All Small-Scale Information Technology Projects Should Be Included in the Investment Inventory, and Related Procurement Requisitions Should Be Properly Reviewed and Approved

 

March 2005

 

Reference Number:  2005-20-050

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

March 16, 2005

 

 

MEMORANDUM FOR CHIEF INFORMATION OFFICER

 

FROM:     Pamela J. Gardiner /s/ Pamela J. Gardiner

                 Deputy Inspector General for Audit

 

SUBJECT:     Final Audit Report - All Small-Scale Information Technology Projects Should Be Included in the Investment Inventory, and Related Procurement Requisitions Should Be Properly Reviewed and Approved (Audit # 200420009)

 

This report presents the results of our review of the procurement of information technology (IT) goods and services outside of the Modernization and Information Technology Services (MITS) organization.  The overall objective of this review was to determine whether the Internal Revenue Service (IRS) ensures IT goods and services procured outside of the MITS organization are effectively controlled, compliant with the Enterprise Architecture (EA), do not duplicate other systems or initiatives, and follow a disciplined systems development life cycle.

In summary, one of the major objectives contained in the IRS Strategic Plan Fiscal Years (FY) 2005 – 2009 is to modernize information systems to improve service and enforcement.  For FY 2004, the IRS requested nearly $1.67 billion for its Information Systems budget.  Approximately $534 million (32 percent) of the $1.67 billion was allocated for Automated Data Processing services, which include funding for the acquisition of data processing services from the private sector and the purchase of computer hardware and software.

In August 2002, we reported the IRS’ process for selecting and monitoring systems improvement projects needed to be revised to comply with the requirements contained in the Clinger-Cohen Act of 1996.  The Clinger-Cohen Act requires agencies to use a disciplined Capital Planning and Investment Control (CPIC) process to acquire, use, maintain, and dispose of IT property.  In November 2003, we also reported reviews of IT procurement requisitions were not consistently performed to ensure computer hardware and software purchases are consistent with the IRS’ current and projected EA. 

Corrective actions to those reports taken by the IRS included initiating a refined enterprise-wide modernization governance process to prioritize the entire inventory of IT and modernization projects on an annual basis.  Other corrective actions taken by the IRS included developing additional procedures, publishing an approved computer equipment products list, and conducting reviews of submitted requisitions for computer hardware and software purchases to ensure reviews for compliance with the EA are conducted and documented. 

While the IRS has completed several corrective actions to improve the CPIC process, our analysis of 271 requisitions for IT goods and services submitted between October 1, 2003, and July 7, 2004, determined system development projects funded by the MITS organization via a Memorandum of Understanding (MOU) and projects not funded by the MITS organization were most likely not to be identified by the CPIC process and individually identified in the IRS’ IT investment portfolio.  We also determined requisitions submitted by organizations outside of the MITS organization had an increased likelihood that required approvals and reviews were not properly obtained and Requisition Summaries were not attached to the requisitions.  In addition, the Requisition Signatory Authority List, which is used to ensure requisitions have been properly approved, has not been consistently updated.  Without adequate management controls over IT procurements initiated outside of the MITS organization, the IRS risks acquiring IT goods and services that may duplicate other systems or initiatives, spending funds on lower-priority projects, and acquiring IT systems that are not compatible with the EA.

In addition, our analysis of requisitions determined project costs were not completely captured to accurately assess investment results.  While the IRS established a unique five-digit Project Cost Accounting Subsystem (PCAS) code to accurately capture project costs, we identified 3 requisitions totaling $681,522 submitted for the Automated Background Investigation System on which the expenses were charged to 3 separate codes not established for the project.  We also identified 7 requisitions totaling $726,174 for 2 IT investment projects that were not assigned a unique PCAS code for tracking expenditures.  By not properly accounting for all costs, the IRS cannot determine the actual results of the IT investment and comply with the Clinger-Cohen Act requirements to identify significant deviations from costs, performance, or schedule. 

