operate (i.e., a turnkey system).
· The printing software used by the NDS was incompatible with other Unix-based systems.
· Modification of the printing software for use on another Unix-based system would have required significant time and cost to develop and tune the software.
· The performance of the printing software could not be guaranteed on another Unix-based system.
However, no formal justification was prepared to support the purchase of the non-compliant system for the NDS. The baseline business case for the NDS does not analyze alternate printing solutions for the NDS and does not justify why the chosen printing software and system were selected. In addition, a 1-year interim approval was granted by the DSMB to procure non-architecturally compliant hardware and software for the NDS, although no justification was provided to support the selection of the chosen solution for the NDS. The interim approval stated that any purchase of hardware or software after that year would require a waiver from the Tier 2 architecture requirements and noted several concerns, including which organization would provide support for the system because the IRS lacks in-house expertise on the system chosen for the NDS. As a result, this interim approval appears to establish a “de facto” authorization for non-compliant hardware and software expenditures.
If a full business case justification had been prepared for the NDS, including an evaluation of alternative solutions, then IRS management would have had documented information to determine whether the chosen system for the NDS was the best choice. Instead, the IRS selected a solution for the NDS that required the purchase of a non-compliant system costing approximately $1.46 million in hardware, $1.9 million in maintenance, and $2.7 million in development costs to customize and tune the NDS over the life of this system. If another solution had been chosen, some of these costs may have been avoided. Consequently, by not following the IRS’ Enterprise Architecture requirements, the added costs for the NDS reduce the benefits the IRS expects to receive from the consolidation of its Tier 2 systems, which include reduced hardware, software, and maintenance costs.
The Deputy Commissioner for
Modernization & CIO should:
3. Ensure that the Print Consolidation Project Office provides a full justification for the chosen NDS solution as part of its waiver submission, which should also address the concerns raised in the interim concurrence.
Management’s Response: The Project Manager, National Print Strategy (NPS), will submit an interim waiver request to the DSMB, pending the DSMB review of NDS and current IRS Enterprise Architecture standards. Based on the outcome of the review, either the DSMB will document approval of the installed system or the Project Manager, NPS, will submit a plan to bring the system into compliance with the relevant IRS Enterprise Architecture standards.
4. Clarify the policy of issuing interim approvals to procure non-compliant Tier 2 hardware and software, including guidelines on when such approvals should be granted and the requirements for necessary justifications.
Management’s Response: The Chief, DSMB, clarified the policy, which requires conversion to standards as part of all proposed mini-computer solutions in future requisitions.
OMB Circular A-130
addresses the control of investments in
information systems by requiring projects to follow a defined life cycle. Although the IRS has mandated a life cycle
for its modernization projects, the ELC, no life cycle has been defined for its
non-modernization projects.
During our review of the Print Consolidation Project, we identified several controls that are required by projects following the ELC but were not applied to the Print Consolidation project. In particular:
· The required security certification and accreditation for the NDS will not be completed before the system is used in production.
· The Work Breakdown Structure (WBS), including key project dependencies and a critical path, are incomplete.
· Project cost information used for oversight is incomplete.
· An adequate risk management process has not been implemented.
These controls were not implemented because the IRS has not mandated a specific life cycle methodology and related project management controls for systems improvement projects. The TIGTA’s earlier report on the consolidation of mid-level computers identified similar life cycle and project management control weaknesses for non-BSM projects. The report stated, “the IRS has not established a single disciplined process for IT projects not considered part of the modernization effort.” IRS management responded that a new life cycle based on the ELC was implemented in August 2001. This ELC-Lite will be expanded to meet the requirements for all ITS non-BSM projects by January 2003.
The lack of a consistent, repeatable management approach to structuring and controlling the system development process increases the risk that projects will not be completed on time or within budget. The following sections describe each of the project control weaknesses we identified and the associated risks.
Security certification and accreditation for the NDS will not be completed before the system is used in production
OMB Circular A-130, in combination with the Internal Revenue Manual, requires all information systems that process taxpayer data to have a security certification before being placed into operation. This security certification requires a comprehensive evaluation of technical and non-technical security features to determine the extent to which the system’s design and implementation meet a specified set of security requirements. Contingency planning is a required element to be evaluated during certification. The Certification Program Office, under the direction of the Office of Security Services, is responsible for the security certification process for IRS information systems. In addition, IRS management responded to a prior TIGTA report that they would develop a process to certify all new systems. In March 2002, the IRS completed this corrective action by integrating certification and accreditation with the ELC review process. However, as previously indicated, the ELC applies only to modernization projects.
