The Internal Revenue Service Has Appropriate Processes to
Accept Modernization Program Software From Developers
February 2005
Reference
Number: 2005-20-028
This report has cleared the Treasury
Inspector General for Tax Administration disclosure review process and
information determined to be restricted from public release has been redacted
from this document.
February
15, 2005
MEMORANDUM FOR
CHIEF INFORMATION OFFICER
FROM: Gordon C. Milbourn III /s/ Gordon C.
Milbourn III
Assistant Inspector General
for Audit
(Small Business and Corporate
Programs)
SUBJECT: Final Audit Report - The Internal Revenue
Service Has Appropriate Processes to Accept Modernization Program Software From
Developers (Audit # 200420041)
This
report presents the results of our review of the delivery of contractor-developed
source code material for the Internal Revenue Service’s (IRS) modernization
programs. The overall objective of this review was to determine
whether the IRS has access to the source code material necessary to operate and
maintain its modernization programs. This
review addresses concerns presented to the Treasury Inspector General for Tax
Administration by IRS personnel during prior audits.
In summary, the IRS
Modernization and Information Technology Services (MITS) organization has
appropriate processes in place to accept modernization project source code
material from developers. The software
development task orders we reviewed and the PRIME contract incorporate the Federal
Acquisition Regulation (FAR), contract provisions, and escrow agreements designed
to protect the IRS’ interest in modernization source code material. The MITS organization has obtained or has
access to source code material for modernization projects currently in
operation. Procedures are also in place
to ensure the timely delivery of source code material for current and future
modernization project releases. In
addition, the IRS’ Development Integration and Test Environment (DITE) has
access to modernization source code material controlled by the PRIME contractor.
Management’s
Response: The
Chief Information Officer agreed with the audit finding and expressed
appreciation that the audit confirmed the
MITS organization has appropriate processes in place to accept modernization
project source code material from developers.
Management’s complete response to the draft report is included as
Appendix V.
Copies of this report are also being sent to the IRS
managers affected by the report finding.
Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at
(202) 622-8510.
The Internal Revenue Service’s
Rights to Modernization Source Code Material Are Protected
Appendix I – Detailed Objective,
Scope, and Methodology
Appendix II – Major Contributors
to This Report
Appendix
III – Report Distribution List
Appendix V –
Management’s Response to the Draft Report
The Business Systems Modernization (BSM) program is a
complex effort to modernize the Internal Revenue Service’s (IRS) technology and
related business processes. According to
the IRS, this effort will involve integrating thousands of hardware and
software components. It is estimated
this effort will last up to 15 years and cost $8 billion.
To facilitate
the success of its modernization efforts, the IRS hired the Computer Sciences
Corporation (CSC) as the PRIME contractor and integrator for the BSM program
and created the BSM Office (BSMO) to guide and oversee the work of the PRIME
contractor. Additional contractors have
been hired to supplement the design and development of modernization projects.
During
the development of a system, programmers create the applications by writing
programming statements and instructions.
These statements and instructions are referred to as source code. Source code is what a programmer writes, but
it is not directly executable by the computer.
It must be converted into machine language, or object code, by
compilers. The object code file contains
a sequence of instructions that the computer can understand, but that is difficult
for a human to read or modify. For this
reason, the source code is the most permanent form of the program. When operating system or application software
is purchased or received, it is usually in the form of compiled object code and
the source code is not included.
The PRIME contract specifies how
the source code material is delivered to the IRS. Generally, software proposed for use and/or
delivered in a sale of the software to more than one customer requires the use
of an escrow agent. Commercial off-the-shelf
(COTS) software with licensing agreements is a good example of this type of software. On the other hand, software that is delivered
under a specific task order contract to one user, such as the IRS, requires delivery
of the source code material after completion of the project’s deployment.
Access to source code allows for error correction, modifications, and enhancements of the software. Further, source code access allows the customer to enhance software independently of the developer if the software developer goes out of business or is otherwise unable to meet its obligations.
This review was performed at the IRS Modernization and
Information Technology Services (MITS) organization facilities in New
Carrollton, Maryland, and the
The MITS organization has appropriate processes in place to accept modernization project source code material from developers. The software development task orders we reviewed (see Appendix I for specific task orders) and the PRIME contract incorporate the Federal Acquisition Regulation (FAR), contract provisions, and escrow agreements designed to protect the IRS’ interest in modernization source code material. The MITS organization has obtained or has access to source code material for modernization projects currently in operation. Procedures are also in place to ensure the timely delivery of source code material for current and future modernization project releases. In addition, the IRS’ Development Integration and Test Environment (DITE) has access to modernization source code material controlled by the PRIME contractor.
Software development task orders and the PRIME contract incorporate the FAR provisions and escrow agreements designed to protect the IRS’ interest in modernization source code material
Representatives from the IRS and the CSC signed the PRIME contract in December 1998. The PRIME contract provides the legal framework for modernizing IRS computer systems. This contract incorporates FAR provisions for guidance in the acquisition of products and services.