To improve the identification of projects in the IT investment portfolio, processing of IT requisitions, and accounting for project costs, we recommended the Chief Information Officer (CIO) ensure the Internal Revenue Manual (IRM) and MOUs between the MITS and other organizations are revised, as necessary.  We also recommended the CIO ensure the Requisition Signatory Authority List remains current, ensure the current small-scale projects are identified and mapped into the IRS CPIC governance process, and work with the Chief Financial Officer to ensure monies spent on small-scale projects are accounted for separately.  In addition, we recommended the CIO ensure a mechanism is designed and implemented to identify all associated IT project costs, regardless of the funding or PCAS codes used.

Management’s Response:  IRS management agreed with six of our seven recommendations.  The IRS will revise existing MOUs and the IRM to specify that all IT requisitions initiated by the business units are routed through the appropriate Division Information Officer and the Director, Client Services, to ensure projects are included in the IT portfolio, requisitions are properly reviewed and approved, and a Requisition Summary is appropriately attached.  In addition, all small-scale investments will be mapped to the EA and to the EA-aligned executive steering committees, which execute the CPIC governance processes.  The IRS will also amend financial policy documents to ensure accurate accounting of expenditures for small-scale projects and will establish an annual process for updating the Requisition Signatory Authority List.  Finally, the IRS will ensure all requisitions are reviewed to ensure appropriate PCAS codes are used. 

IRS management disagreed with our recommendation to establish a mechanism designed and implemented to ensure all IT expenses are accurately identified and associated with each IT investment project, regardless of the funding or PCAS codes used.  While management disagreed with our recommendation, we agree with their statement that the adoption of the other recommendations constitutes an effective mechanism to ensure the accurate identification and association of all IT expenses with each IT investment project.  Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

Table of Contents

Background

Completed Corrective Actions Improved the Capital Planning and Investment Control Process

The Portfolio of Information Technology Investments Is Incomplete

Recommendations 1 through 3:

Requisitions for Information Technology Goods and Services Were Not Properly Reviewed and Approved

Recommendation 4:

Recommendation 5:

Project Costs Were Not Accurately Recorded

Recommendation 6:

Recommendation 7:

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measures

Appendix V – Management’s Response to the Draft Report

 

Background

One of the major objectives contained in the Internal Revenue Service (IRS) Strategic Plan Fiscal Years (FY) 2005 – 2009 is to modernize information systems to improve service and enforcement.  In support of this objective, the IRS instituted a strategy to prioritize all information technology (IT) projects to support business operating needs, continually monitor the IT investment portfolio, and ensure implemented systems meet technical standards.  For FY 2004, the IRS requested nearly $1.67 billion for its Information Systems budget.  Approximately $534 million (32 percent) of the $1.67 billion was allocated for Automated Data Processing (ADP) services, which includes funding for the acquisition of data processing services from the private sector and the purchase of computer hardware and software. 

The Clinger-Cohen Act of 1996 requires agencies to use a disciplined Capital Planning and Investment Control (CPIC) process to acquire, use, maintain, and dispose of IT property.  The Treasury Inspector General for Tax Administration is currently conducting an audit to determine whether the IRS CPIC process complies with the requirements outlined in the Clinger-Cohen Act. 

The IRS categorizes its IT investment projects into three tier levels:

·     Tier A – These are large-scale projects, generally developed over a long time period, designed to modernize the IRS’ antiquated business systems to improve the speed, timeliness, and accuracy of tax administration.  The Tier A projects are managed by the IRS Business Systems Modernization Office.  The IRS receives a separate appropriation, in addition to the Information Systems budget of $1.67 billion, for its Tier A projects that provides for planning and IT acquisitions, including related contractor costs.  In FY 2004, the IRS requested $429 million for its modernization projects.  To manage the Business Systems Modernization (BSM) investment portfolio, the IRS has established selection and monitoring processes and executive steering committees to oversee project funding.  To obtain funding, projects must provide justification and be prioritized and selected by an investment review board composed of multifunctional business executives.

·      Tier B – The Tier B projects are considered medium-sized projects, developed over a period of up to 3 years, that modify or enhance existing systems or processes and establish bridges between current production systems and the new modernization architecture.  The Resources Allocation and Measurement (RAM) organization within the Modernization and Information Technology Services (MITS) organization is responsible for managing the IRS Tier B projects and ensuring the projects are aligned with the agency-wide corporate and division strategies.  The RAM organization also coordinates oversight activities for the IT investment projects and provides a consolidated view of all current and proposed information systems work.  In FY 2004, the IRS requested approximately $50 million (9 percent) of the $534 million allocated for ADP services for its Tier B investment portfolio that consists of 20 projects. 