As of April 1, 2002, the Security Certification and Accreditation package for the NDS, including a contingency plan, had not been completed and submitted to the Certification Program Office, although the NDS was placed into production in January 2002. IRS management has not formally accepted the risk of operating the NDS without certification and accreditation since a waiver to the certification process was not obtained. Not certifying the adequacy of security controls in the NDS system increases the risk of security breaches and possibly jeopardizes the privacy of over 200 million taxpayers who may receive notices. In addition, this approach contradicts management’s previous response to the TIGTA report.
The WBS, including a critical path, is incomplete
The ELC and other life cycle methodologies used by the IRS establish an approach to be used for planning, development, and management of IRS projects. At a minimum, the guidance requires the creation, maintenance, and implementation of a Project Management Plan and a WBS, which is composed of tasks and task dependencies that must be met by the project.
Overall plans for the Print Consolidation Project established that all of the IRS’ notice printing operations would be transitioned from the 10 IRS Campuses to the 2 consolidated printing facilities over a 3-year period. However, the WBS for the Print Consolidation Project has been completed for only 1 year of the 3-year project. In addition, dependencies between tasks and a critical path, or a set of tasks that must be finished to complete the project on schedule, were not evident. The tasks specific to the NDS also were not included in the overall Print Consolidation Project WBS but were part of a separate WBS, which also did not include dependencies or a critical path. Therefore, management has no assurance that all key tasks have been properly identified, which could result in the project not being completed on schedule or within budget.
According to IRS management officials, the schedule for the first year of the Print Consolidation Project included the printing of the least complicated notices largely to alleviate notice volume pressures at the 10 IRS Campuses. Adding more complicated notices in successive years, while also implementing NDS functionality, will add complexity to the project plans. The impact of the NDS cannot be planned, monitored, and controlled if the steps of that implementation are not included in a WBS.
Project cost information used for oversight is incomplete
According to OMB guidance, the IRS is required to prepare an IT Capital Plan that incorporates the separate Capital Asset Plans of its major IT systems. The IRS has not prepared an IT Capital Asset Plan for the Print Consolidation Project according to these requirements, nor has it entered project information into the Information Technology Investment Portfolio System (I-TIPS), as required by Department of the Treasury (Treasury) policy for FY 2002. While a narrative of the Print Consolidation Project has been entered in the I-TIPS system, no project-specific financial data, including specific security costs, have been included in the submissions to Treasury. Without complete information on the Print Consolidation Project, the Department-wide roll-up report used by the OMB to assess an agency’s IT portfolio is incomplete. The OMB uses this data to make funding decisions, track project progress, and monitor project cost, schedule, and performance.
Additionally, the October 2001 Business Performance Review (BPR) Report, used by IRS executives to monitor program accomplishments, contains inaccurate project costs. A comparison of the costs presented in the October 2001 BPR to the actual procurement costs derived from the IRS’ procurement system for the Print Consolidation Project showed the following:
BPR
Reported Costs Compared to Actual Procurements
for
the Print Consolidation Project
|
Fiscal
Year |
Costs per BPR (Millions Dollars) |
Actual Costs (Millions Dollars) |
Underreported (Millions Dollars) |
|---|---|---|---|
|
2000 |
0 |
5.4 |
5.4 |
|
2001 |
8.4 |
12.9 |
4.5 |
|
Totals |
8.4 |
18.3 |
9.9 |
Sources: Request Tracking System Analysis and October 2001 BPR Report.
Significant differences in the actual and reported costs for an IT investment can mislead internal management and external reviewers as to the efficiency of a project’s execution. In addition, by not accurately reporting actual costs, IRS management may not be aware of the true costs of the project and cannot act to reduce future cost overruns.
A risk management process has not been implemented
Federal guidelines require that agencies reduce risks associated with IT projects. This is to be achieved, in part, by identifying and reporting risks to the appropriate executives and oversight bodies. Managing risks requires a process to identify, analyze, and track risks; assess the probability that risks will occur; and determine their potential impacts in such areas as cost overrun, schedule slippage, and project failure. The results of this process serve as the basis for development and implementation of risk reduction actions to either reduce the risk or resolve the issue.
