The Internal Revenue Service Has Appropriate Processes to Accept Modernization Program Software From Developers

 

February 2005

 

Reference Number:  2005-20-028

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

February 15, 2005

 

 

MEMORANDUM FOR CHIEF INFORMATION OFFICER

 

FROM:     Gordon C. Milbourn III /s/ Gordon C. Milbourn III

                 Assistant Inspector General for Audit

                 (Small Business and Corporate Programs)

 

SUBJECT:     Final Audit Report - The Internal Revenue Service Has Appropriate Processes to Accept Modernization Program Software From Developers (Audit # 200420041)

 

This report presents the results of our review of the delivery of contractor-developed source code material for the Internal Revenue Service’s (IRS) modernization programs.  The overall objective of this review was to determine whether the IRS has access to the source code material necessary to operate and maintain its modernization programs.  This review addresses concerns presented to the Treasury Inspector General for Tax Administration by IRS personnel during prior audits.

In summary, the IRS Modernization and Information Technology Services (MITS) organization has appropriate processes in place to accept modernization project source code material from developers.  The software development task orders we reviewed and the PRIME contract incorporate the Federal Acquisition Regulation (FAR), contract provisions, and escrow agreements designed to protect the IRS’ interest in modernization source code material.  The MITS organization has obtained or has access to source code material for modernization projects currently in operation.  Procedures are also in place to ensure the timely delivery of source code material for current and future modernization project releases.  In addition, the IRS’ Development Integration and Test Environment (DITE) has access to modernization source code material controlled by the PRIME contractor.

Management’s Response:  The Chief Information Officer agreed with the audit finding and expressed appreciation that the audit confirmed the MITS organization has appropriate processes in place to accept modernization project source code material from developers.  Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report finding.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

Table of Contents

Background

The Internal Revenue Service’s Rights to Modernization Source Code Material Are Protected

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV Selected Federal Acquisition Regulation Clauses Related to Source Code Material Ownership

Appendix V Management’s Response to the Draft Report

 

Background

The Business Systems Modernization (BSM) program is a complex effort to modernize the Internal Revenue Service’s (IRS) technology and related business processes.  According to the IRS, this effort will involve integrating thousands of hardware and software components.  It is estimated this effort will last up to 15 years and cost $8 billion.

To facilitate the success of its modernization efforts, the IRS hired the Computer Sciences Corporation (CSC) as the PRIME contractor and integrator for the BSM program and created the BSM Office (BSMO) to guide and oversee the work of the PRIME contractor.  Additional contractors have been hired to supplement the design and development of modernization projects.

During the development of a system, programmers create the applications by writing programming statements and instructions.  These statements and instructions are referred to as source code.  Source code is what a programmer writes, but it is not directly executable by the computer.  It must be converted into machine language, or object code, by compilers.  The object code file contains a sequence of instructions that the computer can understand, but that is difficult for a human to read or modify.  For this reason, the source code is the most permanent form of the program.  When operating system or application software is purchased or received, it is usually in the form of compiled object code and the source code is not included.

The PRIME contract specifies how the source code material is delivered to the IRS.  Generally, software proposed for use and/or delivered in a sale of the software to more than one customer requires the use of an escrow agent.  Commercial off-the-shelf (COTS) software with licensing agreements is a good example of this type of software.  On the other hand, software that is delivered under a specific task order contract to one user, such as the IRS, requires delivery of the source code material after completion of the project’s deployment.

Access to source code allows for error correction, modifications, and enhancements of the software.  Further, source code access allows the customer to enhance software independently of the developer if the software developer goes out of business or is otherwise unable to meet its obligations.

This review was performed at the IRS Modernization and Information Technology Services (MITS) organization facilities in New Carrollton, Maryland, and the Enterprise Computing Center in Martinsburg, West Virginia, during the period September through December 2004.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

The Internal Revenue Service’s Rights to Modernization Source Code Material Are Protected

The MITS organization has appropriate processes in place to accept modernization project source code material from developers.  The software development task orders we reviewed (see Appendix I for specific task orders) and the PRIME contract incorporate the Federal Acquisition Regulation (FAR), contract provisions, and escrow agreements designed to protect the IRS’ interest in modernization source code material.  The MITS organization has obtained or has access to source code material for modernization projects currently in operation.  Procedures are also in place to ensure the timely delivery of source code material for current and future modernization project releases.  In addition, the IRS’ Development Integration and Test Environment (DITE) has access to modernization source code material controlled by the PRIME contractor.

Software development task orders and the PRIME contract incorporate the FAR provisions and escrow agreements designed to protect the IRS’ interest in modernization source code material

Representatives from the IRS and the CSC signed the PRIME contract in December 1998.  The PRIME contract provides the legal framework for modernizing IRS computer systems.  This contract incorporates FAR provisions for guidance in the acquisition of products and services.