·     Tier C – These are small-scale projects to improve or enhance existing systems or processes to sustain operations.  The RAM organization is also responsible for managing the IRS Tier C projects and maintaining the portfolio to assist the business units in making investment decisions.  However, a portfolio of Tier C projects does not exist, and the IRS does not account for monies spent specifically on Tier C projects.

The mission of the MITS organization Division Information Officer (DIO) is to act as the MITS organization representative to the business units.  When an organization identifies an IT business requirement, the DIOs ensure their customer needs are met and the MITS organization strategic plan is aligned with the business unit’s IT plan.  As a result, the DIOs play a critical oversight role for the delivery of Tier B and Tier C projects, which includes assisting in the prioritization, costing, management, and coordination of the IT investment projects.  In addition, the DIOs are responsible for developing the proposed Tier B and Tier C portfolio and submitting it to senior IRS management for approval.

The Chief Information Officer (CIO) entered into a Memorandum of Understanding (MOU) with organizations (e.g., the Office of Chief Counsel, Appeals, and Criminal Investigation organizations) that formerly received their own IT budget allocations.  These MOUs establish agreement between the organizations and the CIO as to budget formulation and execution, acceptable level of service, staffing allocations, and IT requisition procedures.

This review was performed in the Office of Information Technology Services at the IRS National Headquarters in New Carrollton, Maryland, during the period June 2004 through January 2005.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

Completed Corrective Actions Improved the Capital Planning and Investment Control Process

The Clinger-Cohen Act and Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, introduced more structure into how agencies approach the selection, control, and evaluation of IT investment projects.  For example, OMB Circular A-130 stipulates the CPIC process should include all stages of capital programming, including planning, budgeting, procurement, management, and assessment.  As part of the CPIC process, agencies are required to prepare and maintain a portfolio of information systems to assist in monitoring investments and preventing redundancy of IT capabilities.  In addition, an agency’s CPIC process should ensure consistency with the agency’s Enterprise Architecture (EA).

In August 2002, we reported the IRS’ process for selecting and monitoring systems improvement projects needed to be revised to comply with Clinger-Cohen Act requirements.  The report recommended the IRS establish a centralized process for selecting, funding, and monitoring all of its IT investments.  The IRS responded it would develop an IT Capital Planning Guide that would address its approach to manage risks and returns of IT investments by centralizing the investment review process. 

In the MITS Strategy and Program Plan (FY 2004-2005), the IRS announced it was initiating a refined enterprise-wide modernization governance process that will include prioritizing the entire inventory of IT and modernization projects on an annual basis.  To accomplish this, the IRS chartered the MITS Executive Governance (MEG) Committee in November 2003.  The MEG Committee is responsible for approving all new projects and for creating one IRS portfolio that includes all the individual IRS investments.  In addition, the IRS established the MEG  Investment Management (MIM) Subcommittee, which supports the MEG Committee by ensuring IT investments comply with IRS policies and procedures and align with enterprise and business unit strategic goals.  The MIM Subcommittee is charged with providing general IT investment portfolio oversight, including investment prioritization recommendations, operational analysis reviews and reports, and recommendations for adjustments to the IRS portfolio. 

The IRS also established the CPIC Office, which is responsible for ensuring the IRS portfolio management process complies with the Clinger-Cohen Act.  In addition, the IRS is introducing a CPIC process that will manage a central portfolio of IT investments across the IRS.  By incorporating the “select, control, and evaluate” model for managing IT investments, the IRS intends to better align investment with strategy and mission to ensure efficient resource use and maximized rates of return.  The IRS is currently reviewing and revising the CPIC governance process to be consistent with the OMB’s categorization of projects, which are:

  • Development/Modernization/Enhancement (i.e., new functionality).
  • Steady State (i.e., operations and maintenance for current production environment).