For example, FAR Clause 52.227-14, Rights in Data, is included in the PRIME contract and entitles the IRS to unlimited rights to “data” first produced in the performance of the contract. Computer programs, including source code material, qualify as “data” under the PRIME contract. Thus, when software is delivered to the IRS, the PRIME contract directs the software developer to turn over all associated source code material. This clause covers software produced by the PRIME contractor and delivered exclusively to the IRS.
For software that is used by more than one customer, such as
COTS software with licensing agreements, the PRIME contract requires the use of an escrow agreement. A source code escrow agreement allows the IRS to obtain
access to the software’s source code material under certain circumstances, such
as if the PRIME contractor goes out of business or fails to make required
modifications to the software.
Finally, the PRIME contract
contains FAR termination provisions that are designed to protect the IRS. The termination provisions require the software
developer to deliver or put into escrow all completed or partially completed source
code material.
Similarly, modernization projects
using software developers other than the PRIME contractor either incorporate
FAR provisions for guidance in the acquisition of products and services or
include specific instruction for migrating the source code to the IRS. See Appendix IV for a
list of FAR provisions applicable to ownership of source code material.
The MITS organization has obtained or has access to source code material for modernization projects currently in operation
The IRS Product Assurance organization tests software developed for the IRS’ operations. The Source Code and Documentation Control (SCDC) Branch is part of the Product Assurance organization. The SCDC Branch provides independent source code control of the IRS’ critical systems. The SCDC Branch’s control responsibilities include more than 100 current software applications.
A function of the SCDC Branch is to perform the role of gatekeeper for all IRS source code material. As the gatekeeper, the SCDC Branch allows only successfully tested software to operate on the IRS’ computer systems. We verified the SCDC Branch, in performing its role of gatekeeper, successfully obtained source code material for the following modernization projects:
· The Customer Communications Project (CCP) – The CCP reduces call waiting time for taxpayers and reduces the number of abandoned telephone calls.
· The Internet Refund Fact of Filing (IRFOF) – The IRFOF project provides instant refund status information for resolving refund problems to taxpayers over the Internet.
· The Internet Employer Identification Number (IEIN) – The IEIN project allows small business to apply for and receive Employer Identification Numbers over the Internet.
·
The Custodial Accounting Project (CAP) – The CAP
provides an integrated link between tax administration financial
information and administrative financial information.
· The Modernized e-File (MeF) – The MeF project provides electronic filing for large corporations and tax exempt organizations.
Procedures are in place to ensure the timely delivery of source code material for current and future modernization project releases
In August 2003, the SCDC Branch developed its Transition to Support Guide for projects residing on the modernized infrastructure. This Guide focuses on projects currently supported by modernization contractors with plans to transition to the IRS. As contractor-developed projects begin transitioning to the IRS, the SCDC Branch assumes responsibility for all document control activities previously performed by the contractors.
The SCDC Branch Transition to Support Guide is an evolving document and, as such, is subject to change. As the IRS further defines and develops its transition activities, the SCDC Branch will review and update the Guide to ensure it accurately describes these changes. The SCDC Branch will release new versions of the Guide as necessary.
The DITE has access to modernization source code material controlled by the PRIME contractor
The DITE is composed
of a Virtual Development Environment and an Enterprise Integration and Test
Environment. The DITE provides a
software development facility to build modernization project applications. It also enables comprehensive integration and
testing for multiple modernization projects.
Source code material for modernization projects under development, with the exception of the CAP (which is maintained by the SCDC Branch), is located within the DITE. The DITE maintains only PRIME contractor-developed source code material. Modernization project examples include:
·
The Customer Account Data Engine (CADE) – The
CADE is an online modernized data infrastructure that
will house the IRS’ taxpayer account and return data for more than 200 million
individual and business taxpayers.
·
e-Services – The e-Services
project is a BSMO project focused on revolutionizing the way taxpayers transact
and communicate with the IRS. This web-based
project will expand the existing third-party tools and data collection processes.
·
The Integrated Financial System (IFS) – The IFS
is a management tool that will help the IRS better budget, plan, track, report,
and manage its finances. It is designed
to input, track, and report financial data.
·
The Security Technology Infrastructure Release
(STIR) – The STIR project is a
customer-focused technical infrastructure for secure telephony and electronic
interaction among employees, tax practitioners, and taxpayers.
While modernization source code material may be controlled by the PRIME contractor, it is readily accessible by the DITE system administrators performing their daily duties.
Management’s Response: The Chief Information Officer agreed with the audit finding and expressed appreciation that the audit confirmed the MITS organization has appropriate processes in place to accept modernization project source code material from developers.
Appendix I
Detailed Objective, Scope, and
Methodology
The overall objective of this review was to determine whether the Internal Revenue (IRS) has access to the source code material necessary to operate and maintain its modernization programs. To accomplish this objective, we:
I. Determined the applicable Federal Acquisition Regulation (FAR) clauses regarding the delivery of source code material to customers and assessed the impact to the IRS with the current modernization project contract provisions, including the PRIME contract provisions.
II. Identified previous “lessons learned” experiences in obtaining source code material from contractors and vendors for IRS systems and applications within the Modernization and Information Technology Services (MITS) organization.