For example, FAR Clause 52.227-14, Rights in Data, is included in the PRIME contract and entitles the IRS to unlimited rights to “data” first produced in the performance of the contract.  Computer programs, including source code material, qualify as “data” under the PRIME contract.  Thus, when software is delivered to the IRS, the PRIME contract directs the software developer to turn over all associated source code material.  This clause covers software produced by the PRIME contractor and delivered exclusively to the IRS.

For software that is used by more than one customer, such as COTS software with licensing agreements, the PRIME contract requires the use of an escrow agreement.  A source code escrow agreement allows the IRS to obtain access to the software’s source code material under certain circumstances, such as if the PRIME contractor goes out of business or fails to make required modifications to the software.

Finally, the PRIME contract contains FAR termination provisions that are designed to protect the IRS.  The termination provisions require the software developer to deliver or put into escrow all completed or partially completed source code material.

Similarly, modernization projects using software developers other than the PRIME contractor either incorporate FAR provisions for guidance in the acquisition of products and services or include specific instruction for migrating the source code to the IRS.  See Appendix IV for a list of FAR provisions applicable to ownership of source code material.

The MITS organization has obtained or has access to source code material for modernization projects currently in operation

The IRS Product Assurance organization tests software developed for the IRS’ operations.  The Source Code and Documentation Control (SCDC) Branch is part of the Product Assurance organization.  The SCDC Branch provides independent source code control of the IRS’ critical systems.  The SCDC Branch’s control responsibilities include more than 100 current software applications.

A function of the SCDC Branch is to perform the role of gatekeeper for all IRS source code material.  As the gatekeeper, the SCDC Branch allows only successfully tested software to operate on the IRS’ computer systems.  We verified the SCDC Branch, in performing its role of gatekeeper, successfully obtained source code material for the following modernization projects:

·         The Customer Communications Project (CCP) – The CCP reduces call waiting time for taxpayers and reduces the number of abandoned telephone calls.

·         The Internet Refund Fact of Filing (IRFOF) – The IRFOF project provides instant refund status information for resolving refund problems to taxpayers over the Internet.

·         The Internet Employer Identification Number (IEIN) – The IEIN project allows small business to apply for and receive Employer Identification Numbers over the Internet.

·         The Custodial Accounting Project (CAP) – The CAP provides an integrated link between tax administration financial information and administrative financial information.

·         The Modernized e-File (MeF) – The MeF project provides electronic filing for large corporations and tax exempt organizations.

Procedures are in place to ensure the timely delivery of source code material for current and future modernization project releases

In August 2003, the SCDC Branch developed its Transition to Support Guide for projects residing on the modernized infrastructure.  This Guide focuses on projects currently supported by modernization contractors with plans to transition to the IRS.  As contractor-developed projects begin transitioning to the IRS, the SCDC Branch assumes responsibility for all document control activities previously performed by the contractors.

The SCDC Branch Transition to Support Guide is an evolving document and, as such, is subject to change.  As the IRS further defines and develops its transition activities, the SCDC Branch will review and update the Guide to ensure it accurately describes these changes.  The SCDC Branch will release new versions of the Guide as necessary.

The DITE has access to modernization source code material controlled by the PRIME contractor

The DITE is composed of a Virtual Development Environment and an Enterprise Integration and Test Environment.  The DITE provides a software development facility to build modernization project applications.  It also enables comprehensive integration and testing for multiple modernization projects.

Source code material for modernization projects under development, with the exception of the CAP (which is maintained by the SCDC Branch), is located within the DITE.  The DITE maintains only PRIME contractor-developed source code material.  Modernization project examples include:

·         The Customer Account Data Engine (CADE) – The CADE is an online modernized data infrastructure that will house the IRS’ taxpayer account and return data for more than 200 million individual and business taxpayers.

·         e-Services The e-Services project is a BSMO project focused on revolutionizing the way taxpayers transact and communicate with the IRS.  This web-based project will expand the existing third-party tools and data collection processes.

·         The Integrated Financial System (IFS) – The IFS is a management tool that will help the IRS better budget, plan, track, report, and manage its finances.  It is designed to input, track, and report financial data.

·         The Security Technology Infrastructure Release (STIR) – The STIR project is a customer-focused technical infrastructure for secure telephony and electronic interaction among employees, tax practitioners, and taxpayers.

While modernization source code material may be controlled by the PRIME contractor, it is readily accessible by the DITE system administrators performing their daily duties.

Management’s Response:  The Chief Information Officer agreed with the audit finding and expressed appreciation that the audit confirmed the MITS organization has appropriate processes in place to accept modernization project source code material from developers. 

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the Internal Revenue (IRS) has access to the source code material necessary to operate and maintain its modernization programs.  To accomplish this objective, we:

I.             Determined the applicable Federal Acquisition Regulation (FAR) clauses regarding the delivery of source code material to customers and assessed the impact to the IRS with the current modernization project contract provisions, including the PRIME contract provisions.

II.          Identified previous “lessons learned” experiences in obtaining source code material from contractors and vendors for IRS systems and applications within the Modernization and Information Technology Services (MITS) organization.