Projects within the two categories are further divided into subcategories (i.e., major, nonmajor, and small-other) depending on the anticipated cost of the investment project.

In November 2003, we also reported reviews of IT procurement requisitions were not consistently performed to ensure computer hardware and software purchases are consistent with the IRS’ current and projected EA.  The report stated the IRS increased the risk of obtaining incompatible IT hardware and software that could necessitate additional purchases to provide EA compliance and increase the potential for inefficient use of resources.  In response, the IRS developed additional procedures, published an approved computer equipment products list, and conducted reviews of submitted requisitions for computer hardware and software purchases to ensure reviews for compliance with the EA were conducted and documented. 

The Portfolio of Information Technology Investments Is Incomplete

A key component of the CPIC process required by OMB Circular A-130 is the requirement that agencies prepare and maintain a portfolio of information systems that assists in monitoring investments and preventing redundancy of IT capabilities.  OMB Circular A-11, Preparation, Submission, and Execution of the Budget, specifies all IT investments must be individually reported by the agency to the OMB.  The Clinger-Cohen Act also requires Federal Government agencies to designate a CIO to help control system development risks and better manage IT spending.  According to a Government Accountability Office (GAO) report issued in July 2004, CIO responsibilities considered to be critical to effective IT management included the CIO being responsible for IT capital planning and investment management and having effective control of systems acquisition, development, and integration.  In November 1999, the IRS issued Policy Statement P-1-229, Management and Control of Automated Data Processing Property, which established the CIO as the IRS official responsible for ownership, management, and control of all IT property within the IRS. 

We are concerned about the implementation of IRS Policy Statement P-1-229, which established the MITS organization as the only organization authorized to purchase IT property.  Table 1 illustrates that some non-BSM appropriated monies are placed by the CIO within the financial plans of organizations other than the MITS organization for expenses associated with the acquisition of IT goods and services.  We reviewed the MOUs with several non-MITS organizations and noted inconsistencies in the language governing approval of IT requisitions.  Table 1 also shows some IT-related funds were originally appropriated by the Congress to non-MITS organizations for the purposes of tax law enforcement, tax returns processing, tax law and account assistance, and management services.  For example, of the $10.1 million appropriated to non-MITS organizations without an MOU for private sector data processing services (see line 3 of Table 1), the Small Business/Self-Employed Division received $6.7 million for a vendor to process over 4 million paper documents.

Table 1:  Allocation of the IRS’ FY 2004 Budget for Select IT Expense Categories

 

Organization

IT Expense Category

 

Total Amount

Private Sector Data Processing Services

Computer Hardware

Computer Software

1.  MITS

$275,548,211

$67,085,766

$125,552,625

$468,186,602

2.  Non-MITS With an MOU

$22,981,459

$5,683,849

$640,586

$29,305,894

3.  Non-MITS Without an MOU

$10,114,370

$1,814,849

$1,795,502

$13,724,721

Total

$308,644,040

$74,584,464

$127,988,713

$511,217,217

Source:  IRS FY 2004 Financial Plan.

We reviewed all 271 requisitions for IT goods and services submitted between October 1, 2003, and July 7, 2004, by organizations other than the MITS organization.  From the 271 requisitions, we identified 30 requisitions requesting private sector data processing services, computer hardware, and computer software associated with the development of an information system.  As illustrated in Table 2, system development projects funded by the MITS organization via an MOU and projects not funded by the MITS organization were most likely not to be identified by the CPIC process and individually identified in the IRS’ IT investment portfolio.  Although these projects were not individually identified in the portfolio, the project office prepared the minimum project management documents (e.g., Project Management Plan, Work Breakdown Structure, and Risk Management Plan) required by the IRS for system development projects, and we did not identify duplicate acquisition of IT goods and services.

Table 2:  IT Requisitions Submitted by Organizations Outside
of the MITS Organization for System Development Projects

Requisition Type

Total Number of Requisitions

Total Amount of Requisitions

Number of System Development Projects

Number/ Percentage of Projects Identified in Portfolio

1.  Funded by the MITS Organization

17

$13,376,234

11

10 (91%)

2.  Funded by the MITS Organization via an MOU

11

$1,483,164

5

2 (40%)

3.  Not Funded by the MITS Organization

2

$400,000

1

0 (0%)

Totals

30

$15,259,398

16

12 (75%)

Source:  FY 2004 requisitions for IT goods and services.