An analysis of the major reporting mechanisms for IT initiatives within the ITS organization showed that significant project risks and important project data have not been accurately reported for the Print Consolidation Project. Specifically, we reviewed the quarterly Business Performance Reviews, the CIO’s Top 10 biweekly reports, and the Enterprise Operations periodic staff meeting minutes to determine if significant risks to the project were reflected. We found that none of the significant risks to the Print Consolidation Project’s performance were reflected in these reports. For example:
· Space issues at the Ogden Campus, an ongoing concern for the project, were not discussed in any reports. A request for additional space made in October 2001 estimated additional costs at over $900,000.
· The non-compliance of the NDS with the Enterprise Architecture was not raised as a concern even though only an interim concurrence lasting 1 year was granted.
· Agreements with the National Treasury Employees Union (NTEU) have not been finalized for operation in the consolidated sites. These agreements involved the reduction of full-time equivalents supporting printing operations in the 10 IRS Campuses. These reports do not mention that the ongoing negotiations are only for FY 2002. Additionally, documentation that an agreement was not possible with the NTEU until the National Print Site was an official organization did not occur until December 16, 2001.
· Significant changes to the project cost figures from one quarter to the next include no explanation or justification. The absence of this information obscures what could be continuing risks to completion of the project within a planned budget or significant project scope changes.
· Print Consolidation Project costs for FY 2000 were not reported in the BPR and costs for FY 2001 were underreported by $4.5 million. Without such information, IRS management may not be aware of the actual costs of the project and risk significant cost overruns.
In summary, the lack of a consistent, repeatable management approach to structuring and controlling the system development process increases the risk that projects will not be completed within budget or on time. As we identified, the project life cycle costs for the Print Consolidation Project have increased in each of the first 2 years of the project, which were not included in the project’s original budget. Additionally, as discussed above, although the Print Consolidation Project has met its initial implementation dates, the increasing complexity of the project will require a consistent, repeatable systems development process to assure the project is completed within the planned 3-year time frame.
The Deputy Commissioner for Modernization & CIO should
ensure that:
5.
Print Consolidation Project
management takes the necessary actions to provide proper project control over
the identified weaknesses until the previously proposed corrective actions
regarding the implementation of a systems life cycle for non-BSM projects are
developed, implemented, and monitored throughout the ITS organization.
Management’s Response: The Project Manager,
NPS, will ensure proper project
control. He will complete and submit a security certification and accreditation
for the NDS to the appropriate Security Office; establish an overall WBS for
the Print Consolidation Project (the Project), which will include critical
paths, the NDS WBS, and a complete timeline for the Project; complete an
Information Technology Capital Asset Plan for the Project and submit it for
entry to the I-TIPS; and implement a risk management process for the Project by
identifying and reporting significant risks and
documenting completed corrective actions or improvements to the identified
risks through the established BPR.
6.
All non-BSM projects are
complying with basic systems life cycle and project management controls until
the previously proposed corrective actions regarding the implementation of a
systems life cycle for non-BSM projects are developed, implemented, and
monitored throughout the ITS organization.
Management’s
Response:
The Chief, ITS, has
recently recruited a person to provide additional oversight and authority to
ensure all non-BSM projects follow basic systems life cycle and project
management control.
Office of
Audit Comment: While
placing the responsibility for ensuring that all non-BSM projects follow a
basic systems life cycle and project management controls with the recently
recruited person is a positive first step, we believe a specific plan or
schedule is needed to evaluate whether non-BSM projects follow the mandated
systems life cycle and address any deficiencies. As this report and a previous TIGTA report have identified, project control weaknesses
can occur without an effective systems life cycle process to enforce
disciplined project management controls.
In addition, ITS management, in response to the previous TIGTA report,
mandated the use of the ELC-Lite for all non-BSM projects by January 2003. However, based on management’s response to
this report, we are uncertain which systems life cycle non-BSM projects will
follow. As indicated in the previous
TIGTA report, we believe the IRS should have one life cycle methodology for all
non-BSM projects. Having one
methodology will assist the IRS in complying with the requirements of the
Clinger-Cohen Act, facilitate greater consistency in the way projects are
managed, and allow the IRS to gain expertise in one methodology.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this audit was to determine whether the Internal Revenue Service (IRS) implemented adequate policies and procedures as required by legislation, including the Clinger-Cohen Act, and Federal guidance to fund and manage the Print Consolidation Project.