III.       Determined the current procedures used by the MITS organization to obtain source code material.

IV.       Determined whether modernization project task orders and other associated modernization contracts included sufficient detail requiring the contractors to deliver the source code material to the IRS.  We also obtained documentation verifying the IRS’ control and access to source code material.

A.          Reviewed project task orders and documentation verifying the IRS’ control and access to source code material relating to the following modernization projects.

1.      The Customer Communications Project (CCP) – The CCP reduces call waiting time for taxpayers and reduces the number of abandoned telephone calls.

2.      The Internet Refund Fact of Filing (IRFOF) – The IRFOF project provides instant refund status information for resolving refund problems to taxpayers over the Internet.

3.      The Custodial Accounting Project (CAP) – The CAP provides an integrated link between tax administration financial information and administrative financial information.

4.      The Customer Account Data Engine (CADE) – The CADE is an online modernized data infrastructure that will house the IRS’ taxpayer account and return data for more than 200 million individual and business taxpayers.

5.      e-Services The e-Services project is a Business Systems Modernization Office project focused on revolutionizing the way taxpayers transact and communicate with the IRS.  This web-based project will expand the existing third-party tools and data collection processes.

6.      The Integrated Financial System (IFS) – The IFS is a management tool that will help the IRS better budget, plan, track, report, and manage its finances.  It is designed to input, track, and report financial data.

B.           Reviewed the following associated Modernization program task orders requiring escrow agreements for commercial off-the-shelf software.

1.      SAP and RWD Technologies enterprise software licenses and maintenance.

2.      Vignette internet management enterprise software license and maintenance.

3.      PeopleSoft enterprise software license and maintenance.

4.      Sapiens Business Rules Authoring Environment and Assisted and Automated Sequencing tools for the CADE.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Gary Hinkle, Director

Edward A. Neuwirth, Audit Manager

Bruce Polidori, Senior Auditor

Louis Zullo, Senior Auditor

Steve Gibson, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS 

Associate Chief Information Officer, Business Systems Modernization  OS:CIO:B

Associate Chief Information Officer, Information Technology Services  OS:CIO:I

Deputy Associate Chief Information Officer, Business Integration  OS:CIO:B:BI

Deputy Associate Chief Information Officer, Program Management  OS:CIO:B:PM
Deputy Associate Chief Information Officer, Systems Integration  OS:CIO:B:SI

Director, Procurement  OS:A:P

Director, Stakeholder Management Division  OS:CIO:SM

Director, Business Systems Development  OS:CIO:I:B

Chief Counsel CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Management Controls  OS:CFO:AR:M

Audit Liaisons: 

Associate Chief Information Officer, Business Systems Modernization  OS:CIO:B

Director, Business Systems Development  OS:CIO:I:B

Manager, Program Oversight Office  OS:CIO:SM:PO

 

Appendix IV

 

Selected Federal Acquisition Regulation Clauses Related to Source Code Material Ownership

 

Federal Acquisition Regulation (FAR) 52.227-14, Rights in Data – This regulation provides the Federal Government shall have unlimited rights in data first produced in the performance of a contract.  These rights also include data delivered under this contract that constitute manuals or instructional and training material for computer installation, operation, or routine maintenance and repair of items, components, or processes delivered or furnished for use under the contract.

FAR 52.249-2, Termination for Convenience of the Government (Fixed-Price) – This regulation states the Federal Government may terminate performance of work under the contract in whole or, from time to time, in part if the contracting officer determines a termination is in the Federal Government’s interest.  The contracting officer shall terminate by delivering to the contractor a Notice of Termination specifying the extent of termination and the effective date.  After receipt of a Notice of Termination, and except as directed by the contracting officer, the contractor shall immediately transfer title and deliver to the Federal Government the completed or partially completed plans, drawings, information, and other property that, if the contract had been completed, would be required to be furnished to the Federal Government.

FAR 52.249-6, Termination for Convenience or Default (Cost-Reimbursement) This regulation is similar to FAR 52.249-2, except these provisions pertain to Cost-Reimbursement contracts and apply in cases of Termination for Convenience or Termination for Default.  The Federal Government may terminate performance of work under the contract in whole or in part if (1) the contracting officer determines a termination is in the Federal Government’s interest [convenience] or (2) the contractor fails to make progress in the work so as to endanger performance [default].

FAR 52.249-8, Default (Fixed-Price Supply and Service) This regulation states that if the contract is terminated for default, the Federal Government may require the contractor to transfer title and deliver to the Federal Government, as directed by the contracting officer, (1) completed supplies and (2) partially completed supplies and materials, parts, tools, dies, jigs, fixtures, plans, drawings, information, and contract rights (collectively referred to as “manufacturing materials” in this clause) that the contractor has specifically produced or acquired for the terminated portion of this contract.  Upon direction of the contracting officer, the contractor shall also protect and preserve property in its possession in which the Federal Government has an interest.

 

Appendix V

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.