In addition, requisitions submitted for IT goods and services by organizations where funding was not provided by the MITS organization are not being routed through the DIOs within the MITS organization to ensure the projects are included in the IRS’ IT investment portfolio.  Maintaining the IT investment portfolio is also more difficult because some organizations with an MOU did not route IT requisitions through their DIO.  The IRS has also not maintained a portfolio of Tier C projects, and monies spent on Tier C projects are not accounted for separately.  Therefore, the IRS may not be spending its funds on IT resources in the most effective and efficient manner and risks spending funds on lower-priority projects.

Recommendations

The CIO should:

1.      Ensure the Internal Revenue Manual (IRM) and MOUs between the MITS and other organizations are revised, as necessary, to specify all requisitions for IT goods and services initiated by the business units are routed through the appropriate DIO and the Director, Client Services, to ensure each system development project is included in the IRS’ IT portfolio.

Management’s Response:  The Director, Client Services, will revise existing MOUs and work with the Directives Management Office to revise IRM 2.21.1 to specify that all IT requisitions initiated by the business units are routed through the appropriate DIO and the Director, Client Services, to ensure projects are captured and included in the IT portfolio.

2.      Ensure the current Tier C projects are identified and mapped into the IRS CPIC governance process for managing the IT investment portfolio.

Management’s Response:  The IRS will map all Tier C investments to the EA and to the EA-aligned executive steering committees, which execute the CPIC governance processes.

3.      Work with the Chief Financial Officer (CFO) to ensure monies spent on Tier C projects are accounted for separately.

Management’s Response:  The CIO, in conjunction with the CFO, will amend financial policy documents in a manner that will ensure accurate accounting of Tier C expenditures.

Requisitions for Information Technology Goods and Services Were Not Properly Reviewed and Approved

OMB Circular A-130 outlines the major IT planning and management requirements for Federal Government agencies, including that agencies develop policies and procedures that provide for timely acquisition of required IT.  In addition, it requires agencies to document their EA and ensure EA procedures are being followed.  The Department of the Treasury also stipulates that agencies are required to ensure proposed IT investments are consistent with the agency’s EA, and the CIO is responsible for reviewing and approving all requests for IT investments. 

IRM 2.21.1, Requisition Processing for Information Technology Products and Services, was issued to improve accountability and standardize the IT requisition process by providing specific guidance to all IRS personnel on the critical elements necessary to complete the requisition approval process.  According to the IRM, the CIO has responsibility for all IT purchases of products and services acquired by the IRS.  The IRM also stipulates that the MITS organization is responsible for approving IT requisitions and that MITS executives are accountable for ensuring their accuracy. 

All requisitions submitted for IT goods and services require several reviews prior to approval, including a Tier Review that consists of an architectural, engineering, capacity, or standards review to ensure compliance with the IRS’ EA.  The Tier Owner, which is the IRS organization responsible for reviewing the requisition to ensure compliance with EA standards for hardware and software, depends upon the Tier Level of the IT equipment (i.e., Tier I – Mainframes, Tier II – Servers, and Tier III – Desktops and Laptops).  Once all the appropriate reviews have taken place, a Requisition Summary must be developed and attached to the requisition within the web Request Tracking System (webRTS) summarizing the findings.  Afterwards, the requisition is provided to the requisition approving authority to ensure the requisition is fully compliant with IRS requirements for processing IT requisitions.

In August 2000, the IRS Commissioner issued Delegation Order (D.O.) 261, which delegated to the CIO the authority to acquire IT.  In addition, D.O. 261 authorized the CIO to redelegate the authority to senior executives within the MITS organization.  As a result, the CIO issued D.O. 28 to provide MITS organization executives with delegated signature authority for approving IT requisitions submitted for IT goods and services.  D.O. 28 also authorized MITS organization executives to redelegate approval to their senior managers.  In addition, the CIO published a Requisition Signatory Authority List, which specifically identifies the persons authorized to approve requisitions for IT goods and services based on D.O. 28 and any redelegation orders.  Evidence that the requisition was approved by someone authorized by D.O. 28 or a redelegation order must be reflected in either the requisition approval path or history record within the webRTS.  Once the review and approval process is complete, the requisition is forwarded to the Office of Procurement for processing.