III. Determined the current procedures used by the MITS organization to obtain source code material.
IV.
Determined whether modernization project task orders
and other associated modernization contracts included sufficient detail
requiring the contractors to deliver the source code material to the IRS. We also obtained documentation verifying the
IRS’ control and access to source code material.
A.
Reviewed project task orders and documentation
verifying the IRS’ control and access to source code material relating to the
following modernization projects.
1. The Customer Communications Project (CCP) – The CCP reduces call waiting time for taxpayers and reduces the number of abandoned telephone calls.
2. The Internet Refund Fact of Filing (IRFOF) – The IRFOF project provides instant refund status information for resolving refund problems to taxpayers over the Internet.
3.
The
Custodial Accounting Project (CAP) – The CAP provides an
integrated link between tax administration financial information and administrative
financial information.
4.
The Customer Account Data Engine (CADE) – The
CADE is an online modernized data infrastructure that
will house the IRS’ taxpayer account and return data for more than 200 million
individual and business taxpayers.
5.
e-Services – The
e-Services project is a Business
Systems Modernization Office project focused on revolutionizing the way
taxpayers transact and communicate with the IRS. This web-based project will expand the
existing third-party tools and data collection processes.
6.
The Integrated Financial System (IFS) – The IFS
is a management tool that will help the IRS better budget, plan, track, report,
and manage its finances. It is designed
to input, track, and report financial data.
B.
Reviewed the following associated Modernization
program task orders requiring escrow agreements for commercial off-the-shelf
software.
1.
SAP and RWD Technologies enterprise software licenses
and maintenance.
2.
Vignette internet management enterprise
software license and maintenance.
3.
PeopleSoft enterprise software license and maintenance.
4.
Sapiens
Business Rules Authoring Environment and Assisted and Automated Sequencing
tools for the CADE.
Appendix II
Major Contributors to This
Report
Margaret E. Begg, Assistant Inspector General for Audit
(Information Systems Programs)
Gary Hinkle, Director
Edward A.
Neuwirth, Audit Manager
Bruce Polidori, Senior
Auditor
Louis
Zullo, Senior Auditor
Steve
Gibson, Auditor
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Associate Chief Information Officer, Business Systems Modernization OS:CIO:B
Associate Chief Information Officer, Information Technology Services OS:CIO:I
Deputy Associate Chief Information Officer, Business Integration OS:CIO:B:BI
Deputy Associate
Chief Information Officer, Program
Management OS:CIO:B:PM
Deputy Associate Chief Information
Officer, Systems Integration OS:CIO:B:SI
Director, Procurement OS:A:P
Director, Stakeholder Management Division OS:CIO:SM
Director, Business Systems Development OS:CIO:I:B
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
Associate Chief Information Officer, Business Systems Modernization OS:CIO:B
Director, Business Systems Development OS:CIO:I:B
Manager, Program Oversight Office OS:CIO:SM:PO
Appendix IV
Selected Federal Acquisition Regulation Clauses Related to Source Code Material
Ownership
Federal Acquisition Regulation (FAR) 52.227-14, Rights in Data – This regulation provides the Federal Government shall have unlimited rights in data first produced in the performance of a contract. These rights also include data delivered under this contract that constitute manuals or instructional and training material for computer installation, operation, or routine maintenance and repair of items, components, or processes delivered or furnished for use under the contract.
FAR 52.249-2, Termination for Convenience of the Government (Fixed-Price) – This regulation states the Federal Government may terminate performance of work under the contract in whole or, from time to time, in part if the contracting officer determines a termination is in the Federal Government’s interest. The contracting officer shall terminate by delivering to the contractor a Notice of Termination specifying the extent of termination and the effective date. After receipt of a Notice of Termination, and except as directed by the contracting officer, the contractor shall immediately transfer title and deliver to the Federal Government the completed or partially completed plans, drawings, information, and other property that, if the contract had been completed, would be required to be furnished to the Federal Government.
FAR 52.249-6, Termination for Convenience or Default (Cost-Reimbursement) – This regulation is similar to FAR 52.249-2, except these provisions pertain to Cost-Reimbursement contracts and apply in cases of Termination for Convenience or Termination for Default. The Federal Government may terminate performance of work under the contract in whole or in part if (1) the contracting officer determines a termination is in the Federal Government’s interest [convenience] or (2) the contractor fails to make progress in the work so as to endanger performance [default].
FAR 52.249-8, Default (Fixed-Price Supply and Service) – This regulation states that if the contract is terminated for default, the Federal Government may require the contractor to transfer title and deliver to the Federal Government, as directed by the contracting officer, (1) completed supplies and (2) partially completed supplies and materials, parts, tools, dies, jigs, fixtures, plans, drawings, information, and contract rights (collectively referred to as “manufacturing materials” in this clause) that the contractor has specifically produced or acquired for the terminated portion of this contract. Upon direction of the contracting officer, the contractor shall also protect and preserve property in its possession in which the Federal Government has an interest.
Appendix V
The response was
removed due to its size. To see the
response, please go to the Adobe PDF version of the report on the TIGTA Public
Web Page.