The scope of this
audit included reviewing and evaluating the IRS’ existing policies and
procedures and determining whether
these policies and procedures were adequate as required by legislation and
Federal guidance for the selection, control, and evaluation of the Print
Consolidation Project.
To accomplish our objective, we:
I. Determined whether the IRS had implemented adequate policies and procedures as required by the Clinger-Cohen Act and Federal guidance (Office of Management and Budget (OMB) Circular A-130) for the selection of solutions for the Print Consolidation Project.
II. Determined whether the IRS implemented adequate policies and procedures as required by the Clinger-Cohen Act and Federal guidance (OMB Circular A-130) for the control of the Print Consolidation Project.
III. Determined whether the IRS implemented adequate policies and procedures as required by the Clinger-Cohen Act and Federal guidance (OMB Circular A-130) to evaluate the Print Consolidation Project.
Appendix II
Major Contributors to This Report
Scott E. Wilson, Assistant
Inspector General for Audit (Information Systems Programs)
Gary Hinkle, Director
Michael Howard, Acting Audit Manager
Kevin Burke, Senior Auditor
Richard Greene, Senior Auditor
Anthony Knox, Senior Auditor
Mark
Carder, Auditor
Appendix III
Commissioner N:C
Chief, Information Technology Services M:I
Director, Budget Policy, Planning and Programs M
Director,
Business Systems Development M:I:SD
Director, Detroit
Computing Center M:I:E:DC
Director, Enterprise Operations M:I:E
Director, Strategic Planning and Client Services M:SP
Manager,
Program Oversight and Coordination Office M:SP:P:O
Chief Counsel CC
National Taxpayer
Advocate TA
Director,
Legislative Affairs CL:LA
Director, Office of
Program Evaluation and Risk Analysis
N:ADC:R:O
Office of Management Controls N:CFO:F:M
Audit Liaisons: Director, Enterprise Operations M:I:E
Manager, Program Oversight and Coordination Office M:SP:P:O
Appendix IV
This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. These benefits will be incorporated into our Semiannual Report to the Congress.
Type and Value of Outcome Measure:
Reliability of Management Information – Actual; $9.9 million in project costs underreported in Fiscal Years 2000 and 2001 for the Print Consolidation Project (see page 14).
Methodology Used to Measure the Reported Benefit:
We compared the project costs listed for the Print Consolidation Project in the October 2001 Business Performance Review Report with the actual procurement costs derived from the Internal Revenue Service’s procurement system, the Request Tracking System, for the Print Consolidation Project.
Appendix V
Total
Project Funding Fiscal Years (FY) 2001, 2002, and 2003
Project Type
|
FY 2001 (Millions Dollars) |
FY 2002 (Millions Dollars) |
FY 2003 (Millions Dollars) |
|---|---|---|---|
|
Tier A
Modernization Projects |
71.6 |
391.6 |
450.0 |
Tier
B Improvement Projects
|
40.0 |
40.0 |
60.0 |
|
Tier C Improvement Projects |
0.0 |
2.0 |
2.0 |
|
Information Technology Services (ITS) Operating Division Improvement Projects |
|
|
|
|
0.9 |
7.5 |
7.5 |
|
|
Application Support |
16.8 |
27.5 |
43.6 |
|
Infrastructure Management |
16.9 |
5.0 |
20.0 |
|
0.0 |
5.5 |
5.0 |
|
|
Telecommunications |
10.5 |
18.0 |
18.0 |
|
79.1 |
25.3 |
25.3 |
|
|
End User Computing Support |
8.3 |
17.5 |
22.4 |
|
End User Life Cycle |
0.0 |
5.0 |
5.0 |
|
ITS Operating
Division Improvement Projects Totals |
132.5 |
111.3 |
146.8 |
|
Totals |
244.1 |
544.9 |
658.8 |
Source: Modernization and Information Technology
Services Program Plan FY 2002- 2003
(August 7, 2001).
Appendix VI
The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.