While these IRS-developed procedures comply with OMB and Department of the Treasury requirements, the DIOs do not consistently review the IT requisitions to ensure reviews and approvals are conducted as required by the CIO in IRM 2.21.1.  Overall, our review of the 30 requisitions identified that requisitions were not properly approved and Requisition Summaries were not prepared and attached to the requisitions within the webRTS.  Table 3 provides details of our analysis of these requisitions. 

Table 3:  IT Requisitions Submitted by Organizations Outside
of the MITS Organization

Requisition Type

Total Number of Requisitions

Number/
Percentage Properly Approved

Number/Percentage With Requisition Summary Attached

1.  Funded by the MITS Organization

17

16 (94%)

7 (41%)

2.  Funded by the MITS Organization via an MOU

11

2 (18%)

2 (18%)

3.  Not Funded by the MITS Organization

2

0 (0%)

0 (0%)

Totals

30

18 (60%)

9 (30%)

Source:  FY 2004 requisitions for IT goods and services.

Since Tier Reviews were required only on the requisitions submitted for the acquisition of computer hardware or software, only 6 of the 17 requisitions funded by the MITS organization, and 4 of the 11 requisitions funded by the MITS organization via an MOU, were analyzed to determine if a Tier Review was completed to ensure compliance with the IRS’ EA.  Table 4 provides details of our Tier Review analysis.

Table 4:  Tier Reviews for IT Requisitions Submitted by Organizations Outside of the MITS Organization

Requisition Type

Total Number of Requisitions

Number of Requisitions Requiring a Tier Review

Number/ Percentage With
Tier Review Properly Annotated

1.  Funded by the MITS Organization

17

6

2 (33%)

2.  Funded by the MITS Organization via an MOU

11

4

0 (0%)

3.  Not Funded by the MITS Organization

2

0

Not Applicable

Totals

30

10

2 (20%)

Source:  FY 2004 requisitions for IT goods and services.

The processing of IT requisitions that do not adhere to IRS management controls for proper reviews and approvals and the attachment of a Requisition Summary increases the risk that the IRS might acquire IT systems that are not compatible with the EA.  In addition, the Requisition Signatory Authority List, which is used to ensure requisitions have been properly approved prior to being forwarded to the Office of Procurement for processing, has not been consistently updated to reflect the persons authorized to approve requisitions for IT goods and services based on the preparation of redelegation orders under D.O. 28.  This occurred because IRM 2.21.1 did not specify the MITS organization responsible for updating the Requisition Signatory Authority List, which is posted on the MITS Directives Management Office’s web site. 

Recommendations

The CIO should ensure:

4.      The IRM and MOUs between the MITS and other organizations are revised, as necessary, to specify all requisitions for IT goods and services initiated by the business units are routed through the appropriate DIO and the Director, Client Services, to ensure proper reviews and approvals are obtained and a Requisition Summary is attached to the requisition.

Management’s Response:  The Director, Client Services, will work with the Directives Management Office to ensure IRM 2.21.1 and the MOUs incorporate language specifying that the business units route all IT requisitions through the appropriate DIO and Director, Client Services.  The Director, Client Services, will also ensure the DIOs review and approve requisitions in accordance with IRM 2.21.1 and D.O. 28 and guarantee a Requisition Summary is appropriately attached.

5.      The Requisition Signatory Authority List is updated and the IRM is revised to specify the organization responsible for maintaining it and forwarding a copy to the Directives Management Office.

Management’s Response:  The Director, Financial Management Services, will establish an annual process for updating the Requisition Signatory Authority List and will forward a copy to all relevant offices, including the Directives Management Office.  In addition, the Director, Financial Management Services, will ensure the appropriate IRM is updated to this effect.

Project Costs Were Not Accurately Recorded

The Clinger-Cohen Act requires each agency to establish a process for maximizing the value and assessing and managing the risks of IT projects.  It also requires agencies to identify significant deviations from costs, performance, or schedule.  The Department of the Treasury stipulates that project costs include accounting for the spending of all resources, including items such as the cost of staff hours, contractor costs, equipment, and maintenance.  To accurately capture project costs, IRS procedures require the tracking of IT expenditures within the IRS’ financial system using a five-digit subproject code called the Project Cost Accounting Subsystem (PCAS) code.  Labor costs are also tracked through the payroll system by entering the code with the time and attendance records.

While the PCAS code was designed to track costs by each IT investment project, we found project costs were not always charged to the appropriate PCAS code.  For example, we identified 3 requisitions totaling $681,522 submitted for the Automated Background Investigation System (ABIS) on which the expenses were charged to 3 separate PCAS codes.  Of the three PCAS codes associated with the requisitions, none were the correct PCAS code that had been established for the ABIS project.  We also identified 7 requisitions totaling $726,174 for 2 IT investment projects that were not assigned a unique PCAS code for tracking expenditures.  Appendix IV presents details on the reliability of information outcome measure resulting from the recording of these costs.

By not properly accounting for all costs, the IRS cannot determine the actual results of the IT investment and comply with the Clinger-Cohen Act requirements to identify significant deviations from costs, performance, or schedule.  The inaccurate capturing of project costs occurred because requisitions submitted for IT goods and services by organizations funded by the MITS organization via an MOU and non-MITS organizations are not being routed through the DIOs to ensure the expenditures are attributed to the correct PCAS code for the IT investment project.

Recommendations

The CIO should ensure:

6.      The IRM is revised to specify all requisitions for IT goods and services initiated by the business units are routed through the appropriate DIOs and the Director, Client Services, to ensure the IT investment project is assigned and uses a unique PCAS code. 

Management’s Response:  The Director, Client Services, will work with the Directives Management Office to ensure IRM 2.21.1 incorporates language specifying the business units route all requisitions they initiate through the appropriate DIO and Director, Client Services.  In addition, the Director, Client Services, will ensure the DIOs review all requisitions to ensure appropriate PCAS codes are used.

7.      A mechanism is designed and implemented to ensure all IT expenses are accurately identified and associated with each IT investment project, regardless of the funding or PCAS codes used.

Management’s Response:  IRS management did not agree with this recommendation on the basis that the adoption of the other recommendations constitutes an effective mechanism to ensure the accurate identification and association of all IT expenses with each IT investment project.

Office of Audit Comment:  While IRS management disagreed with the recommendation, we agree the corrective actions they plan to take will address the recommendation.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the Internal Revenue Service (IRS) ensures information technology (IT) goods and services procured outside of the Modernization and Information Technology Services (MITS) organization are effectively controlled, compliant with the Enterprise Architecture (EA), do not duplicate other systems or initiatives, and follow a disciplined systems development life cycle.  To accomplish this objective, we:

I.                   Reviewed national policies, procedures, and directives for providing management controls over the procurement of IT goods and services to determine whether sufficient controls were in place over procurements made outside the MITS organization.  We also interviewed management to determine the roles and responsibilities for monitoring procurements, identified additional guidelines for processing requisitions for IT goods and services, and reviewed best practices for ensuring acquired IT goods and services are compliant with the EA and do not duplicate other systems or initiatives. 

II.                Reviewed all 271 requisitions submitted for private sector data processing services, computer hardware, and computer software between October 1, 2003, and July 7, 2004, by organizations other than the MITS organization and determined whether each requisition was associated with a system development effort and under what contract the requisition was awarded.  For the 30 requisitions that were determined to be associated with a system development effort, we determined whether the system development project was managed by the Business Systems Development office and whether the project was included in the IRS’ IT portfolio.  We also determined whether the 30 requisitions were properly reviewed and approved and whether the requisitions contained a Requisition Summary.  In addition, we determined whether the project duplicated other systems or initiatives and whether the project office followed a Systems Development Life Cycle methodology.

III.             Evaluated the results of the corrective actions taken by management to address the internal controls weaknesses over processing IT requisitions reported by the Treasury Inspector General for Tax Administration in November 2003.  For example, we interviewed management on the status of the implemented corrective actions, reviewed documents supporting the implementation of proposed corrective actions taken, and determined whether those actions adequately addressed the reported control weaknesses.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Gary Hinkle, Director

Danny Verneuille, Audit Manager

Van Warmke, Lead Auditor

Charlene Elliston, Auditor

Steven Gibson, Auditor

Olivia Jasper, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Chief Financial Officer  OS:CFO

Associate Chief Information Officer, Information Technology Services  OS:CIO:I

Associate Chief Information Officer, Management  OS:CIO:M

Director, Financial Management Services  OS:CIO:FM

Director, Resources Allocation and Measurement  OS:CIO:R

Director, Stakeholder Management  OS:CIO:SM

Director, Business Systems Development  OS:CIO:I:B

Director, Enterprise Operations  OS:CIO:I:EO

Director, End User Equipment and Services  OS:CIO:I:EU

Director, Client Services  OS:CIO:I:B:DIO

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Management Controls  OS:CFO:AR:M

Audit Liaisons:

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Chief Financial Officer  OS:CFO

Manager, Program Oversight Office  OS:CIO:SM:PO

 

Appendix IV

 

Outcome Measures

 

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.  This benefit will be incorporated into our Semiannual Report to the Congress.

Type and Value of Outcome Measure:

·         Reliability of Information – Actual; $1,407,696 in project expenditures (see page 13).

Methodology Used to Measure the Reported Benefit:

To accurately capture Information Technology (IT) project costs, the Internal Revenue Service tracks expenditures within its financial system using a five-digit subproject code called the Project Cost Accounting Subsystem (PCAS) code.  We identified 3 requisitions totaling $681,522 submitted in Fiscal Year (FY) 2004 for the Automated Background Investigation System (ABIS) project on which the expenses were charged to 3 separate PCAS codes.  Of the three PCAS codes associated with the requisitions, none were the correct PCAS code that had been established for the ABIS project.  Table 1 provides a listing of the IT requisitions submitted for the ABIS project and the projects that were charged with the ABIS project expenses. 

Table 1:  IT Requisitions Submitted for the ABIS Project but Charged to Other Projects

Requisition Number

Expense Type

Expense Amount

Project Charged With Expense

M-4-M9-22-NB-A44-000

Computer Equipment

$98,859

Security – Maintain and Enhance Security Policy and Planning Capabilities

P-4-P1-30-NB-A19-000

Data Processing Services

$270,000

Employee Resource Center

M-4-M9-22-NB-A19-000

Data Processing Services

$312,663

National Background Investigations

Total Expense Amount  

$681,522

 

Source:  FY 2004 requisitions for IT goods and services.

In addition, we identified two IT investment projects that were not assigned a unique PCAS code for tracking expenditures, and the project costs were charged to PCAS codes that included several activities.  Specifically, 5 requisitions totaling $326,174 were submitted for the Enterprise Mission Assurance Portal (EMAP) project and 2 requisitions totaling $400,000 were submitted for the Internal Revenue Manual (IRM) e-Clearance project.  Table 2 provides a listing of the IT requisitions submitted for the EMAP and IRM e-Clearance projects and the associated project expenses. 

Table 2:  IT Requisitions Submitted for IT Projects Without an Assigned PCAS Code

Project

Requisition Number

Expense Type

Expense Amount

EMAP

M-4-M9-01-MA-S26-000

Computer Hardware

$5,985

EMAP

M-4-M9-01-MA-S02-000

Data Processing Services

$25,000

EMAP

M-4-M9-01-MA-S08-000

Data Processing Services

$25,000

EMAP

M-4-M9-2A-AP-S00-000

Data Processing Services

$70,189

EMAP

M-4-M9-01-MA-S21-000

Data Processing Services

$200,000

IRM e-Clearance

M-4-M0-25-SP-A41-000

Data Processing Services

$200,000

IRM e-Clearance

M-4-M0-25-SP-B01-000

Data Processing Services

$200,000

Total Expense Amount

$726,174

Source:  FY 2004 requisitions for IT goods and services.

 

Appendix V

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.